After a series of stinging government hacks, the Department of Homeland Security said scans of incoming Internet traffic from the public would be amped up. It has been unclear how this monitoring might affect the privacy of citizens and employees.
Now, a little-noticed National Archives and Records Administration assessment offers some insight: Any surveillance data collected that does not trigger alarms will be erased pronto, according to a pending records disposal plan.
DHS’ National Cybersecurity Protection System, better known as EINSTEIN, collects streams of traffic containing, among other things, emails and Web-surfing habits, to flag patterns indicative of known malicious attacks.
On June 9, NARA tentatively green-lighted a DHS request to "destroy or delete immediately" information "inadvertently collected or captured by any or all NCPS capabilities that are determined not to be related to known or suspected cyberthreats or vulnerabilities."
Such data typically includes anything from authorized online banking sessions to, some federal employees suspect, porn-site visits.
"It’s likely they are bulk-collecting data and to avoid any accusations of monitoring things they aren't chartered to monitor, they must purge the data," said Jason Lewis, chief collections and intelligence officer at LookingGlass Cyber Solutions. EINSTEIN "casts a wide collection net, so they have to delete information they didn't intend to capture."
Last year, Archives gave DHS permission to trash data after three years, if the information had no research value. A DHS official told Nextgov the newly released plan was part of that original records disposal schedule, but NARA "inadvertently missed the inclusion of this file plan in its approval" at that time.
Deeper network surveillance was in the works even before the Office of Personnel Management hacks laid bare intimate details on federal employees, contractors and their families. The latest iteration of EINSTEIN, E3A, is expected to roll out governmentwide by the end of 2015, according to the White House.
"The department works to ensure that privacy, confidentiality, civil rights and civil liberties are not diminished by our security initiatives," the Homeland Security official said. "DHS only retains data that is related to known or suspected cybersecurity threats. DHS has no business need for any other data that may be inadvertently captured by National Cybersecurity Protection System capabilities, such as EINSTEIN, and is proposing to destroy them immediately."
For instance, social media interactions that turn up when EINSTEIN harvests data probably do not need to be retained, Lewis said.
"If someone accesses Facebook to do an update, that might be benign traffic, but if someone accesses Facebook and a piece of malware tries to infect the computer, that is something they would probably alert on," he said.
Data destruction is a way of freeing up storage that has the added benefit of enhancing privacy, some security analysts said.
"This is an engineering decision, not a policy decision. Storing data takes time, effort and resources," said Ron Gula, chief executive officer of Tenable Network Security. "Stored data also presents an attractive target for rival nation states and cyber criminals and can be stolen."
He pointed to OPM, where hackers poached a database that had stockpiled 1.1 million fingerprints from personnel screened to handle classified information.
"Limiting data retention to a specific timeframe makes the engineering easier and makes it easier for the agency to keep inadvertently collected" personal and other sensitive information secure, Gula said.
Privacy experts praised the move to wipe collected data that is unrelated to threats.
"To the extent this information includes personally identifiable information that DHS does not need for cybersecurity reasons, disposing of it immediately is a good practice," said Gregory Nojeim, senior counsel with the Center for Democracy and Technology. "It builds confidence that the EINSTEIN program is about cybersecurity and not about surveillance for other reasons."
But other security experts warned that getting rid of any network data during an ongoing probe into what happened at OPM could obliterate clues.
When OPM detected suspicious behavior with its own sensors, DHS retroactively fed intelligence about the threat into EINSTEIN to determine the extent of the attack.
"Given the recent OPM breach, discarding such data during an ongoing forensic investigation seems unwise, even if there are sound technical and cost reasons, if for no other reason than potentially negative public perception surrounding accountability and control," said Ivan Shefrin, a vice president at cyber startup TaaSera.