
Einstein (US-CERT program)

The EINSTEIN System is a network intrusion detection and prevention system that monitors the networks of US federal government departments and agencies. The system is developed and managed by the Cybersecurity and Infrastructure Security Agency in the United States Department of Homeland Security (DHS).

History
The Federal Computer Incident Response Capability (FedCIRC) was one of four watch centers protecting federal information technology when the E-Government Act of 2002 designated it the primary incident response center. With FedCIRC at its core, US-CERT was formed in 2003 as a partnership between the newly created DHS and the CERT Coordination Center, which is at Carnegie Mellon University and funded by the U.S. Department of Defense. A later version of EINSTEIN was planned to "collect network traffic flow data in real time and also analyze the content of some communications, looking for malicious code, for example in e-mail attachments." Three constraints on EINSTEIN that DHS is trying to address are the large number of access points to U.S. agencies, the low number of agencies participating, and the program's "backward-looking architecture". The expansion is one of at least nine measures to protect federal networks.
Mandate
as the lead agency protecting IT. EINSTEIN is the product of U.S. congressional and presidential actions of the early 2000s, including the E-Government Act of 2002, which sought to improve U.S. government services on the Internet. The Consolidated Appropriations Act of 2016 added 6 USC 663(b)(1), which requires the Secretary of Homeland Security to "deploy, operate, and maintain" a capability to detect and prevent cybersecurity risks in network traffic in federal information systems. The use of these systems is mandated for federal agencies by 6 USC 663 'Agency Responsibilities'. Agencies must adopt updates to the system within six months. The Department of Defense, the Intelligence Community, and other "national security systems" are exempt.
Adoption
EINSTEIN was deployed in 2004. By 2005, three federal agencies participated and funding was available for six additional deployments. By December 2006, eight agencies participated in EINSTEIN, and by 2007 DHS itself was adopting the program department-wide. By 2008, EINSTEIN was deployed at fifteen of the nearly six hundred agencies, departments and Web resources in the U.S. government. As of September 2022, 248 federal agencies use EINSTEIN 1 and 2, "representing approximately 2.095 million users, or 99% of the total user population", and 257 agencies use E3A.
EINSTEIN 1
When it was created, EINSTEIN was "an automated process for collecting, correlating, analyzing, and sharing computer security information across the Federal civilian government." EINSTEIN 1 was designed to resolve six common security weaknesses. In addition, the program addresses detection of computer worms, anomalies in inbound and outbound traffic, configuration management, and real-time trend analysis, which CISA offers to U.S. departments and agencies on the "health of the Federal.gov domain". CISA may ask an agency for additional information in order to find the cause of anomalies EINSTEIN finds. The results of CISA's analysis are then given to the agency for disposition.
EINSTEIN 2
EINSTEIN 2 was deployed in 2008. It "identifies malicious or potentially harmful computer network activity in federal government network traffic based on specific known signatures" and generates around 30,000 alerts a day. The EINSTEIN 2 sensor monitors each participating agency's Internet access point, "not strictly...limited to" Trusted Internet Connections, using both commercial and government-developed software. EINSTEIN could be enhanced to create an early warning system to predict intrusions. CISA may share EINSTEIN 2 information with "federal executive agencies" according to "written standard operating procedures". CISA has no intelligence or law enforcement mission, but will notify and provide contact information to "law enforcement, intelligence, and other agencies" when an event occurs that falls under their responsibility.
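As an added illustration (not EINSTEIN's own code, and not a description of its actual algorithms), the following Python sketches the two detection styles the EINSTEIN 1 and EINSTEIN 2 sections describe: a flow-record anomaly pass that needs no packet content (per-agency outbound volume against a baseline of earlier days, plus never-before-seen destinations), and a signature pass that matches observed destinations and content hashes against a fixed indicator list. The flow records, baseline window, z-score threshold, indicator hashes and host addresses are all constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed); the flow-anomaly pass sees only these fields."""
    agency: str
    src: str
    dst: str
    dport: int
    bytes_out: int
    day: int
    content_sha256: str = ""   # set only where content inspection was possible (E2-style)


def sample_flows():
    """Constructed sample, not real agency traffic: four baseline days plus a fifth day to score."""
    flows = []
    for day in range(1, 5):
        flows.append(Flow("agencyA", "10.1.0.5", "198.51.100.10", 443, 20_000 + 500 * day, day))
        flows.append(Flow("agencyA", "10.1.0.6", "198.51.100.20", 80, 15_000, day))
    # Day 5: the usual two flows, a large transfer to a host never seen before,
    # and a small flow whose inspected content hash is on the (constructed) signature list.
    flows.append(Flow("agencyA", "10.1.0.5", "198.51.100.10", 443, 21_500, 5))
    flows.append(Flow("agencyA", "10.1.0.6", "198.51.100.20", 80, 15_000, 5))
    flows.append(Flow("agencyA", "10.1.0.9", "203.0.113.7", 443, 900_000, 5))
    flows.append(Flow("agencyA", "10.1.0.6", "198.51.100.20", 80, 4_000, 5, content_sha256="a1b2c3"))
    return flows


# Constructed indicator set standing in for "specific known signatures".
KNOWN_BAD_HASHES = {"a1b2c3"}
KNOWN_BAD_HOSTS = {"192.0.2.44"}


def flow_anomalies(flows, score_day, z_threshold=3.0):
    """E1-style: compare one day's outbound volume and destinations per agency with prior days."""
    volume = defaultdict(lambda: defaultdict(int))   # agency -> day -> total bytes out
    seen_dst = defaultdict(set)                       # agency -> destinations on baseline days
    for f in flows:
        volume[f.agency][f.day] += f.bytes_out
        if f.day < score_day:
            seen_dst[f.agency].add(f.dst)

    alerts = []
    for agency, per_day in volume.items():
        baseline = [b for d, b in per_day.items() if d < score_day]
        if len(baseline) < 2 or score_day not in per_day:
            continue   # nothing to compare against, or nothing observed on the scored day
        mu, sigma = mean(baseline), pstdev(baseline)
        today = per_day[score_day]
        if sigma == 0:
            z = 0.0 if today == mu else float("inf")
        else:
            z = (today - mu) / sigma
        if z > z_threshold:
            alerts.append(("volume", agency, round(z, 1)))

    new_dsts = set()
    for f in flows:
        if f.day == score_day and f.dst not in seen_dst[f.agency]:
            new_dsts.add((f.agency, f.dst))
    for agency, dst in sorted(new_dsts):
        alerts.append(("new_destination", agency, dst))
    return alerts


def signature_hits(flows):
    """E2-style: match each flow against known indicators; anything not on the list passes."""
    hits = []
    for f in flows:
        if f.dst in KNOWN_BAD_HOSTS:
            hits.append(("bad_host", f.src, f.dst))
        if f.content_sha256 and f.content_sha256 in KNOWN_BAD_HASHES:
            hits.append(("bad_content", f.src, f.content_sha256))
    return hits


if __name__ == "__main__":
    flows = sample_flows()
    for alert in flow_anomalies(flows, score_day=5):
        print("flow anomaly:", alert)
    for hit in signature_hits(flows):
        print("signature hit:", hit)
```

The two constructed day-5 flows show why the passes complement each other: the 900 KB transfer to an unseen host raises only flow alerts, since no indicator matches it, while the small flow carrying a listed hash is caught only by the signature pass. A flow that is both small and bound for a familiar host with content not on the list would pass both, which is the general limit of baseline-plus-signature detection rather than anything specific to EINSTEIN.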
EINSTEIN 3
Version 3.0 of EINSTEIN has been discussed as a way to prevent attacks by "shoot[ing] down an attack before it hits its target." In 2010 the NSA was moving forward with a program known as "EINSTEIN 3", which would monitor "government computer traffic on private sector sites" (AT&T was being considered as the first private sector site). The program plan, devised under the Bush administration, was controversial given the NSA's history and the warrantless wiretapping scandal. Many DHS officials believed the program should not move forward because of "uncertainty about whether private data could be shielded from unauthorized scrutiny." Some believed the program would intrude too far on the privacy of individuals.
Privacy
[Figure: The Privacy Impact Assessment for EINSTEIN version 2 describes the program in detail.]

DHS assumes that Internet users do not expect privacy in the "To" and "From" addresses of their email or in the "IP addresses of the websites they visit" because their service providers use that information for routing. DHS also assumes that people have at least a basic understanding of how computers communicate and know the limits of their privacy rights when they choose to access federal networks. As of April 2013, DHS still had no retention schedule but was working "with the NPPD records manager to develop disposition schedules". An update was issued in May 2016.
2020 federal government data breach
EINSTEIN failed to detect the 2020 United States federal government data breach.