What is the National Cybersecurity Protection System (NCPS)?

Find out how the US Government is using centralised systems to fight cyber threats.

Founded in 2003 by the United States Computer Emergency Readiness Team (US-CERT), the National Cybersecurity Protection System (NCPS) is a central hub for analysing potentially malicious cyber activity and, if appropriate, formulating a response.

Prior to its founding, federal agencies reported cyber threats directly to the Department of Homeland Security (DHS) on an ad hoc basis – normally once an attack had already happened.

This was inefficient in almost every sense: multiple agencies could be reporting the same thing separately, there was little transparency about threats at an inter-agency level, and there was no universal standard or system in place to provide effective network monitoring and defence. NCPS and its operational arm, EINSTEIN, were established to remedy this.

How does NCPS work?

While it’s a multi-agency initiative, the NCPS is administered by the DHS through its Cybersecurity and Infrastructure Security Agency (CISA) division. In the words of the agency, NCPS is “an integrated system-of-systems that delivers a range of capabilities, including intrusion detection, analytics, intrusion prevention, and information sharing capabilities” focused on protecting the civilian Federal Government’s IT infrastructure (as opposed to military IT infrastructure) from cyber threats. There are four mission areas where the NCPS provides key support capabilities to the wider DHS cybersecurity mission. These are:

  • Detection
  • Analytics
  • Information Sharing
  • Prevention

Detection is a signature-based grid that passively monitors networks for potentially malicious activity. These signatures are derived from various sources, including commercial and public IT security information as well as information from other federal agencies. The National Cybersecurity and Communications Integration Center (NCCIC) provides another important piece of the puzzle, supplying signatures based on analysis it has carried out independently and cybersecurity alerts it has generated. All this is delivered through two elements of the EINSTEIN system – E1 and E2 – which are explored in greater detail below.

Analytics provides analysts working at the DHS Office of Cybersecurity and Communications (CS&C) with the ability to compile and analyze information about various cyber threats and trends. This includes the provision of a Security Information and Event Management (SIEM) solution, which helps streamline processes and identify related events that may otherwise have gone unnoticed, as well as offering visualization tools.

Using this information, the CS&C analysts are able to keep the public informed about potential threats that may affect them. As the name would suggest, the NCPS Information Sharing system enables the exchange of information relating to cyber threats and cyber incidents between DHS cybersecurity analysts and their cybersecurity partners.

The aim of Information Sharing is threefold – first, to prevent cybersecurity incidents from happening; second, to improve cooperation and collaboration so that if and when an incident does occur it can be responded to rapidly and effectively; and third, to improve efficiency through greater use of automated information sharing. Finally, the NCPS Intrusion Prevention capabilities – which form part of EINSTEIN 3 Accelerated (E3A) – provide active network defence capabilities and can prevent or limit the intrusion of malicious actors into federal networks and systems.

What is the EINSTEIN system?

EINSTEIN is the operational name for NCPS’ capabilities. It consists of three elements, released in phases between 2004 and 2015: EINSTEIN 1 (E1), EINSTEIN 2 (E2) and EINSTEIN 3 Accelerated (E3A). As its name would suggest, EINSTEIN 1 was the first iteration of the EINSTEIN project and at launch was known simply as EINSTEIN. Developed in 2003, it monitors network traffic flowing between federal civilian agencies, allowing the DHS to identify and analyze suspicious activity and determine whether it is malicious. It can also conduct forensic analysis after an event such as infection by malware or a hacking attempt has occurred. During the implementation of EINSTEIN 1, it became apparent that most agencies had many more IP gateways than they had realised, which meant the EINSTEIN system as it stood wasn’t sufficient to protect the network by itself.

This led to the creation of EINSTEIN 2. EINSTEIN 2 is an intrusion detection system that works alongside E1 and looks for specific signatures of known malicious activity, for example a worm, ransomware or other malware. According to CISA, E1 and E2 screen all traffic that travels between federal civilian agencies’ internal networks and the internet through their Trusted Internet Connection (TIC) gateways. They generate approximately 30,000 alerts about cyber attacks each year, which are analysed by DHS security personnel to determine whether there is a real threat and what action needs to be taken. EINSTEIN 3 Accelerated is an evolution of a plan to create a system that could identify and block cyber attacks using classified signatures, known as EINSTEIN 3. In 2012, two years after the original E3 was mooted, the DHS decided instead to involve major Internet service providers (ISPs), which would provide intrusion prevention systems using commercially available technology, rather than trying to build a bespoke system itself. This is E3A, the third part of the EINSTEIN puzzle.

Future developments

The NCPS and in particular EINSTEIN are constant works in progress. From the addition of E2 and E3A to the E1 framework and the creation of NCPS to bring it all together, it’s evident that as new ways of managing and analysing the flow of data between federal agencies and the public Internet emerge, new layers and systems will be added. Currently, it’s hard to say what these may be, although E3A demonstrates that CISA is open to using commercially available software administered by non-governmental agencies. Therefore, developments in the business and consumer space are likely to influence any “EINSTEIN 4” or other evolution of NCPS in the future.
