DHS rethinks privacy in cyber analytics
The Department of Homeland Security's Privacy Office offers recommendations for basic privacy best practices for in cybersecurity software that uses analytics to track malicious activity on computer networks.
DHS wants to track cyber threats in real time across network environments using machine algorithms that can detect strange traffic patterns associated with malicious reconnaissance, compromised accounts or data exfiltration.
It also wants to insure the capabilities adhere to privacy rules.
Algorithmic analytics track the behavior of network traffic. 'That differentiates the technique from signature-based programs like Einstein. And, according to DHS, it could improve detection rates and speeds, as well as boost responses to hostile network activity in federal agency and protected networks.
The program was detailed in a Feb. 8 public meeting of the DHS Privacy Office as the agency sought to insure protection of personally identifiable information as analytic tracking technology moves forward at the agency.
Commercial companies have been using algorithmic analytics through front-end authentication, transaction monitoring, risk-scoring queries and other technologies, according to DHS documents.
DHS also has been sizing up other emerging detection technology that industry can leverage.
For instance, in January, it pushed out new detection tools to commercial industry that rely on the agency's technology. Andy Ozment, DHS' assistant secretary for cybersecurity and communications, said the agency had added Netflow Analysis to its Enhanced Cybersecurity Services program, which can allow companies to "more effectively identify and analyze malicious activity transiting their customers' networks."
Through the voluntary ECS program, DHS shares classified or sensitive information on cyberthreats with companies that use the information to block infiltration attempts. Firms have the option of providing DHS with anonymized feedback on what cyber intelligence is effective in thwarting threats.
DHS also has an applied research pilot project called "Logical Response Aperture," which tests automated security analytics and countermeasures.
DHS said in documents distributed at the Feb. 8 meeting that algorithmic analytics programs could be extended to federal systems, and also used for data flowing from major partners like the companies in its voluntary Defense Industrial Base Exploratory Cybersecurity Initiative.
However, such protections also come with privacy issues that need to be sorted out. DHS said privacy guidelines and benchmarks for algorithmic analytics must be addressed at the agency quickly, since a number of private-sector companies are adopting similar models.
In Jan. 2015, DHS chief privacy office asked the DHS Privacy and Integrity Advisory Committee to look at the privacy issues involved with using algorithmic analytics and to provide guidance.
IBM Center for the Business of Government Executive Director Dan Chenok, who chairs DPIAC's Cyber Subcommittee, submitted the committee's findings at the Feb. 8 DHS Privacy Office public meeting.
During the meeting, committee members stressed the data collected by algorithmic analytics was only a "piece of a piece" of netflow traffic -- just the portion that showed anomalous behavior, and not all traffic going in and out. They also noted that the technology did no't track the behavior of people using a network, but rather traffic behavior patterns.
The DPIAC adopted privacy recommendations that include limiting personnel who work with the data generated, developing control for accessing both the logs and underlying data, notifying users of the technology's use, and making the criteria for what is being collected transparent.