
US Plans Cyber Shield For Private Companies and Utilities

Posted by samzenpus
from the more-power-to-the-shields dept.
wiggles writes "The federal government is launching an expansive program dubbed 'Perfect Citizen' to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program. The surveillance by the National Security Agency, the government's chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn't persistently monitor the whole system, these people said. How do we feel about NSA spyware in all of our infrastructure?"
  • Surveillance (Score:5, Insightful)

    by SquarePixel (1851068) on Thursday July 08, 2010 @12:25PM (#32841318)

    Yes, because more surveillance is what is needed. Every year it goes further and further. The good thing is that at least they know to take it slowly - increase the surveillance just a little bit at a time and people won't really complain or notice. In a few years you will be there, just like with UK.

    I would think that internet infrastructure belongs to the "critical" category too. Just tell your political opinions in a private conversation to someone, say you don't like the mayor and expect a lawsuit. How long until "harmful content" like P2P and porn starts to get blocked? Looks like USA is not that far from China after all.

    And a name like a "Perfect Citizen"...

    • Re:Surveillance (Score:5, Insightful)

      by Pojut (1027544) on Thursday July 08, 2010 @12:29PM (#32841366) Homepage

      Seriously? Calm down. They aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.

      Besides, monitoring the communication of private citizens happened a while ago under a happy little thing called the Patriot Act. ::flamesuit::

      • Re:Surveillance (Score:5, Interesting)

        by causality (777677) on Thursday July 08, 2010 @12:36PM (#32841474)

        Seriously? Calm down. They aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.

        Besides, monitoring the communication of private citizens happened a while ago under a happy little thing called the Patriot Act. ::flamesuit::

        The mention of the Patriot Act was apropos. That's because when I first saw the name of this, "Perfect Citizen", I wondered whether that sounded Orwellian to anyone else.

        • Re:Surveillance (Score:5, Interesting)

          by slick7 (1703596) on Thursday July 08, 2010 @12:54PM (#32841760)

          when I first saw the name of this, "Perfect Citizen", I wondered whether that sounded Orwellian to anyone else.

          To paraphrase a quote, "The only Perfect Citizen is a totally subjugated and suppressed citizen".
          To really secure the infrastructure, a system of up-links and down-links to the TDRS satellites would be more secure. If land-based connectivity is required, then dedicated fiber-optics is a good bet. Just by-pass the internet altogether.

          • Re: (Score:3, Insightful)

            by FooAtWFU (699187)
            Which works great until $serious_spy_agency splices the fiber somewhere and takes over everything.

            Air-gap security is all fine and good against casual hackers, but still leaves you with an awfully gooey center. I don't know why Slashdotters keep advocating it as such a panacea.

            • Re:Surveillance (Score:5, Interesting)

              by Philip K Dickhead (906971) <folderol@fancypants.org> on Thursday July 08, 2010 @01:52PM (#32842618) Journal

              The summary for the submitted article misses almost EVERY important aspect to this story, as it was initially reported! It almost looks like an attempt to deliberately minimize concern over the dubious legality and suspect agenda for "Perfect Citizen".

              In fact, Samzenpus and "Wiggles" seem content not to mention the program's Orwellian name, nor the specific use of the term "Big Brother" by Raytheon contractors associated with the NSA on this effort.

              Here is the summary I supplied, when submitting this story as a front-pager for Slashdot. I believe that it is more cogent and INFORMATIVE than the blandness offered us.

              The WSJ is reporting on a $100M NSA program [wsj.com] "to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants." All of which sound nice enough, if one does not become critically focused on the name they chose for this effort: 'Perfect Citizen'. [pcworld.com] Releasing this to the WSJ has the appearance of PR cover for the expansion of both warrantless surveillance [wikipedia.org] and the intrusion of the NSA into a theatre of domestic operations. [eff.org]
              Raytheon, the NSA contractor charged with realizing the NSA vision for the 'Perfect Citizen' program openly called this the "Big Brother" [theregister.co.uk] system, in internal communications.

              For once, I really wouldn't mind a "dupe" story, either my summary or that of another poster with some insight to the implications of "Perfect Citizen".

              • Re:Surveillance (Score:5, Insightful)

                by badboy_tw2002 (524611) on Thursday July 08, 2010 @02:01PM (#32842716)

                Yeah, it's too bad they don't include more unsubstantiated facts and editorial opinions with strong biases in the summaries. I was just thinking how much I was missing that!

                • Re: (Score:2, Interesting)

                  by lonecrow (931585)
                  Hmmm...I am not sure if I would get all worked up over the name. This portion of the article seems to alleviate some concerns:

                  Some companies may agree to have the NSA put its own sensors on and others may ask for direction on what sensors to buy and come to an agreement about what data they will then share with the government, industry and government officials said.

                  I do not see this as akin to the mass wiretapping of individuals of a previous administration. This is traffic pattern detection by the sound

                  • by spazdor (902907)

                    if malicious patterns were detected perhaps an auto-cutoff of the plant from the internet could be triggered.

