Einstein (US-CERT program)

Last updated
EINSTEIN System
Original author(s) US-CERT
Developer(s) CISA
Initial release2004
Type network security and computer security
Website www.cisa.gov/einstein

The EINSTEIN System (part of the National Cybersecurity Protection System) is a network intrusion detection and prevention system that monitors the networks of US federal government departments and agencies. The system is developed and managed by the Cybersecurity and Infrastructure Security Agency (formerly NPPD/United States Computer Emergency Readiness Team (US-CERT) [1] ) in the United States Department of Homeland Security (DHS). [2]

Contents

The program was originally developed to provide "situational awareness" for the civilian agencies and to "facilitate identifying and responding to cyber threats and attacks, improve network security, increase the resiliency of critical, electronically delivered government services, and enhance the survivability of the Internet." [1] The first version examined basic network traffic and subsequent versions examined content. [3]

EINSTEIN does not protect the network infrastructure of the private sector. [4]

History

The Federal Computer Incident Response Capability (FedCIRC) was one of four watch centers that were protecting federal information technology [5] when the E-Government Act of 2002 designated it the primary incident response center. [6] With FedCIRC at its core, US-CERT was formed in 2003 as a partnership between the newly created DHS and the CERT Coordination Center which is at Carnegie Mellon University and funded by the U.S. Department of Defense. [5] US-CERT delivered EINSTEIN to meet statutory and administrative requirements that DHS help protect federal computer networks and the delivery of essential government services. [1] EINSTEIN was implemented to determine if the government was under cyber attack. EINSTEIN does this by collecting flow data from all civilian agencies and compared that flow data to a baseline.

  1. If one Agency reported a cyber event, the 24/7 Watch at US-CERT could look at the incoming flow data and assist resolution.
  2. If one Agency was under attack, US-CERT Watch could quickly look at other Agency feeds to determine if it was across the board or isolated.

During EINSTEIN 1, it was determined that the civilian agencies did not know the entirety of what their registered IPv4 space included. This was obviously a security concern. Once an Agency's IPv4 space was validated, it was immediately clear that the Agency had more external Internet Connections or Gateways than could be reasonably instrumented and protected. This gave birth to the Office of Management and Budget's Trusted Internet Connections (TIC) Initiative. The initiative expected to reduce the government's 4,300 access points to 50 or fewer by June 2008. [7] [8]

Therefore, a new version of EINSTEIN was planned to "collect network traffic flow data in real time and also analyze the content of some communications, looking for malicious code, for example in e-mail attachments." [9] Three constraints on EINSTEIN that the DHS is trying to address are the large number of access points to U.S. agencies, the low number of agencies participating, and the program's "backward-looking architecture". [10] The expansion is known to be one of at least nine measures to protect federal networks. [11]

Mandate

The National Strategy to Secure Cyberspace (February 2003) featured the new cabinet-level United States Department of Homeland Security as the lead agency protecting IT. US-cyberspace-strategy-cover-Feb2003.jpg
The National Strategy to Secure Cyberspace (February 2003) featured the new cabinet-level United States Department of Homeland Security as the lead agency protecting IT.

EINSTEIN is the product of U.S. congressional and presidential actions of the early 2000s including the E-Government Act of 2002 which sought to improve U.S. government services on the Internet.

The Consolidated Appropriations Act of 2016 [13] added 6 USC 663(b)(1), which requires the Secretary of Homeland Security to "deploy, operate, and maintain" a capability to detect and prevent cybersecurity risks in network traffic in federal information systems. [14]

The use of these systems is mandated for federal agencies by 6 USC 663 'Agency Responsibilities'. Agencies must adopt updates to the system within 6 months. The Department of Defense, Intelligence Community, and other "national security systems" are exempt.

