Rumor Control

The Center for Internet Security (CIS) receives funding through various means, including direct sales of various cybersecurity best practices tools and resources, like CIS SecureSuite Membership and CIS Hardened Images, and cybersecurity services like CIS Endpoint Security Services. CIS also receives funding from various government and non-profit grant programs designed to improve the overall cybersecurity posture of U.S. State, Local, Tribal, and Territorial (SLTT) government organizations. CIS operates the Multi-State Information Sharing and Analysis Centers (MS-ISAC) in a cost-share model including federal funding and CIS funds.

Generally, the Cybersecurity and Infrastructure Security Agency (CISA) has visibility into certain data that is derived from sensors/services that are funded via the Cooperative Agreement subject to confidentiality obligations. For example, CISA may request and receive the full set of Albert Network Monitoring and Management data only for those Albert deployments funded via the Cooperative Agreement, which represents approximately 20% of the deployed Albert sensor fleet.

Albert: Roughly 80% of deployed Albert sensors are paid for by U.S. state and local governments. For these SLTT-funded sensors, Albert alert data and Albert NetFlow metadata is shared with Federal partners only with the explicit approval of the individual hosting state or local organization.

The deployment of the remaining Albert sensors is funded by Congressional appropriation through the Multi-State Information Sharing and Analysis Centers (MS-ISAC) to support cyber defense across the U.S. below the federal level. For these CISA-funded sensors, information shared with federal partners is limited to Albert alert data and Albert NetFlow metadata.

NCSR: For the Nationwide Cybersecurity Review (NCSR), CISA currently sees only anonymized data, such as threat data and self-reported maturity scores by sector. To date, this data is anonymized, so there is no organization-specific information included.

An IDS is industry-standard technology for network defense. The National Institute of Standards and Technology (NIS) defines an Intrusion Detection System (IDS) as “a security service that monitors and analyzes network or system events for the purpose of finding, and providing real-time or near real-time warning of, attempts to access system resources in an unauthorized manner.” Also known as a network intrusion detection system (NIDS), an IDS often comes in the form of a piece of hardware, such as a computer or server, or a dedicated appliance.

An IDS sits on a network to watch for malicious or suspicious network activity that it sees. In most cases, it performs this monitoring by utilizing signatures, or pre-defined patterns determined to be malicious. If network traffic matches the pattern, the IDS generates an alert.

An IDS is different from an intrusion prevention system (IPS). The latter can stop traffic; it’s “active.” Meanwhile, an IDS cannot interfere with network activity; it’s “passive.” It’s therefore imperative that whoever receives the alert takes action in some way.

Albert is an intrusion detection system (IDS) based on open-source technology with a particular focus on threats to SLTT community organizations. Albert sensors monitor network traffic, to look for matches against a set of “signatures” that indicate the network traffic contains known cyber threats. Albert does not interfere or change the network traffic in any way and cannot inspect the contents of encrypted communications. The process proceeds as follows:

• An organization that hosts an Albert sensor selects the network segments to be monitored by the Albert sensor and configures their network to send a copy of the selected network traffic to the Albert Intrusion Detection System (IDS) sensor for inspection using what is called a “mirror port” or “network tap.” This parallel configuration means that normal network traffic and speeds are unaffected by Albert.
• CIS deploys (~25,000) daily threat “signatures” based on current cyber threat intelligence and reported cyber incidents to all Albert sensors to assist in identification of known malicious and anomalous activity.
• If an Albert sensor detects a match to a known threat signature in network traffic, an alert is sent to the CIS Security Operations Center (SOC) for analysis.
• Cybersecurity experts at the CIS SOC analyze the Albert alert and escalate to the SLTT Community partner if it is determined to be a credible threat. Escalated alerts are communicated in an average of less than five minutes. The SLTT Community partner can then decide how they want to handle the alert. As a passive IDS, Albert can take no responsive action against threats it detects. 

Albert sensors, in combination with a layered “defense in depth” approach to cybersecurity, have proven to be highly effective in protecting against cyber threats, including known ransomware. While no IDS can detect 100% of malicious traffic, this powerful capability detects virtually all known threats that have documented IDS signatures.

As a signature-based IDS, Albert is as effective as the signatures with which it is configured. CIS subscribes to the latest commercially-available signature sets, subsequently deploying those signature sets to Albert. CIS works diligently to also research and develop custom signatures to deploy to Albert that are specifically tuned to the threats that may impact U.S. SLTT government and community organizations.

Another factor leading to Albert’s effectiveness is the speed at which the 24x7x365 CIS Security Operations Center (SOC) reviews and notifies monitored organizations of threats the Albert sensor detects. The CIS SOC notifies the monitored organization with an industry-leading average of less than five minutes when the Albert sensor alerts on potential malicious or anomalous activity. This response speed enables cybersecurity defenders to quickly take action to defend their networks and contain threats to reduce the impact of a successful attack.

Albert sensors and associated SOC support are approximately one third the cost of alternative commercial products and monitoring services, and the average alert response time of under five minutes is much quicker than alternative services.

Yes, Albert is a secure, highly-effective network intrusion detection system designed for the public sector. In a 2022 third-party evaluation of Albert by Counter Hack, security testers reported that “the current incarnation of the Albert sensor is, perhaps, the most secure tool we have ever tested.” 

Albert can only alert the CIS SOC of any network traffic that triggers one of the signatures deployed to detect malicious or anomalous activity. Albert cannot alter, block, or impede the network traffic of an organization as it is only monitoring a copy of the organization’s network traffic and not the actual network traffic itself.

No, Albert does not communicate with or to any systems – voting or otherwise – within a monitored organization's network environment. Albert monitors a copy of network traffic that the customer configures for delivery to the Albert sensor. It then communicates any suspicious or malicious activity back to the CIS SOC. 

Albert sends to customers a Monthly Activity Report (MAR). It contains monthly and Year-to-Date (YTD) metrics for the activity detected and alerted on by the Albert sensor and by the 24x7x365 SOC. Customers may also request other ad-hoc reporting if they're looking for something more specific or that’s tailored to their reporting needs. 

Cybersecurity services like Albert or Endpoint Detection and Response (EDR), which protect the day-to-day administrative systems that election offices use every day (email, voter registration systems, etc.) do not interact in any way with voting systems. Per the American Council for Election Technology (ACET), voting systems are air-gapped, or disconnected from, the internet. Furthermore, as a passive intrusion detection system (IDS), Albert does not have the technical ability to take action on or modify network traffic in any way, even on the non-voting systems it protects.

Cybersecurity services like Albert and Endpoint Detection and Response (EDR) are concerned exclusively with malicious* activity, and expert analysts from CIS only deal with instances of known or suspected malicious activity detected on the non-voting systems these services monitor. At no point is a CIS employee able to see the contents of email traffic, voter registration databases, or any other sensitive data stored by election offices unless some component of that data is deemed malicious. Even with data deemed malicious, CIS employees are looking only at a subset of the data rather than the data as a whole. For example, a CIS analyst may see a malicious line of code within a file but would not see the full contents of the file.

*Malicious is the common cybersecurity term referring to any unauthorized activity that attempts to harm the confidentiality, integrity, or availability of information systems, networks, or data.

In the work to support the election community, CIS receive significant oversight at the federal, state, and local levels. The Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the Election Infrastructure Government Coordinating Council (GCC) provide significant oversight, consisting of bipartisan representation from secretaries of state, lieutenant governors, state and local election officials, and the federal government.