DHS-Supported Scans of Private Networks Prompt Suspicions of Domestic Surveillance

A reflection of the Department of Homeland Security logo in the eyeglasses of a cybersecurity analyst.

A reflection of the Department of Homeland Security logo in the eyeglasses of a cybersecurity analyst. Mark J. Terrill/AP File Photo

Featured eBooks
The IT Modernization Mission
Read Now

Ransomware Threat

Read Now

What's Next For Government Cloud

Read Now

Federal Agencies Exploring Computing at the Edge

Read Now
Aliya Sternstein By Aliya Sternstein,
Senior Correspondent

By Aliya Sternstein

|

Under the "Enhanced Cybersecurity Services" program, DHS feeds government intelligence about network threats to approved Internet Service Providers so they can immunize corporate subscribers.

A new Department of Homeland Security-supported information security service that scans private sector networks could expand domestic surveillance, civil liberties groups say, citing documents associated with the activity. 

Under the "Enhanced Cybersecurity Services" program, DHS feeds government intelligence about network threats to approved Internet Service Providers so they can immunize corporate subscribers. The program, made available nationwide last June, is voluntary.  

Now, DHS has announced a new service under the program that ISPs can offer called "netflow analysis."

A November 2015 privacy impact assessment of the added feature is short on details about what kind of customer information may be shared with the government, and critics have spotted loopholes that, they say, may allow the National Security Agency to spy on Internet users.

Andy Ozment, assistant secretary for DHS cybersecurity and communications, said in a Jan. 26 blog post the new function will allow ISPs "to more effectively identify and analyze malicious activity transiting their customers’ networks.”

The participating providers currently include AT&T, CenturyLink, Lockheed Martin and Verizon.

Ozment, in his blog entry, emphasized that none of the Enhanced Cybersecurity Services, “ECS” for short, involve government monitoring of private networks or communications. On Monday, DHS officials reiterated that federal personnel do not watch customer Internet traffic under the program. 

In some cases, metadata about communications, such as malicious attachments, and anonymous performance statistics may be passed back to DHS and other agencies for further scrutiny, according to the seven-page privacy assessment.  

"Even if we’re told that there are protections and safeguards, the lack of transparency and the intimate ties to agencies and secret surveillance programs feel like major red flags," said Lee Tien, a senior staff attorney at the Electronic Frontier Foundation, a digital privacy group and a fierce critic of NSA surveillance.

The privacy policy states there may be "limited voluntary reporting back to DHS" and other agencies involved in cybersecurity, such as NSA, with the permission of the ISP and the customer paying for the service.

That description of information sharing gave Tien pause. "Much evidence indicates that AT&T is a primary partner of the U.S. intelligence community and the law enforcement community. And of course, Verizon was revealed as a participant in the Section 215 phone records programs,” he said, referring to when ex-NSA contractor Edward Snowden in 2013 leaked a secret court order requiring a Verizon entity to turn over all customer call logs under that section of the Patriot Act.  

In August 2015, The New York Times and ProPublica published documents from Snowden indicating NSA has relied on AT&T, more than any other telecom, to spy on wide swaths of Internet traffic passing through the United States.

The Nuts and Bolts of What’s Shared

Per the DHS privacy policy, data shared may include "summary information" about the fact that a potential threat was detected, as well as "anonymized and aggregated cybersecurity metrics information" to gauge the effectiveness of the service.

The summaries may lead DHS to investigate indicators, such as email metadata, Web addresses or attachments, to write up shareable hallmarks of hacker campaigns, the policy adds.

Also, DHS may provide the metrics to "U.S. government entities with cybersecurity responsibilities" -- a group that includes NSA, the FBI and the National Institute for Standards and Technology, among others -- for the purpose of evaluating the program.

Last week, the Government Accountability Office issued a scathing audit of the government's version of the program, known as EINSTEIN, asserting the $6 billion system does not scan for 94 percent of commonly known vulnerabilities, among other performance problems.

The new netflow service pushes out an additional category of threat insights from the government, primarily concerning malicious IP addresses, according to a DHS official, who spoke on background to provide technical information. The ISPs then cross reference "this information against their customer netflow records in order to identify issues requiring attention or remediation," the official said in an email to Nextgov on Monday. "Netflow analysis is important because it provides an additional avenue, in the form of an extra set" of government-cultivated intelligence to flag potential threats.

The two existing services – email filtering and blocking malicious "domain name system" servers from connecting to subscriber networks – will continue to be offered.

The Enhanced Cybersecurity Services program evolved from a 2011 pilot project strictly for defense contractors that was opened up to 16 critical U.S. sectors in 2013, followed by enterprises of all sizes last June. Companies can sign up with ISPs for any or all of the system's features.

AT&T declined to comment on matters of national security, as a policy, but stressed the firm's commitment to keeping personal data confidential.

"We take our responsibility to protect our customers' privacy seriously," AT&T spokesman Jim Greer said. "We respond to government requests for information pursuant to court orders or other mandatory processes and, in rare cases, on a legal and voluntary basis when a person’s life is in danger and time is of the essence – like in a kidnapping situation." 

Verizon declined to comment.

According to DHS, the threat summaries reported back to Homeland Security do not contain so-called personally identifiable information, or PII, and the metrics data is anonymous. The performance statistics do “not identify the company or aspects of their network architecture or the data contained therein,” the official said.

What Does 'No PII' Mean?

The department’s 2013 privacy impact assessment for the program, which remains in effect, states email addresses, domain names, or IP addresses are the types of details that could be considered personal information.

Regardless, “I’m not confident I know what DHS means by 'no PII,'" Lee said.

"When we’re talking about the government, and some very big and smart agencies with lots of computers that may as a result of the latest cybersecurity bill have all sorts of access to this data," he said, referring to the 2015 Cybersecurity Information Sharing Act. "Everyone should be asking, how re-identifiable is this data?"

Jeramie D. Scott, national security counsel for the Electronic Privacy Information Center, said he wants more information about how DHS will make sure the ISPs and Lockheed Martin protect subscriber information.

"There’s probably good value in analyzing the network data flows," but "it is commercial service providers doing the monitoring with the support of the government, thus greater transparency is needed about the exact role of the commercial providers," he said. "The new privacy assessment falls short in providing detailed information about how privacy risks are mitigated when commercial providers [are] doing the monitoring at the behest of the government."

Responding to interest group concerns, Homeland Security officials on Monday reiterated that netflow analysis does not allow DHS or other government agencies to surveil data transiting private networks.

"DHS does not have access to any ECS customer data or traffic," the official said. The anonymous statistics sent back to the government might include, for instance, how many times a particular attempted intrusion was prevented, according to DHS. The data shared "does not identify the company or aspects of their network architecture or the data contained therein," the official said.

The commercial services were designed with numerous privacy and civil liberties protections in mind, the official added.

Civil liberties groups were not heartened by Homeland Security's assurances about the confidentiality of the program.

"The government not having access to any customer data or traffic is a positive, but it's not clear whether" the telecoms involved in this program "properly mitigate the privacy risks," Scott said.

DHS points to the fact that the ISPs are a buffer between the traffic and the government, and that the flows are voluntary, "but that isn't comforting," Lee said. "Many users," because the terms of service contain a lot of fine print, "agree to many data flows that they're not really aware of. And there are valid questions about the covert assistance that companies like Verizon or AT&T provide" the government.

NEXT STORY: Hackers Social Engineer Amazon Worker, Bug Wendy’s Payment System and Defraud Boeing Supplier

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.