DHS Cyber Program Repels Threats in Real Time

Maksim Kabakou/Shutterstock.com

CenturyLink becomes the first company to go live with intrusion prevention -- the third phase of the "Einstein" scanning program.

CenturyLink has begun automatically blocking malicious operations on federal networks, under a controversial Department of Homeland Security program that monitors Internet traffic governmentwide. 

The progress comes after delays due to contract negotiations. DHS in 2013 tapped five telecommunications companies to computerize threat deflection, including major players AT&T and Verizon. 

CenturyLink becomes the first company to go live with intrusion prevention -- the third phase of the "Einstein" scanning program. The company, as of Monday, is delivering services to nine civilian agencies, representing about a quarter of federal users, DHS and CenturyLink tell Nextgov.

The company has "the first fully operational" system that is "actively providing cybersecurity services to federal civilian agencies' end-users," CenturyLink officials said in a statement.

The project is ahead of schedule, DHS officials said. Einstein 3 Accelerated, or E3A, was slated for completion in 2018 but now is projected to reach full operating capability as early as 2015. DHS has inked memorandums of agreement with 42 other agencies. 

DHS would not name the agencies or comment on negotiations with other Internet service providers. AT&T and Verizon declined to address the program, saying they do not comment on customer matters.

The whole Einstein project, as of Aug. 31, was expected to cost nearly $3 billion, according to federal spending databases.

The contract issues complicating rollout included the "general readiness of the ISPs to meet the functional, security, and operational requirements of E3A," a March DHS inspector general report determined. 

Einstein 3 is designed to quarantine emails and block malicious Web domains that "spoof" legitimate sites, according to CenturyLink. The service defends the perimeter of federal civilian networks. It senses aberrant activity using threat "signatures," or tell-tale signs of a hacker derived from U.S. intelligence and private research. These indicators can include certain email headers or IP addresses, according to a DHS privacy assessment of Einstein. 

Under a one-year task order, CenturyLink is adding the blocking features to agencies' existing Einstein services. Einstein 1 analyzes traffic flows; Einstein 2 alerts security professionals to suspected threats using intrusion detection technology.

DHS ultimately expects to deploy phase 3 across all federal agencies. 

The new system consists of commercial technologies and government-developed software. A "sinkholing" application prevents malware on dot-gov networks from copying data to rogue Internet domains by redirecting users to safe servers, according to DHS.

The email filtering tool scans messages destined for dot-gov networks for dubious attachments and links, before delivering them. Infected messages are either quarantined or redirected to DHS cyber analysts for further scrutiny. 

Homeland Security has plans to discard all Einstein records at least three years old, as earlier reported. DHS officials have decided the records have no research significance. But some security analysts say DHS would be disposing of a wealth of historical threat data. And privacy experts say destroying the records could eliminate evidence that the governmentwide surveillance system does not yield results.
