Privacy Assessment Sheds Light on Einstein 3
The federal government is shedding more light on Einstein 3, the intrusion prevention system under development by the National Security Agency and to be deployed by the Department of Homeland Security.
The already deployed Einstein 1 monitors network flow; Einstein 2, which is being deployed, detects system intrusions. Einstein 2 and 3 look for specific patterns of known malicious activity.
In preparation for a test of Einstein 3, DHS issued a privacy impact assessment last week aimed at protecting personally identifiable information. In describing its privacy safeguards, the 19-page assessment prepared by DHS Chief Privacy Officer Mary Ellen Callahan furnished some details on how Einstein 3 works:
- The Einstein 3 technology to be tested will physically receive all redirected agency traffic and will apply predefined signatures to that traffic to identify known or suspected cyber threats. Only that limited portion of the redirected traffic that is associated with identified cyber threats will be available for review by analysts at DHS's United States Computer Emergency Readiness Team. Any traffic that is not associated with a cyber threat will not be retained by U.S.-CERT.
- Automated alerts generated during the exercise will announce the detection of known or suspected cyber threats. These notifications are generated by scenarios programmed into Einstein 3. A scenario is a computer instruction that monitors signatures and automatically directs that certain actions, such as the generation of alerts, be taken by Einstein 3.
- When an alert is triggered based upon a signature, the connection event - communication between two computers - is captured. For example, if the alert is triggered by malicious code contained in an attachment to an e-mail, that e-mail will be captured. In many cases, the analysis of this event will only require looking at the attachment and not even reviewing the contents of the e-mail. However, sometimes the malicious payload is hidden and delivered via the content of the e-mail. In those circumstances, the analyst focuses on analyzing the event for the malicious payload, not on any content nor personally identifiable information contained in the event.
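As an added illustration (not code from DHS or the assessment), the following Python models the flow the three points above describe: predefined signatures are applied to redirected traffic, a scenario raises an alert on a match and captures the connection event with only the matching bytes as the analyst's starting point, and traffic with no match is not retained. The signatures and traffic are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed signature set (hypothetical patterns, not real threat indicators).
SIGNATURES = {
    "SIG-EX-001": re.compile(rb"X-Demo-Beacon: [0-9a-f]{8}"),
    "SIG-EX-002": re.compile(rb"demo-dropper\.exe"),
}


@dataclass
class ConnectionEvent:
    """Communication between two computers, as the assessment defines an event."""
    src: str
    dst: str
    payload: bytes


@dataclass
class Alert:
    signature: str
    event: ConnectionEvent   # the captured connection event
    excerpt: bytes           # only the matching bytes, so analysis starts from the payload


def scenario_apply_signatures(event):
    """A 'scenario': test every signature against the event and raise an alert per match."""
    alerts = []
    for name, pattern in SIGNATURES.items():
        match = pattern.search(event.payload)
        if match:
            alerts.append(Alert(name, event, match.group(0)))
    return alerts


def process_redirected_traffic(events):
    """Return (retained_alerts, discarded_count): only threat-associated events are kept."""
    retained, discarded = [], 0
    for event in events:
        alerts = scenario_apply_signatures(event)
        if alerts:
            retained.extend(alerts)
        else:
            discarded += 1  # not associated with a cyber threat: nothing is stored
    return retained, discarded


# Constructed sample traffic; the PII-bearing message is benign and must be discarded.
SAMPLE_TRAFFIC = [
    ConnectionEvent("10.0.0.5", "203.0.113.9", b"GET / HTTP/1.1\r\nX-Demo-Beacon: deadbeef\r\n"),
    ConnectionEvent("10.0.0.7", "198.51.100.2", b"Subject: invoice\r\nAttachment: demo-dropper.exe"),
    ConnectionEvent("10.0.0.8", "198.51.100.3", b"Subject: benefits form\r\nSSN: 000-00-0000"),
    ConnectionEvent("10.0.0.9", "203.0.113.4", b"GET /news HTTP/1.1\r\n"),
]
```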
Callahan said she conducted the privacy impact statement because Einstein 3 could analyze Internet traffic containing personally identifiable information. The test will involve a federal agency, an Internet service provider and DHS's U.S.-CERT and the Network Security Deployment Division.
Privacy advocates and civil libertarians have raised concerns about Einstein 3 allowing government agents to gain access to personally identifiable information of American citizens. At a congressional hearing last November, Gregory Nojeim, senior counsel and director of Project Freedom, Security and Technology at the Center for Democracy and Technology, cited press accounts that Einstein 3 would rely on pre-defined signatures of malicious code that might contain personally identified information, and threaten the privacy of law-abiding citizens.
At that hearing, DHS Deputy Undersecretary Philip Reitinger said the department has added layers of protection by creating an oversight and compliance officer position within the Office of the Assistant Secretary for Cybersecurity and Communications, whose primary function is the monitoring and oversight of the Einstein program. In addition, he said, Callahan is a member of the Einstein development team and reviews all components of the Einstein system to determine which elements require a privacy impact assessment.
The Obama administration is slowly providing more details on Einstein 3 and other cybersecurity initiatives. Earlier this month, at RSA Conference 2010, Cybersecurity Coordinator Howard Schmidt announced a declassified version of the Comprehensive National Cybersecurity Initiative, or CNCI, including previously unknown information about Einstein 3.
In her report, Callahan said the forthcoming exercise will seek to show the ability of:
- The ISP - designated as a TIC Access Provider - to redirect agency-specific Internet traffic through Einstein 3.
- U.S.-CERT, employing Einstein 3, to analyze redirected agency-specific traffic to detect cyber threats, and to respond appropriately to those threats.
- U.S.-CERT to develop techniques for supporting future Einstein capabilities.
- U.S.-CERT to potentially share cybersecurity-related information with appropriate organizations in real-time to coordinate the cybersecurity activities of the federal government.
- TIC Access Provider to deliver the traffic back to the particular participating agency in a timely and efficient fashion.
Once the exercise is completed, Callahan said, DHS will determine which technologies and methodologies to use in implementing Einstein 3.
The privacy impact statement provides some details on what's expected of the parties involved in the test and, presumably, when Einstein 3 is actually deployed: the ISP, the DHS units and the participating federal agency.
The 19-page privacy impact assessment describes the four stages of the test, with each stage built on the capabilities of the previous phase. The stages are:
Phase One will demonstrate the TIC Access Provider's ability to successfully redirect the participating agency's traffic. The ISP will demonstrate that it can accurately identify the participating agency's traffic, re-direct only this network traffic to a secured facility within the ISP's facility, and then re-insert this same traffic back from the secured facility onto the ISP's network.
Phase Two will involve the installation of Einstein 3 in the secured facility within the TIC Access Provider's facility. This phase is planned for 30 days from completion of Phase One.
Phase Three will require the TIC Access Provider to connect Einstein 3 and begin the operational portion of the exercise, during which U.S.-CERT will begin applying the test's capabilities to the participating agency's traffic against known or suspected cyber threats. The ISP will provide system maintenance as contracted by DHS. This phase is planned for 60 days from completion of Phase Two.
Phase Four, if elected by DHS, will continue the exercise for 12 months from completion of Phase Three. DHS's determination to extend the exercise will include a review of various factors, including achievement of test objectives and funding.
Callahan said the exercise will operate in a classified environment that will prevent unauthorized access to system information. Access to Einstein 3 will be limited to individuals who are cleared at the appropriate security level and have received DHS privacy training.