back to article US government's $6bn super firewall doesn't even monitor web traffic

The US government's firewall, named Einstein, is not as smart as its name would suggest. A report [PDF] by the General Accounting Office (GAO) into the National Cybersecurity Protection System (NCPS) has concluded that it is only "partially meeting its stated system objectives." Which is a polite way of saying it sucks. Among …

  1. Drs. Security

    governments and IT projects

    Interesting to see it's not only the Dutch government making a mass of their IT project and spanding.

    As for safe harbour II? Hope Homeland Security is not part of the negosiating team ;)

    1. Charles Manning

      Re: governments and ANY projects

      FTFY....

      I've just been looking at the F22 and F35 tragedies. 10% of the national debt pissed against the wall making two useless generations of planes. The only thing achieved was spending vast amounts of money, with each state making sure they get a good slosh of the gravy.

      1. Anonymous Coward
        Anonymous Coward

        Why are you surprised???

        Pork barrel politics has been a core part of the US government since about 15 minutes after the Constitution was signed.

      2. allthecoolshortnamesweretaken

        Re: governments and ANY projects

        This reminds me of the Great Wall of China. Good idea* on paper, pretty much useless after implementation.

        *Some claim that it was an even bigger failure as usually percieved. Alledgedly the project wasn't meant to shield the whole kingdom against babarian hordes, it started as a garden wall for the emeror's summer palace and then somehow snowballed. Given how bureaucracies worked even then, well...

    2. The Man Who Fell To Earth
      Boffin

      Re: governments and IT projects

      Not government. Cops.

      In the US, Law Enforcement Agencies actively go out of their way to NOT hire the best and brightest. Their philosophy, tested by Court Rulings, is that smart people get bored with police & security work, and don't stay around. So why hire them? (See for example, http://abcnews.go.com/US/court-oks-barring-high-iqs-cops/story?id=95836 )

      Really, nothing to see here. Typical Homeland Security. Move along.

  2. Will Godfrey Silver badge
    FAIL

    You coundn't make it up.

    See icon

  3. This post has been deleted by its author

  4. Darryl

    Instead of reinventing the wheel (and making it square, from the sounds of things) wouldn't it have been about 5.5 billion cheaper to pick up the phone and call one of the established firewall/security companies? They could've even supported some US company like Palo Alto or Dell Sonicwall...

    1. ecofeco Silver badge

      It would, but none of them are on the approved pork/insider/lobbyist/defense contractor list.

    2. Mark 85 Silver badge
      Trollface

      Well.. it doesn't work as intended, doesn't really catch anything and is expensive as hell... I think Einstein = McAfee might apply.

    3. a_yank_lurker Silver badge

      @Darryl - Or have one them adapt an existing enterprise grade product for the feral's needs. But it sounds like another feral payola to favored but incompetent cronies.

    4. Charles Manning

      Dear Sir/Madam

      We are fascinated by this curious concept called "cheaper".

      Can we get you and your consulting team at the standard rate of $500/person/hour + expenses to explain it to us? How many years do you think it will need to describe this idea adequately?

      Yours sincerely

      Congressional Procurement Office

  5. scrubber

    Obvious when you consider their priorities

    If all your top IT people are hoovered up into the NSA then you're gonna be left with idiots.

    Still, makes it easy to know what most of the US govt is up to I suppose... If you're a hacker, or China, or Russia, or ISIS.

    1. Gene Cash Silver badge

      Re: Obvious when you consider their priorities

      > gonna be left with idiots.

      Not really. DHS is the dumb clown dumping ground, like Siberia for KGB agents, so they're *all* idiots.

    2. John Brown (no body) Silver badge

      Re: Obvious when you consider their priorities

      "If all your top IT people are hoovered up into the NSA then you're gonna be left with idiots."

      Is the USA really THAT different from the UK and probably every other country in the world? Surely the best are in private industry earning the big bucks and not just taking home a "civil service" wage?

      1. L05ER

        Re: Obvious when you consider their priorities

        think: big fish, little pond.

        not the country's top IT people... DHS's top IT people.

  6. Marketing Hack Silver badge
    Flame

    Thank you, Clint Eastwood!!

    If he had never made "Heartbreak Ridge", I possibly never would have heard of the term "clusterfuck", which so perfectly describes this situation.

    Gotta love this article, including some examples of the use of leading-edge technology, such as:

    "In 2009, a second version was deployed that added signatures". Really!? Wasn't signature-based antivirus pretty much solidified by say, 1991 or 1992? Way to win Gulf War #1, guys!! What's next? Is the DHS working on something to "Keep the damned Krauts from coming at our boys in the Ardennes" again?

    Throw another $5.7 billion on the national debt bonfire, why don't you? Hey, it's not like its real money, after all!

  7. JEF_UK
    WTF?

    SNORT?

    Isn't there a CAPEX rule that says

    "Is there a COTS solution?"

    Hasn't this been done?

    I mean; "Really" done?

    I mean; Have I been hallucinating?

    Perhaps this http://archive.oreilly.com/pub/h/1393 page does not exist and I've not made my own rules?