Adoption

EINSTEIN was deployed in 2004 [1] and until 2008 was voluntary. [15] By 2005, three federal agencies participated and funding was available for six additional deployments. By December 2006, eight agencies participated in EINSTEIN and by 2007, DHS itself was adopting the program department-wide. [16] By 2008, EINSTEIN was deployed at fifteen [17] of the nearly six hundred agencies, departments and Web resources in the U.S. government. [18]

As of September 2022, 248 federal agencies use EINSTEIN 1 and 2 "representing approximately 2.095 million users, or 99% of the total user population" and 257 agencies use E3A. [19]

EINSTEIN 1

When it was created, EINSTEIN was "an automated process for collecting, correlating, analyzing, and sharing computer security information across the Federal civilian government." [1]

EINSTEIN 1 was designed to resolve the six common security weaknesses [1] that were collected from federal agency reports and identified by the OMB in or before its report for 2001 to the U.S. Congress. [20] In addition, the program addresses detection of computer worms, anomalies in inbound and outbound traffic, configuration management as well as real-time trends analysis which CISA offers to U.S. departments and agencies on the "health of the Federal.gov domain". [1] EINSTEIN was designed to collect session data including: [1]

Around 2019, CISA expanded the system to include application layer information, such as HTTP URLs and SMTP headers.. [21]

CISA may ask for additional information in order to find the cause of anomalies EINSTEIN finds. The results of CISA's analysis are then given to the agency for disposition. [1]

EINSTEIN 2

EINSTEIN 2 was deployed in 2008 and "identifies malicious or potentially harmful computer network activity in federal government network traffic based on specific known signatures" and generates around 30,000 alerts a day. [19]

The EINSTEIN 2 sensor monitors each participating agency's Internet access point, "not strictly...limited to" Trusted Internet Connections, using both commercial and government-developed software. [22] EINSTEIN could be enhanced to create an early warning system to predict intrusions. [10]

CISA may share EINSTEIN 2 information with "federal executive agencies" according to "written standard operating procedures". CISA has no intelligence or law enforcement mission but will notify and provide contact information to "law enforcement, intelligence, and other agencies" when an event occurs that falls under their responsibility. [22]

EINSTEIN 3

Version 3.0 of EINSTEIN has been discussed to prevent attacks by "shoot[ing] down an attack before it hits its target." [23] The NSA is moving forward to begin a program known as “EINSTEIN 3,” which will monitor “government computer traffic on private sector sites.” (AT&T is being considered as the first private sector site.) The program plan, which was devised under the Bush administration, is controversial, given the history of the NSA and the warrantless wiretapping scandal. Many DHS officials fear that the program should not move forward because of “uncertainty about whether private data can be shielded from unauthorized scrutiny.” [24] Some believe the program will invade the privacy of individuals too much. [25]

Privacy

The Privacy Impact Assessment for EINSTEIN version 2 describes the program in detail. Einstein-2-PIA-20080519.png
The Privacy Impact Assessment for EINSTEIN version 2 describes the program in detail.

In the Privacy Impact Assessment (PIA) for EINSTEIN 2 published in 2008, DHS gave a general notice to people who use U.S. federal networks. [22] DHS assumes that Internet users do not expect privacy in the "To" and "From" addresses of their email or in the "IP addresses of the websites they visit" because their service providers use that information for routing. DHS also assumes that people have at least a basic understanding of how computers communicate and know the limits of their privacy rights when they choose to access federal networks. [22] The Privacy Act of 1974 does not apply to EINSTEIN 2 data because its system of records generally does not contain personal information and so is not indexed or queried by the names of individual persons. [22] A PIA for the first version is also available from 2004. [1]

