Founded in 2003 by the United States Computer Emergency Readiness Team (US-CERT), the National Cybersecurity Protection System (NCPS) is a central hub for the analysing potentially malicious cyber activity and if appropriate, formulating a response.
Prior to its founding, federal agencies reported cyber threats directly to the Department of Homeland Security (DHS) on an ad hoc basis – normally once an attack had already happened.
This was inefficient in almost every sense, from the possibility that multiple agencies could be reporting the same thing separately, to the lack of transparency about threats at an inter-agency level, to the fact there was no universal standard or system in place to provide effective network monitoring and defense. NCPS and its operational arm, EINSTEIN, were established to remedy this.
How does NCPS work?
While it’s a multi-agency initiative, the NCPS is administered by the DHS through its Cybersecurity and Infrastructure Security Agency (CISA) division. In the words of the agency, NCPS is “an integrated system-of-systems that delivers a range of capabilities, including intrusion detection, analytics, intrusion prevention, and information sharing capabilities” focused on protecting the civilian Federal Government’s IT infrastructure (as opposed to military IT infrastructure) from cyber threats. There are four mission areas where the NCPS provides key support capabilities to the wider DHS cybersecurity mission. These are:
- Detection
- Analytics
- Information Sharing
- Prevention
Detection is a signature-based grid that passively monitors networks for potential malicious activity. These signatures are derived from various sources including commercial and public IT security information, as well as information from other federal agencies. The National Cybersecurity and Communications Integration Center (NCCIC) provides another important piece of the puzzle, providing signatures based on analysis it has carried out independently and cybersecurity alerts it has generated. All this is delivered through two elements of the EINSTEIN system – E1 and E2 – which is explored in greater detail below.
Analytics provides analysts working at the DHS Office of Cybersecurity and Communications (CS&C) with the ability to compile and analyze information about various cyber threats and trends. This includes the provision of a Security Information and Event Management (SIEM) solution, which helps streamline processes and identify related events that may otherwise have gone unnoticed, as well as offering visualization tools.
Using this information, the CS&C analysts are able to keep the public informed about potential threats that may affect them. As the name would suggest, the NCPS Information Sharing system enables the exchange of information relating to cyber threat and cyber incidents between DHS cybersecurity analysts and their cybersecurity partners.
The aim of Information Sharing is threefold – first to prevent cybersecurity incidents from happening, second to improve cooperation and collaboration so that if and when an incident does occur it can be responded to rapidly and effectively, and third to improve efficiency through greater use of automated information sharing. Finally, the NCPS Intrusion Prevention capabilities – which form part of EINSTEIN 3 Accelerated (E3A) provide active network defence capabilities and can prevent or limit the intrusion of malicious actors into federal networks and systems.
What is the EINSTEIN system?
EINSTEIN is the operational name for NCPS’ capabilities. It consists of three elements, released in phases between 2004 and 2015: EINSTEIN 1 (E1), EINSTEIN 2 (E2) and EINSTEIN 3 Accelerated (E3A). As its name would suggest, EINSTEIN 1 was the first iteration of the EINSTEIN project and at launch was known simply as EINSTEIN. Developed in 2003, it monitors network traffic flowing between federal civilian agencies, allowing the DHS to identify and analyze suspicious activity and determine whether it is malicious. It can also conduct forensic analysis after an event such as infection by malware or a hacking attempt has occurred. During the implementation of EINSTEIN 1, it became apparent that most agencies had many more IP gateways than they had realised, which meant the EINSTEIN system as it stood wasn’t sufficient to protect the network by itself.
This led to the creation of EINSTEIN 2. EINSTEIN 2 is an intrusion detection system that works alongside E1 and looks for specific signatures of known malicious activity, for example, a worm, ransomware or other malware. According to CISA, E1 and E2 screen all traffic that travels between federal civilian agencies’ internal networks and the internet through its Trusted Internet Connection (TIC) gateway. They generate approximately 30,000 alerts about cyber attacks each year, which analysed by DHS security personnel to determine if there is a real threat and what action needs to be taken. EINSTEIN 3 Accelerated is an evolution of a plan to create a system that could identify and block cyber attacks using classified signatures, known as EINSTEIN 3. In 2012, two years after the original E3 was mooted, the DHS decided instead to include major Internet service providers (ISPs), which would provide intrusion prevention systems using commercially available technology, rather than trying to build a bespoke system itself. This is E3A, the third part of the EINSTEIN puzzle.
Future developments
The NCPS and in particular EINSTEIN are constant works in progress. From the addition of E2 and E3A to the E1 framework and the creation of NCPS to bring it all together, it’s evident that as new ways of managing and analysing the flow of data between federal agencies and the public Internet emerge, new layers and systems will be added. Currently, it’s hard to say what these may be, although E3A demonstrates that CISA is open to using commercially available software administered by non-governmental agencies. Therefore, developments in the business and consumer space are likely to influence any “EINSTEIN 4” or other evolution of NCPS in the future.
