Einstein (US-CERT program)

The EINSTEIN System (part of the National Cybersecurity Protection System) is a network intrusion detection and prevention system that monitors the networks of US federal government departments and agencies. The system is developed and managed by the Cybersecurity and Infrastructure Security Agency (formerly NPPD/United States Computer Emergency Readiness Team (US-CERT) ) in the United States Department of Homeland Security (DHS).

The program was originally developed to provide "situational awareness" for the civilian agencies and to "facilitate identifying and responding to cyber threats and attacks, improve network security, increase the resiliency of critical, electronically delivered government services, and enhance the survivability of the Internet." The first version examined basic network traffic and subsequent versions examined content.

EINSTEIN does not protect the network infrastructure of the private sector.

History
The Federal Computer Incident Response Capability (FedCIRC) was one of four watch centers that were protecting federal information technology when the E-Government Act of 2002 designated it the primary incident response center. With FedCIRC at its core, US-CERT was formed in 2003 as a partnership between the newly created DHS and the CERT Coordination Center which is at Carnegie Mellon University and funded by the U.S. Department of Defense. US-CERT delivered EINSTEIN to meet statutory and administrative requirements that DHS help protect federal computer networks and the delivery of essential government services. EINSTEIN was implemented to determine if the government was under cyber attack. EINSTEIN does this by collecting flow data from all civilian agencies and compared that flow data to a baseline. During EINSTEIN 1, it was determined that the civilian agencies did not know the entirety of what their registered IPv4 space included. This was obviously a security concern. Once an Agency's IPv4 space was validated, it was immediately clear that the Agency had more external Internet Connections or Gateways than could be reasonably instrumented and protected. This gave birth to the Office of Management and Budget's Trusted Internet Connections (TIC) Initiative. The initiative expected to reduce the government's 4,300 access points to 50 or fewer by June 2008.
 * 1) If one Agency reported a cyber event, the 24/7 Watch at US-CERT could look at the incoming flow data and assist resolution.
 * 2) If one Agency was under attack, US-CERT Watch could quickly look at other Agency feeds to determine if it was across the board or isolated.

Therefore, a new version of EINSTEIN was planned to "collect network traffic flow data in real time and also analyze the content of some communications, looking for malicious code, for example in e-mail attachments." Three constraints on EINSTEIN that the DHS is trying to address are the large number of access points to U.S. agencies, the low number of agencies participating, and the program's "backward-looking architecture". The expansion is known to be one of at least nine measures to protect federal networks.

Mandate


EINSTEIN is the product of U.S. congressional and presidential actions of the early 2000s including the E-Government Act of 2002 which sought to improve U.S. government services on the Internet.

The Consolidated Appropriations Act of 2016 added 6 USC 663(b)(1), which requires the Secretary of Homeland Security to "deploy, operate, and maintain" a capability to detect and prevent cybersecurity risks in network traffic in federal information systems.

The use of these systems is mandated for federal agencies by 6 USC 663 'Agency Responsibilities'. Agencies must adopt updates to the system within 6 months. The Department of Defense, Intelligence Community, and other "national security systems" are exempt.

Adoption
EINSTEIN was deployed in 2004 and until 2008 was voluntary. By 2005, three federal agencies participated and funding was available for six additional deployments. By December 2006, eight agencies participated in EINSTEIN and by 2007, DHS itself was adopting the program department-wide. By 2008, EINSTEIN was deployed at fifteen of the nearly six hundred agencies, departments and Web resources in the U.S. government.

As of September 2022, 248 federal agencies use EINSTEIN 1 and 2 "representing approximately 2.095 million users, or 99% of the total user population" and 257 agencies use E3A.

EINSTEIN 1
When it was created, EINSTEIN was "an automated process for collecting, correlating, analyzing, and sharing computer security information across the Federal civilian government."

EINSTEIN 1 was designed to resolve the six common security weaknesses that were collected from federal agency reports and identified by the OMB in or before its report for 2001 to the U.S. Congress. In addition, the program addresses detection of computer worms, anomalies in inbound and outbound traffic, configuration management as well as real-time trends analysis which CISA offers to U.S. departments and agencies on the "health of the Federal.gov domain". EINSTEIN was designed to collect session data including:

Around 2019, CISA expanded the system to include application layer information, such as HTTP URLs and SMTP headers..
 * Autonomous system numbers (ASN)
 * ICMP type and code
 * Packet length
 * Protocol
 * Sensor identification and connection status (the location of the source of the data)
 * Source and destination IP address
 * Source and destination port
 * TCP flag information
 * Timestamp and duration information

CISA may ask for additional information in order to find the cause of anomalies EINSTEIN finds. The results of CISA's analysis are then given to the agency for disposition.

EINSTEIN 2
EINSTEIN 2 was deployed in 2008 and "identifies malicious or potentially harmful computer network activity in federal government network traffic based on specific known signatures" and generates around 30,000 alerts a day.

The EINSTEIN 2 sensor monitors each participating agency's Internet access point, "not strictly...limited to" Trusted Internet Connections, using both commercial and government-developed software. EINSTEIN could be enhanced to create an early warning system to predict intrusions.

CISA may share EINSTEIN 2 information with "federal executive agencies" according to "written standard operating procedures". CISA has no intelligence or law enforcement mission but will notify and provide contact information to "law enforcement, intelligence, and other agencies" when an event occurs that falls under their responsibility.

EINSTEIN 3
Version 3.0 of EINSTEIN has been discussed to prevent attacks by "shoot[ing] down an attack before it hits its target." The NSA is moving forward to begin a program known as “EINSTEIN 3,” which will monitor “government computer traffic on private sector sites.” (AT&T is being considered as the first private sector site.) The program plan, which was devised under the Bush administration, is controversial, given the history of the NSA and the warrantless wiretapping scandal. Many DHS officials fear that the program should not move forward because of “uncertainty about whether private data can be shielded from unauthorized scrutiny.” Some believe the program will invade the privacy of individuals too much.

Privacy
In the Privacy Impact Assessment (PIA) for EINSTEIN 2 published in 2008, DHS gave a general notice to people who use U.S. federal networks. DHS assumes that Internet users do not expect privacy in the "To" and "From" addresses of their email or in the "IP addresses of the websites they visit" because their service providers use that information for routing. DHS also assumes that people have at least a basic understanding of how computers communicate and know the limits of their privacy rights when they choose to access federal networks. The Privacy Act of 1974 does not apply to EINSTEIN 2 data because its system of records generally does not contain personal information and so is not indexed or queried by the names of individual persons. A PIA for the first version is also available from 2004.

DHS is seeking approval for an EINSTEIN 2 retention schedule in which flow records, alerts, and specific network traffic related to an alert may be maintained for up to three years, and if, for example in the case of a false alert, data is deemed unrelated or potentially collected in error, it can be deleted. According to the DHS privacy assessment for US-CERT's 24x7 Incident Handling and Response Center in 2007, US-CERT data is provided only to those authorized users who "need to know such data for business and security purposes" including security analysts, system administrators and certain DHS contractors. Incident data and contact information are never shared outside of US-CERT and contact information is not analyzed. To secure its data, US-CERT's center began a DHS certification and accreditation process in May 2006 and expected to complete it by the first quarter of fiscal year 2007. As of March 2007, the center had no retention schedule approved by the National Archives and Records Administration and until it does, has no "disposition schedule"—its "records must be considered permanent and nothing may be deleted". As of April 2013, DHS still had no retention schedule but was working "with the NPPD records manager to develop disposition schedules". An update was issued in May 2016.

2020 federal government data breach
Einstein failed to detect the 2020 United States federal government data breach.