DHS is seeking approval for an EINSTEIN 2 retention schedule in which flow records, alerts, and specific network traffic related to an alert may be maintained for up to three years, and if, for example in the case of a false alert, data is deemed unrelated or potentially collected in error, it can be deleted. [22] According to the DHS privacy assessment for US-CERT's 24x7 Incident Handling and Response Center in 2007, US-CERT data is provided only to those authorized users who "need to know such data for business and security purposes" including security analysts, system administrators and certain DHS contractors. Incident data and contact information are never shared outside of US-CERT and contact information is not analyzed. To secure its data, US-CERT's center began a DHS certification and accreditation process in May 2006 and expected to complete it by the first quarter of fiscal year 2007. As of March 2007, the center had no retention schedule approved by the National Archives and Records Administration and until it does, has no "disposition schedule"—its "records must be considered permanent and nothing may be deleted". [26] As of April 2013, DHS still had no retention schedule but was working "with the NPPD records manager to develop disposition schedules". [27] An update was issued in May 2016. [28]

2020 federal government data breach

Einstein failed to detect the 2020 United States federal government data breach. [29]

See also

Related Research Articles

<span class="mw-page-title-main">United States Department of Homeland Security</span> United States federal department

The United States Department of Homeland Security (DHS) is the U.S. federal executive department responsible for public security, roughly comparable to the interior or home ministries of other countries. Its stated missions involve anti-terrorism, border security, immigration and customs, cyber security, and disaster prevention and management.

The United States Computer Emergency Readiness Team (US-CERT) is an organization within the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Specifically, US-CERT is a branch of the Office of Cybersecurity and Communications' (CS&C) National Cybersecurity and Communications Integration Center (NCCIC).

<span class="mw-page-title-main">National Cyber Security Division</span>

The National Cyber Security Division (NCSD) is a division of the Office of Cyber Security & Communications, within the United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency. Formed from the Critical Infrastructure Assurance Office, the National Infrastructure Protection Center, the Federal Computer Incident Response Center, and the National Communications System, NCSD opened on June 6, 2003. The NCSD mission is to collaborate with the private sector, government, military, and intelligence stakeholders to conduct risk assessments and mitigate vulnerabilities and threats to information technology assets and activities affecting the operation of the civilian government and private sector critical cyber infrastructures. NCSD also provides cyber threat and vulnerability analysis, early warning, and incident response assistance for public and private sector constituents. NCSD carries out the majority of DHS’ responsibilities under the Comprehensive National Cybersecurity Initiative. The FY 2011 budget request for NCSD is $378.744 million and includes 342 federal positions. The current director of the NCSD is John Streufert, former chief information security officer (CISO) for the United States Department of State, who assumed the position in January 2012.

An information assurance vulnerability alert (IAVA) is an announcement of a computer application software or operating system vulnerability notification in the form of alerts, bulletins, and technical advisories identified by US-CERT, https://www.us-cert.gov/ US-CERT is managed by National Cybersecurity and Communications Integration Center (NCCIC), which is part of Cybersecurity and Infrastructure Security Agency (CISA), within the U.S. Department of Homeland Security (DHS). CISA, which includes the National Cybersecurity and Communications Integration Center (NCCIC) realigned its organizational structure in 2017, integrating like functions previously performed independently by the U.S. Computer Emergency Readiness Team (US-CERT) and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT). These selected vulnerabilities are the mandated baseline, or minimum configuration of all hosts residing on the GIG. US-CERT analyzes each vulnerability and determines if it is necessary or beneficial to the Department of Defense to release it as an IAVA. Implementation of IAVA policy will help ensure that DoD Components take appropriate mitigating actions against vulnerabilities to avoid serious compromises to DoD computer system assets that would potentially degrade mission performance.

<span class="mw-page-title-main">Hugo Teufel III</span> American lawyer

Hugo Teufel III is an American lawyer and former government official.

<span class="mw-page-title-main">Jeff Moss (hacker)</span> American computer security expert (born 1975)

Jeff Moss, also known as Dark Tangent, is an American hacker, computer and internet security expert who founded the Black Hat and DEF CON computer security conferences.

Managed Trusted Internet Protocol Service (MTIPS) was developed by the US General Services Administration (GSA) to allow US Federal agencies to physically and logically connect to the public Internet and other external connections in compliance with the Office of Management and Budget's (OMB) Trusted Internet Connection (TIC) Initiative.

