EINSTEIN is a system to detect and report network intrusions. It supports Federal agencies' efforts to protect their computer networks. EINSTEIN monitors participating agencies' network gateways for traffic patterns that indicate the presence of computer worms or other unwanted traffic. By collecting traffic information at agency gateways, EINSTEIN gives government analysts and participating agencies a synthesized, big-picture view of potentially malicious activity across Federal networks.
Before EINSTEIN was introduced, federal agencies reported cyber threats to the Department of Homeland Security (DHS) manually and on an ad hoc basis, usually only after agency systems had already been affected by an attack. To remedy this, DHS, in collaboration with the National Security Agency (NSA), created EINSTEIN. EINSTEIN's mandate derives from a combination of statutes, presidential directives, and agency memoranda. The first mandates for EINSTEIN came in 2002 with the Homeland Security Act of 2002 and Homeland Security Presidential Directive 7. In 2007, the Office of Management and Budget required all federal executive agencies to develop a comprehensive plan of action to defend against cyber threats. Coinciding with these statutory and administrative directives, DHS and NSA launched EINSTEIN in three phases, each more sophisticated than the last.
EINSTEIN 1.0
The Department of Homeland Security rolled out EINSTEIN 1.0 in 2004 to automate the process by which federal agencies reported cyber threats to the U.S. Computer Emergency Readiness Team (US-CERT), the operational arm of DHS's cybersecurity division. Under EINSTEIN 1.0, federal agencies voluntarily sent "flow records" of Internet network activity to DHS so it could monitor Internet traffic across the federal .gov domain. These flow records included basic routing information, such as the IP address of the connecting computer and the IP address of the federal computer it connected to. US-CERT used this information to detect and mitigate malicious activity that threatened federal networks. This information was shared with both public and private actors on the DHS website.
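The flow-record analysis described above works on routing metadata alone, without packet content. The following is an added illustration, not code from the EINSTEIN program or DHS: it aggregates constructed flow records by source host and destination port and flags a host that fans out to an unusually large number of distinct destinations on one port, the traffic pattern a propagating worm produces. The record fields, the sample addresses and the threshold are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRecord:
    """Minimal flow record: who talked to whom, on which port, how much (assumed layout)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str
    byte_count: int


# Constructed sample flows (not real agency data): host 10.1.1.5 touches 40 different
# internal hosts on port 445 with tiny flows, which is what worm scanning looks like;
# the other hosts carry ordinary-looking web traffic to a few destinations.
SAMPLE_FLOWS = [
    FlowRecord("10.1.1.5", f"10.1.2.{i}", 445, "tcp", 128) for i in range(1, 41)
] + [
    FlowRecord("10.1.1.7", "198.51.100.10", 443, "tcp", 52000),
    FlowRecord("10.1.1.7", "198.51.100.11", 443, "tcp", 31000),
    FlowRecord("10.1.1.9", "203.0.113.5", 80, "tcp", 9000),
]


def fan_out_counts(flows):
    """Map (src_ip, dst_port) -> number of distinct destination hosts contacted."""
    dests = defaultdict(set)
    for f in flows:
        dests[(f.src_ip, f.dst_port)].add(f.dst_ip)
    return {key: len(hosts) for key, hosts in dests.items()}


def detect_scanners(flows, threshold=20):
    """Return (src_ip, dst_port, distinct_destinations) for sources whose fan-out on
    a single port reaches the threshold. Sorted so the result is deterministic."""
    return sorted(
        (src, port, n)
        for (src, port), n in fan_out_counts(flows).items()
        if n >= threshold
    )


if __name__ == "__main__":
    for src, port, n in detect_scanners(SAMPLE_FLOWS):
        print(f"ALERT: {src} contacted {n} distinct hosts on port {port}")
```

The threshold would be tuned per network; the point is that this class of detection needs only the address and port fields that a flow record carries, which is why it could be run on data agencies forwarded voluntarily.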
EINSTEIN 2.0
In an effort to upgrade EINSTEIN's capabilities, DHS launched EINSTEIN 2.0, which can alert US-CERT to malicious network intrusions in near real time. Sensors installed at all federal agency Internet access points make a copy of all network activity coming to and from federal networks, including addressing information and the content of the communication. These data are then scanned for the presence of "signatures," patterns that correspond to a known threat, such as denial of service attacks, network backdoors, malware, worms, Trojan horses, and routing anomalies. The system triggers an alert when it detects malicious activity. All the data corresponding to the trigger, including the content of the communication, are saved. Personnel at US-CERT then analyze the stored messages and act accordingly.
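To make the signature-and-retention step concrete, here is an added example that is not EINSTEIN code and uses no real signatures: constructed packets are matched against constructed byte patterns, optionally restricted to a port, and each hit produces an alert that keeps the full packet so an analyst can review the content later. The packet layout, signature ids and payloads are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Copy of one captured packet: addressing information plus payload (assumed layout)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int                  # constructed signature id
    name: str
    pattern: "re.Pattern"     # byte-level pattern searched in the payload
    dst_port: Optional[int]   # None means the pattern applies on any port


@dataclass(frozen=True)
class Alert:
    sid: int
    name: str
    packet: Packet            # full packet retained for analyst review


# Constructed signatures for the example only; they describe no real threat.
SIGNATURES = [
    Signature(1001, "example-backdoor-banner", re.compile(rb"^EXAMPLE-BACKDOOR v\d+"), None),
    Signature(1002, "example-worm-probe", re.compile(rb"WORMPROBE-[A-Z]{4}"), 445),
]


def match_signatures(packet: Packet, signatures=SIGNATURES) -> List[Signature]:
    """Return every signature whose port restriction and byte pattern both fit the packet."""
    hits = []
    for sig in signatures:
        if sig.dst_port is not None and packet.dst_port != sig.dst_port:
            continue
        if sig.pattern.search(packet.payload):
            hits.append(sig)
    return hits


def scan(packets, signatures=SIGNATURES) -> List[Alert]:
    """Scan a stream of packet copies; on each hit, store the whole packet with the alert."""
    alerts = []
    for p in packets:
        for sig in match_signatures(p, signatures):
            alerts.append(Alert(sig.sid, sig.name, p))
    return alerts


# Constructed sample traffic: one probe on the expected port, one TLS-looking packet,
# one banner on an arbitrary port, and one probe string on the wrong port (no alert).
SAMPLE_PACKETS = [
    Packet("10.1.1.5", "10.1.2.9", 445, b"WORMPROBE-ABCD\x00\x01"),
    Packet("10.1.1.7", "198.51.100.10", 443, b"\x16\x03\x01\x00\x2a"),
    Packet("203.0.113.8", "10.1.1.20", 8080, b"EXAMPLE-BACKDOOR v3 ready"),
    Packet("10.1.1.9", "10.1.2.9", 80, b"WORMPROBE-ABCD"),
]


if __name__ == "__main__":
    for a in scan(SAMPLE_PACKETS):
        print(f"sid={a.sid} {a.name}: {a.packet.src_ip} -> {a.packet.dst_ip}:{a.packet.dst_port}")
```

Retaining the whole packet only on a hit, rather than everything the sensor copies, is what keeps the stored volume manageable while still giving the analyst the communication content the alert was raised on.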
EINSTEIN 3
In 2010, DHS began testing EINSTEIN 3 at one federal agency. In addition to detecting cyber threats, this newest iteration is also designed to block and respond to those threats before any harm is done. US-CERT is also testing the ability of EINSTEIN 3 to provide real-time information sharing with other federal agencies and the NSA.
- Department of Homeland Security, Privacy Impact Assessment EINSTEIN Program: Collecting, Analyzing, and Sharing Computer Security Information Across the Federal Civilian Government, at 3 (full-text).
- Id. at 1.
- Office of Management and Budget, Memorandum for the Heads of Executive Departments and Agencies: Implementation of Trusted Internet Connections (TIC) (OMB Memorandum M-08-05) (Nov. 20, 2007).
- Privacy Impact Assessment EINSTEIN Program: Collecting, Analyzing, and Sharing Computer Security Information Across the Federal Civilian Government, at 4.
- Id. at 6-7.
- See http://www.us-cert.gov/cas/techalerts/ for an example of cybersecurity alerts provided to the public.
- Privacy Impact Assessment EINSTEIN Program: Collecting, Analyzing, and Sharing Computer Security Information Across the Federal Civilian Government, at 1.
- Id. at 9. For more information on intrusion detection systems, see NIST Special Publication 800-94.
- Id. at 9-5.
- Id. at 10.
- According to the Department of Homeland Security, the name of the agency is classified. Department of Homeland Security, Privacy Impact Assessment: Initiative Three Exercise, at 3 (2010) (full-text).
- Id. at 3.
- Id. at 3.
- Cybersecurity: Selected Legal Issues, at 14-15.