DHS Set To Destroy Governmentwide Network Surveillance Records

The Department of Homeland Security is poised to ditch all records from a controversial network monitoring system called Einstein that are at least three years old, but not for security reasons.

DHS reasons the files — which include data about traffic to government websites, agency network intrusions and general vulnerabilities — have no research significance.

But some security experts say, to the contrary, DHS would be deleting a treasure chest of historical threat data. And privacy experts, who wish the metadata wasn’t collected at all, say destroying it could eliminate evidence that the governmentwide surveillance system does not perform as intended.

The National Archives and Records Administration has tentatively approved the disposal plan, pending a public comment period.

According to Homeland Security’s rationale, there is “quickly diminishing value for most of the data collected pursuant to intrusion detection, prevention and analysis.” A three-year retention period for reference purposes is sufficient, and “the records have no value beyond that point” but can be kept longer, if needed, appraisers said.

Incident reports, which include records on catastrophic cyber events, must be kept permanently.

The main driver for defining data retention policies, typically, is the cost of storing information indefinitely.

The nonprofit SANS Internet Storm Center, which monitors malicious activity on the public Web, retains observation data for 12 years.

Older intrusion-detection records provide insight into the evolution of threats, said Johannes Ullrich, dean of research at the SANS Technology Institute. Analysts there sometimes need even older data to answer today’s research questions.

Read the Full Article: Source – Next Gov
http://www.nextgov.com/cybersecurity/2014/11/dhs-set-destroy-governmentwide-network-surveillance-records/99737/
