Why Can’t Prince William County Manage It’s Own Internet Security?

We recently received the Memorandum of Agreement (MOA) dated September 14, 2020 between the Center for Internet Security (CIS) and Prince William County. It applies to the Northern Virginia Emergency Response System (NVRES), local government and ‘election entities’ for the Albert sensor system. The Albert sensor system was developed as part of the DHS’s expansive Einstein project that launched in 2003 to protect federal agencies from cyberattacks. Albert sensors monitor the network traffic at ‘election entities,’ local government and emergency management systems, tracking IP addresses and volume of data exchanged. Data flowing through county networks includes voter registration sites and other data flowing through ‘election entities’, which is the term used in the MOA.  If CIS wishes to share the data with federal entities it can.

The county should handle this monitoring themselves, It has its own Information Technology department. The counties have done this for years and managed its own notifications of intrusions. The MOA with CIS, however, places equipment on the network that reportedly bypasses the county firewall.

The following are excerpts from the MOA between Prince William County and CIS for the Albert Sensor System,

WHEREAS, CIS offers fee-based Services (as defined herein) to state and local
government and elections entities and Northern Virginia Emergency Response System
(emphasis added) has procured such Services to be deployed at NVERS Entity, subject to the
terms and conditions set forth in a written agreement between NVERS and CIS
(“Agreement”), and
WHEREAS, CIS and NVERS Entity wish to enter into this MOA to further set forth the
duties and obligations of the Parties.
NOW, THEREFORE, in consideration of the mutual covenants contained herein, the
Parties do hereby agree as follows:

I. Definitions

A. Albert Monitoring Services. Combined Netflow and intrusion detection
system monitoring, with analysis of related data; event notification and delivery;
and management of associated devices, including all hardware and software
necessary for service delivery. Also referred to as “Services”.
B. Security Operations Center (SOC) – 24 X 7 X 365 watch and warning center
operated by CIS that provides network monitoring, dissemination of cyber
threat warnings and vulnerability identification and mitigation


NVERS Entity Responsibilities
The NVERS Entity hereby agrees that it will undertake the following:
A. NVERS Entity shall provide logistic support in the form of rack space,
electricity, Internet connectivity, and any other infrastructure necessary to support
communications at NVERS Entity’s expense.
B. NVERS Entity shall provide the following to CIS prior to the commencement of
Services and at any time while receiving Services if the previously provided
information changes:

  1. Current network diagrams to facilitate analysis of security events on the
    DocuSign Envelope ID: F32B8BC1-BB85-4CBE-997C-A562B93BC0E0
    portion(s) of NVERS Entity’s network being monitored. Network diagrams will
    need to be revised whenever there is a substantial network change;
  2. Other reasonable assistance to CIS, including, but not limited to, providing
    all technical information related to the Services reasonably requested by CIS, to
    enable CIS to perform the Services for the benefit of NVERS Entity;
  3. Provide public and private IP address ranges including a list of servers being
    monitored including the type, operating system and configuration information,
    as well as a list of IP ranges and addresses that are not in use by NVERS Entity
    (DarkNet space);
  4. Completed Pre-Installation Questionnaires (PIQ) in the form provided by CIS.
    The PIQ will need to be revised whenever there is a change that would affect
    CIS’s ability to provide the Services;
  5. Provide a completed Escalation Procedure Form including the name, e-mail
    address, and 24/7 contact information for all designated Points of Contact
  6. The name, email address, and landline, mobile, and pager numbers for all
    shipping, installation and security points of contact.

Any change the county wishes to make to its hardware or network configuration has to be submitted 30 days in advance to CIS.

