DHS (Department of Homeland Security) plans to partner with a commercial Internet Service Provider and another government agency to pilot technology developed by the National Security Agency to automate the process of detecting cyber intrusions into civilian agencies’ systems, making it possible to thwart the attacks before damage is done.

Jane Lute, the department’s deputy secretary, told an audience at the Black Hat security conference that she wants “to create a safe, secure, resilient place where we can thrive…The goal here is not control. It’s confidence.”

Last month, DHS Secretary Janet Napolitano told an audience in Washington, D.C., that “We need the legal tools to do things like monitor the recruitment of terrorists via the Internet,” without going into details about who would be considered a “terrorist” and how that surveillance would take place.

The United States Computer Emergency Readiness Team (US-CERT), formed in 2003, serves as a channel of communication between the public and private sectors in order to protect U.S. cyberspace. In particular, US-CERT should share real-time information from its intrusion detection system with federal partners to help them analyze and defend against threats. The DHS National Protection and Programs Directorate (NPPD) generally agreed with the Inspector General’s recommendations to improve US-CERT’s performance, but did not agree with the specific recommendation to share real-time information.


EINSTEIN, the name of that intrusion detection system (IDS), monitors and analyzes Internet traffic as it moves in and out of United States federal government networks. It filters packets at the gateway and reports anomalies to US-CERT at DHS.

A later version of EINSTEIN provides the federal government with a cohesive view of Internet threats and a centralized point of authority for dealing with potential threats.

Lute referred to these controversies only in passing, saying “we’re deploying Einstein 2 throughout the dot-gov.”
But it’s Einstein 3 that has attracted the most interest. Few details are known, and the House Intelligence Committee once charged (PDF) that public descriptions were overly “vague” because of “excessive classification.” The White House has confirmed that Einstein 3 involves attempting to thwart in-progress cyber attacks by sharing information with the National Security Agency, and some reports have suggested it can read the content of e-mails and other messages.

EINSTEIN 3, the successor to the two earlier versions, is now being tested in a pilot program. It automatically detects and responds to cyber threats “before harm is done.” EINSTEIN 3 uses supplemental signatures developed by the National Security Agency (NSA) and performs real-time deep packet inspection (DPI). In addition to notifying US-CERT when a network intrusion is attempted, EINSTEIN 3 will also alert the agencies themselves.

Public View:

Lute asked the thousands of security researchers, programmers, marketers, and other professionals in town for Black Hat to work with the federal government. “We’ve identified the cyber mission as essential…We’re committed to doing whatever we can to harness the ideas, energy of this group.”

The public view of the Internet needs to shift from Wild West metaphors to a more secure space, she said. “Will there be rules?” Lute said, then added: “There will be rules! There will be rules.”

During a brief question period at the end, not all the audience members seemed enthusiastic about Lute’s view of the helpfulness of Homeland Security.