Can It Really Work? Problems with Extending EINSTEIN 3 to Critical Infrastructure

In 2004 the increasing number of attacks on U.S. federal civilian agency computer systems caused the government to begin an active effort to protect federal civilian agencies against cyber intrusions. This classified program, EINSTEIN, sought to do real-time, or near real-time, automatic collection, correlation, and analysis of computer intrusion information as a first step in protecting federal civilian agency computer systems. EINSTEIN grew into a series of programs, EINSTEIN, EINSTEIN 2, and EINSTEIN 3, all based on intrusion-detection and intrusion-prevention systems (IDS and IPS). Then there was public discussion of extending the EINSTEIN system to privately held critical infrastructure.

Extending an EINSTEIN-like program to the private sector raises serious technical and managerial issues. Scale matters, as do the different missions of the private sector and the public one. Expanding EINSTEIN-type technology to critical infrastructure is complicated by the complex legal and regulatory landscapes for such systems. There are simply fundamental differences between communication networks supporting the U.S. federal government and those supporting the private-sector critical infrastructures that create serious difficulties in attempting to extend EINSTEIN-type technologies beyond the federal sector. This paper examines the technology's limitations, pointing out the problems involved in expanding EINSTEIN beyond its original mandate.

Suggested Citation: Suggested Citation

Bellovin, Steven M. and Bradner, Scott O. and Diffie, Whitfield and Landau, Susan and Rexford, Jennifer, Can It Really Work? Problems with Extending EINSTEIN 3 to Critical Infrastructure (May 17, 2011). Available at SSRN: https://ssrn.com/abstract=1844904 or http://dx.doi.org/10.2139/ssrn.1844904