Companies that operate critical infrastructures and do not voluntarily allow the federal government to install monitoring software on their networks to detect possible cyberattacks would face the "wild" internet on their own and place us all at risk, a top Pentagon official seemed to say Wednesday.

Defense Deputy Secretary William Lynn III, speaking at the Strategic Command Cyber Symposium in Nebraska, said we need to think imaginatively about how to use the National Security Agency's Einstein monitoring systems on critical private-sector networks – such as those in the financial, utility and communication industries – in order to protect us.

"Operators of critical infrastructure could opt in to a government-sponsored security regime," Lynn said. Otherwise, "individual users who do not want to enroll could stay in the wild wild west of the unprotected internet."

Failure to protect the power grids, transportation system, or financial sector, he said, "could lead to physical damage and economic disruption on a massive scale."

Privacy and civil liberties groups, however, have raised concerns about the Einstein systems with regard to what information they would collect and share with the government and what oversight, if any, would be put in place to ensure that federal privacy and wiretapping laws are not violated.

The Einstein programs are intrusion-detection and response systems developed by the National Security Agency. The government is in the process of deploying Einstein 2 to federal networks to inspect traffic for malicious threats, but there has been talk of deploying it to private-sector networks as well. Intrusion-detection systems are already a standard tool in the defense arsenal of private-sector businesses, and the government has been unclear about how its system surpasses those already available to companies.

Einstein 2 is designed to perform automated full-packet inspection of traffic entering and exiting government networks using signature-based intrusion-detection technology, according to the government's secret cybersecurity plan, part of which was recently declassified. The system has the ability to alert the government's Computer Emergency Readiness Team (US-CERT) in real time if it detects potentially harmful activity.

Einstein 3 is another system in development that aims to go one step further to block cyberattacks in real time. According to the government, Einstein 3 will allow US-CERT to automatically share information about threats with other federal agencies "and, when deemed necessary by DHS, to send alerts that do not contain the content of communications to the National Security Agency (NSA) so that DHS efforts may be supported by NSA exercising its lawfully authorized missions."

In 2008, DHS's Privacy Office published a Privacy Impact Assessment (.pdf) on early versions of Einstein 2, but has not published one on Einstein 3. The assessment left many questions unanswered, such as the extent of the NSA's role in the programs and whether information obtained by the monitoring systems will be shared with law enforcement or other intelligence agencies.
