Like Departments and Agencies that use Networx MTIPS, those using a TIC will already have a contractual relationship in place with their ISP, usually a Networx ISP. Pursuant to that relationship, the ISP, in its ordinary course of business, will use routing tables to ensure that only traffic intended for the Department or Agency’s IP addresses is routed to the Department or Agency’s networks. The Department or Agency remains responsible for ensuring that only traffic intended for, or originating from, that Department or Agency is routed through the EINSTEIN sensor.
Since EINSTEIN collects network flow information for all traffic traversing a sensor, if, in a rare case, the required contractual routing protections fail, then in the normal course only network flow information associated with the improperly routed traffic would be collected. This mechanism minimizes the possibility of capturing or releasing Personally Identifiable Information (PII). If improperly routed network traffic matched a pattern of known malicious activity, an alert would be triggered. In the event of an alert, and upon further inspection and investigation with the Department or Agency receiving the incorrectly routed traffic, a US-CERT analyst would be able to identify the routing error. US-CERT would then work with NCSD’s Network Security Deployment and Federal Network Security branches, the relevant Department or Agency, the ISP and, if necessary, the MTIPS vendor, to remedy the routing problem.
In the unlikely event that an ISP’s routing tables mistakenly assign a government IP address to a commercial client, a routing loop would result. The routing loop would cause errors and break the commercial customer’s connection. When the ISP detects the routing loop, or the customer reports its broken connections to the ISP, the ISP would correct the error in its ordinary course of business.