Thursday, April 25, 2013

DHS use of deep packet inspection technology in new net security system raises serious privacy questions

Department of Homeland Security is preparing to deploy a much more powerful version of its EINSTEIN intrusion-detection system that can capture e-mail content and personally identifiable data

By Ellen Messmer, Network World
April 24, 2013 03:26 PM ET
Network World - To protect the federal civilian agencies against cyberthreats, the Department of Homeland Security (DHS) is preparing to deploy a more powerful version of its EINSTEIN intrusion-detection system that is supposed to detect attacks and malware, especially those associated with e-mail. But since DHS acknowledges that this version of EINSTEIN is able to read electronic content, it is raising privacy concerns.
The DHS recognizes there are privacy implications and has just issued a “privacy impact assessment” report about what it calls EINSTEIN 3 Accelerated, the intrusion detection and prevention system expected to be made available as a managed security service from ISPs to monitor the “.gov” traffic to and from civilian agencies and Executive Branch departments, such as Treasury. DHS says EINSTEIN 3 may collect “personally identifiable information” (PII) in some instances, because this network security system will not just monitor traffic but also block it to prevent a cyberthreat or potential cyberthreat.
In its “privacy impact assessment” for EINSTEIN 3, published April 19, DHS states that appropriate privacy-protection controls related to PII have been established. DHS says it has procedures in place so that analysts will know how to “minimize (i.e., overwrite, redact, or replace) PII data that is not necessary to understand the cyber threat.”
But EINSTEIN 3 is anticipated to include packet-inspection tools that “allow an analyst to look at the content of the threat data, which enables a more comprehensive analysis. Packet capture may contain information that could be considered PII-like malicious data from or associated with email messages or attachments,” the DHS privacy-impact assessment notes.
“DHS is only using this information to better identify a known or suspected cyber threat against computer networks,” states the DHS privacy impact assessment, which cites as its main contacts Brendan Goode, director, network security deployment, Office of Cybersecurity & Communications, National Protection and Programs Directorate at DHS, and the DHS acting chief privacy officer, Jonathan Cantor.
In its privacy impact assessment, DHS acknowledges that EINSTEIN 3’s threat-prevention capabilities “may include deep-packet inspection by ISPs. DHS will approve indicators to be transferred to ISPs for deployment in E3A to ensure that indicators are specific to a particular type of traffic and are not overly broad in their data collection requirements.”
These “indicators” are expected to be configured by ISPs into “signatures” related to pattern-matching to detect “known or suspected malicious traffic to and from the participating agencies.” ISPs that participate in EINSTEIN 3 are being asked to submit their own “cyber threat indicators” to DHS for consideration as well.
According to the DHS privacy impact assessment report, the idea is that alerts and other information provided to the DHS cybersecurity office by the ISP providing the managed service “will generally contain the following information: unique ID for the alert, participating agency, indicator/action pair that produced the alert, date and timestamp of the alert, netflow record, and if applicable, identification of quarantined or captured/stored data associated with the alert.”
Participating departments and agencies are expected to enter into a “memorandum of understanding” with DHS to authorize the application of these intrusion-prevention capabilities by DHS, and lists of identified IP addresses will be verified by DHS.
However, some privacy-advocacy groups, including the Electronic Privacy Information Center (EPIC) based in Washington, D.C., say they have questions about EINSTEIN 3.
“We’re not sure entirely where this information is flowing when the government puts it into a database,” says Amie Stepanovich, director, EPIC domestic surveillance project, who has read the EINSTEIN 3 privacy impact assessment report. The ability of the government to intercept and sort through any collected data could include not just official business but intercepted communications that involve personal contacts as well, she points out.
Stepanovich says the secretive EINSTEIN program appears to operate under what’s known as National Security Presidential Directive 54 (NSPD-54), a cybersecurity directive signed by George W. Bush in 2008 whose contents have not yet been made public. She noted EPIC has an ongoing lawsuit to compel the government to make NSPD-54 available to the public.
Originally called the National Cybersecurity Protection System, the EINSTEIN project started in 2004 as a way to automatically collect computer network security information from voluntarily participating federal executive agencies by means of EINSTEIN 1. EINSTEIN 2, launched in 2008, evolved further into “a network intrusion detection system that monitors for malicious activity in network traffic to and from participating federal executive agencies” to assist the U.S. Computer Emergency Readiness Team (US-CERT). That’s according to the “Privacy Compliance Review of the EINSTEIN Program” published Jan. 3, 2012 by DHS.
Both EINSTEIN 1 and 2 continue to operate for their distinct purposes, according to the DHS report. EINSTEIN 1 collects network flow records, which identify the source Internet Protocol (IP) address of the computer that connects to the federal system, recording source port, communications time, federal destination IP address and other protocol information. EINSTEIN 2 makes use of custom signatures based upon known malicious traffic to detect attacks. The DHS report from January 2012 said EINSTEIN 2 can collect some PII, including the e-mail header and the body of the e-mail message, when a custom signature indicates a cyberthreat. The Jan. 2012 privacy compliance review by DHS indicated that any information collected related to a cyberthreat will be maintained for up to three years.
There has been some external sharing of information collected by EINSTEIN 2, including with India and Israel, and the DHS Privacy Office recommended that US-CERT stipulate, in memorandums of understanding with all foreign partners, what PII is to be shared in the reports and for how long it is retained.
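As an added illustration of the two controls the article describes, the PII minimization analysts are supposed to apply and the three-year retention limit, the following Python (not DHS or Network World code) takes an alert record in the shape the privacy impact assessment lists and overwrites the e-mail content that is not needed to understand the threat while keeping the netflow and indicator data. The record layout, field names and all sample values are constructed assumptions.

```python
"""Added example (not DHS code): minimising PII in an EINSTEIN-style alert record
and checking the three-year retention window described in the article.
Field names and sample values are constructed for illustration."""
from datetime import datetime, timedelta
import re

RETENTION = timedelta(days=3 * 365)           # "maintained for up to three years"
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
ADDRESS_HEADERS = ("From", "To", "Cc")        # headers that carry personal addresses

# Constructed alert: unique ID, agency, indicator/action pair, timestamp,
# netflow record, and the captured data associated with the alert.
SAMPLE_ALERT = {
    "alert_id": "E3A-000123",
    "agency": "Treasury",
    "indicator": {"pattern": "<indicator placeholder>", "action": "block"},
    "timestamp": "2013-04-19T14:02:00",
    "netflow": {"src": "198.51.100.7", "dst": "192.0.2.10", "dport": 25, "proto": "tcp"},
    "captured": {
        "headers": {"From": "jane.doe@example.org", "Subject": "Invoice"},
        "body": "Hi Bob, my phone is 555-0100, see the attachment.",
    },
}


def minimize(alert: dict) -> dict:
    """Return a copy in which PII not needed to understand the threat is overwritten.

    Netflow, indicator and agency fields are kept as-is; e-mail addresses in
    address headers are replaced and the message body is dropped entirely.
    """
    out = {k: v for k, v in alert.items() if k != "captured"}
    cap = alert.get("captured") or {}
    headers = {
        name: (EMAIL_RE.sub("[REDACTED]", value) if name in ADDRESS_HEADERS else value)
        for name, value in cap.get("headers", {}).items()
    }
    out["captured"] = {"headers": headers, "body": "[REDACTED]" if cap.get("body") else ""}
    return out


def expired(alert: dict, now: datetime) -> bool:
    """True once the alert is older than the retention window and should be purged."""
    return now - datetime.fromisoformat(alert["timestamp"]) > RETENTION


if __name__ == "__main__":
    print(minimize(SAMPLE_ALERT))
    print(expired(SAMPLE_ALERT, datetime(2016, 5, 1)))
```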