Einstein (US-CERT program)
Einstein is an intrusion detection system that monitors the network gateways of government departments and agencies in the United States for unauthorized traffic. The software was developed by the United States Computer Emergency Readiness Team (US-CERT), which is the operational arm of the National Cyber Security Division (NCSD) of the United States Department of Homeland Security (DHS). The first version examined network traffic, while the expansion under development could also examine content.

Mandate

Einstein is the product of U.S. congressional and presidential actions of the early 2000s, including the E-Government Act of 2002, which sought to improve U.S. government services on the Internet. Originating at the National Institute of Standards and Technology and subsequently moved to the General Services Administration, the Federal Computer Incident Response Capability (FedCIRC) was one of four watch centers that were protecting federal information technology when the act designated it the primary incident response center. With FedCIRC at its core, US-CERT formed in 2003 as a partnership between the newly created DHS and the CERT Coordination Center, which is at Carnegie Mellon University and funded by the U.S. Department of Defense. US-CERT delivered Einstein to meet statutory and administrative requirements that DHS help protect federal computer networks and the delivery of essential government services.

Einstein's mandate originated in the Homeland Security Act and the Federal Information Security Management Act, both in 2002, and the presidential directive named Homeland Security Presidential Directive (HSPD) 7, which was issued on December 17, 2003. On November 20, 2007, "in accordance with" an Office of Management and Budget (OMB) memo, Einstein version 2 was required for all federal agencies, except "not to include" the Department of Defense and United States Intelligence Community agencies in the executive branch.

Adoption

Einstein was deployed in 2004 and until 2008 was voluntary. By 2005, three federal agencies participated and funding was available for six additional deployments. By December 2006, eight agencies participated in Einstein and by 2007, DHS itself was adopting the program department-wide. By 2008, Einstein was deployed at fifteen of the nearly six hundred agencies, departments and Web resources in the U.S. government.

Features

When it was created, Einstein was "an automated process for collecting, correlating, analyzing, and sharing computer security information across the Federal civilian government." Einstein does not protect the network infrastructure of the private sector. As described in 2004, its purpose is to "facilitate identifying and responding to cyber threats and attacks, improve network security, increase the resiliency of critical, electronically delivered government services, and enhance the survivability of the Internet."

Einstein was designed to resolve the six common security weaknesses that were collected from federal agency reports and identified by the OMB in or before its report for 2001 to the U.S. Congress. In addition, the program addresses detection of computer worms, anomalies in inbound and outbound traffic, configuration management as well as real-time trends analysis which US-CERT offers to U.S. departments and agencies on the "health of the Federal.gov domain". Einstein was designed to collect session data including:
  • Autonomous system numbers (ASN)
  • ICMP type and code
  • Packet length
  • Protocol
  • Sensor identification and connection status (the location of the source of the data)
  • Source and destination IP address
  • Source and destination port
  • TCP flag information
  • Timestamp and duration information

US-CERT may ask for additional information in order to find the cause of anomalies Einstein finds. The results of US-CERT's analysis are then given to the agency for disposition.
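An added illustration, not from the article or from DHS, of the flow-based detection the Features section describes: a record type carrying the session fields listed above, and a simple fan-out check that flags worm-like scanning in constructed sample flows. All addresses, ASNs and sensor names are hypothetical.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowRecord:
    """One session record with the fields the article says Einstein collects."""
    sensor_id: str    # sensor identification (which agency gateway saw the flow)
    timestamp: int    # flow start, epoch seconds
    duration: int     # seconds
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int     # IANA number: 1 = ICMP, 6 = TCP, 17 = UDP
    tcp_flags: str    # flags seen in the session, e.g. "S" for a lone SYN
    packet_len: int   # bytes
    src_asn: int
    dst_asn: int
    icmp_type: int = -1   # only meaningful when protocol == 1
    icmp_code: int = -1

def detect_worm_fanout(flows, window=60, min_targets=5):
    """Return (src_ip, dst_port, target_count) for sources sending SYN-only flows
    to >= min_targets distinct hosts on one port within `window` seconds."""
    by_source = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.timestamp):
        if f.protocol == 6 and f.tcp_flags == "S":   # unanswered SYNs only
            by_source[(f.src_ip, f.dst_port)].append(f)
    alerts = []
    for (src, port), fs in by_source.items():
        for i, first in enumerate(fs):   # slide the window over each start point
            targets = {g.dst_ip for g in fs[i:] if g.timestamp - first.timestamp <= window}
            if len(targets) >= min_targets:
                alerts.append((src, port, len(targets)))
                break
    return alerts

def _flow(ts, src, dst, dport, flags, sensor="gw-agencyA"):
    # Constructed sample data: hypothetical addresses, private-range ASNs, sensor name.
    return FlowRecord(sensor, ts, 1, src, dst, 40000 + ts % 1000, dport, 6, flags, 60, 64512, 64513)

SAMPLE_FLOWS = (
    # benign: one workstation completing handshakes to a web server
    [_flow(1000 + 10 * i, "10.1.1.20", "10.1.1.80", 443, "SA") for i in range(8)]
    # worm-like: one source sending lone SYNs to six hosts on port 445 within 30 s
    + [_flow(1100 + 5 * i, "198.51.100.7", f"10.1.2.{i + 1}", 445, "S") for i in range(6)]
)
```

Only the fields above are needed for this check; nothing in the records is keyed to a person's name, which matches the privacy reasoning later in the article.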

Einstein 2

Three constraints on Einstein that the DHS is trying to address are the large number of access points to U.S. agencies, the low number of agencies participating, and the program's "backward-looking architecture". An OMB "Trusted Internet Connections" initiative was expected to reduce the government's 4,300 access points to 50 or fewer by June 2008. After agencies reduced access points by over 60% and requested more than their target, OMB reset their goal to the latter part of 2009 with the number to be determined. A new version of Einstein was planned to "collect network traffic flow data in real time and also analyze the content of some communications, looking for malicious code, for example in e-mail attachments." The expansion is known to be one of at least nine measures to protect federal networks.

The new version, called EINSTEIN 2, will have a "system to automatically detect malicious network activity, creating alerts when it is triggered". Einstein 2 will use "the minimal amount" necessary of predefined attack signatures which will come from internal, commercial and public sources. The Einstein 2 sensor monitors each participating agency's Internet access point, "not strictly...limited to" Trusted Internet Connections, using both commercial and government-developed software. Einstein could be enhanced to create an early warning system to predict intrusions.

US-CERT may share Einstein 2 information with "federal executive agencies" according to "written standard operating procedures" and only "in a summary form". Because US-CERT has no intelligence or law enforcement mission it will notify and provide contact information to "law enforcement, intelligence, and other agencies" when an event occurs that falls under their responsibility.

Einstein 3

Version 3.0 of Einstein has been discussed as a way to prevent attacks by "shoot[ing] down an attack before it hits its target." The NSA is moving forward to begin a program known as “Einstein 3,” which will monitor “government computer traffic on private sector sites.” (AT&T is being considered as the first private sector site.) The program plan, which was devised under the Bush administration, is controversial, given the history of the NSA and the warrantless wiretapping scandal. Many DHS officials fear that the program should not move forward because of “uncertainty about whether private data can be shielded from unauthorized scrutiny.” Some believe the program would intrude too far on the privacy of individuals.

Privacy

In the Privacy Impact Assessment (PIA) for Einstein 2 published in 2008, DHS gave a general notice to people who use U.S. federal networks. DHS assumes that Internet users do not expect privacy in the "To" and "From" addresses of their email or in the "IP addresses of the websites they visit" because their service providers use that information for routing. DHS also assumes that people have at least a basic understanding of how computers communicate and know the limits of their privacy rights when they choose to access federal networks. The Privacy Act of 1974 does not apply to Einstein 2 data because its system of records generally does not contain personal information and so is not indexed or queried by the names of individual persons. A PIA for the first version is also available from 2004.

DHS is seeking approval for an Einstein 2 retention schedule in which flow records, alerts, and specific network traffic related to an alert may be maintained for up to three years, while data deemed unrelated or potentially collected in error, for example in the case of a false alert, can be deleted.

According to the DHS privacy assessment for US-CERT's 24x7 Incident Handling and Response Center in 2007, US-CERT data is provided only to those authorized users who "need to know such data for business and security purposes", including security analysts, system administrators and certain DHS contractors. Incident data and contact information are never shared outside of US-CERT, and contact information is not analyzed. To secure its data, US-CERT's center began a DHS certification and accreditation process in May 2006 and expected to complete it by the first quarter of fiscal year 2007. As of March 2007, the center had no retention schedule approved by the National Archives and Records Administration and, until it does, has no "disposition schedule"—its "records must be considered permanent and nothing may be deleted".

The source of this article is wikipedia, the free encyclopedia. The text of this article is licensed under the GFDL.