Friday, November 14, 2008

DHS Conversation Follow-up: Summary of Einstein and TIC

I’ve received a series of follow-up emails, phone calls and texts asking about “Einstein” and the Trusted Internet Connection (TIC) program.

These inquiries were initiated by people reviewing a quick blog/twitter discussion between myself and Martin Mckeay. BTW, if you haven’t read his follow-up posts about the conversation with Secretary Chertoff, you should take the time (he provides an audio recording of the conversation and links to the summaries provided by the other attendees as well).

Ok, back to the subject… (Note: even though I have more background on both programs than most people do, all of the information presented in this post is based on publicly available information.)

DHS Under Secretary Robert Jamison (DHS National Protection and Programs Directorate) referenced the Einstein 2 program in his blog while defending the significant improvements that DHS has made over the past few years. DHS published a “Privacy Impact Assessment” for Einstein 2 back in May of 2008.

I think if you read through the privacy impact assessment you’ll gain a sufficient understanding of the program. Einstein basically captures and stores flow data (session data: who talked to whom, on which ports, when, and how much). Einstein 2 adds basic IDS alerting on top of that and some limited packet capture, which is what lets an analyst see payload for the traffic that actually fires an alert rather than for everything.
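To make the distinction between flow data and the Einstein 2 additions concrete, here is an added example (my own toy code, not anything from the Einstein program or the PIA): a NetFlow-style flow collector, a flow-only analytic that works without any payload, a basic signature check that needs payload, and a “limited capture” that keeps truncated payload only for sessions the signature flagged. The packets are constructed sample data and the one signature is illustrative.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet header (plus optional payload) used as sample input."""
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    length: int
    payload: bytes = b""


@dataclass
class Flow:
    """Unidirectional flow record: timestamps and counters only, no payload."""
    first_seen: float
    last_seen: float
    packets: int = 0
    octets: int = 0


def build_flows(packets):
    """Aggregate packets into flow records keyed on the 5-tuple (NetFlow-style)."""
    flows = {}
    for p in packets:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        f = flows.get(key)
        if f is None:
            f = flows[key] = Flow(p.ts, p.ts)
        f.first_seen = min(f.first_seen, p.ts)
        f.last_seen = max(f.last_seen, p.ts)
        f.packets += 1
        f.octets += p.length
    return flows


def port_scanners(flows, min_ports=4):
    """Flow-only analytic: sources hitting many distinct ports on one host.

    Needs nothing but session data, which is why collecting flows at every
    gateway already buys visibility before any deep inspection is deployed.
    Returns sorted (src, dst, distinct_port_count) tuples.
    """
    ports = defaultdict(set)
    for (src, _sport, dst, dport, _proto) in flows:
        ports[(src, dst)].add(dport)
    return sorted((src, dst, len(ps)) for (src, dst), ps in ports.items()
                  if len(ps) >= min_ports)


def signature_hits(packets, signatures):
    """Basic signature IDS: needs payload, which flow records never carry.

    Returns (ts, src, dst, signature_name) for every packet that matches.
    """
    hits = []
    for p in packets:
        for name, needle in signatures.items():
            if needle in p.payload:
                hits.append((p.ts, p.src, p.dst, name))
    return hits


def capture_for_hits(packets, hits, max_bytes=64):
    """'Limited packet capture': keep truncated payload for both directions
    of the host pairs that triggered a signature, not full-take of everything."""
    flagged = set()
    for _ts, src, dst, _name in hits:
        flagged |= {(src, dst), (dst, src)}
    return [(p.ts, p.src, p.dst, p.payload[:max_bytes])
            for p in packets if (p.src, p.dst) in flagged]


# Constructed sample traffic: one host probing four ports on a remote system,
# and one web session carrying a traversal attempt among normal requests.
SAMPLE = [
    Packet(0.0, "10.1.1.5", 40001, "203.0.113.9", 22, "tcp", 60),
    Packet(0.1, "10.1.1.5", 40002, "203.0.113.9", 23, "tcp", 60),
    Packet(0.2, "10.1.1.5", 40003, "203.0.113.9", 80, "tcp", 60),
    Packet(0.3, "10.1.1.5", 40004, "203.0.113.9", 443, "tcp", 60),
    Packet(1.0, "10.1.1.7", 50000, "198.51.100.2", 80, "tcp", 300,
           b"GET /cgi-bin/../../etc/passwd HTTP/1.0\r\n"),
    Packet(1.1, "10.1.1.7", 50000, "198.51.100.2", 80, "tcp", 200,
           b"GET /index.html HTTP/1.0\r\n"),
    Packet(1.2, "198.51.100.2", 80, "10.1.1.7", 50000, "tcp", 1500,
           b"HTTP/1.0 200 OK\r\n"),
]
SIGNATURES = {"dir-traversal": b"../../"}  # illustrative signature, not a real ruleset

if __name__ == "__main__":
    flows = build_flows(SAMPLE)
    print(len(flows), "flow records")
    print("port scanners:", port_scanners(flows))
    hits = signature_hits(SAMPLE, SIGNATURES)
    print("IDS hits:", hits)
    print("captured packets:", capture_for_hits(SAMPLE, hits))
```

The point of the split is that `port_scanners` runs against flow records alone, while `signature_hits` cannot run at all without payload; `capture_for_hits` is the compromise a flow-first program makes when it adds “limited packet capture”: store bytes only for the sessions an alert has already singled out.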

The technology itself isn’t the key factor in the program (after all, IDS has lived, died, been resurrected and ascended many times over the years). What adds the necessary “teeth” is the use of the technology across the whole government, in conjunction with the Trusted Internet Connection (TIC) program and the significant growth of US-CERT, to provide a better analytical capability.

TIC - My previous blog article has the references you need to learn more about TIC. The short summary is that TIC is part of the White House/OMB program to consolidate Internet gateways across the Government: reducing the number of access points, providing more centralized access, lowering costs and, most importantly to me, increasing visibility. Deploying Einstein is one of the many technical requirements a TIC Access Provider (TICAP) must implement in order to be a certified TICAP. The other technical requirements can be found in the TIC Capability Matrix (an Excel document).

DHS said they were going to look closely at DoD and model their capabilities after it (awesome). DISA’s FY09 O&M budget estimates provide some good insight into DoD’s methodology. Obviously DoD has a different motivation (offensive as well as defensive) for information security, but the foundation is there.

I’m not going to start tying the Federal Desktop Core Configuration (FDCC) and other related programs into this, other than to say that the government is trying to take a more holistic approach to its defensive posture. Given the state of much of the government’s security posture (have you read the recent GAO audits?) there is still a long way to go. Recently, it seems that both the funding and the congressional support are there to make these programs move forward in a manner that finally goes beyond unfunded and ill-defined mandates. Any way you look at it, cyber security over the next few years in the government space should be a fun ride.

Now with that information out there, I’m off to try and comprehend President-Elect Obama’s cybersecurity stance (or at least as much of it as is published) so I can try and understand what the next steps are for cyber security across the government. Who knows - maybe he’ll read his twitter account and ask a few of us to ask questions and provide our opinions!
