DHS planning Einstein pilot with commercial ISP

The Department of Homeland Security is apparently ready to move forward with a pilot to test the capabilities of its Einstein 3 intrusion detection and prevention system. The plan is to work with a commercial service provider that is a designated Access Provider under the Trusted Internet Connection program (the DHS acronym is “TICAP”) to route live network traffic through the Einstein system and validate its technical capabilities, as well as the ability to route traffic flows and provide alerts and other appropriate notifications. Given the sensitivity of the program and the well-established privacy concerns over the prospect of NSA and other government analysts poring over the full content of Internet traffic flowing to or from government networks, DHS conducted a special Privacy Impact Analysis (PIA) just for the pilot program. In the PIA, DHS lays out the objectives for the pilot “exercise”:

  1. The ability of a TICAP to redirect agency-specific Internet traffic through the Exercise technology. 
  2. The ability of US-CERT, utilizing the Exercise technology, to analyze redirected agency-specific traffic to detect cyber threats, and to respond appropriately to those threats.
  3. The ability of US-CERT to develop techniques for supporting future EINSTEIN capabilities.
  4. The ability of US-CERT to potentially share cybersecurity-related information with appropriate organizations in real-time to coordinate the cybersecurity activities of the federal government.
  5. The ability of a TICAP to deliver the traffic back to the particular participating agency in a timely and efficient fashion.

One notable aspect of the network configuration planned for the pilot is that DHS will identify traffic associated with a particular federal agency (using IP addresses allocated to that agency) and redirect that traffic to a secure monitoring environment where the Einstein system will be installed. Such a configuration effectively pulls the relevant traffic out of the service provider’s network, performs whatever analysis the system can do, and then puts the traffic back on the network, where it presumably proceeds along whatever route it was heading down in the first place. This is a subtle yet significant deviation from a truly in-line deployment (which might be envisioned for the Einstein system in some future production implementation); at the same time it allows DHS to focus on traffic for one agency at a time, and it would seem to minimize the total amount of traffic passing through the Einstein system. Looking ahead to some possible future scenarios, such a configuration might let DHS and the NSA tune their detection and prevention operations to whichever agency is the source or target of the network traffic being analyzed.
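As an added illustration of the selection logic the post describes (this is not DHS, US-CERT or TICAP code, and the agency prefixes, flow records and byte counts are constructed sample data using RFC 5737 documentation ranges), the following Python models the agency-specific redirection: a flow is diverted to the monitoring path only when its source or destination address falls within the prefixes allocated to the agency currently selected for the pilot, and everything else stays on the provider's normal path. It also shows the volume reduction that picking one agency at a time buys, and handles the case of a flow between two participating agencies.

```python
"""Toy model of agency-specific traffic redirection (added example, not pilot code).

Assumptions, as stated in the post: an agency is identified by the IP prefixes
allocated to it, and only traffic for the one selected agency is pulled out of the
provider's network for analysis. Everything below is constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record as a TICAP might see it (constructed, minimal fields)."""
    src: str
    dst: str
    dst_port: int
    nbytes: int


# Constructed allocations: RFC 5737 documentation ranges, not real agency address space.
AGENCY_PREFIXES = {
    "agency-a": [ipaddress.ip_network("192.0.2.0/24")],
    "agency-b": [ipaddress.ip_network("198.51.100.0/25"),
                 ipaddress.ip_network("198.51.100.128/25")],
}

# Constructed sample flows; 203.0.113.0/24 stands in for arbitrary Internet hosts.
SAMPLE_FLOWS = [
    Flow("192.0.2.10", "203.0.113.5", 443, 1200),      # agency-a outbound
    Flow("203.0.113.9", "192.0.2.20", 80, 800),        # agency-a inbound
    Flow("198.51.100.7", "203.0.113.5", 443, 5000),    # agency-b outbound
    Flow("198.51.100.200", "203.0.113.8", 22, 300),    # agency-b, second prefix
    Flow("203.0.113.1", "203.0.113.2", 53, 100),       # no participating agency
    Flow("192.0.2.30", "198.51.100.9", 8443, 400),     # agency-a <-> agency-b
]


def agency_for(addr, allocations=AGENCY_PREFIXES):
    """Return the agency whose allocated prefix contains addr, or None if no match."""
    ip = ipaddress.ip_address(addr)
    for agency, nets in allocations.items():
        if any(ip in net for net in nets):
            return agency
    return None


def route_flows(flows, selected_agency, allocations=AGENCY_PREFIXES):
    """Split flows into (diverted, passthrough) for the one agency under test.

    A flow is diverted when either endpoint is in the selected agency's prefixes;
    other agencies' traffic is left on the provider's normal path, so a flow between
    two participating agencies is diverted whichever of them is selected.
    """
    diverted, passthrough = [], []
    for f in flows:
        endpoints = (agency_for(f.src, allocations), agency_for(f.dst, allocations))
        (diverted if selected_agency in endpoints else passthrough).append(f)
    return diverted, passthrough


def diverted_share(flows, selected_agency, allocations=AGENCY_PREFIXES):
    """Fraction of total bytes that would pass through the monitoring environment."""
    diverted, _ = route_flows(flows, selected_agency, allocations)
    total = sum(f.nbytes for f in flows)
    return sum(f.nbytes for f in diverted) / total if total else 0.0


if __name__ == "__main__":
    for agency in AGENCY_PREFIXES:
        d, p = route_flows(SAMPLE_FLOWS, agency)
        print(f"{agency}: {len(d)} flows diverted, {len(p)} untouched, "
              f"{diverted_share(SAMPLE_FLOWS, agency):.1%} of bytes inspected")
```

In the real pilot the redirection happens inside the TICAP's network rather than in a script, and the analysis stage is the Einstein system itself; the point of the model is only that the selection criterion is the agency's allocated prefixes, so everything outside them, including other agencies' traffic, never enters the monitoring environment while that agency is the one under test.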