DHS use of deep packet inspection technology in new net security system raises serious privacy questions

Ellen Messmer | April 25, 2013
Department of Homeland Security is preparing to deploy a much more powerful version of its EINSTEIN intrusion-detection system that can capture e-mail content and personally identifiable data

Participating departments and agencies are expected to enter into a memorandum of understanding with DHS to authorize the application of these intrusion-prevention capabilities by DHS and lists of identified IP addresses will be verified by DHS. However, some privacy-advocacy groups, including the Electronic Privacy Information Center (EPIC) based in Washington, D.C., say they have questions about EINSTEIN 3.

"We're not sure entirely where this information is flowing when the government puts it into a database," says Amie Stepanovich, director, EPIC domestic surveillance project, who has read the EINSTEIN 3 privacy impact assessment report. The ability of the government to intercept and sort through any collected data could include not just official business but intercepted communications that involve personal contacts as well, she points out.

Stepanovich says the secretive EINSTEIN program appears to operate under what's known as National Security Presidential Directive 54 (NSPD-54), an as-yet undisclosed cybersecurity directive signed by George W. Bush in 2008 whose contents have not yet been made public. She noted EPIC has an ongoing lawsuit to compel the government to make NSPD-54 available to the public.

Originally called the National Cybersecurity Protection System, the EINSTEIN project started in 2004 as a way to automatically collect computer network security information from voluntarily participating federal executive agencies by means of EINSTEIN 1. EINSTEIN 2, launched in 2008, evolved further into a network intrusion detection system that monitors for malicious activity in network traffic to and from participating federal executive agencies to assist the U.S. Computer Emergency Readiness Team (US-CERT). That's according to the Privacy Compliance Review of the EINSTEIN Program published Jan. 3, 2012 by DHS.

Both EINSTEIN 1 and 2 continue to operate for their distinct purposes, according to the DHS report. EINSTEIN 1 collects network flow records, which identify the source Internet Protocol (IP) address of the computer that connects to the federal system, recording port source, communications time, federal destination IP address and other protocol information. EINSTEIN 2 makes use of custom signatures based upon known malicious traffic to detect attacks. The DHS report from January 2012 said EINSTEIN 2 can collect some PII, including email header and the body of the email message, when a custom signature indicates a cyberthreat. The Jan. 2012 privacy compliance review by DHS indicated any information collected related to a cyberthreat will be maintained for up to three years. There has been some external sharing of information collected by EINSTEIN 2, including with India and Israel, and DHS Privacy Office recommended that US-CERT stipulate what PII is to be shared in the reports and retention rates in memorandums of understanding with all foreign partners.

DHS was not immediately available to discuss the EINSTEIN program and when EINSTEIN 3 will be in deployment. The DHS Office of Cybersecurity & Communications in the National Protection and Programs Directorate is making it clear in its publicly available privacy impact assessment that the updated EINSTEIN 3 is expected to be available as a managed security service provided by ISPs under the direction of DHS.

