How Einstein changes the way government does business

The Department of Commerce is revising its confidentiality agreement for statistical data survey respondents to reflect the fact that the Department of Homeland Security could see some of that data if it is captured by the Einstein system.

The Department of Commerce has long granted confidentiality to people who submit sensitive survey data about international investments or foreign transactions. But Commerce is now revising its confidentiality agreements because of Einstein.

Einstein, the Department of Homeland Security's system for detecting and blocking cyber threats to federal civilian networks, inspects network traffic entering and leaving agencies such as the Commerce Department. As a result, it could capture a survey email sent to Commerce's Bureau of Economic Analysis (BEA) if that email contains malware or matches other threat indicators.

"Because it is possible that such packets entering or leaving BEA's information system may contain a small portion of confidential statistical data, it can no longer promise its respondents that their responses will be seen only by BEA personnel or its sworn agents," states the Federal Register announcement that Commerce is revising its confidentiality language.

"However, BEA can promise, in accordance with provisions of the Federal Cybersecurity Enhancement Act of 2015, that such information can be used only to protect information and information systems from cybersecurity risks," the announcement states.

Commerce and DHS signed a memorandum of agreement that allows DHS to deploy the latest version of Einstein -- known as "3A" -- across the department, in exchange for assurances that DHS will respect the confidentiality of any data it captures.

A Commerce spokesperson told FCW that the language change reflects the agency's commitment to transparency, and that it believes that Einstein 3A increases the security of data submitted by survey respondents.

Former federal CIO Tony Scott told FCW that confidentiality and the protection of privacy were hotly debated in the Obama administration as DHS expanded the reach of Einstein.

"We had agencies saying that 'we shouldn't have Einstein because if there is malware in there, somebody at DHS is going to see the email and it violates our agreements with these people and it violates our confidentiality clause,'" Scott said.

"The other side of the coin is, 'Hey you need an Einstein because there's a strong likelihood that somebody's email is going to have malware in it and the risk is you're now going to expose everybody's data' -- the very thing that you're trying to protect you just poured gas on the fire by not having Einstein in place," he added.

Scott said that initially agencies such as Commerce and the Department of Labor wanted DHS to adopt the exact same language that they used internally to protect the confidentiality of data.

"The whole system would shut down pretty quickly…if it was viewed or perceived that confidentiality was completely out the window and lost [the statistical agencies would] get different and less reliable information coming in from these sources," he said.

"In the end what we ended up with was each of the agencies that have these statistical agencies within them signing an agreement with DHS to do Einstein and to lay out the processes and procedures by which the DHS agent, if they ran across malware, would act," said Scott.

Scott said he is not aware of a case where DHS and statistical agencies were not able to come to terms on confidentiality and the deployment of Einstein, and that ultimately DHS has strong internal protocols to protect data that is captured by the scans.

One former DHS official told FCW that the Einstein system is designed to scrub captured emails of personal information, since the only thing of interest is the threat indicator, so there is little risk of DHS personnel seeing the content of confidential surveys.
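The property the former official describes, keeping the indicator hit while discarding the message content, can be illustrated with a small data-minimising filter. The following is an added example written for this page, not code from the Einstein system, DHS or Commerce; the indicator set, the sender domains, the attachment bytes and the survey text are all constructed, and the record format and the helper names (`build_message`, `minimise_capture`, `record_leaks_content`) are hypothetical. It assumes the sensor sees the raw email and a list of indicators, and it shows two outcomes: a message that matches an indicator yields a record with domains and hashes only, and a message that matches nothing yields no record at all.

```python
"""Data-minimising capture filter (hypothetical illustration, not Einstein's code)."""
import hashlib
import json
from typing import Optional
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from email.utils import parseaddr

# Constructed indicator set (not real IOCs): one bad sender domain and the
# SHA-256 of one known-bad attachment payload.
BAD_PAYLOAD = b"constructed-malicious-attachment-bytes"
BAD_SENDER_DOMAINS = {"mail.example-bad.test"}
BAD_ATTACHMENT_SHA256 = {hashlib.sha256(BAD_PAYLOAD).hexdigest()}

# Constructed confidential survey content that must never reach the record.
SECRET_BODY = ("Q3 foreign direct investment total: $4,200,000.\n"
               "Contact: Jane Doe, 555-0100.")


def build_message(sender: str, attachment: Optional[bytes]) -> str:
    """Build a survey-response email as it might cross the agency boundary."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "survey@agency.example.gov"
    msg["Subject"] = "Survey response"
    msg.set_content(SECRET_BODY)
    if attachment is not None:
        msg.add_attachment(attachment, maintype="application",
                           subtype="octet-stream", filename="report.bin")
    return msg.as_string()


def minimise_capture(raw: str) -> Optional[dict]:
    """Return a retained record only when an indicator matches, never the body.

    A message with no indicator hit returns None: nothing is kept at all.
    """
    msg = message_from_string(raw, policy=default)
    sender_domain = parseaddr(msg["From"] or "")[1].rpartition("@")[2].lower()
    recipient_domain = parseaddr(msg["To"] or "")[1].rpartition("@")[2].lower()

    matches = []
    if sender_domain in BAD_SENDER_DOMAINS:
        matches.append({"indicator": "sender_domain", "value": sender_domain})
    for part in msg.walk():
        # Text parts carry the respondent's answers; they are never copied
        # into the record. Only binary attachments are hashed for matching.
        if part.get_content_maintype() in ("multipart", "text"):
            continue
        digest = hashlib.sha256(part.get_payload(decode=True)).hexdigest()
        if digest in BAD_ATTACHMENT_SHA256:
            matches.append({"indicator": "attachment_sha256", "value": digest,
                            "filename": part.get_filename()})
    if not matches:
        return None
    return {
        # Pseudonymous reference so analysts can correlate a hit without the
        # sensor storing addresses, subject lines or content.
        "capture_ref": hashlib.sha256(raw.encode()).hexdigest()[:16],
        "sender_domain": sender_domain,      # domain only, not the address
        "recipient_domain": recipient_domain,
        "matches": matches,
    }


def record_leaks_content(record: Optional[dict], secret: str) -> bool:
    """True if any line of the confidential text survives in the record."""
    if record is None:
        return False
    serialised = json.dumps(record)
    return any(line.strip() and line.strip() in serialised
               for line in secret.splitlines())


if __name__ == "__main__":
    hit = minimise_capture(build_message("r@mail.example-bad.test", BAD_PAYLOAD))
    print(json.dumps(hit, indent=2))
    print("leaks survey content:", record_leaks_content(hit, SECRET_BODY))
    clean = minimise_capture(build_message("r@respondent.example.org", b"benign"))
    print("record for clean message:", clean)
```

The design point is that the decision to retain anything is made on the indicator match, and the retained record is built from hashes and domains rather than from the parsed message, so the survey answers have no path into storage even when the message does trip an indicator.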

Stakeholders and the public have until April 17 to comment on the proposed changes to the Department of Commerce's confidentiality agreement.