The Department of Homeland Security (DHS) has the mission to provide a common baseline of security across the federal civilian executive branch and to help agencies manage their cyber risk. This common baseline is provided in part through the EINSTEIN system. EINSTEIN serves two key roles in federal government cybersecurity. First, EINSTEIN detects and blocks cyber attacks from compromising federal agencies. Second, EINSTEIN provides DHS with the situational awareness to use threat information detected in one agency to protect the rest of the government and to help the private sector protect itself.
A useful analogy for understanding EINSTEIN is that of physical protections at a government facility. The first phase of EINSTEIN, known as EINSTEIN 1, is similar to a camera at the entrance to the facility that records cars entering and leaving and identifies unusual changes in the number of cars. EINSTEIN 2 adds the ability to detect suspicious cars based upon a watch list. EINSTEIN 2 does not stop the cars, but it sets off an alarm. In sum, EINSTEIN 1 and 2 detect potential cyber attacks at the entrance to the facility, but neither one blocks them. The latest phase of the program, known as EINSTEIN 3 Accelerated (EINSTEIN 3A), is akin to a guard post on the highway that leads to multiple government facilities. EINSTEIN 3A uses classified information to look at the cars and compare them with a watch list. EINSTEIN 3A then actively blocks prohibited cars from entering the facility. Using classified information allows EINSTEIN 3A to detect and block many of the most significant cybersecurity threats.
The EINSTEIN system is used to protect federal civilian executive branch agencies. It is not used by the Department of Defense or the Intelligence Community. All of the EINSTEIN systems use widely available commercial technology.
Importantly, EINSTEIN is not a silver bullet. Security cannot be achieved through only one type of tool. That is why security professionals believe in defense-in-depth: employing multiple tools in combination to manage the risks of cyber attacks. EINSTEIN provides perimeter defense for federal civilian executive branch agencies, but it will never be able to block every cyber attack. It must therefore be complemented with systems and tools inside agency networks, such as Continuous Diagnostics and Mitigation (CDM), and by proactive efforts from each federal agency to implement cybersecurity best practices such as multi-factor authentication and employee training.
The first iteration of EINSTEIN was developed in 2003. EINSTEIN 1 monitors the flow of network traffic transiting to and from federal civilian executive branch agencies. In technical terms, EINSTEIN 1 records and analyzes NetFlow records: per-connection metadata such as source and destination addresses, ports, protocol, timing and byte counts, not the contents of the packets themselves. This capability allows DHS to identify potentially malicious activity, such as unusual changes in traffic volume or connections to unexpected destinations, and to conduct critical forensic analysis after an incident occurs.
EINSTEIN 2, first deployed in 2008, identifies malicious or potentially harmful computer network activity in federal government network traffic based on specific known signatures. In technical terms, it is an intrusion detection system: it alerts on matches but does not block traffic. On a typical day, EINSTEIN 2 sensors generate approximately 30,000 alerts about potential cyber attacks. DHS security personnel evaluate each alert to determine whether it represents a compromise and whether further remediation is needed. If so, DHS works with the victim agency to address the intrusion.
EINSTEIN 1 and 2 are fully deployed and screen all federal civilian executive branch traffic that is routed through a Trusted Internet Connection (a secure gateway between each agency's internal network and the Internet). As of 2015, this is estimated to be over 90% of all federal civilian Internet traffic.
EINSTEIN 3 Accelerated (E3A)
In 2010, DHS began planning for the design and development of an intrusion prevention capability (previously referred to as EINSTEIN 3) to identify and block cyber attacks. This new system would use classified signatures to protect government networks. As noted, using classified indicators allows DHS to detect and block many of the most significant cyber attacks.
In 2012, DHS transitioned to a new approach in which major Internet Service Providers (ISPs) provide intrusion prevention security services for federal civilian agencies using widely available commercial technology. This capability is called EINSTEIN 3 Accelerated (E3A). E3A allows DHS both to detect cyber attacks targeting federal civilian government networks and to actively prevent potential compromises by blocking traffic that matches its indicators.
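The three tiers described above (flow-volume monitoring in EINSTEIN 1, alert-only signature matching in EINSTEIN 2, and indicator-based blocking in E3A) can be illustrated with a small NetFlow-style pipeline. The following is an added example written for this page; it is not DHS or EINSTEIN code, and the record layout, the constructed sample flows, the indicator lists, the z-score threshold and the function names are all assumptions made for the illustration. The signatures used by the real programs, and E3A's classified indicators in particular, are not represented here.

```python
"""Toy analogue of the EINSTEIN tiers over NetFlow-style records.

Added illustration, not DHS/EINSTEIN code. The record format, the
thresholds and the indicator lists below are assumptions for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    hour: int      # hour of day the flow was observed (0-23)
    src: str       # internal source address
    dst: str       # external destination address
    dport: int     # destination port
    nbytes: int    # bytes transferred


# Constructed sample flows (not real traffic). Hours 0-22 carry a flat
# baseline of 10 flows each; hour 23 carries a burst of 80 flows plus a
# few flows to watch-listed destinations.
SAMPLE_FLOWS = []
for h in range(23):
    for i in range(10):
        SAMPLE_FLOWS.append(Flow(h, f"10.0.0.{i}", "198.51.100.10", 443, 1500))
for i in range(80):
    SAMPLE_FLOWS.append(Flow(23, f"10.0.1.{i}", "203.0.113.5", 443, 900))
for _ in range(3):
    SAMPLE_FLOWS.append(Flow(23, "10.0.0.3", "203.0.113.77", 8080, 4000))
SAMPLE_FLOWS.append(Flow(23, "10.0.0.4", "192.0.2.200", 4444, 200))

# EINSTEIN 2 analogue: an unclassified watch list keyed on (dst, dport).
# A hit raises an alert but the flow is still allowed through.
ALERT_INDICATORS = {("203.0.113.77", 8080)}
# E3A analogue: a higher-confidence list whose hits are dropped.
BLOCK_INDICATORS = {("192.0.2.200", 4444)}


def volume_anomalies(flows, z_threshold=3.0):
    """EINSTEIN 1 analogue: flag hours whose flow count is far above baseline.

    Each hour is compared against the mean and standard deviation of the
    other hours. Returns [(hour, count, baseline_mean), ...] for hours more
    than z_threshold standard deviations above that baseline.
    """
    per_hour = Counter(f.hour for f in flows)
    anomalies = []
    for hour, count in sorted(per_hour.items()):
        others = [c for h, c in per_hour.items() if h != hour]
        if len(others) < 2:
            continue  # not enough history to form a baseline
        mu, sigma = mean(others), pstdev(others)
        if sigma == 0:
            sigma = 1.0  # perfectly flat baseline: avoid division by zero
        if (count - mu) / sigma > z_threshold:
            anomalies.append((hour, count, mu))
    return anomalies


def screen(flows):
    """EINSTEIN 2 / E3A analogue: match each flow against the indicator lists.

    Returns (alerts, blocked, passed). Block-list hits are dropped; alert-list
    hits are recorded and still passed, matching the detect-only behaviour.
    """
    alerts, blocked, passed = [], [], []
    for f in flows:
        key = (f.dst, f.dport)
        if key in BLOCK_INDICATORS:
            blocked.append(f)
            continue
        if key in ALERT_INDICATORS:
            alerts.append(f)
        passed.append(f)
    return alerts, blocked, passed


def triage(alerts):
    """Collapse raw alerts into one work item per (src, dst, dport).

    Repeated hits from one host to one indicator are a single potential
    compromise for an analyst to evaluate, not several.
    """
    items = defaultdict(int)
    for f in alerts:
        items[(f.src, f.dst, f.dport)] += 1
    return dict(items)


if __name__ == "__main__":
    print("volume anomalies:", volume_anomalies(SAMPLE_FLOWS))
    alerts, blocked, passed = screen(SAMPLE_FLOWS)
    print(f"alerted={len(alerts)} blocked={len(blocked)} passed={len(passed)}")
    print("analyst work items:", triage(alerts))
```

The z-score baseline stands in for whatever statistical or heuristic volume analysis a real flow sensor performs; its purpose is to show that EINSTEIN 1-style monitoring needs only metadata, never payloads. The distinction between `ALERT_INDICATORS` and `BLOCK_INDICATORS` mirrors the page's point that EINSTEIN 2 only sets off an alarm while E3A actively blocks, and `triage` reflects why 30,000 daily alerts do not translate into 30,000 separate investigations.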
The E3A program also serves as a platform to aggregate federal civilian executive branch traffic so that DHS can implement new and advanced protections. In other words, by putting all federal government traffic through a few locations, DHS can easily add security tools to those locations. To this end, DHS is piloting protections that will automatically identify possible cyber attacks for further analysis, even if the precise attack has not been seen before. DHS is examining technologies from the private sector to evolve to this next stage of network defense.
DHS integrates privacy protections into all of its programs from the outset and employs a layered approach to privacy oversight for the department's cybersecurity activities. It starts with the Department's Chief Privacy Officer and extends through the National Protection and Programs Directorate (NPPD)'s Component Privacy Officer, the Director of Privacy Technology, and dedicated privacy staff across the department. Privacy Impact Assessments (PIAs) are conducted on each DHS program in order to identify and mitigate privacy risks at the beginning of and throughout the development life cycle of a program or system. PIAs help the public understand what personally identifiable information the Department is collecting, why it is being collected, and how it will be used, shared, accessed, and stored. PIAs use the Fair Information Practice Principles (FIPPs) to assess and mitigate any impact on an individual's privacy. PIAs for EINSTEIN 1, EINSTEIN 2, and E3A can be found on the Cybersecurity and Privacy page.