A new Department of Homeland Security-supported information security service that scans private sector networks could expand domestic surveillance, civil liberties groups say, citing documents associated with the activity.
Under the "Enhanced Cybersecurity Services" program, DHS feeds government intelligence about network threats to approved Internet Service Providers so they can immunize corporate subscribers. The program, made available nationwide last June, is voluntary.
Now, DHS has announced a new service under the program that ISPs can offer called "netflow analysis."
A November 2015 privacy impact assessment of the added feature is short on details about what kind of customer information may be shared with the government, and critics have spotted loopholes that, they say, may allow the National Security Agency to spy on Internet users.
Andy Ozment, assistant secretary for DHS cybersecurity and communications, said in a Jan. 26 blog post the new function will allow ISPs "to more effectively identify and analyze malicious activity transiting their customers’ networks."
The participating providers currently include AT&T, CenturyLink, Lockheed Martin and Verizon.
Ozment, in his blog entry, emphasized that none of the Enhanced Cybersecurity Services, “ECS” for short, involve government monitoring of private networks or communications. On Monday, DHS officials reiterated that federal personnel do not watch customer Internet traffic under the program.
In some cases, metadata about communications, such as malicious attachments, and anonymous performance statistics may be passed back to DHS and other agencies for further scrutiny, according to the seven-page privacy assessment.
"Even if we’re told that there are protections and safeguards, the lack of transparency and the intimate ties to agencies and secret surveillance programs feel like major red flags," said Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, a digital privacy group and a fierce critic of NSA surveillance.
That description of information sharing gave Tien pause. "Much evidence indicates that AT&T is a primary partner of the U.S. intelligence community and the law enforcement community. And of course, Verizon was revealed as a participant in the Section 215 phone records programs," he said, referring to when ex-NSA contractor Edward Snowden in 2013 leaked a secret court order requiring a Verizon entity to turn over all customer call logs under that section of the Patriot Act.
In August 2015, The New York Times and ProPublica published documents from Snowden indicating NSA has relied on AT&T, more than any other telecom, to spy on wide swaths of Internet traffic passing through the United States.
The Nuts and Bolts of What’s Shared
The summaries may lead DHS to investigate indicators, such as email metadata, Web addresses or attachments, to write up shareable hallmarks of hacker campaigns, the policy adds.
Also, DHS may provide the metrics to "U.S. government entities with cybersecurity responsibilities" -- a group that includes NSA, the FBI and the National Institute for Standards and Technology, among others -- for the purpose of evaluating the program.
Last week, the Government Accountability Office issued a scathing audit of the government's version of the program, known as EINSTEIN, asserting the $6 billion system does not scan for 94 percent of commonly known vulnerabilities, among other performance problems.
The new netflow service pushes out an additional category of threat insights from the government, primarily concerning malicious IP addresses, according to a DHS official, who spoke on background to provide technical information. The ISPs then cross reference "this information against their customer netflow records in order to identify issues requiring attention or remediation," the official said in an email to Nextgov on Monday. "Netflow analysis is important because it provides an additional avenue, in the form of an extra set" of government-cultivated intelligence to flag potential threats.
The two existing services – email filtering and blocking malicious "domain name system" servers from connecting to subscriber networks – will continue to be offered.
The Enhanced Cybersecurity Services program evolved from a 2011 pilot project strictly for defense contractors that was opened up to 16 critical U.S. sectors in 2013, followed by enterprises of all sizes last June. Companies can sign up with ISPs for any or all of the system's features.
AT&T declined to comment on matters of national security, as a policy, but stressed the firm's commitment to keeping personal data confidential.
"We take our responsibility to protect our customers' privacy seriously," AT&T spokesman Jim Greer said. "We respond to government requests for information pursuant to court orders or other mandatory processes and, in rare cases, on a legal and voluntary basis when a person’s life is in danger and time is of the essence – like in a kidnapping situation."
Verizon declined to comment.
According to DHS, the threat summaries reported back to Homeland Security do not contain so-called personally identifiable information, or PII, and the metrics data is anonymous. The performance statistics do “not identify the company or aspects of their network architecture or the data contained therein,” the official said.
What Does 'No PII' Mean?
The department’s 2013 privacy impact assessment for the program, which remains in effect, states email addresses, domain names, or IP addresses are the types of details that could be considered personal information.
Regardless, “I’m not confident I know what DHS means by 'no PII,'” Lee said.
"When we’re talking about the government, and some very big and smart agencies with lots of computers that may as a result of the latest cybersecurity bill have all sorts of access to this data," he said, referring to the 2015 Cybersecurity Information Sharing Act. "Everyone should be asking, how re-identifiable is this data?"
Jeramie D. Scott, national security counsel for the Electronic Privacy Information Center, said he wants more information about how DHS will make sure the ISPs and Lockheed Martin protect subscriber information.
"There’s probably good value in analyzing the network data flows," but "it is commercial service providers doing the monitoring with the support of the government, thus greater transparency is needed about the exact role of the commercial providers," he said. "The new privacy assessment falls short in providing detailed information about how privacy risks are mitigated when commercial providers [are] doing the monitoring at the behest of the government."
Responding to interest group concerns, Homeland Security officials on Monday reiterated that netflow analysis does not allow DHS or other government agencies to surveil data transiting private networks.
"DHS does not have access to any ECS customer data or traffic," the official said. The anonymous statistics sent back to the government might include, for instance, how many times a particular attempted intrusion was prevented, according to DHS. The data shared "does not identify the company or aspects of their network architecture or the data contained therein," the official said.
The commercial services were designed with numerous privacy and civil liberties protections in mind, the official added.
Civil liberties groups were not heartened by Homeland Security's assurances about the confidentiality of the program.
"The government not having access to any customer data or traffic is a positive, but it's not clear whether" the telecoms involved in this program "properly mitigate the privacy risks," Scott said.
DHS points to the fact that the ISPs are a buffer between the traffic and the government, and that the flows are voluntary, "but that isn't comforting," Lee said. "Many users," because the terms of service contain a lot of fine print, "agree to many data flows that they're not really aware of. And there are valid questions about the covert assistance that companies like Verizon or AT&T provide" the government.