DHS use of deep packet inspection technology in new net security system raises serious privacy questions

Department of Homeland Security is preparing to deploy a much more powerful version of its EINSTEIN intrusion-detection system that can capture e-mail content and personally identifiable data

To protect the federal civilian agencies against cyberthreats, the Department of Homeland Security (DHS) is preparing to deploy a more powerful version of its EINSTEIN intrusion-detection system that’s supposed to detect attacks and malware, especially those associated with e-mail. But since DHS acknowledges that this version of EINSTEIN is able to read electronic content, it’s raising privacy concerns.


DHS recognizes there are privacy implications and has just issued a “privacy impact assessment” report about what it calls EINSTEIN 3 Accelerated, the intrusion detection and prevention system expected to be made available as a managed security service from ISPs to monitor the “.gov” traffic to and from civilian agencies and Executive Branch departments, such as Treasury. DHS says EINSTEIN 3 may collect “personally identifiable information” (PII) in some instances, because this network security system will not just monitor but also prevent threats by blocking traffic, and will capture data in order to detect a cyberthreat or potential cyberthreat.

In its “privacy impact assessment” for EINSTEIN 3 published April 19, DHS states appropriate privacy-protection controls related to PII have been established. DHS says it has procedures in place where analysts will know how to “minimize (i.e., overwrite, redact, or replace) PII data that is not necessary to understand the cyber threat.”

But EINSTEIN 3 is anticipated to include packet-inspection tools that “allow an analyst to look at the content of the threat data, which enables a more comprehensive analysis. Packet capture may contain information that could be considered PII-like malicious data from or associated with email messages or attachments,” the DHS privacy-impact assessment notes.

“DHS is only using this information to better identify a known or suspected cyber threat against computer networks,” states the DHS privacy impact assessment which cites the main contacts as Brendan Goode, director, network security deployment, Office of Cybersecurity & Communications, National Protection and Programs Directorate at DHS and the DHS acting chief privacy officer, Jonathan Cantor.

In its privacy impact assessment, DHS acknowledges that EINSTEIN 3’s threat-prevention capabilities “may include deep-packet inspection by ISPs. DHS will approve indicators to be transferred to ISPs for deployment in E3A to ensure that indicators are specific to a particular type of traffic and are not overly broad in their data collection requirements.”

These “indicators” are expected to be configured by ISPs into “signatures” related to pattern-matching to detect “known or suspected malicious traffic to and from the participating agencies.” ISPs that participate in EINSTEIN 3 are being asked to submit their own “cyber threat indicators” to DHS for consideration as well.

According to the DHS privacy impact assessment report, the idea is that alerts and other information provided to the DHS cybersecurity office by the ISP providing the managed service “will generally contain the following information: unique ID for the alert, participating agency, indicator/action pair that produced the alert, date and timestamp of the alert, netflow record, and if applicable, identification of quarantined or captured/stored data associated with the alert.”
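To make the alert record above and the PIA’s “minimize (i.e., overwrite, redact, or replace)” requirement concrete, here is an added illustration (not code from DHS, the PIA or any ISP): a constructed indicator is matched against a constructed mail payload, an alert with the listed fields is produced, and e-mail addresses in the captured data that are not part of the matched indicator are overwritten before the record is retained. The indicator identifier, pattern, flow record and payload are all hypothetical.

```python
import re
from dataclasses import dataclass, replace
from typing import Optional

# Constructed indicator/action pair, standing in for a DHS-approved indicator an ISP
# would deploy as a pattern-matching signature (hypothetical identifier and pattern).
INDICATORS = {"IND-0001": (re.compile(rb"invoice_\d+\.exe"), "alert")}

# E-mail addresses are the PII-like content the PIA expects packet capture to pick up.
EMAIL_RE = re.compile(rb"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

@dataclass
class Alert:
    alert_id: str            # unique ID for the alert
    agency: str              # participating agency
    indicator_action: str    # indicator/action pair that produced the alert
    timestamp: str           # date and timestamp of the alert
    netflow: dict            # netflow record (IPs, ports, times)
    captured: Optional[bytes] = None  # captured/stored data, if applicable

def match_indicators(payload: bytes):
    """Return (indicator_id, action) for the first signature that fires, else None."""
    for ind_id, (pattern, action) in INDICATORS.items():
        if pattern.search(payload):
            return ind_id, action
    return None

def build_alert(alert_id, agency, flow, payload):
    """Build the alert record the ISP would forward to DHS, or None if nothing matched."""
    hit = match_indicators(payload)
    if hit is None:
        return None
    return Alert(alert_id, agency, f"{hit[0]}/{hit[1]}", flow["start"], flow, payload)

def minimize_pii(alert: Alert) -> Alert:
    """Overwrite e-mail addresses in captured data unless they are part of the matched indicator."""
    if alert.captured is None:
        return alert
    pattern, _ = INDICATORS[alert.indicator_action.split("/")[0]]
    ind_hit = pattern.search(alert.captured)
    keep = ind_hit.group(0) if ind_hit else b""
    def overwrite(m):
        return m.group(0) if m.group(0) in keep else b"[REDACTED]"
    return replace(alert, captured=EMAIL_RE.sub(overwrite, alert.captured))

# Constructed flow record and mail payload (documentation addresses, not real traffic).
FLOW = {"src_ip": "198.51.100.7", "src_port": 51514, "dst_ip": "192.0.2.10",
        "dst_port": 25, "start": "2013-04-19T10:00:00Z"}
PAYLOAD = (b"From: jane.doe@example.org\r\nTo: staff@agency.example\r\n"
           b"Subject: invoice\r\n\r\nPlease run the attached invoice_2231.exe\r\n")
```

The flow record and the indicator hit survive minimization, which is what an analyst needs to understand the threat; the sender and recipient addresses do not.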

Participating departments and agencies are expected to enter into a “memorandum of understanding” with DHS to authorize the application of these intrusion-prevention capabilities by DHS, and lists of identified IP addresses will be verified by DHS.

However, some privacy-advocacy groups, including the Electronic Privacy Information Center (EPIC) based in Washington, D.C., say they have questions about EINSTEIN 3.

“We’re not sure entirely where this information is flowing when the government puts it into a database,” says Amie Stepanovich, director, EPIC domestic surveillance project, who has read the EINSTEIN 3 privacy impact assessment report. The ability of the government to intercept and sort through any collected data could include not just official business but intercepted communications that involve personal contacts as well, she points out.

Stepanovich says the secretive EINSTEIN program appears to operate under what’s known as National Security Presidential Directive 54 (NSPD-54), an as-yet undisclosed cybersecurity directive signed by George W. Bush in 2008 whose contents have not yet been made public. She noted EPIC has an ongoing lawsuit to compel the government to make NSPD-54 available to the public.

Originally called the National Cybersecurity Protection System, the EINSTEIN project started in 2004 as a way to automatically collect computer network security information from voluntarily participating federal executive agencies by means of EINSTEIN 1. EINSTEIN 2, launched in 2008, evolved further into “a network intrusion detection system that monitors for malicious activity in network traffic to and from participating federal executive agencies” to assist the U.S. Computer Emergency Readiness Team (US-CERT). That’s according to the “Privacy Compliance Review of the EINSTEIN Program” published Jan. 3, 2012 by DHS.

Both EINSTEIN 1 and 2 continue to operate for their distinct purposes, according to the DHS report. EINSTEIN 1 collects network flow records, which identify the source Internet Protocol (IP) address of the computer that connects to the federal system, recording source port, communications time, federal destination IP address and other protocol information. EINSTEIN 2 makes use of custom signatures based upon known malicious traffic to detect attacks. The DHS report from January 2012 said EINSTEIN 2 can collect some PII, including the email header and the body of the email message, when a custom signature indicates a cyberthreat. The Jan. 2012 privacy compliance review by DHS indicated any information collected related to a cyberthreat will be maintained for up to three years.

There has been some external sharing of information collected by EINSTEIN 2, including with India and Israel, and the DHS Privacy Office recommended that US-CERT stipulate what PII is to be shared in the reports, and the retention periods, in memorandums of understanding with all foreign partners.

The DHS Office of Cybersecurity & Communications in the National Protection and Programs Directorate is making it clear in its publicly available privacy impact assessment that the updated EINSTEIN 3 is expected to be available as a managed security service provided by ISPs under the direction of DHS.

DHS was not immediately available to discuss the EINSTEIN program and when EINSTEIN 3 will be in deployment.

Other recent public information also suggests what’s occurred behind the scenes with EINSTEIN.

The U.S. General Accountability Office (GAO) report titled “Cybersecurity: National Strategy, Roles and Responsibilities Need to Be Better Defined and More Effectively Implemented,” which was published in February of this year, says that 53 federal agencies are now using EINSTEIN 2 intrusion-detection sensors. It didn’t state which ones.

The GAO’s cybersecurity report says the EINSTEIN 2 project involved deploying sensors to inspect Internet traffic entering federal systems for unauthorized accesses and malicious content. EINSTEIN 3’s goal is to “identify and characterize malicious network traffic to enhance cybersecurity analysis, situational awareness, and security response.”

According to the GAO report, DHS staff have also stated that the department “is incorporating an EINSTEIN 3 accelerated (E3A) strategy” that allows for accelerated deployment of intrusion-prevention services through an ISP-based managed security service.

“According to DHS, the E3A approach represents a shift from DHS’s previous partnership with the National Security Agency for implementation of National Security Agency-developed intrusion technology to a partnership between DHS and commercial providers for the utilization of commercial intrusion-prevention technologies,” the GAO report states. But it’s not disclosed which ISPs or commercial providers are partnering on EINSTEIN 3.

The GAO report says the EINSTEIN program so far has helped DHS “improve situational awareness of activity across the federal government,” as DHS “developed performance measures to monitor and track agency responses to EINSTEIN alerts.” For example, DHS is said to track when an agency responds to an alert, and how long each alert remains open.

However, the GAO report indicated DHS has a long way to go to have a fully effective IDS/IPS in EINSTEIN.

“DHS stated that while it has made progress in developing its predictive analysis through the EINSTEIN program, it remains challenged in fully developing this capability,” the GAO report said. “DHS plans to test tools for predictive analysis across federal agencies and private networks and systems by the first quarter of fiscal year 2013.”

The GAO report of February 2013 points out that in 2010, the DHS inspector general reported that the tools US-CERT used did not allow for real-time analysis of network traffic. The inspector general recommended that DHS establish a capability to share real-time EINSTEIN information with federal agency partners to assist them in the analysis of network traffic and the mitigation of incidents.

According to the GAO, in response to the inspector general report, DHS stated that while it plans to upgrade its capabilities to share real-time information with multiple stakeholders and better analyze cyber incidents, “these capabilities are not expected to be fully operational until fiscal year 2018.”

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: emessmer@nww.com.


Copyright © 2013 IDG Communications, Inc.
