Einstein (US-CERT program)

Infobox Software
name = EINSTEIN



caption =
author =
developer = US-CERT
released = 2004
latest release version =
latest release date =
latest preview version =
latest preview date =
operating system =
platform =
language =
genre = network security and computer security
license =
website = [http://www.us-cert.gov/federal/analytical.html Analytical Tools and Programs] at US-CERT for government users

Einstein also known as the EINSTEIN Program is an intrusion detection system that monitors the network gateways of government departments and agencies in the United States for unauthorized traffic. The software was developed by the United States Computer Emergency Readiness Team (US-CERT), which is the operational arm of the National Cyber Security Division [cite web|title=About US-CERT|url=http://www.us-cert.gov/aboutus.html|publisher=U.S. Department of Homeland Security|accessdate=2008-05-18] (NCSD) of the United States Department of Homeland Security (DHS). [cite news|author=Miller, Jason|title=Einstein keeps an eye on agency networks|url=http://www.fcw.com/print/13_16/news/102730-1.html|work=Federal Computer Week|publisher=1105 Media, Inc.|date=May 21, 2007|accessdate=2008-05-13] The first version examined network traffic while the expansion in development could look at content.cite web|author=Lieberman, Joe and Susan Collins|title=Lieberman and Collins Step Up Scrutiny of Cyber Security Initiative|url=http://hsgac.senate.gov/public/index.cfm?Fuseaction=PressReleases.Detail&PressRelease_id=a32aba11-4443-4577-b9a5-3b2ea2c2f826&Month=5&Year=2008|date=May 2, 2008|publisher=U.S. Senate Homeland Security and Governmental Affairs Committee|accessdate=2008-05-14]

Mandate

Einstein is the product of U.S. congressional and presidential actions of the early 2000s including the E-Government Act of 2002 which sought to improve U.S. government services on the Internet. Originating at the National Institute of Standards and Technology and subsequently moved to the General Services Administration, FedCirc was one of four watch centers that were protecting federal information technology when the act designated it the primary incident response center. [cite web|title=About E-GOV: The E-Government Act of 2002|url=http://www.whitehouse.gov/omb/egov/g-4-act.html|publisher=U.S. Office of Management and Budget|accessdate=2008-05-16] With FedCirc at its core, US-CERT formed in 2003 as a partnership between the newly created DHS and the CERT Coordination Center which is funded at Carnegie Mellon University by the U.S. Department of Defense.cite news|author=Gail Repsher Emery and Wilson P. Dizard III|title=Homeland Security unveils new IT security team|url=http://www.gcn.com/online/vol1_no1/23534-1.html|work=Government Computer News|publisher=1105 Media, Inc.|date=September 15, 2003|accessdate=2008-05-16] US-CERT delivered Einstein to meet statutory and administrative requirements that DHS help protect federal computer networks and the delivery of essential government services.

Einstein's mandate originated in the Homeland Security Act and the Federal Information Security Management Act, both in 2002, and the presidential directive named Homeland Security Presidential Directive (HSPD) 7 which was issued on December 17, 2003. [cite press release|author=Bush, George W.|title=Homeland Security Presidential Directive/Hspd-7|url=http://www.whitehouse.gov/news/releases/2003/12/20031217-5.html|publisher=Office of the Press Secretary via whitehouse.gov|date=December 17, 2003|accessdate=2008-05-18] On November 20, 2007, "in accordance with" an Office of Management and Budget (OMB) memo,cite web|author=Johnson, Clay III|title=Implementation of Trusted Internet Connections (TIC), Memorandum for the Heads of Executive Departments and Agencies (M-08-05)|url=http://www.whitehouse.gov/omb/memoranda/fy2008/m08-05.pdf|format=PDF|date=November 20, 2007|publisher=Office of Management and Budget|accessdate=2008-06-13] Einstein version 2 was required for all federal agencies, except "not to include" the Department of Defense and United States Intelligence Community agencies in the executive branch. [The CIA, an " [http://www.cia.gov/redirects/ciaredirect.html independent] " agency, is not mentioned, in cite web|author=US-CERT|title=Privacy Impact Assessment for EINSTEIN 2|url=http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_einstein2.pdf|format=PDF|date=May 19, 2008|pages=4|publisher=U.S. Department of Homeland Security|accessdate=2008-06-12]

