Legal Issues Relating To The Testing, USE, and Deployment of An Intrusion-Detection System (Einstein 2.0) To Protect Unclassified Computer Networks In The Executive Branch
| Decision Date | 09 January 2009 |
| Docket Number | 09-1 |
| Citation | 33 Op. O.L.C. 1 |
| Parties | LEGAL ISSUES RELATING TO THE TESTING, USE, AND DEPLOYMENT OF AN INTRUSION-DETECTION SYSTEM (EINSTEIN 2.0) TO PROTECT UNCLASSIFIED COMPUTER NETWORKS IN THE EXECUTIVE BRANCH |
| Court | Opinions of the Office of Legal Counsel of the Department of Justice |
An intrusion-detection system known as EINSTEIN 2.0 used to protect civilian unclassified networks in the Executive Branch against malicious network activity complies with the Fourth Amendment to the Constitution, the Wiretap Act, the Foreign Intelligence Surveillance Act, the Stored Communications Act, and the pen register and trap and trace provisions of chapter 206 of title 18, United States Code provided that certain log-on banners or computer-user agreements are consistently adopted, implemented, and enforced by executive departments and agencies using the system.
MEMORANDUM OPINION FOR THE COUNSEL TO THE PRESIDENTAs part of the Comprehensive National Cybersecurity Initiative, the Department of Homeland Security ("DHS"), in coordination with the Office of Management and Budget, is in the process of establishing an intrusion-detection system known as EINSTEIN 2.0 in order to detect unauthorized network intrusions and data exploitations against the Executive Branch's civilian unclassified computer systems ("Federal Systems").[1] In January 2007, you asked this Office to undertake a legal review of proposed EINSTEIN 2.0 operations; since that time we have provided ongoing informal advice regarding the legality of those operations, which are now underway. This memorandum formalizes the informal advice we have provided regarding whether EINSTEIN 2.0 operations comply with the Fourth Amendment to the Constitution of the United States, title III of the Omnibus Crime Control and Safe Streets Act of 1968, Pub. L. No. 90-351, 82 Stat. 211, 18 U.S.C. § 2510 et seq. (2006), as amended ("the Wiretap Act"), the Foreign Intelligence Surveillance Act, Pub. L. No. 95-511, 92 Stat. 1783, 50 U.S.C.A. § 1801 et seq. (West 2008), as amended ("FISA"), the Stored Communications Act, Pub. L No. 99-508, Tit. II, 100 Stat. 1848 (1986), 18 U.S.C. § 2701 et seq. (2006), as amended ("SCA"), and the pen register and trap and trace provisions of title 18 United States Code, 18 U.S.C. § 3121 et seq. (2006) as amended ("Pen/Trap Act").
We examine these legal issues in the context of an executive department's or agency's use of a model computer log-on banner or a model computer-user agreement developed by lawyers from the Department of Justice ("DOJ") DHS, and other departments and agencies with expertise in cybersecurity issues. We conclude that as long as executive departments and agencies participating in EINSTEIN 2.0 operations consistently adopt, implement, and enforce the model log-on banner or computer-user agreement-or log-on banners or computer-user agreements with terms that are substantially equivalent to those models-the use of EINSTEIN 2.0 technology to detect computer network intrusions and exploitations against Federal Systems complies with the Fourth Amendment, the Wiretap Act, FISA, the SCA, and the Pen/Trap Act. [ 2]
I.
Over the past several years, Federal Systems have been subject to sophisticated and well-coordinated computer network intrusions and exploitations on an unprecedented scale. The Intelligence Community has determined that those malicious network activities pose a grave threat to national security. See also Center for Strategic and International Studies, Securing Cyberspace 11-15 (2008) (discussing national security implications of federal network vulnerabilities). Those malicious network activities occur at the hands of hostile foreign nations (including foreign intelligence services), transnational criminal groups and enterprises, and individual computer hackers. Recent intrusions and exploitations have resulted in the theft of significant amounts of unclassified data from many executive departments and agencies, as well as information regarding the vulnerabilities of Federal Systems. The unclassified networks of the Departments of Defense, State, Homeland Security, and Commerce, among others, have suffered intrusions against their networks and exploitations of their data. Accordingly, the Homeland Security Council has determined that the deployment of a multi-layered network defense system is necessary to protect Federal Systems against these ongoing computer intrusions and exploitations carried out by a broad array of cyber adversaries.
