
DHS use of deep packet inspection technology in new net security system raises serious privacy questions

Department of Homeland Security is preparing to deploy a much more powerful version of its EINSTEIN intrusion-detection system that can capture e-mail content and personally identifiable data

By , Network World
April 24, 2013 03:26 PM ET

Network World - To protect the federal civilian agencies against cyberthreats, the Department of Homeland Security (DHS) is preparing to deploy a more powerful version of its EINSTEIN intrusion-detection system that’s supposed to detect attacks and malware, especially associated with e-mail. But since this version of EINSTEIN is acknowledged by DHS to be able to read electronic content, it’s raising privacy concerns.


The DHS recognizes there are privacy implications and has just issued a “privacy impact assessment” report about what it calls EINSTEIN 3 Accelerated, the intrusion detection and prevention system expected to be made available as a managed security service from ISPs to monitor the “.gov” traffic to and from civilian agencies and Executive Branch departments, such as Treasury. DHS says EINSTEIN 3 may, in order to detect a cyberthreat or potential cyberthreat, collect “personally identifiable information” (PII) in some instances where this network security system will not just monitor but also prevent threats by blocking traffic.



In its “privacy impact assessment” for EINSTEIN 3, published April 19, DHS states that appropriate privacy-protection controls related to PII have been established. DHS says it has procedures in place where analysts will know how to “minimize (i.e., overwrite, redact, or replace) PII data that is not necessary to understand the cyber threat.”

But EINSTEIN 3 is anticipated to include packet-inspection tools that “allow an analyst to look at the content of the threat data, which enables a more comprehensive analysis. Packet capture may contain information that could be considered PII-like malicious data from or associated with email messages or attachments,” the DHS privacy-impact assessment notes.

“DHS is only using this information to better identify a known or suspected cyber threat against computer networks,” states the DHS privacy impact assessment, which cites as its main contacts Brendan Goode, director, network security deployment, Office of Cybersecurity & Communications, National Protection and Programs Directorate at DHS, and the DHS acting chief privacy officer, Jonathan Cantor.

In its privacy-impact statement, DHS acknowledges EINSTEIN 3’s threat-prevention capabilities “may include deep-packet inspection by ISPs. DHS will approve indicators to be transferred to ISPs for deployment in E3A to ensure that indicators are specific to a particular type of traffic and are not overly broad in their data collection requirements.”

These “indicators” are expected to be configured by ISPs into “signatures” related to pattern-matching to detect “known or suspected malicious traffic to and from the participating agencies.” ISPs that participate in EINSTEIN 3 are being asked to submit their own “cyber threat indicators” to DHS for consideration as well.