The Comprehensive National Cybersecurity Initiative (CNCI) outlines U.S. cybersecurity goals across multiple agencies including the Department of Homeland Security, the Office of Management and Budget, and the National Security Agency. The initiative was established by President George W. Bush in January 2008 in National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23).

The National Cybersecurity Alliance (NCA), is an American nonprofit 501(c)(3) organization which promotes cyber security awareness and education. The NCA works with various stakeholders across government, industry, and civil society promoting partnerships between the federal government and technology corporations. NCA's primary federal partner is the Cybersecurity and Infrastructure Security Agency within the U.S. Department of Homeland Security.

<span class="mw-page-title-main">DHS Cyber Security Division</span>

The Cyber Security Division (CSD) is a division of the Science and Technology Directorate (S&T Directorate) of the United States Department of Homeland Security (DHS). Within the Homeland Security Advanced Research Projects Agency, CSD develops technologies to enhance the security and resilience of the United States' critical information infrastructure from acts of terrorism. S&T supports DHS component operational and critical infrastructure protections, including the finance, energy, and public utility sectors, as well as the first responder community.

<span class="mw-page-title-main">Cybersecurity Information Sharing Act</span>

The Cybersecurity Information Sharing Act is a United States federal law designed to "improve cybersecurity in the United States through enhanced sharing of information about cybersecurity threats, and for other purposes". The law allows the sharing of Internet traffic information between the U.S. government and technology and manufacturing companies. The bill was introduced in the U.S. Senate on July 10, 2014, and passed in the Senate on October 27, 2015. Opponents question CISA's value, believing it will move responsibility from private businesses to the government, thereby increasing vulnerability of personal private information, as well as dispersing personal private information across seven government agencies, including the NSA and local police.

<span class="mw-page-title-main">Homeland Security Cybersecurity Boots-on-the-Ground Act</span> Bill of the 113th United States Congress

The Homeland Security Cybersecurity Boots-on-the-Ground Act is a bill that would require the United States Department of Homeland Security (DHS) to undertake several actions designed to improve the readiness and capacity of DHS’s cybersecurity workforce. DHS would also be required to create a strategy for recruiting and training additional cybersecurity employees.

The Center for Internet Security (CIS) is a US 501(c)(3) nonprofit organization, formed in October 2000. Its mission statement professes that the function of CIS is to " help people, businesses, and governments protect themselves against pervasive cyber threats."

The National Cybersecurity and Communications Integration Center (NCCIC) is part of the Cybersecurity Division of the Cybersecurity and Infrastructure Security Agency, an agency of the U.S. Department of Homeland Security. It acts to coordinate various aspects of the U.S. federal government's cybersecurity and cyberattack mitigation efforts through cooperation with civilian agencies, infrastructure operators, state and local governments, and international partners.

<span class="mw-page-title-main">Cybersecurity and Infrastructure Security Agency</span> Agency of the United States Department of Homeland Security

The Cybersecurity and Infrastructure Security Agency (CISA) is a component of the United States Department of Homeland Security (DHS) responsible for cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government's cybersecurity protections against private and nation-state hackers.

<span class="mw-page-title-main">Matthew Travis</span> American businessman & government official

Matthew Travis is a businessman and former American government official. He served as the Deputy Director for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). Travis served as Deputy Under Secretary for the National Protection and Programs Directorate (NPPD) before the agency became CISA on November 16, 2018.

Internet security awareness or Cyber security awareness refers to how much end-users know about the cyber security threats their networks face, the risks they introduce and mitigating security best practices to guide their behavior. End users are considered the weakest link and the primary vulnerability within a network. Since end-users are a major vulnerability, technical means to improve security are not enough. Organizations could also seek to reduce the risk of the human element. This could be accomplished by providing security best practice guidance for end users' awareness of cyber security. Employees could be taught about common threats and how to avoid or mitigate them.