Adoption

Einstein was deployed in 2004 and until 2008 was voluntary.cite news|author=Vijayan, Jaikumar|title=Q&A: Evans says feds steaming ahead on cybersecurity plan, but with privacy in mind|url=http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9066019|work=Computerworld|publisher=IDG|date=February 29, 2008|accessdate=2008-05-13] By 2005, three federal agencies participated and funding was available for six additional deployments. By December 2006, eight agencies participated in Einstein and by 2007, DHS itself was adopting the program department-wide. [cite web|author=Office of the Inspector General|title=Challenges Remain in Securing the Nation’s Cyber Infrastructure|url=http://www.dhs.gov/xoig/assets/mgmtrpts/OIG_07-48_Jun07.pdf|page=12|format=PDF|date=June 2007|publisher=U.S. Department of Homeland Security|accessdate=2008-05-18] By 2008, Einstein was deployed at fifteen [cite press release|title=Fact Sheet: U.S. Department of Homeland Security Five-Year Anniversary Progress and Priorities|url=http://www.dhs.gov/xnews/releases/pr_1204819171793.shtm|publisher=U.S. Department of Homeland Security|date=March 6, 2008|accessdate=2008-05-18] of the nearly six hundred agencies, departments and Web resources in the U.S. government. [Apart from 106 listings for "Website" or "Home Page", 486 listings appear in cite web|title=A-Z Index of U.S. Government Departments and Agencies|url=http://www.usa.gov/Agencies/Federal/All_Agencies/index.shtml|publisher= U.S. General Services Administration|accessdate=2008-05-18]

Features

When it was created, Einstein was "an automated process for collecting, correlating, analyzing, and sharing computer security information across the Federal civilian government."cite web|author=US-CERT|title=Privacy Impact Assessment: EINSTEIN Program|url=http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_eisntein.pdf|format=PDF|date=September 2004|publisher=U.S. Department of Homeland Security, National Cyber Security Division|accessdate=2008-05-13] Einstein does not protect the network infrastructure of the private sector.cite news|author=Nakashima, Ellen|url=http://www.washingtonpost.com/wp-dyn/content/article/2008/01/25/AR2008012503261_pf.html|title=Bush Order Expands Network Monitoring: Intelligence Agencies to Track Intrusions|work=The Washington Post|publisher=The Washington Post Company|date=January 26, 2008|accessdate=2008-05-18] As described in 2004, its purpose is to "facilitate identifying and responding to cyber threats and attacks, improve network security, increase the resiliency of critical, electronically delivered government services, and enhance the survivability of the Internet."

Einstein was designed to resolve the six common security weaknesses that were collected from federal agency reports and identified by the OMB in or before its report for 2001 to the U.S. Congress. [cite web|author=Office of Management and Budget|page=11|title=FY 2001 Report to Congress on Federal Government Information Security Reform|publisher=Office of Information and Regulatory Affairs|url=http://www.whitehouse.gov/omb/inforeg/fy01securityactreport.pdf|format=PDF|date=undated|accessdate=2008-05-14] In addition, the program addresses detection of computer worms, anomalies in inbound and outbound traffic, configuration management as well as real-time trends analysis which US-CERT offers to U.S. departments and agencies on the "health of the Federal.gov domain". Einstein was designed to collect session data including:

* Autonomous system numbers (ASN)
* ICMP type and code
* Packet length
* Protocol
* Sensor identification and connection status (the location of the source of the data)
* Source and destination IP address
* Source and destination port
* TCP flag information
* Timestamp and duration information

US-CERT may ask for additional information in order to find the cause of anomalies Einstein finds. The results of US-CERT's analysis are then given to the agency for disposition.

Einstein 2

Three constraints on Einstein that the DHS is trying to address are the large number of access points to U.S. agencies, the low number of agencies participating, and the program's "backward-looking architecture".cite press release|title=Remarks by Homeland Security Secretary Michael Chertoff to the 2008 RSA Conference|url=http://www.dhs.gov/xnews/speeches/sp_1208285512376.shtm|publisher=U.S. Department of Homeland Security|date=April 8, 2008|accessdate=2008-05-13] An OMB "Trusted Internet Connections" initiative was expected to reduce the government's 4,300 access points to 50 or fewer by June 2008. [cite news|author=Vijayan, Jaikumar|title=Feds downplay privacy fears on plan to expand monitoring of government networks|url=http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9065698|work=Computerworld|publisher=IDG|date=February 28, 2008|accessdate=2008-05-13] cite news|author=Mosquera, Mary|title=OMB: Agencies must shed more gateways|url=http://www.fcw.com/online/news/153102-1.html|date=July 10, 2008|work=Federal Computer Week|publisher=Media, Inc.|accessdate=2008-07-10] After agencies reduced access points by over 60% and requested more than their target, OMB reset their goal to the latter part of 2009 with the number to be determined. A new version of Einstein was planned to "collect network traffic flow data in real time and also analyze the content of some communications, looking for malicious code, for example in e-mail attachments." [cite news|author=Waterman, Shaun|title=Analysis: Einstein and U.S. cybersecurity|url=http://www.upi.com/International_Security/Emerging_Threats/Analysis/2008/03/03/analysis_einstein_and_us_cybersecurity/2343/|publisher=United Press International|date=March 8, 2008|accessdate=2008-05-13] The expansion is known to be one of at least nine measures to protect federal networks.cite press release|title=Fact Sheet: Protecting Our Federal Networks Against Cyber Attacks|url=http://www.dhs.gov/xnews/releases/pr_1207684277498.shtm|date=April 8, 2008|publisher=U.S. Department of Homeland Security|accessdate=2008-05-13]