    It's a bit harder to have a good fully working SSL bump to get all HTML but really just buy some pfSense boxes and be done with it.

    Pay for the support too. They will need it.

    still have change for a Mars base...

    It's 50/50 FAIL/WTF

  8. Diodelogic

    At least 90% of the Register's readers

    could have written this article after being told nothing more than the name of the department in charge of the firewall, although he/she might not have gotten the statistics exactly right.* That would apply to a British version as well.

    *The only surprising information is that the firewall caught as much as 29% of the intrusions. I'd have guessed somewhere in the 6-9% range.

    1. veti Silver badge

      Re: At least 90% of the Register's readers

      True, but the numbers are important. That's why the GAO spends half a billion dollars a year working them out.

    2. Andrew Hodgkinson
      Holmes

      Re: At least 90% of the Register's readers

      Diodelogic wrote:

      > The only surprising information is that the firewall caught as much as 29% of the intrusions. I'd have guessed somewhere in the 6-9% range.

      It didn't. It caught 29 of them. 29, not 29%. Which was indeed, as both your guess and the article say, around 6%.

      1. Old Handle

        Re: At least 90% of the Register's readers

        It's still better than the TSA is at their job, so by DHS standards this project exceeded expectations.

        1. Roj Blake Silver badge

          Re: At least 90% of the Register's readers

          Isn't the TSA a part of the DHS though?

          1. Old Handle

            Re: At least 90% of the Register's readers

            Of course. Just pointing out that as bad as this was, another branch of their organization managed to fail even harder.

  9. EastFinchleyite
    FAIL

    You know it makes sense

    The DHS was created by President George W Bush.

    Figures....

  10. Crazy Operations Guy Silver badge

    Off-the-sehlf system

    For even $57 dollars, I could throw together OpenBSD, Squid, Bro, OpenSMTPD, and ClamAV on a basic, off-the-shelf piece of hardware that actually does what the project should've been capable of doing. Point the machines to update from an internal server for the super-secret signatures they are checking for and you're good to go.

    A quad-core box, 32 GB of RAM, and 640+ GB of disk would be enough for such a system. (Pricing such a thing on NewEgg comes out to about $750). Those applications support clustering, so there's your reliability and scale.

    1. Adam 52 Silver badge

      Re: Off-the-sehlf system

      Oh dear. You probably need to think a little harder about the scale, variability and distribution of the US government.

      1. SolidSquid

        Re: Off-the-sehlf system

        Considering the budget for this would allow you to buy over 8 million of those, I'd say scale isn't likely to be a problem with the off-the-shelf approach

  11. Bill Stewart

    So it's about $1000-$2000/user?

    I'm not sure how many government employees it's covering, but it seems like there'd be much cheaper commercial solutions around.

  12. David Pollard
    Joke

    "... six per cent coverage ... for $6bn"

    Obviously they need an increase of funding to $100bn to achieve 100% coverage.

    1. Ole Juul

      Re: "... six per cent coverage ... for $6bn"

      I was about to write the same thing, but then I got to thinking. The first 6% is probably way cheaper than the last 6%. In fact the curve might even be exponential. I'd say it would be closer to $1 trillion to get into the 90% range. Anyway, in the end it's just a lolfest on salary. Like others have suggested, putting the money toward a workable solution might be more prudent.

      1. Crazy Operations Guy Silver badge

        Re: "... six per cent coverage ... for $6bn"

        I've always seen it as a bath-tub curve. The first 5% is near impossible since the product is untested and there is still a bit of a teething phase, the next 90% flies by without issue, then the last 5% would be those weird corner cases and mission-critical stuff that can't be down for changes. And it always seems to be that that last 5% is the group that needs it the most, such as the systems that everything is dependent on and thus needs the most protection, but you can't take it down because everyone is depending on it being accessible constantly...

    2. SolidSquid

      Re: "... six per cent coverage ... for $6bn"

      Don't be silly, government IT spending is done on an *exponential* curve, not linear. They need $6 trillion to hit 60% coverage

  13. Anonymous Coward
    Anonymous Coward

    Fascism/Corporate Welfare at its worst

    5 billion here, 5 billion there, pretty soon we are talking about real money.

    This is how Fascism and Corporate Welfare get fat while our basic infrastructure crumbles.

  14. Bob Dole (tm)
    Holmes

    Considering there's no way they actually spent 5.7 bil on that piece of crap, what was the money actually spent on?

    1. Mark 85 Silver badge

      Well there's meetings.. so donuts and coffee. Then there's travel to inspect something. Then there's fancy logos and catchy names for stuff. Oh.. and the director's office needed redecorating.

      1. Crazy Operations Guy Silver badge

        Don't forget the luxury team-building retreats to Dubrovnik or the industry trade shows in Maui. The expensive auditors to ensure that the development process is complying with all the random ISO standards and six-sigma training, then halfway through, trying to implement the "lean" methodology (Because something that works for Toyota is -totally- going to work fro a software product...)

        I wish I was being facetious, but that happened to me last year. A project that was supposed to be 6 weeks (which I almost finished in week 3) but has been going on for 8 months now because the managers keep going to seminars about how to get projects back on track by using some new, cutting edge process...