<span class="mw-page-title-main">2020 United States federal government data breach</span> US federal government data breach

In 2020, a major cyberattack suspected to have been committed by a group backed by the Russian government penetrated thousands of organizations globally including multiple parts of the United States federal government, leading to a series of data breaches. The cyberattack and data breach were reported to be among the worst cyber-espionage incidents ever suffered by the U.S., due to the sensitivity and high profile of the targets and the long duration in which the hackers had access. Within days of its discovery, at least 200 organizations around the world had been reported to be affected by the attack, and some of these may also have suffered data breaches. Affected organizations worldwide included NATO, the U.K. government, the European Parliament, Microsoft and others.

<span class="mw-page-title-main">Jen Easterly</span> American government official

Jen Easterly is an American intelligence and former military official who is serving as the director of the Cybersecurity and Infrastructure Security Agency in the Biden administration. She was confirmed by a voice vote in the Senate on July 12, 2021.

Operational collaboration is a cyber resilience framework that leverages public-private partnerships to reduce the risk of cyber threats and the impact of cyberattacks on United States cyberspace. This operational collaboration framework for cyber is similar to the Federal Emergency Management Agency (FEMA)'s National Preparedness System which is used to coordinate responses to natural disasters, terrorism, chemical and biological events in the physical world.

References

  1. 1 2 3 4 5 6 7 8 9 10 US-CERT (September 2004). "Privacy Impact Assessment: EINSTEIN Program" (PDF). U.S. Department of Homeland Security, National Cyber Security Division. Archived (PDF) from the original on 2008-05-14. Retrieved 2008-05-13.
  2. Miller, Jason (May 21, 2007). "Einstein keeps an eye on agency networks". Federal Computer Week. 1105 Media, Inc. Archived from the original on December 19, 2007. Retrieved 2008-05-13.
  3. Lieberman, Joe and Susan Collins (May 2, 2008). "Lieberman and Collins Step Up Scrutiny of Cyber Security Initiative". U.S. Senate Homeland Security and Governmental Affairs Committee. Archived from the original on January 12, 2009. Retrieved 2008-05-14.
  4. Nakashima, Ellen (January 26, 2008). "Bush Order Expands Network Monitoring: Intelligence Agencies to Track Intrusions". The Washington Post. Archived from the original on 2017-06-24. Retrieved 2008-05-18.
  5. 1 2 Gail Repsher Emery and Wilson P. Dizard III (September 15, 2003). "Homeland Security unveils new IT security team". Government Computer News. 1105 Media, Inc. Archived from the original on January 23, 2013. Retrieved 2008-05-16.
  6. "About E-GOV: The E-Government Act of 2002". U.S. Office of Management and Budget. Archived from the original on 2016-03-05. Retrieved 2008-05-16.
  7. Vijayan, Jaikumar (February 28, 2008). "Feds downplay privacy fears on plan to expand monitoring of government networks". Computerworld. IDG. Archived from the original on February 16, 2009. Retrieved 2008-05-13.
  8. Mosquera, Mary (July 10, 2008). "OMB: Agencies must shed more gateways". Federal Computer Week. Media, Inc. Archived from the original on July 13, 2008. Retrieved 2008-07-10.
  9. Waterman, Shaun (March 8, 2008). "Analysis: Einstein and U.S. cybersecurity". United Press International. Archived from the original on 2008-06-05. Retrieved 2008-05-13.
  10. 1 2 "Remarks by Homeland Security Secretary Michael Chertoff to the 2008 RSA Conference" (Press release). U.S. Department of Homeland Security. April 8, 2008. Archived from the original on May 14, 2008. Retrieved 2008-05-13.
