What is the National Cybersecurity Protection System (NCPS)?

 Find out how the US Government is using centralised systems to fight cyber threats...

Founded in 2003 by the United States Computer Emergency Readiness Team (US-CERT), the National Cybersecurity Protection System (NCPS) is a central hub for analysing potentially malicious cyber activity and, where appropriate, formulating a response.

Prior to its founding, federal agencies reported cyber threats directly to the Department of Homeland Security (DHS) on an ad hoc basis – normally once an attack had already happened.

This was inefficient in almost every sense: multiple agencies could end up reporting the same thing separately, there was little transparency about threats at an inter-agency level, and there was no universal standard or system in place to provide effective network monitoring and defence. NCPS and its operational arm, EINSTEIN, were established to remedy this.

How does NCPS work?

While it’s a multi-agency initiative, the NCPS is administered by the DHS through its Cybersecurity and Infrastructure Security Agency (CISA) division. In the words of the agency, NCPS is “an integrated system-of-systems that delivers a range of capabilities, including intrusion detection, analytics, intrusion prevention, and information sharing capabilities” focused on protecting the civilian Federal Government’s IT infrastructure (as opposed to military IT infrastructure) from cyber threats. There are four mission areas where the NCPS provides key support capabilities to the wider DHS cybersecurity mission. These are:

  • Detection
  • Analytics
  • Information Sharing
  • Prevention

Detection is a signature-based capability that passively monitors network traffic for potentially malicious activity. The signatures are derived from various sources, including commercial and public IT security information as well as information from other federal agencies. The National Cybersecurity and Communications Integration Center (NCCIC) provides another important piece of the puzzle, contributing signatures based on analysis it has carried out independently and on cybersecurity alerts it has generated. All of this is delivered through two elements of the EINSTEIN system, E1 and E2, which are explored in greater detail below.

Analytics provides analysts working at the DHS Office of Cybersecurity and Communications (CS&C) with the ability to compile and analyse information about various cyber threats and trends. This includes the provision of a Security Information and Event Management (SIEM) solution, which streamlines analyst workflows and correlates related events that may otherwise have gone unnoticed, as well as offering visualisation tools.

Using this information, the CS&C analysts are able to keep the public informed about potential threats that may affect them. As the name would suggest, the NCPS Information Sharing system enables the exchange of information relating to cyber threat and cyber incidents between DHS cybersecurity analysts and their cybersecurity partners.

The aim of Information Sharing is threefold: first, to prevent cybersecurity incidents from happening; second, to improve cooperation and collaboration so that if and when an incident does occur it can be responded to rapidly and effectively; and third, to improve efficiency through greater use of automated information sharing. Finally, the NCPS Intrusion Prevention capabilities, which form part of EINSTEIN 3 Accelerated (E3A), provide active network defence and can prevent or limit the intrusion of malicious actors into federal networks and systems.

What is the EINSTEIN system?

EINSTEIN is the operational name for NCPS' capabilities. It consists of three elements, released in phases between 2004 and 2015: EINSTEIN 1 (E1), EINSTEIN 2 (E2) and EINSTEIN 3 Accelerated (E3A). As its name suggests, EINSTEIN 1 was the first iteration of the EINSTEIN project and at launch was known simply as EINSTEIN. Developed in 2003, it passively collects network flow records (which hosts talked to which, on which ports, and how much data moved) for traffic passing between federal civilian agency networks and the internet, allowing the DHS to identify and analyse suspicious activity and determine whether it is malicious. Because those records are retained, it can also support forensic analysis after an event such as a malware infection or a hacking attempt has occurred.

During the implementation of EINSTEIN 1, it became apparent that most agencies had many more internet gateways than they had realised, which meant the EINSTEIN system as it stood was not sufficient to protect their networks by itself.


This led to the creation of EINSTEIN 2. EINSTEIN 2 is an intrusion detection system that works alongside E1 and looks for specific signatures of known malicious activity, such as a worm, ransomware or other malware. According to CISA, E1 and E2 screen all traffic that travels between federal civilian agencies' internal networks and the internet through the agencies' Trusted Internet Connection (TIC) gateways. They generate approximately 30,000 alerts about cyber attacks each year, which are analysed by DHS security personnel to determine whether there is a real threat and what action needs to be taken.

EINSTEIN 3 Accelerated is an evolution of EINSTEIN 3, a plan to build a system that could identify and block cyber attacks using classified signatures. In 2012, two years after the original E3 was mooted, the DHS decided instead to work with major Internet service providers (ISPs), which would provide intrusion prevention using commercially available technology, rather than trying to build a bespoke system itself. This is E3A, the third part of the EINSTEIN puzzle.
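As an added illustration of the Detection and Analytics capabilities described earlier and of the E1/E2 division of labour just described, the following Python script (written for this article; it is not EINSTEIN, NCPS or CISA code) runs a handful of constructed NetFlow-style records from three hypothetical agencies through a toy signature matcher, flags gateways that appear in the flow data but not in the agency's own inventory (the problem E1's rollout exposed), and then correlates the per-agency hits so that one indicator seen by several agencies yields a single shared alert rather than separate reports. The agency names, addresses (taken from the RFC 5737 documentation ranges), signatures and "declared gateway" inventory are all assumptions made up for the example.

```python
"""Added illustration of EINSTEIN-style detection and NCPS-style correlation.

This is NOT EINSTEIN or NCPS code. It mimics, in miniature, three things the
article describes: E1-style passive collection of flow records, E2-style
signature matching against those records, and SIEM-style correlation that turns
separate per-agency hits into one shared alert. Every record, address, agency
name and signature below is constructed for the example (addresses come from
the RFC 5737 documentation ranges).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Optional, Set


class Flow(NamedTuple):
    """One NetFlow-style record exported by an agency's internet gateway."""
    agency: str
    gateway: str    # public address of the gateway that saw the traffic
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed flow records from three hypothetical agencies.
FLOWS: List[Flow] = [
    Flow("AgencyA", "203.0.113.1",  "10.1.1.5", "198.51.100.7",  443,  "tcp", 15000),
    Flow("AgencyA", "203.0.113.1",  "10.1.2.9", "192.0.2.66",    8080, "tcp", 512),
    Flow("AgencyA", "203.0.113.9",  "10.1.3.3", "192.0.2.66",    8080, "tcp", 480),   # gateway nobody declared
    Flow("AgencyB", "203.0.113.20", "10.2.1.1", "192.0.2.66",    8080, "tcp", 600),
    Flow("AgencyB", "203.0.113.20", "10.2.4.4", "198.51.100.30", 80,   "tcp", 2200),
    Flow("AgencyC", "203.0.113.40", "10.3.1.1", "198.51.100.7",  443,  "tcp", 900),
    Flow("AgencyC", "203.0.113.40", "10.3.9.9", "192.0.2.200",   445,  "tcp", 90),
]

# The gateways each agency *believes* it has (constructed inventory).
DECLARED_GATEWAYS: Dict[str, Set[str]] = {
    "AgencyA": {"203.0.113.1"},
    "AgencyB": {"203.0.113.20"},
    "AgencyC": {"203.0.113.40"},
}


class Signature(NamedTuple):
    """A minimal E2-style signature: destination network and/or destination port."""
    sid: str
    description: str
    dst_net: Optional[str] = None
    dport: Optional[int] = None


# Constructed signatures; the "C2" address is hypothetical.
SIGNATURES: List[Signature] = [
    Signature("SIG-001", "Beacon to known C2 host", dst_net="192.0.2.66/32", dport=8080),
    Signature("SIG-002", "Outbound SMB to the internet", dport=445),
]


def matches(sig: Signature, flow: Flow) -> bool:
    """A signature fires only if every field it specifies agrees with the flow."""
    if sig.dst_net is not None and ip_address(flow.dst) not in ip_network(sig.dst_net):
        return False
    if sig.dport is not None and flow.dport != sig.dport:
        return False
    return True


def match_signatures(flows: List[Flow], sigs: List[Signature]) -> List[dict]:
    """E2-style pass: one alert per (flow, signature) pair that matches."""
    return [
        {"sid": s.sid, "agency": f.agency, "gateway": f.gateway, "src": f.src, "dst": f.dst}
        for f in flows for s in sigs if matches(s, f)
    ]


def undeclared_gateways(flows: List[Flow], declared: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """E1-style finding: gateways that exported flows but are absent from the inventory."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for f in flows:
        seen[f.agency].add(f.gateway)
    extra = {a: gws - declared.get(a, set()) for a, gws in seen.items()}
    return {a: gws for a, gws in extra.items() if gws}


def correlate(alerts: List[dict]) -> Dict[str, dict]:
    """SIEM-style roll-up: one shared alert per signature, naming every agency hit."""
    by_sid: Dict[str, dict] = defaultdict(lambda: {"agencies": set(), "hits": 0})
    for a in alerts:
        by_sid[a["sid"]]["agencies"].add(a["agency"])
        by_sid[a["sid"]]["hits"] += 1
    return {sid: {"agencies": sorted(v["agencies"]), "hits": v["hits"]} for sid, v in by_sid.items()}


if __name__ == "__main__":
    alerts = match_signatures(FLOWS, SIGNATURES)
    for a in alerts:
        print(f"[{a['sid']}] {a['agency']} via {a['gateway']}: {a['src']} -> {a['dst']}")
    print("Undeclared gateways:", undeclared_gateways(FLOWS, DECLARED_GATEWAYS))
    for sid, summary in correlate(alerts).items():
        print(f"{sid}: {summary['hits']} hit(s) across {', '.join(summary['agencies'])}")
```

Run as a script, it prints four raw alerts, reports that AgencyA has a gateway (203.0.113.9) its inventory does not mention, and rolls the three SIG-001 hits up into one alert naming both AgencyA and AgencyB. That last step is the point of the centralised model the article describes: a monitoring point that sees every agency's traffic can recognise that two agencies are talking to the same indicator, which neither agency could discover from its own logs alone.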

Future developments

The NCPS and in particular EINSTEIN are constant works in progress. From the addition of E2 and E3A to the E1 framework and the creation of NCPS to bring it all together, it’s evident that as new ways of managing and analysing the flow of data between federal agencies and the public Internet emerge, new layers and systems will be added. Currently, it’s hard to say what these may be, although E3A demonstrates that CISA is open to using commercially available software administered by non-governmental agencies. Therefore, developments in the business and consumer space are likely to influence any “EINSTEIN 4” or other evolution of NCPS in the future.
