Security Government United States

US Plans Cyber Shield For Private Companies and Utilities 178

wiggles writes "The federal government is launching an expansive program dubbed 'Perfect Citizen' to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program. The surveillance by the National Security Agency, the government's chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn't persistently monitor the whole system, these people said. How do we feel about NSA spyware in all of our infrastructure?"
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Thursday July 08, 2010 @12:31PM (#32841400)

    I suspect this will turn a tower of babel of insecurity into a monoculture of insecurity.

    And future exploits will involve DOS by getting the NSA sensors to trip. Which I assume might just shut down such networks which will cause plenty of problems.

  • Re:Surveillance (Score:5, Interesting)

    by causality ( 777677 ) on Thursday July 08, 2010 @12:36PM (#32841474)

    Seriously? Calm down. They aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.

    Besides, monitoring the communication of private citizens happened a while ago under a happy little thing called the Patriot Act. ::flamesuit::

    The mention of the Patriot Act was apropos. That's because when I first saw the name of this, "Perfect Citizen", I wondered whether that sounded Orwellian to anyone else.

  • Citizens? (Score:2, Interesting)

    by drumcat ( 1659893 ) on Thursday July 08, 2010 @12:36PM (#32841476)
    The fact that any government agency thinks its "corporate citizens" are perfect-able makes me ill. Yes, it's just a name, but it's time that human beings finally have more rights than incorporated entities. It's not to even be joked about by the government.
  • "Perfect Citizen" (Score:4, Interesting)

    by L3370 ( 1421413 ) on Thursday July 08, 2010 @12:48PM (#32841666)
    Is it just me, or does "Perfect Citizen" sound like the most completely sinister project name you could give?
    Seriously, shouldn't they try harder to disguise the intentions with a name like "Save the children security project" or "Patriotic Minutemen project"????
  • Re:Surveillance (Score:5, Interesting)

    by Tmack ( 593755 ) on Thursday July 08, 2010 @12:53PM (#32841752) Homepage Journal

    Seriously? Calm down. They aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.

    Besides, monitoring the communication of private citizens happened a while ago under a happy little thing called the Patriot Act. ::flamesuit::

    FTFA:

    A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It's a logical extension of the work federal agencies have done in the past to protect physical attacks on critical infrastructure that could sabotage the government or key parts of the country, the official said.

    They basically come out and directly say they are taking advantage of a slippery slope and happily sliding down it. So monitoring people driving is the same as watching what they are doing online.... yeh, that's not a slippery-slope argument at all </sarcasm> Next is, well, we already monitor the critical infrastructure, why not just all corporations, why not just all ISPs and all home users, then we could really catch all those sleepercell terrrrists at home!! yeh1!! it's just like red-light cameras.

    Tm

  • Re:Surveillance (Score:5, Interesting)

    by slick7 ( 1703596 ) on Thursday July 08, 2010 @12:54PM (#32841760)

    when I first saw the name of this, "Perfect Citizen", I wondered whether that sounded Orwellian to anyone else.

    To paraphrase a quote, "The only Perfect Citizen is a totally subjugated and suppressed citizen".
    To really secure the infrastructure, a system of up-links and down-links to the TDRS satellites would be more secure. If land-based connectivity is required, then dedicated fiber-optics is a good bet. Just by-pass the internet altogether.

  • Re:Wow... (Score:4, Interesting)

    by Securityemo ( 1407943 ) on Thursday July 08, 2010 @01:04PM (#32841902) Journal
    An encrypted VPN secured with a key, that key itself only existing on the physically secure terminals used to access the systems and the internet-facing routers should be virtually as secure as an encrypted dedicated line. As long as the VPN software isn't faulty in some way, but it'd probably be secure enough. It might even be more secure, because if you've got a dedicated line and a stolen key you just need to tap into a point somewhere along the wire - unlike a VPN, where inbound and outbound traffic might follow different routes (a network engineer/architect could perhaps kindly fill me in on the probability and topology of this). Or are you suggesting quantum-encrypted single-photon lines to every power plant in the US?
  • boondoggle (Score:4, Interesting)

    by Jodka ( 520060 ) on Thursday July 08, 2010 @01:23PM (#32842190)

    A single flaw in a common security architecture is a pervasive vulnerability whereas a heterogenous system is robust to targeted attacks.

