By Jon Stokes | July 10, 2010 | Ars Technica
A report yesterday in the Wall Street Journal claims to expose details of a new NSA program, codenamed "Perfect Citizen," that will monitor critical infrastructure networks, both public and private, in order to look for suspicious activity that could be evidence of an impending hack attack. The Journal says that the NSA would deploy a set of sensors on the relevant networks, and that the networks wouldn't be persistently and actively monitored—rather, the sensors would act as triggers to alert the agency, which would then take a closer look.
Raytheon allegedly won a $100 million contract for the first phase of Perfect Citizen, and the Journal has seen what are alleged to be Raytheon internal emails discussing the program. One particularly chilling line, which the Journal quoted and which has since made its way around the Internet: "Perfect Citizen is Big Brother."
The program is being funded out of the Comprehensive National Security Initiative, which was started as a classified effort under the Bush administration. The Obama administration has continued it, and has recently declassified some general information about the program. From what has been revealed of the program, it seems to fit directly within the CNCI's mandate, which one DHS official has previously described as a "Manhattan Project to defend cyber networks."
The NSA says the WSJ got it wrong
Wired has a response from the NSA, which I'll reproduce in full, below:
Today’s Wall Street Journal article by Siobhan Gorman, titled “US Plans Cyber Shield for Utilities, Companies,” is an inaccurate portrayal of the work performed at the National Security Agency. Because of the high sensitivity surrounding what we do to defend our nation, it is inappropriate to confirm or deny all of the specific allegations made in the article. We will, however, provide the following facts:
- PERFECT CITIZEN is purely a vulnerabilities-assessment and capabilities-development contract. This is a research and engineering effort. There is no monitoring activity involved, and no sensors are employed in this endeavor.
- Specifically, it does not involve the monitoring of communications or the placement of sensors on utility company systems.
- This contract provides a set of technical solutions that help the National Security Agency better understand the threats to national security networks, which is a critical part of NSA’s mission of defending the nation.
- Any suggestions that there are illegal or invasive domestic activities associated with this contracted effort are simply not true. We strictly adhere to both the spirit and the letter of U.S. laws and regulations.
Think about it: one can easily imagine an R&D effort and a vulnerability assessment program that do not themselves involve deploying sensors or monitoring public infrastructure, but which are ultimately designed to produce a monitoring system (the R&D part) and identify places to deploy it (the vulnerability assessment part).
In other words, if I launched an effort called Perfect Citizen to develop the capability to secure my house with a camera system, that effort would involve some online research, online shopping, looking at the house from different angles to figure out camera placement, and maybe a trip to the hardware store—it would not, however, involve actually deploying or using cameras. That part would come later, and I could give it a different codename and a different budget.
So yes, before the NSA can deploy sensors on critical infrastructure to monitor them for attacks, of course they must first design a monitoring system and figure out where to deploy it—i.e., they have to develop the capabilities and assess the vulnerabilities. And yes, of course these first steps don't themselves involve any cameras or monitors, so the NSA is not lying when it insists that they don't. The sensors and cameras will come later, once they've been developed and the NSA knows where to put them. Maybe they'll call that part of the project something else (might I suggest: "All Citizens Are Perfect, But Some Citizens Are More Perfect Than Others").
Wired has asked the NSA some pointed questions about whether Congress has been briefed on the program. My guess is that they haven't, at least not in any meaningful way. Congress hasn't insisted on exercising any oversight of any part of CNCI under either Bush or Obama. They probably don't know anything about this, and they don't want to.