To protect federal civilian agencies against cyberthreats, the Department of Homeland Security (DHS) is preparing to deploy a more powerful version of its EINSTEIN intrusion-detection system that's supposed to detect attacks and malware, especially those associated with e-mail. But because DHS acknowledges that this version of EINSTEIN can read electronic content, it's raising privacy concerns.
DHS recognizes there are privacy implications and has just issued a privacy impact assessment report about what it calls EINSTEIN 3 Accelerated (E3A), an intrusion detection and prevention system expected to be made available as a managed security service from ISPs to monitor .gov traffic to and from civilian agencies and Executive Branch departments, such as Treasury. DHS says EINSTEIN 3 may collect personally identifiable information (PII) in some instances: the system will not just monitor traffic but also prevent threats by blocking it, and detecting a cyberthreat or potential cyberthreat can require capturing the associated data.
In its privacy impact assessment for EINSTEIN 3, published April 19, DHS states that appropriate privacy-protection controls related to PII have been established. DHS says it has procedures in place so that analysts will know how to minimize (i.e., overwrite, redact, or replace) PII that is not necessary to understand the cyber threat.
But EINSTEIN 3 is anticipated to include packet-inspection tools that allow an analyst to look at the content of the threat data, which enables a more comprehensive analysis. Packet capture may contain information that could be considered PII, such as malicious data from or associated with e-mail messages or attachments, the DHS privacy impact assessment notes.
DHS is only using this information to better identify a known or suspected cyber threat against computer networks, states the privacy impact assessment, which lists as its main contacts Brendan Goode, director of network security deployment in the Office of Cybersecurity & Communications, National Protection and Programs Directorate at DHS, and Jonathan Cantor, DHS acting chief privacy officer.
In the privacy impact assessment, DHS acknowledges that EINSTEIN 3's threat-prevention capabilities may include deep-packet inspection by ISPs. DHS will approve indicators before they are transferred to ISPs for deployment in E3A, to ensure that indicators are specific to a particular type of traffic and are not overly broad in their data collection requirements.
These indicators are expected to be configured by ISPs into pattern-matching signatures that detect known or suspected malicious traffic to and from the participating agencies. ISPs that participate in EINSTEIN 3 are also being asked to submit their own cyber threat indicators to DHS for consideration.
According to the DHS privacy impact assessment report, alerts and other information provided to the DHS cybersecurity office by the ISP providing the managed service will generally contain the following: a unique ID for the alert, the participating agency, the indicator/action pair that produced the alert, the date and timestamp of the alert, the netflow record, and, if applicable, identification of quarantined or captured/stored data associated with the alert.
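As an added illustration, not DHS, ISP or E3A code, the following Python models the pipeline the two paragraphs above describe: approved indicator/action pairs compiled into pattern-matching signatures, an alert record carrying the fields the assessment lists, and the minimization step (overwriting PII not needed to understand the threat) applied to captured content before it leaves the sensor. The assessment does not specify an indicator format, an alert ID format, or how minimization is decided, so the `Indicator` structure, the "IND-"/"E3A-" identifiers, the rule that e-mail addresses outside the matched indicator are overwritten, the simple breadth check, and all sample traffic are constructed assumptions for this example.

```python
"""Illustrative indicator/action signature pipeline with PII minimization.

Constructed example; not DHS, ISP or E3A code. Structures and IDs are assumed.
"""
import itertools
import re
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import Optional

# Loose e-mail address matcher, used only to find PII to minimize.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


@dataclass(frozen=True)
class Indicator:
    """An approved indicator paired with the action it triggers (assumed format)."""
    indicator_id: str
    pattern: str  # regex the ISP compiles into a pattern-matching signature
    action: str   # "alert" (monitor only) or "block" (quarantine the traffic)


@dataclass
class Flow:
    """One observed flow plus its captured content (constructed test input)."""
    src: str
    dst: str
    proto: str
    nbytes: int
    agency: str
    payload: bytes


@dataclass
class Alert:
    """Alert record with the fields the assessment lists for ISP-to-DHS reporting."""
    alert_id: str
    agency: str
    indicator_id: str
    action: str
    timestamp: str
    netflow: dict
    captured: Optional[str]  # minimized content, present only when data was quarantined


def indicator_is_overly_broad(pattern: str) -> bool:
    """Simplified breadth check (assumption): a signature that matches the empty
    string would match every packet, so it is rejected before deployment."""
    return re.compile(pattern).search("") is not None


def minimize_pii(text: str, keep: frozenset) -> str:
    """Overwrite every e-mail address except those that are part of the indicator match."""
    return EMAIL_RE.sub(
        lambda m: m.group(0) if m.group(0) in keep else "[REDACTED-EMAIL]", text)


class Sensor:
    """Applies approved signatures to flows and emits alert records."""

    def __init__(self, indicators):
        for ind in indicators:
            if indicator_is_overly_broad(ind.pattern):
                raise ValueError(f"{ind.indicator_id}: indicator is overly broad")
        self.sigs = [(ind, re.compile(ind.pattern, re.IGNORECASE)) for ind in indicators]
        self._ids = itertools.count(1)

    def inspect(self, flow: Flow):
        """Return (alerts, blocked) for one flow."""
        content = flow.payload.decode("utf-8", errors="replace")
        alerts, blocked = [], False
        for ind, rx in self.sigs:
            m = rx.search(content)
            if m is None:
                continue
            if ind.action == "block":
                blocked = True
            # Addresses inside the matched region are part of the threat indicator and
            # are kept; every other address in the capture is overwritten before export.
            keep = frozenset(EMAIL_RE.findall(m.group(0)))
            captured = minimize_pii(content, keep) if ind.action == "block" else None
            alerts.append(Alert(
                alert_id=f"E3A-{next(self._ids):06d}",
                agency=flow.agency,
                indicator_id=ind.indicator_id,
                action=ind.action,
                timestamp=datetime.now(timezone.utc).isoformat(timespec="seconds"),
                # The netflow record carries headers only, never payload.
                netflow={"src": flow.src, "dst": flow.dst, "proto": flow.proto, "bytes": flow.nbytes},
                captured=captured,
            ))
        return alerts, blocked


# Constructed indicators and traffic; the addresses and domains are documentation ranges.
INDICATORS = [
    Indicator("IND-0001", r"From: phisher@evil\.example", "block"),
    Indicator("IND-0002", r"X-Mailer: MassSender/[0-9.]+", "alert"),
]

SAMPLE_FLOWS = [
    Flow("203.0.113.7", "192.0.2.25", "tcp/25", 1480, "Treasury",
         b"From: phisher@evil.example\r\nTo: alice.jones@treasury.gov\r\n"
         b"Subject: Invoice\r\n\r\nPlease open the attachment."),
    Flow("198.51.100.9", "192.0.2.25", "tcp/25", 640, "Treasury",
         b"From: bob@vendor.example\r\nTo: alice.jones@treasury.gov\r\n"
         b"Subject: Lunch\r\n\r\nNoon?"),
]


def run_sample():
    """Inspect the constructed flows; returns a list of (alerts, blocked) per flow."""
    sensor = Sensor(INDICATORS)
    return [sensor.inspect(flow) for flow in SAMPLE_FLOWS]


if __name__ == "__main__":
    for alerts, blocked in run_sample():
        for alert in alerts:
            print(asdict(alert))
        print("blocked:", blocked)
```

Running it shows the phishing flow producing one "block" alert whose captured content still names the indicator's sender but has the agency recipient overwritten, while the benign flow produces no alert and passes. The point the assessment makes is visible in the `Alert` layout: the netflow record and indicator identify the threat without content, and content travels only when quarantined, and only after minimization.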