Auditors slam US govt's $8bn firewall as ineffective

The firewall used by United States government agencies is failing to fully meet its objectives and is leaving agencies open to zero-day attacks, a US audit report has found.

Late last month the Government Accounting Office released its report [pdf] into the US' national cybersecurity protection system, known colloquially as Einstein, and found it was failing to fully protect its users.

Einstein's four stated objectives are to provide intrusion detection, intrusion prevention, analytics, and information sharing to user agencies.

But the auditors found the system - which has a total cost of US$5.7 billion (A$8 billion) - is unable to monitor web traffic or cloud services for malicious content, uncover malware on a system, and only offers signature-based detection, rather than monitoring for unusual activity.

The report also found that the government had no process in place to measure how well Einstein was performing - a metric that was similarly hindered by lack of information-sharing between user agencies. 

"While [Einstein's] ability to detect and prevent intrusions, analyse network data, and share information is useful, its capabilities are limited," the GAO wrote.

"For example, [it] detects signature-based anomalies, but does not employ other, more complex methodologies and cannot detect anomalies in certain types of traffic. Further, the intrusion prevention capabilities can currently mitigate threats to a limited subset of network traffic."

Information sharing has only recently been approved and funded for development, the auditors wrote - existing arrangements were manual and "largely adhoc".

"Until [Einstein's] intended capabilities are more fully developed, DHS will be hampered in its abilities to provide effective cybersecurity-related support to federal agencies," the office said.

Most of the 23 agencies required to use the firewall were only employing it to a limited degree, and only five agencies were utilising its intrusion detection capabilities, the report noted.

The audit office tried to exploit 489 known vulnerabilities across Flash, Office, Java, IE and Acrobat, and found the system only identified and blocked 29.

Einstein was built in 2003 to automatically monitor agency network traffic, and later expanded to offer signature-based detection and malware-blocking abilities.

The department told the office Einstein was always intended to be a signature-based detection system only.

"It is the responsibility of each agency to ensure their networks and information systems are secure while it is the responsibility of DHS to provide a baseline set of protections and government-wide situational awareness, as part of a defense-in-depth information security strategy," the department told the auditors.

The government spent US$1.2 billion on the system in the last year alone, for a total projected cost of US$5.7 billion to fiscal 2018.