  11. "Fact Sheet: Protecting Our Federal Networks Against Cyber Attacks" (Press release). U.S. Department of Homeland Security. April 8, 2008. Archived from the original on May 14, 2008. Retrieved 2008-05-13.
  12. "The National Strategy to Secure Cyberspace" (PDF). U.S. government via Department of Homeland Security. February 2003. p. 16. Archived from the original (PDF) on 2008-02-12. Retrieved 2008-05-18.
  13. "Public Law 114-113" (PDF). Congress.gov. 2015-12-18. p. 724. Archived (PDF) from the original on 2023-07-20. Retrieved 2023-07-16.
  14. "6 USC 663: Federal intrusion detection and prevention system". US House of Representatives. Archived from the original on 2023-07-16. Retrieved 2023-07-16.
  15. Vijayan, Jaikumar (February 29, 2008). "Q&A: Evans says feds steaming ahead on cybersecurity plan, but with privacy in mind". Computerworld. IDG. Archived from the original on May 2, 2008. Retrieved 2008-05-13.
  16. Office of the Inspector General (June 2007). "Challenges Remain in Securing the Nation's Cyber Infrastructure" (PDF). U.S. Department of Homeland Security. p. 12. Archived from the original (PDF) on 2008-05-15. Retrieved 2008-05-18.
  17. "Fact Sheet: U.S. Department of Homeland Security Five-Year Anniversary Progress and Priorities" (Press release). U.S. Department of Homeland Security. March 6, 2008. Archived from the original on May 14, 2008. Retrieved 2008-05-18.
  18. Apart from 106 listings for "Website" or "Home Page", 486 listings appear in "A-Z Index of U.S. Government Departments and Agencies". U.S. General Services Administration. Archived from the original on 2019-03-18. Retrieved 2008-05-18.
  19. 1 2 "EINSTEIN | CISA". www.cisa.gov. Archived from the original on 2023-07-16. Retrieved 2023-07-16.
  20. Office of Management and Budget (n.d.). "FY 2001 Report to Congress on Federal Government Information Security Reform" (PDF). Office of Information and Regulatory Affairs. p. 11. Retrieved 2008-05-14.
  21. "Privacy Impact Assessment for the National Cybersecurity Protection System (NCPS) - Intrusion Detection - DHS/CISA/PIA-033" (PDF). cisa.gov. September 25, 2019. p. 4. Archived (PDF) from the original on 2023-07-18. Retrieved 2023-07-18.
  22. 1 2 3 4 5 6 7 US-CERT (May 19, 2008). "Privacy Impact Assessment for EINSTEIN 2" (PDF). U.S. Department of Homeland Security. Archived (PDF) from the original on 2008-06-12. Retrieved 2008-06-12.
  23. "Homeland Security seeks cyber counterattack system". CNN. Turner Broadcasting System. October 4, 2008. Archived from the original on 2008-10-15. Retrieved 2008-10-07.
  24. Nakashima, Ellen (2009-07-03). "DHS Cybersecurity Plan Will Involve NSA, Telecoms". The Washington Post. Archived from the original on 2011-02-04. Retrieved 2010-05-01.
  25. Radack, Jesselyn (2009-07-14). "NSA's Cyber Overkill: A Project to Safeguard Governmental Computers, Run by the NSA, is too Big a Threat to Americans' Privacy". Los Angeles Times. Archived from the original on 2009-07-19. Retrieved 2009-07-27.
  26. "Privacy Impact Assessment for the 24x7 Incident Handling and Response Center" (PDF). U.S. Department of Homeland Security. March 29, 2007. Archived (PDF) from the original on 2008-05-14. Retrieved 2008-05-14.
  27. "Privacy Impact Assessment for EINSTEIN 3 - Accelerated (E3A)" (PDF). U.S. Department of Homeland Security. April 19, 2013. Archived (PDF) from the original on 2013-05-13. Retrieved 2013-12-29.
  28. "Privacy Impact Assessment Update for EINSTEIN 3 - Accelerated (E3A)" (PDF). Archived (PDF) from the original on 2016-08-26. Retrieved 2016-08-17.
  29. "Russians outsmart US government hacker detection system". The Independent. December 16, 2020. Archived from the original on December 18, 2020. Retrieved December 16, 2020.