Center for Democracy and Technology Report – EINSTEIN INTRUSION DETECTION SYSTEM: QUESTIONS THAT SHOULD BE ADDRESSED

Background on the National Security Agency's Einstein system: "NSA's Cyber Overkill"

This is the introduction to the report - full pdf file here: http://cdt.org/security/20090728_einstein_rpt.pdf

July 2009

This paper calls on the government to release information about the Einstein intrusion detection system for government computers. It poses questions about the role of the National Security Agency in the Einstein program, the scope of the latest version of the Einstein system, the legal authority for the system, and the impact of Einstein on the privacy of people who communicate with the government.

It also calls for the release of any legal opinions and certifications about the lawfulness of Einstein intrusion detection activities, and for release of the privacy guidelines governing the system and of the privacy training materials given to the people who may come into contact with information derived from Einstein.

Recent press reports in the Washington Post[1] and Wall Street Journal[2] indicate that the federal government is putting in place a new intrusion detection system to help secure civilian networks in the .gov space. This system, dubbed "Einstein 3," is the successor to an existing system, "Einstein 2," now deployed by the Department of Homeland Security and soon to be deployed by other federal agencies. While Einstein 2 poses privacy concerns that have not yet been fully resolved, Einstein 3 both heightens those concerns and poses additional questions of its own.

According to a May 19, 2008 Privacy Impact Assessment,[3] Einstein 2 detects malicious computer code in network traffic using pre-defined signatures of such code and alerts the U.S. Computer Emergency Readiness Team ("US-CERT"). Some of those signatures include personally identifiable information ("PII"), and some of the alerts from Einstein 2 to US-CERT also include PII. Previously unknown attack signatures cannot be detected by Einstein 2; as a result, anything new gets through the system until the database of attack signatures is updated to include it. According to the PIA, Einstein 2 will be deployed at participating federal agency Internet Access Points.[4]

Like Einstein 2, Einstein 3 will rely on pre-defined signatures of malicious code that may contain PII. However, Einstein 3, unlike its predecessor, will have the added capability of reading the content of email and other Internet traffic, according to the Wall Street Journal story. This raises serious privacy concerns.

In addition, while its predecessor merely detected and reported malicious code, Einstein 3 is to have the capability of intercepting threatening Internet traffic before it reaches a government system, which raises additional concerns. This capability is reportedly based on a National Security Agency program. According to press accounts, Einstein 3 will operate inside the networks of the telecoms, but it is not clear whether this differs from how Einstein 2 is deployed. According to the same accounts, AT&T would be contracted by the government to test portions of Einstein 3 and is seeking assurance from the Department of Justice that this activity does not violate the law.

Some policymakers are reportedly studying potential changes to current surveillance law to permit the scanning of private Internet traffic, for security purposes only, without an individualized court order. The Senate version of the Intelligence Authorization Act for FY 2010, S. 1494, reported on July 22, does not propose any such changes. Instead, it calls for reports to Congress about the privacy impact of Einstein and any other similar cybersecurity programs, as well as information about the legal authorities for the programs and about any audits that have been conducted or are planned for the programs.[4]

[1] http://www.washingtonpost.com/wpdyn/content/article/2009/07/02/AR2009070202771_pf.html
[2] http://online.wsj.com/article/SB124657680388089139.html#printMode
[3] http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_einstein2.pdf
[4] It is unclear to CDT whether this means that Einstein 2 operates on privately owned and operated equipment or on government equipment. More importantly, it is unclear whether the point at which Einstein is deployed handles only government traffic or could carry both government and private-to-private traffic.

CONTINUED: http://cdt.org/security/20090728_einstein_rpt.pdf