C. During the period that NVERS Entity is receiving Services, NVERS Entity shall
provide the following:

  1. Written notification to CIS SOC (SOC@cisecurity.org) at least thirty (30) days
    in advance of changes in hardware or network configuration affecting CIS’s
    ability to provide Services;

Confidential Information & Information Sharing
CIS acknowledges that certain confidential or proprietary information may
either be provided by the NVERS Entity to CIS or generated in the performance
of the Albert Monitoring Services, including without limitation: information
regarding the infrastructure and security of the NVERS Entity’s information
systems; assessments and plans that relate specifically and uniquely to the
vulnerability of the NVERS Entity’s information systems; the results of tests of
the security of the NVERS Entity’s information systems insofar as those results
may reveal specific vulnerabilities; or information otherwise marked as
confidential by the NVERS Entity (“Confidential Information”). CIS agrees to
hold all NVERS Entity’s Confidential Information in confidence to the same
extent and the same manner as it protects its own confidential information, but
in no event will less than reasonable care be provided and a NVERS Entity’s
information will not be released in any identifiable form without the express
written permission of such NVERS Entity or as required pursuant to lawfully
authorized subpoena or similar compulsive directive or is required to be
disclosed by law, provided that the NVERS Entity shall be required to make
reasonable efforts, consistent with applicable law, to limit the scope and nature
of such required disclosure. CIS shall, however, be permitted to disclose
relevant aspects of such Confidential Information to its officers, employees and
CIS’s federal partners provided that they agree to protect the Confidential
Information to the same extent as required under this Agreement.
(emphasis added) CIS agrees to use all reasonable steps to ensure that Confidential Information received
under this Agreement is not disclosed in violation of this Section IX. The
obligations of the Parties pursuant to this paragraph shall survive the
termination of this Agreement. Nothing in this Agreement shall prohibit CIS
from using aggregated data of its customers in any format for any purpose,
provided that such data cannot be identified to or associated with a NVERS


The Albert System is not a firewall and allegedly is 100% passive, but it claims to send notifications of network intrusions. The system only watches where the traffic is going but not the data itself; however, Okanogan and Lincoln counties in Washington State felt differently. Although in 2019 both counties explained to CIS that they already had a security system, CIS replied that Albert system would be additional security. Both counties agreed to the terms of the MOA. Following the 2020 Nov. election, Lincoln county was the victim of a ransomware attack but CIS never alerted the county to the attack. Okanogan county experienced a similar problem with no alert from CIS.

In Who Counts the Votes piece of July 7, 2022, Nancy Churchill (R), state committee woman for Ferry County Republicans in Washington state, says,

Placing the Albert Sensor on the network gives unknown outside control of Albert, which circumvents any existing firewalls. Think of this like a hardware-based Trojan horse. This means that there is a node on the network that counties have zero control over, are contractually obligated to keep in place, that they cannot touch, that could be doing anything it wants (accessible to hackers) and they would never know about it.


It seemed to these counties that the Albert system was nothing but a data grab. Subsequently both counties left the system behind and Ferry County, Washington followed in breaking the Albert system agreement, encouraging other WA counties to leave as well. NPR was not happy with their decision.

Nancy Churchill further states,

Albert Sensors have two network interfaces. An inward facing “listening” interface, and an outward facing interface for remote control by CIS. Placing the Albert Sensor on the network gives unknown outside control of Albert, which circumvents any existing firewalls. Think of this like a hardware-based Trojan horse. This means that there is a node on the network that counties have zero control over, are contractually obligated to keep in place, that they cannot touch, that could be doing anything it wants (accessible to hackers) and they would never know about it.  

The SOS says that once the Albert Sensor was installed, it would only be “listening,” that it was configured to not be able to have bi-directional traffic on the inward facing interface. The concern is that the interface could be reconfigured remotely to be able to send bi-direction traffic and inject data packets onto county networks. There would be no way to know if this was ever happening until it was too late to do anything about it.  

Albert Open-Source software allows packet capture data to be bundled up to CIS. Even though Albert may not be in some counties, Albert is a set of applications that can be loaded into an existing computer already in a county Local Area Network (LAN) and does not have to be in a specific physical box that is installed. Microsoft and Amazon are heavily invested in Albert / CIS and have access to the data from the counties via cloud storage.  

The Virginia Department of Elections (Elect) is also among those expected to have the Albert sensor system, along with other counties in Virginia. ES&S is a voting system company that also has an MOA with CIS as of 2018.

The MOA between Prince William County and the Center for Internet Security can be downloaded here. In addition, here is a helpful April 4, 2023 brief in Albert and CIS.