The Cybersecurity and Infrastructure Security Agency (CISA) is seeking $425 million of fiscal year 2024 funding to put into motion a giant technology leap forward in how the agency analyzes the ever-growing volume of cybersecurity data that it needs to sift through to identify threats and vulnerabilities.
And at the same time, CISA is also looking to FY24 to accelerate a fundamental restructuring of its EINSTEIN intrusion detection and prevention capabilities – first deployed in their initial stages in 2003 and subsequently expanded to incorporate capabilities that work to detect and block cyber threats aimed at Federal civilian government agencies.
Those were two of the top-line news takeaways from Matt Hartman, CISA’s Deputy Executive Assistant Director for Cybersecurity, who took a deep dive into the agency’s cyber-tech plans in an exclusive interview with MeriTalk.
In the Q&A that follows, Hartman fleshes out some of the top-level agency tech planning laid out by CISA Director Jen Easterly late last month in testimony to the House Appropriations Committee’s Homeland Security Subcommittee, where she broached for the first time plans for creating the new Cyber Analytic and Data System (CADS).
Easterly also testified about FY24 budgeting plans that reveal funding shifts around CISA’s National Cybersecurity Protection System (NCPS). The NCPS – described by the agency as an integrated system-of-systems that delivers a range of capabilities, such as intrusion detection and prevention, analytics, information sharing, and core infrastructure – includes the EINSTEIN capabilities.
Here’s what Hartman had to say about CADS, the future of EINSTEIN, and where CISA wants to evolve its capabilities to meet current and emerging cyber threats in the age of cloud-driven modernization, the push to zero trust security architectures, and the certainty that older legacy networks will still be operating for years to come.
MeriTalk: Director Easterly’s testimony appears to point to some big changes coming in how CISA tackles analytics as well as the line-up of cyber defense tools. What can you tell us?
Hartman: This has really been a journey. Over the past several years, CISA has undergone a number of fundamental transitions.
First, the authorities and resources provided to CISA by Congress have allowed us to deploy new technologies, as well as enter into new agreements that provide us with really unprecedented visibility into cyber threats affecting American networks.
A couple of the new services and capabilities in the Federal space include our endpoint detection and response capabilities, and our Protective DNS service, which are providing CISA with much richer data today than we had previously.
Similarly, the expansion of our threat detection capabilities into critical infrastructure and into the state, local, tribal and territorial (SLTT) government organizations – as well as much richer data from industry as part of the maturation of our Joint Cyber Defense Collaborative – all play into this.
These capabilities together allow CISA to understand and act much more rapidly to address cyber risks than we were previously able to do. At the same time, the visibility enabled by these capabilities and partnerships requires new investments that allow our operators to seamlessly analyze massive volumes of data, and leverage best-in-class technologies and automation to identify previously undetected cyber threats.
MeriTalk: How is the agency going to tackle that higher volume of data?
Hartman: This is where the Cyber Analytic and Data System, or CADS, comes into play. This new environment will enable scalable analysis of cyber risk data that CISA accesses from our own sensors and from partners to more effectively detect and address cyber threats impacting Federal, SLTT, and critical infrastructure networks. CADS will provide CISA a modern, scalable, unclassified analytic infrastructure for our cyber operators.
MeriTalk: So, in a shorthand way, CADS lets the agency get its arms around all of that data and do something with it?
Hartman: That is correct.
Looking forward, we recognize a broader requirement to collaboratively analyze cyber risk data with our partners. This includes other federal agencies, SLTT organizations, private sector partners, and international partners.
This broader capability – which will include classified analytic infrastructure, communications platforms, and knowledge management capabilities – will be called the Joint Collaborative Environment. This was a concept that was first suggested by the Cyberspace Solarium Commission.
Our development of CADS is a foundational step toward creating the Joint Collaborative Environment.
MeriTalk: Can you give us an idea of what that means for NCPS and EINSTEIN?
Hartman: The analytics, information sharing, and core infrastructure elements of NCPS are shifting to CADS. The EINSTEIN suite of intrusion detection and prevention services, however, will not be a part of CADS.
We understand that some of our legacy capabilities to detect and prevent cyber threats targeting Federal agencies require fairly urgent modernization, including in some cases by shifting from government-provided technologies delivered by NCPS to commercial shared services.
One of these capabilities – Protective DNS – blocks internet traffic to and from known malicious websites, preventing adversaries from executing some types of intrusions or stealing data from Federal agencies.
We are in the process of fully transitioning this capability to a commercial shared service, with full Federal Civilian Executive Branch agency migration expected by the end of this fiscal year.
In parallel, we’re exploring the need for a second capability called Protective Email to filter potentially malicious emails that may contain viruses or malicious links to infected websites.
So together, Protective DNS and Protective Email – which you will see in the FY24 budget – will serve as the successor to CISA’s EINSTEIN 3A government-furnished capabilities.
MeriTalk: Where does that leave the earlier EINSTEIN capabilities?
Hartman: The legacy NCPS-funded intrusion detection sensors that are deployed at every Federal agency where the agency’s internal network is connected to the public internet, commonly referred to as EINSTEIN 1 and EINSTEIN 2, remain valuable in detecting certain types of attacks, but they also require modernization to address changes in the technology environment.
To do that, the FY24 President’s budget requests funding to modernize these capabilities, which will likely include deployment of new types of sensors or transition of existing sensors to different parts of agencies’ technology environments.
MeriTalk: Are those still going to be called EINSTEIN 1 and EINSTEIN 2, or are there going to be different names?
Hartman: For today, they’re still going to be called EINSTEIN 1 and EINSTEIN 2. We are in the process of an urgent modernization effort, and that may come with a shift in branding.
Regardless of their names, they will no longer be part of NCPS as it shifts to CADS in FY24. They will be delivered and executed by different parts of the organization, really to allow the CADS team to focus their efforts on this extraordinarily important mission of providing the analytic infrastructure required to enable efficient analysis of our increasingly rich data, which will result in the cyber risk reduction actions that are core to our mission.