    2. This post has been deleted by its author

  15. Anonymous Coward
    Anonymous Coward

    You're missing the point

    It doesn't cost $5.7 billion to make firewall. They spend $5.7 billion on firewall systems because its not an import from China. So the money is spent in the US, and grows the US economy.

    When you're major business is printing money, finding bigger mattresses to stuff it under becomes ever harder. So they spend it on military and security stuff, knowing they can *require* that money be spent on US companies for 'security' reasons, hence the money stays in the US, at least for one iteration.

    Take a look, this is *adjusted* numbers to 2005 dollars! The devalued dollars would look much much worse:

    http://www.usgovernmentspending.com/us_gdp_history

    It's not going to get better, they moved from manufacturing stuff to manufacturing fear.

    1. David Pollard

      Re: You're missing the point

      Sadly A/C seems not so far wrong. Here's the xkcd money chart:

      https://www.xkcd.com/980/

  16. ToFab

    How is it even possible to spend 6 billion dollars on this?

    Cost: 6.000.000.000 USD

    Years of development 2016 - 2003 = 13

    Avg. annual wages of a developer: 100.000 USD

    Has 4.600 people been working full time on this for 13 years?

    Seriously.

    1. CrazyOldCatMan Silver badge

      > Has 4.600 people been working full time on this for 13 years?

      Ah bless. I remember being young and thinking that budgets would be spent on *actually* doing stuff..

      I'd be suprised if more than 25-30% got spent on people actually doing real stuff (coding/testing/sysops).

  17. simonorch

    Qui Bono

    The public sector is about keeping people in work, anything useful that may be a result of that work is purely coincidental and should be considered as a bonus.

    1. Roj Blake Silver badge

      Re: Qui Bono

      Wrong.

      In most modern Western economies the public sector is about keeping private companies (ie Civica, Haliburton, Serco, G4S et al) in work.

  18. BurnT'offering

    So they've proved the firewall is ineffective

    I wonder if it's also insecure. It would be slightly ironic if it gets owned by Ukrainian hackers

  19. Anonymous Coward
    Anonymous Coward

    hardly a firewall

    more of a slightly warm wall...

    So its a system set up to defend other departments networks build and run by a department that says its not its job to defend.

    It finds 6% of threats which is just as likely to be random failures of the controls than actual detections

    And you expect admins to integrate with the service provider without a service and allow it to packet inspect all of your traffic???

    Thus making it insecure, unreliable, expensive, complex...and unbelievable (as a non american...)

    1. I am not spartacus

      Re: hardly a firewall

      Seriously, though, it us exactly a firewall.

      What has happened is that people have got used to all sorts of non-primary functions being built in to domestic firewall products and have started mistaking them for what a firewall has as its primary function.

      Raises questions about the procurement process, and who worked out the specification and what was in it. I suspect it was really inadequate, and the actual firewall does what is specified, but that could be wrong.

      Mind you, I'm not sure how you can spend that much on a firewall, even if you try to spend to the max. Even if you are the gubmint...

      1. Vic

        Re: hardly a firewall

        What has happened is that people have got used to all sorts of non-primary functions being built in to domestic firewall products and have started mistaking them for what a firewall has as its primary function.

        Your point notwithstanding, setting -A INPUT --dport 80 -j ACCEPT hardly counts as a firewall...

        Vic.

  20. PaulAb

    Spring field Nuclear facility is better served with Homer at the Helm

    This system wouldn't belong to the same government that wants back doors in crypto and certificates.

    A government who work closely with UK security organisations who themselves failed to produce a communications protocol, a protocol l that is inherently flawed against any moderatley aggressive attack.

    Does this mean that Homeland security system users don't need to use Open Vpn to hide their porno adventures. Yep sound like a government project.

    I'll have some of that then, I'm sure I could do this for under £300 quid all in and I'll buy my own Lunch.

  21. Phil Kingston

    I'd have done it for 5bn.

  22. allthecoolshortnamesweretaken

    What the...

    ... oh, DHS, you say? Right, carry on.

  23. Jim O'Reilly
    FAIL

    Buying Symantec

    For $6.8 Bilion, the gov could have bought Symantec, gotten decent systems, provided NSA with backdoors galore and still have change

  24. The Islander
    Big Brother

    Surprised ..

    .. that no one has suggested:

    a) it's deliberate misdirection to lull us into a sense of superiority

    or

    b) it was hamstrung from within by people who didn't like where this could lead.

    No shortage of commentards here usually proclaiming conspiracy and dissemination of orchestrated disinformation ...

    Or maybe Occam would call it just right

  25. AustinTX
    Big Brother

    THIS

    is how I would either scam the government for money, or squirrel away money for a black operation. Depending on whether I were a well-connected defense contractor or an alphabet agency with covert side-projects.

  26. John Smith 19 Gold badge
    Unhappy

    too bad it wasn't in place before the OPM had all it's files copied

    Oh, it was.

    I wonder if it spotted anything?

  27. Grahame 2
    Joke

    Blackadder

    Blackadder: How did you manage to find a firewall that cost six billion dollars?

    Baldrick: I had to haggle.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019