The new version, called EINSTEIN 2, will have a "system to automatically detect malicious network activity, creating alerts when it is triggered". [cite web|title=E P I C A l e r t|url=http://epic.org/alert/EPIC_Alert_15.11.html|publisher=Electronic Privacy Information Center|date=May 30, 2008|volume=15.11|accessdate=2008-06-13] Einstein 2 will use "the minimal amount" necessary of predefined attack signatures which will come from internal, commercial and public sources. The Einstein 2 sensor monitors each participating agency's Internet access point, "not strictly...limited to" Trusted Internet Connections, using both commercial and government-developed software. Einstein could be enhanced to create an early warning system to predict intrusions.

US-CERT may share Einstein 2 information with "federal executive agencies" according to "written standard operating procedures" and only "in a summary form". Because US-CERT has no intelligence or law enforcement mission it will notify and provide contact information to "law enforcement, intelligence, and other agencies" when an event occurs that falls under their responsibility.

Einstein 3

Version 3.0 of Einstein has been discussed to prevent attacks by stopping them before they happen.cite news|title= Homeland Security seeks cyber counterattack system|url=http://www.cnn.com/2008/TECH/10/04/chertoff.cyber.security/|date=October 4, 2008|work=CNN|publisher=Turner Broadcasting System|accessdate=2008-10-07]

Privacy

In the Privacy Impact Assessment (PIA) for Einstein 2 published in 2008, DHS gave a general notice to people who use U.S. federal networks.cite web|author=US-CERT|title=Privacy Impact Assessment for EINSTEIN 2|url=http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_einstein2.pdf|format=PDF|date=May 19, 2008|publisher=U.S. Department of Homeland Security|accessdate=2008-06-12] DHS assumes that Internet users do not expect privacy in the "To" and "From" addresses of their email or in the "IP addresses of the websites they visit" because their service providers use that information for routing. DHS also assumes that people have at least a basic understanding of how computers communicate and know the limits of their privacy rights when they choose to access federal networks. The Privacy Act of 1974 does not apply to Einstein 2 data because its system of records generally do not contain personal information and so are not indexed or queried by the names of individual persons. A PIA for the first version is also available from 2004.

DHS is seeking approval for an Einstein 2 retention schedule in which flow records, alerts, and specific network traffic related to an alert may be maintained for up to three years, and if, for example in the case of a false alert, data is deemed unrelated or potentially collected in error, it can be deleted.

According to the DHS privacy assessment for US-CERT's 24x7 Incident Handling and Response Center in 2007, US-CERT data is provided only to those authorized users who "need to know such data for business and security purposes" including security analysts, system administrators and certain DHS contractors. Incident data and contact information are never shared outside of US-CERT and contact information is not analyzed. To secure its data, US-CERT's center began a DHS certification and accreditation process in May 2006 and expected to complete it by the first quarter of fiscal year 2007. As of March 2007, the center had no retention schedule approved by the National Archives and Records Administration and until it does, has no "disposition schedule"—its "records must be considered permanent and nothing may be deleted". [cite web|title=Privacy Impact Assessment for the 24x7 Incident Handling and Response Center|publisher=U.S. Department of Homeland Security|url=http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_nppd_24x7.pdf|format=PDF|date=March 29, 2007|accessdate=2008-05-14]

ee also

*National Security Directive

Notes

External links

*cite web|author=US-CERT|title=Privacy Impact Assessment for EINSTEIN 2|url=http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_einstein2.pdf|format=PDF|date=May 19, 2008|publisher=U.S. Department of Homeland Security|accessdate=2008-06-12
*cite web|author=US-CERT|title=Privacy Impact Assessment: EINSTEIN Program|url=http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_eisntein.pdf|format=PDF|date=September 2004|publisher=U.S. Department of Homeland Security, National Cyber Security Division|accessdate=2008-05-13
*cite web|title=Privacy Impact Assessment for the 24x7 Incident Handling and Response Center|publisher=U.S. Department of Homeland Security|url=http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_nppd_24x7.pdf|format=PDF|date=March 29, 2007|accessdate=2008-05-14
*cite web|title=Einstein|publisher=TechTarget|url=http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci1309040,00.html|accessdate=2008-05-14