    They would do better to solicit bids for multiple systems from private contractors and place the NSA as well as the public security community in the roles of auditors. That would also allay concerns about covert monitoring by the NSA.

    Open-sourcing the product and allowing public audits is advantageous because what is sometimes obscured by "Security through obscurity" is that foreign operatives have covertly horked your source code and analyzed it for vulnerabilities.

    What FEMA did for Katrina and the EPA did for the Gulf oil spill this program will do for online security: create an ineffective program which creates a false sense of protection, displacing genuinely effective protective measures. I am not saying that there is no role for government here, but rather that the roles played by government are typically either useless or harmful and it would be nice if it took a different approach; Give the Harvard MBAs and MIT and Caltech Ph.D engineers working at Cisco and IBM opportunities to innovate and place the government and public in the role of customers holding contractors accountable for supplying quality products.

  • Re:Surveillance (Score:5, Interesting)

    by Philip K Dickhead ( 906971 ) <folderol@fancypants.org> on Thursday July 08, 2010 @01:52PM (#32842618) Journal

    The summary for the submitted article misses almost EVERY important aspect to this story, as it was initially reported! It almost looks like an attempt to deliberately minimize concern over the dubious legality and suspect agenda for "Perfect Citizen".

    In fact, Samzenpus and "Wiggles" seem content not to mention the program's Orwellian name, nor the specific use of the term "Big Brother" by Raytheon contractors associated with the NSA on this effort.

    Here is the summary I supplied, when submitting this story as a front-pager for Slashdot. I believe that it is more cogent and INFORMATIVE than the blandness offered us.

    The WSJ is reporting on a $100M NSA program [wsj.com] "to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants." All of which sound nice enough, if one does not become critically focused on the name they chose for this effort: 'Perfect Citizen'. [pcworld.com] Releasing this to the WSJ has the appearance of PR cover for the expansion of both warrantless surveillance [wikipedia.org] and the intrusion of the NSA into a theatre of domestic operations. [eff.org]
    Raytheon, the NSA contractor charged with realizing the NSA vision for the 'Perfect Citizen' program openly called this the "Big Brother" [theregister.co.uk] system, in internal communications.

    For once, I really wouldn't mind a "dupe" story, either my summary or that of another poster with some insight to the implications of "Perfect Citizen".

  • Re:Surveillance (Score:4, Interesting)

    by chill ( 34294 ) on Thursday July 08, 2010 @01:57PM (#32842678) Journal

    Speaking of which...

    On June 25th, just a few days ago, the original UKUSA agreement that set up Echelon was declassified and published. It includes a number of supporting documents as well.

    http://www.nsa.gov/public_info/declass/ukusa.shtml [nsa.gov]

  • Re:Surveillance (Score:2, Interesting)

    by lonecrow ( 931585 ) on Thursday July 08, 2010 @03:20PM (#32843576)
    Hmmm...I am not sure if I would get all worked up over the name. This portion of the article seems to alleviate some concerns:

    Some companies may agree to have the NSA put its own sensors on and others may ask for direction on what sensors to buy and come to an agreement about what data they will then share with the government, industry and government officials said.

    I do not see this as akin to the mass wiretapping of individuals of a previous administration. This is traffic pattern detection by the sounds of it. So for example, if malicious patterns were detected perhaps an auto-cutoff of the plant from the internet could be triggered.

    But perhaps another approach to this would be to ask you how you would go about protecting these assets from cyber-attack without violating civil liberties?

    I am going to take a wild guess that it would involve monitoring broad and anonymous traffic patterns which is what this sounds like. Then if malicious patterns were detected due process would kick in to the investigation of any individuals involved.

    Please share any better way you can think of?
