BelchSpeak

I can't believe that came from your mouth!

CyberPolitics

US-CERT Still Not Up to Snuff

The Office of Management and Budget released a report to Congress that brings forward lots of questions about US-CERT’s capabilities and ongoing problems securing the National Critical Cyber Infrastructure.

The report is here, courtesy of BusinessWeek, and it pretty well outlines everything the US-CERT is doing with the millions in Federal funding. And after reading the report, I can say that nothing has changed in 3 years except for senior leadership and a few more agencies feeding data into the “Einstein” program, which is essentially an anomaly detection COTS product. Which would be okay, except Carnegie Mellon lawyers force US-CERT to strip out all useful information such as IP addresses and packet payloads, which renders the anomaly detection as useless as screen windows on a submarine.

Even OMB criticizes US-CERT for stripping the payloads from the packets.

The lack of a robust monitoring capability negatively affects the organization’s ability to verify and investigate anomalies and to identify threats. Specifically, although the Einstein flow data are collected in real time, the actual analysis is manually intensive and does not occur simultaneously or in real time. Another limiting factor of Einstein data is that the organization is unable to analyze the content of the potentially malicious traffic.

US-CERT needs to stop playing footsie with the data they collect and do some real analysis.  Otherwise, they should just cut off funding because they aren’t doing anything productive anyways.  Part of OMB’s recommendations note that US-CERT plans to hire 80 more cyber analysts.  Wow, that sure is going to be lots of thumbs up lots of asses.  Thanks to Steinnon for the story.

Dr. Jones

Do not talk about fight club. Oops.
