Should The Government Monitor Private Networks?

The Department of Homeland Security’s and the National Security Agency is considering the extension of its Einstein technology, which is designed to detect and prevent electronic attacks on federal networks. It’s is understandable for the government to monitor its own systems for malicious code and intrusions, but It’s quite another for the government to monitor private networks for those intrusions. Einstein grew out of a still-classified executive order, called National Security Presidential Directive 54 that President Bush signed in 2008.

As of today, not much is known about how Einstein works, and the House Intelligence Committee once charged that descriptions were overly “vague” because of “excessive classification.” The White House did confirm this week that the latest version, called Einstein 3, involves attempting to prevent in-progress cyber attacks by sharing information with the National Security Agency.

Expanding Einstein 3 to the private sector would amount to a partial outsourcing of security, and federal involvement in privately operated networks may spark privacy or surveillance concerns. This is a positive for people without the security know-how to fend off cyber attacks. Past reports have said that Einstein 3 has the ability to read the content of emails and other private messages, and that AT&T was asked to test the system.

At the RSA Conference, Homeland Security Secretary Janet Napolitano stressed the need for more cooperation between the government and the private sector on cyber security, saying that “we need to have a system that works together.” On February 26, during a House appropriations hearing, Napolitano refused to discuss Einstein 3 unless the hearing were closed to the public. “I don’t want to comment publicly on Einstein 3, per se, here in an unclassified setting,” she said. “What I would suggest, perhaps, is a classified briefing for members of the subcommittee who are interested.”

Some privacy concerns about Einstein have popped up before. An American Bar Association panel said this about Einstein 3 in a September 2009 report: “Because government communications are commingled with the private communications of non-governmental actors who use the same system, great caution will be necessary to insure that privacy and civil liberties concerns are adequately considered.”

Einstein has been likened to a new “Manhattan Project,” and the Washington Post reported that the accompanying cyber security initiative represented the “single largest request for funds” in last year’s classified intelligence budget. The Electronic Privacy Information Center has filed a lawsuit (PDF) to obtain the text of the order.

Homeland Security has published (PDF) a privacy impact assessment for a less capable system called Einstein 2–which aimed to do intrusion detection and not prevention, but has not done so for Einstein 3.
The department did, however, prepare a general set of guidelines (PDF) for privacy and civil liberties in June 2009. In addition, the Bush Justice Department wrote a memo (PDF) saying Einstein 2 “complies with” the U.S. Constitution and federal wiretap laws.

That justification for Einstein 2 “turned on the consent of employees in the government that are being communicated with, and on the notion that a person who communicates with the government can’t then complain that the government read the communication.

Should Einstein be extended to the private sector?

Check the pdfs at:, for:
1. Homeland Security’s published document about the privacy impact assessment Einstein 2.
2. Electronic Privacy Information Center’s Lawsuit.
3. General set of guidelines prepared by Homeland Security, for privacy and civil liberties.
4. Memo of the Bush Justice Department about Einstein 2.

Leave a Comment