The first layer of this network-defense system is known as EINSTEIN 1.0 and already is in place across segments of several Executive Branch agencies. EINSTEIN 1.0 is a semi-automated process for detecting-albeit after the fact-inappropriate or unauthorized inbound and outbound network traffic between participating departments and agencies and the Internet. The United States Computer Emergency Readiness Team ("US-CERT"), an organizational component of DHS, administers EINSTEIN 1.0.
EINSTEIN 1.0 analyzes only "packet header" information-and not packet "payload" (content) information-for inbound and outbound Internet traffic of participating agencies.[2] The header information collected by EINSTEIN 1.0 technology includes: the source and destination IP addresses for the packet, the size of the data packet, the specific Internet protocol used (for e-mail, the Simple Mail Transfer Protocol and, for use of the World Wide Web, the Hypertext Transport Protocol), and the date and time of transmission of the packet (known as "the date/time stamp"). EINSTEIN 1.0 collects this information only after packets already have been sent or received by a user and, thus, does not provide real-time information regarding network intrusions and exploitations against Federal Systems. US-CERT analysts examine the header information to identify suspicious inbound and outbound Internet traffic, particularly network backdoors and intrusions, network scanning activities, and computer network exploitations using viruses, worms, spyware, bots, Trojan horses, and other "malware." [ 3]
EINSTEIN 1.0 contains several limitations. First, it does not provide real-time reporting regarding intrusions and exploitations against Federal Systems. Second, it does not cover all Federal Systems, and, therefore, does not provide complete awareness regarding malicious network activity directed against those systems. Third, because EINSTEIN 1.0 does not scan packet content, it does not offer complete intrusion and exploitation detection functionality.
We understand that many executive departments and agencies supplement EINSTEIN 1.0 with their own intrusion-detection systems, which are designed to identify network intrusions and exploitations conducted against their own computer systems. In addition, individual departments and agencies also operate their own network filters to block certain unauthorized content, such as Internet pornography and file-sharing activities, among others. We understand, however, that there is little or no coordination or communication among Executive Branch entities conducting these individualized network defense activities. Accordingly, multiple departments facing the same intrusion or exploitation might have no idea that they are all facing a coordinated malicious network operation. Nor would departments or agencies that have not yet been subject to the intrusion or exploitation have advanced warning of the activity, such that they could upgrade their defenses. Hence, the lack of cybersecurity collaboration within the Executive Branch leads to inefficient network defensive measures that contribute to the ongoing vulnerability of Federal Systems.
To rectify this situation, DHS, in conjunction with OMB, is deploying throughout the Executive Branch an intrusion-detection system known as EINSTEIN 2.0 to provide greater coordination and situational awareness regarding malicious network activities directed against Federal Systems. EINSTEIN 2.0 is a robust system that is expected to overcome the technical limitations of EINSTEIN 1.0. EINSTEIN 2.0 technology is comprised of computers ("sensors") configured with commercial "off-the-shelf intrusion-detection software as well as government-developed software. That technology will be located at certain Internet access points known as Trusted Internet Connections ("TICs"), which connect Federal Systems to the Internet.
EINSTEIN 2.0 intrusion-detection sensors will observe in near-real time the packet header and packet content of all incoming and outgoing Internet traffic of Federal Systems ("Federal Systems Internet Traffic") for the "signatures" of malicious computer code used to gain access to or to exploit Federal Systems.[3] See generally NIST Special Publication No. 800-94 (2007) (discussing signature-based detection techniques). Because Internet traffic is IP-address based, we understand that only Federal Systems Internet Traffic destined to or sent from an IP address associated with an executive department or agency participating in EINSTEIN 2.0 ("EINSTEIN 2.0 Participant") would be scanned by EINSTEIN 2.0 technology. Thus, EINSTEIN 2.0 technology will scan only the Federal Systems Internet Traffic for EINSTEIN 2.0 Participants that connect to the Internet at TICs.
DHS has the responsibility for determining which signatures to program into the EINSTEIN 2.0 sensors, pursuant to procedures developed by DHS. Signatures may be derived [ 4] from several sources, including commercial computer security services, publicly available computer security information privately...
To continue reading
Request your trial