Information Security:

DHS Needs to Enhance Capabilities, Improve Planning, and Support Greater Adoption of Its National Cybersecurity Protection System

GAO-16-294: Published: Jan 28, 2016. Publicly Released: Jan 28, 2016.

Contact:

Gregory C. Wilshusen
(202) 512-6244
wilshuseng@gao.gov

Nabajyoti Barkakati, Ph.D.
(202) 512-4499
NabajyotiB@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

What GAO Found

The Department of Homeland Security's (DHS) National Cybersecurity Protection System (NCPS) is partially, but not fully, meeting its stated system objectives:

Intrusion detection: NCPS provides DHS with a limited ability to detect potentially malicious activity entering and exiting computer networks at federal agencies. Specifically, NCPS compares network traffic to known patterns of malicious data, or “signatures,” but does not detect deviations from predefined baselines of normal network behavior. In addition, NCPS does not monitor several types of network traffic and its “signatures” do not address threats that exploit many common security vulnerabilities and thus may be less effective.
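The distinction GAO draws above, between matching traffic against known signatures and detecting deviations from a baseline of normal behavior, can be shown on constructed data. The following is an added illustration, not code from GAO, DHS or the NCPS program: the flow records, the two hypothetical signatures, the training window and the three-standard-deviation threshold are all constructed for the example. It runs both checks over the same records so the gap the report describes is visible: a large, encrypted transfer carries no payload a signature can match, yet stands out against the host's baseline.

```python
"""Signature matching versus baseline anomaly detection over constructed flow records.

Added example, not GAO's or DHS's code. All records, signatures and thresholds
are constructed for illustration.
"""
import re
import statistics
from dataclasses import dataclass


@dataclass
class Flow:
    host: str        # internal host the flow belongs to
    minute: int      # observation window index
    out_bytes: int   # bytes sent outbound during that window
    payload: bytes   # cleartext payload sample; empty when the session is encrypted


# Hypothetical signatures: byte patterns a signature-based sensor would look for.
SIGNATURES = {
    "SIG-EXAMPLE-1": re.compile(rb"EVIL_BEACON"),
    "SIG-EXAMPLE-2": re.compile(rb"cmd=exec&"),
}


def signature_hits(flow):
    """Return the names of signatures whose pattern appears in the flow payload."""
    return [name for name, pat in SIGNATURES.items() if pat.search(flow.payload)]


def build_baseline(training, k=3.0):
    """Per-host mean and standard deviation of out_bytes from a clean training window.

    k is the number of standard deviations above the mean that counts as a deviation.
    """
    by_host = {}
    for f in training:
        by_host.setdefault(f.host, []).append(f.out_bytes)
    return {
        host: (statistics.mean(values), statistics.pstdev(values), k)
        for host, values in by_host.items()
    }


def baseline_deviation(flow, baseline):
    """True when out_bytes exceeds the host's mean by more than k standard deviations."""
    if flow.host not in baseline:
        # No baseline for this host: the check cannot judge it. A real deployment
        # would want to flag unknown hosts separately rather than stay silent.
        return False
    mean, sd, k = baseline[flow.host]
    if sd == 0:
        return flow.out_bytes > mean
    return (flow.out_bytes - mean) / sd > k


def classify(flow, baseline):
    """Run both detection approaches on one flow and report what each sees."""
    return {
        "host": flow.host,
        "minute": flow.minute,
        "signatures": signature_hits(flow),
        "anomalous": baseline_deviation(flow, baseline),
    }


def run_example():
    """Constructed training window and test flows; returns one classification per test flow."""
    # Ten quiet minutes for host ws1: mean 1000 bytes, small spread (constructed).
    training = [
        Flow("ws1", m, b, b"GET /index.html")
        for m, b in enumerate([950, 1000, 1050, 1000, 980, 1020, 1000, 990, 1010, 1000])
    ]
    baseline = build_baseline(training)

    tests = [
        # Ordinary browsing: no signature, within baseline.
        Flow("ws1", 10, 1010, b"GET /index.html"),
        # Cleartext request containing a signature pattern, normal volume:
        # caught by signatures, invisible to the baseline check.
        Flow("ws1", 11, 1005, b"POST /x?cmd=exec&id=1"),
        # Large encrypted transfer: no payload for a signature to match,
        # but far outside the host's baseline (constructed exfiltration-like volume).
        Flow("ws1", 12, 250_000, b""),
        # Host with no training data: neither approach can say anything.
        Flow("ws2", 12, 300_000, b""),
    ]
    return [classify(f, baseline) for f in tests]


if __name__ == "__main__":
    for row in run_example():
        print(row)
```

Read row by row, the second record is only visible to the signature check and the third only to the baseline check; a sensor that implements just one of the two misses the other case. The baseline here is a single per-host volume statistic, which is the simplest form of the "deviation from normal behavior" GAO refers to; production systems build richer profiles, but the coverage argument is the same.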

Intrusion prevention: The capability of NCPS to prevent intrusions (e.g., blocking an e-mail determined to be malicious) is limited to the types of network traffic that it monitors. For example, the intrusion prevention function monitors and blocks e-mail. However, it does not address malicious content within web traffic, although DHS plans to deliver this capability in 2016.

Analytics: NCPS supports a variety of data analytical tools, including a centralized platform for aggregating data and a capability for analyzing the characteristics of malicious code. In addition, DHS has further enhancements to this capability planned through 2018.

Information sharing: DHS has yet to develop most of the planned functionality for NCPS's information-sharing capability, and requirements were only recently approved. Moreover, agencies and DHS did not always agree about whether notifications of potentially malicious activity had been sent or received, and agencies had mixed views about the usefulness of these notifications. Further, DHS did not always solicit—and agencies did not always provide—feedback on them.

In addition, while DHS has developed metrics for measuring the performance of NCPS, they do not gauge the quality, accuracy, or effectiveness of the system's intrusion detection and prevention capabilities. As a result, DHS is unable to describe the value provided by NCPS.

Regarding future stages of the system, DHS has identified needs for selected capabilities. However, it had not defined requirements for two capabilities: to detect (1) malware on customer agency internal networks or (2) threats entering and exiting cloud service providers. DHS also has not considered specific vulnerability information for agency information systems in making risk-based decisions about future intrusion prevention capabilities.

Federal agencies have adopted NCPS to varying degrees. The 23 agencies required to implement the intrusion detection capabilities had routed some traffic to NCPS intrusion detection sensors. However, only 5 of the 23 agencies were receiving intrusion prevention services, although DHS was working to overcome policy and implementation challenges. Further, agencies have not taken all the technical steps needed to implement the system, such as ensuring that all network traffic is being routed through NCPS sensors. This occurred in part because DHS has not provided network routing guidance to agencies. As a result, DHS has limited assurance regarding the effectiveness of the system.

Why GAO Did This Study

Cyber-based attacks on federal systems continue to increase. GAO has designated information security as a government-wide high-risk area since 1997. This was expanded to include the protection of critical cyber infrastructure in 2003 and protecting the privacy of personally identifiable information in 2015. NCPS is intended to provide DHS with capabilities to detect malicious traffic traversing federal agencies' computer networks, prevent intrusions, and support data analytics and information sharing.

Senate and House reports accompanying the 2014 Consolidated Appropriations Act included provisions for GAO to review the implementation of NCPS. GAO determined the extent to which (1) the system meets stated objectives, (2) DHS has designed requirements for future stages of the system, and (3) federal agencies have adopted the system. To do this, GAO compared NCPS capabilities to leading practices, examined documentation, and interviewed officials at DHS and five selected agencies. This is a public version of a report that GAO issued in November 2015 with limited distribution. Certain information on technical issues has been omitted from this version.

What GAO Recommends

GAO recommends that DHS take nine actions to enhance NCPS's capabilities for meeting its objectives, better define requirements for future capabilities, and develop network routing guidance. DHS concurred with GAO's recommendations.

For more information, contact Gregory C. Wilshusen at (202) 512-6244 or wilshuseng@gao.gov or Dr. Nabajyoti Barkakati at (202) 512-4499 or barkakatin@gao.gov

Recommendations for Executive Action

  1. Status: Open

    Comments: April 2016 update: DHS concurred with the recommendation and has taken steps to implement it. Specifically, DHS/NSD is conducting a pilot that will enable DHS to identify suspicious network activity based on anomalous behavior and reputation. NSD anticipates that there will be multiple phases of the pilot. Currently, the pilot is in the first phase, which involves testing anomaly analytics at Internet Service Providers (ISPs) that handle department and agency traffic. NSD continues to analyze results of the pilot activities and to document lessons learned through the pilot phase. The results of the pilot are anticipated by July 31, 2016. The NCPS Program Management Office (PMO) will then use the results of the Phase 1 pilot and the reference architecture to develop an implementation plan by September 30, 2016. Though DHS has taken steps to address our recommendation, we would need to review and evaluate DHS's plans to implement a solution (likely documented in the implementation plan) to fully close it.

    Recommendation: The Secretary of Homeland Security should direct Network Security Deployment (NSD) to determine the feasibility of enhancing NCPS's current intrusion detection approach to include functionality that would detect deviations from normal network behavior baselines.

    Agency Affected: Department of Homeland Security

  2. Status: Open

    Comments: April 2016 update: DHS concurred with the recommendation and has taken steps to implement it. Specifically, DHS officials stated NSD and the US-CERT continue to monitor the amount of IPv6 traffic that is traversing the sensors using report data from the NSD Sustainment team. NSD is also completing an assessment of encrypted traffic to understand the current amount of encrypted sessions and the growth of encrypted traffic on the .gov. Results of the assessment will be used to understand the feasibility of developing enhancements. The NCPS Program Office continues to discuss SCADA traffic with ICS-CERT to get an understanding of SCADA traffic that passes through network gateways. DHS stated additional coordination/actions were needed to fully close this recommendation.

    Recommendation: The Secretary of Homeland Security should direct NSD to determine the feasibility of developing enhancements to current intrusion detection capabilities to facilitate the scanning of traffic not currently scanned by NCPS.

    Agency Affected: Department of Homeland Security

  3. Status: Open

    Comments: April 2016 update: DHS concurred with the recommendation and has taken steps to implement it. Specifically, DHS officials stated that the SMS (Signature Management System) 2.0 was successfully deployed with many new features, including the capability to clearly link signatures both to open source external reports and to those from classified sources, and that the data is fully indexed and searchable. We should be able to close this as implemented after additional review of DHS evidence and possibly observation of functionality.

    Recommendation: The Secretary of Homeland Security should direct United States Computer Emergency Readiness Team (US-CERT) to update the tool it uses to manage and deploy intrusion detection signatures to include the ability to more clearly link signatures to publicly available, open-source data repositories.

    Agency Affected: Department of Homeland Security

  4. Status: Open

    Comments: April 2016 update: DHS concurred with the recommendation and has taken steps to implement it. Specifically, US-CERT stated they are still in the process of developing a system for tracking the sources of threat information that are processed, as well as recording actions taken or not taken with associated indicators. DHS stated they expect this system to be completed by July 31, 2016. This recommendation should be able to be closed as implemented after we review output from the developed system.

    Recommendation: The Secretary of Homeland Security should direct US-CERT to consider the viability of using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, as an input into the development and management of intrusion detection signatures.

    Agency Affected: Department of Homeland Security

  5. Status: Open

    Comments: April 2016 update: DHS concurred with the recommendation and has taken steps to implement it. Specifically, US-CERT stated they have conducted another iteration of a survey aimed at soliciting feedback from agencies and plan to provide the results upon completion (expected by the end of April 2016). In addition, US-CERT has held working group sessions to develop a process for soliciting feedback by the end of June 2016. This recommendation should be able to be closed as implemented after we review output from the developed process.

    Recommendation: The Secretary of Homeland Security should direct US-CERT to develop a timetable for finalizing the incident notification process, to ensure that customer agencies are being sent notifications of potential incidents, which clearly solicit feedback on the usefulness and timeliness of the notification.

    Agency Affected: Department of Homeland Security

  6. Status: Open

    Comments: April 2016 update: DHS concurred with the recommendation and has taken steps to implement it. Specifically, DHS officials stated that the Office of Cybersecurity and Communications (CS&C) Executive Program Management Office has facilitated a working group, led by NSD and US-CERT, with appropriate program personnel to collaborate on the development of metrics that clearly measure the value and impact of NCPS's efforts. Using industry best practices, the working group will hold brainstorming and verification and validation sessions, solicit input from .gov partners, and work with a statistician to assess the proposals before finalizing the metrics. The working group will develop two sets of measures: the first set based on current NCPS capabilities and the second based on capabilities introduced over the course of FY 2016. For each set, the working group will oversee a baselining period to ensure the measure methodologies are sound and that targets are appropriately established. Following the baselining periods, CS&C will begin to use the associated performance measures. Officials cited that CS&C continues to invest in efforts to develop outcome-oriented measures, but cited challenges in developing such metrics. For example, officials stated it is difficult to estimate how many potential compromises are not detected by any current defenses. This makes it challenging to evaluate the “completeness” of any given security tool. Further, they stated it is difficult to estimate the impact of a prevented attack because the consequences of cybersecurity compromises vary widely. This results in a challenge to identify the true outcomes of any cybersecurity program. CS&C submitted a request to DHS's Science and Technology Directorate in March 2016 for a task to help define effectiveness metrics for the NCPS. This recommendation will remain open until we are able to review the developed metrics and the subsequent data they are to measure.

    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop metrics that clearly measure the effectiveness of NCPS's efforts, including the quality, efficiency, and accuracy of supporting actions related to detecting and preventing intrusions, providing analytic services, and sharing cyber-related information.

    Agency Affected: Department of Homeland Security

  7. Status: Open

    Comments: April 2016 update: DHS concurred with the recommendation and has taken steps to implement it. Specifically, DHS stated that they expect this recommendation to be addressed as part of Continuous Diagnostics and Mitigation (CDM) Phase 3 (expected implementation of Q1 FY 2018). DHS has developed initial requirements that they believe will address this recommendation; however, we have yet to review them.

    Recommendation: The Secretary of Homeland Security should direct the Office of Cybersecurity and Communications to develop clearly defined requirements for detecting threats on agency internal networks and at cloud service providers to help better ensure effective support of information security activities.

    Agency Affected: Department of Homeland Security

  8. Status: Open

    Comments: April 2016 update: DHS concurred with the recommendation and has taken steps to implement it. Specifically, DHS stated that the NCPS Program Office and the CDM Program Office continue to have technical discussions that will allow the NCPS PMO to prepare the NCPS Mission Operating Environment (MOE) for hosting the CDM Federal Dashboard. Once the CDM Federal Dashboard is available, the CDM program will begin connecting CDM agency-specific dashboards with the CDM Federal Dashboard in Q1 2017. In preparation of future integration efforts, NSD has begun working on a task to create a data correlation model of NCPS and CDM data. The development of the model is in progress and expected to be delivered in June 2016. In order to close this recommendation, we would need to review this model and determine how, if at all, the vulnerability information was used as part of a risk-based approach to intrusion prevention.

    Recommendation: The Secretary of Homeland Security should direct NSD to develop processes and procedures for using vulnerability information, such as data from the Continuous Diagnostics and Mitigation program as it becomes available, to help ensure DHS is using a risk-based approach for the selection/development of future NCPS intrusion prevention capabilities.

    Agency Affected: Department of Homeland Security

  9. Status: Open

    Comments: April 2016 update: DHS concurred with the recommendation and has taken steps to implement it. Specifically, DHS stated CS&C is collaborating with the federal civilian departments and agencies via the Cloud TIC Working Group (CTWG) subcommittee, part of the Information Security Identity Management Committee (ISIMC), to address agency challenges with routing traffic through their Trusted Internet Connections (TIC) gateways. DHS, one of the co-chairs of the CTWG, is working with the agency representatives to develop “alternative” approaches for routing .gov traffic to provide information more efficiently, while maintaining the DHS-required situational awareness. Further, DHS stated that the Federal CIO was briefed on March 24, 2016 on the CTWG recommendations for alternate routing of agency traffic. The outcome of the meeting was to incorporate portions of the initiative into the Cybersecurity National Action Plan (CNAP) as part of the TIC 30 Day Review activities. The CNAP team will develop milestones for the progress on this activity. In order to close this recommendation, we will need to review the completed milestones to determine the extent to which they support/ensure the complete, safe, and effective routing of information to NCPS sensors.

    Recommendation: The Secretary of Homeland Security should direct NSD to work with their customer agencies and the Internet service providers to document secure routing requirements in order to better ensure the complete, safe, and effective routing of information to NCPS sensors.

    Agency Affected: Department of Homeland Security