                    This seems, to me, like a dynamic that's exploitable in itself.

                    Assuming that the plant is connected to the Internet in the first place for a real purpose, whatever that purpose is is suddenly vulnerable to a denial-of-service attack. All you gotta do is trip the IDS deliberately.

              • by Philip K Dickhead (906971) <folderol@fancypants.org> on Thursday July 08, 2010 @02:20PM (#32842932) Journal

                What if there are no "massive cyber-attacks" by "Chinese hackers"?

                Who'd know? The key part of almost every successful TCP/IP network attack or compromise is the ability to manipulate intermediate hosts, etc. to obfuscate and mislead as to the actual "real location" of the attacker or malicious agent. When I was so preoccupied, in the mid/late-nineties, it was common practice to use Chinese IP space as "base-camp" for our explorations. I remember, in particular, an entire University lab of several dozen Sparc5 clones, directly connected to the Internet. Getting shell on these was a trivial exercise. The poor quality of the systems administration on these hosts was also an excellent indication that any forensics effort would be pretty hopeless, with the simple deletion of local logfiles.

                Given the resources of a US or Israeli intelligence agency, it is completely likely that attacks could appear to be "Chinese" - without ever having a ZH presence. Manipulation of BGP, etc. could produce the required 'evidence'.

                Which also begs the question: why would "Chinese" or "North Korean" state-sponsored "hacker gangs" be able to launch attacks with sophistication enough to be considered a threat to national infrastructure, yet simultaneously naive enough to be triangulated back to their supposedly surreptitious origin?

                As they say, "Pull the other one, it has bells on it."

                The only serious outcome of any mass-scale foreign cyber-attack has been to create a climate for the acceptance of increased surveillance, demolition of limits for Federal agencies and the Military in regards to the law-abiding civilian US population, and the complete obliteration of 4th and 1st Amendment protections afforded by the U.S. Constitution. What if that is not the "unintended consequence"?

      • Re:Surveillance (Score:5, Informative)

        by rotide (1015173) on Thursday July 08, 2010 @12:39PM (#32841534)

        I'm no tinfoilhatter (see my post history) and I can easily state that the government does and has been monitoring communications of citizens since before the PATRIOT Act.

        Google any of the following:
        Project Echelon
        FBI Carnivore
        FBI NarusInsight

        This isn't fear mongering against the government. Those are actual programs/projects the government uses to watch those they want to watch. Actively, passively, whatever it is it doesn't change the fact that the government has the means and the will to watch those it finds worth watching.

        Now, to think that the new system will watch international connections only is short sighted. All you have to do is argue that an "enemy" could bounce through an internal (to the US) proxy and the government would have wholesale reason to peek at _every_ connection, foreign or domestic.

      • Re:Surveillance (Score:5, Insightful)

        by commodore64_love (1445365) on Thursday July 08, 2010 @12:43PM (#32841592) Journal

        >>>hey aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.

        Like the smart meters being installed in Californian homes. All they need to do now is upgrade the firmware to include a little NSA spyware (literally) so they can see how much energy you are using & what it was for. ("Running grow lamps in the basement - mmm interesting. Notify the Drug Agency.")

        Patriot Act sucks

        The Patriot Renewal Act which Obama signed sucks even more. At least George Duh Bush could claim he didn't know what was in the bill when he signed it in 2001, but Obama observed the direct consequences of the law (police entering homes w/ self-written warrants; spying on communications; arrests without right of trial). He should have vetoed that bill.

        • by tibman (623933)

          My guess is intel agencies already have access to power consumption numbers.. though not live data, like a smart meter provides. I really don't think it's that useful though.. does a plug-in hybrid look like a rack of grow lights? Or a rendering cluster? Or a water-splitting setup? But i do think it would be bad for them to have access to. If i had that data, i could plan my raids around the times of least usage.. under the assumption that everyone is asleep or out of the house. It could be useful in a

          • Yeah but now they are putting meters inside appliances which will communicate with the central smart meter (house thermostat). So they'll be able to see if it's a plug-in hybrid or a rack of grow lights.

            Aside-

            Thank $deity that firefox has redline spell-checking. My fingers must be numb today - all kinds of typos

            • by tibman (623933)

              The appliances bit is where i get nervous. There are so many cool things we can do with sensors, monitoring, and automation in our homes.. but almost all of them are double edged swords.

        • RTFA:

          Some companies may agree to have the NSA put its own sensors on and others may ask for direction on what sensors to buy and come to an agreement about what data they will then share with the government, industry and government officials said.

          While the government can't force companies to work with it, it can provide incentives to urge them to cooperate, particularly if the government already buys services from that company, officials said.

          They don't need to do any firmware upgrades. All the data already goes to those energy companies. It will be up to them to decide what to share with the NSA.

        • ("Running grow lamps in the basement - mmm interesting. Notify the Drug Agency.")

          That's my tanning booth, you insensitive clod.

      • Re:Surveillance (Score:5, Interesting)

        by Tmack (593755) on Thursday July 08, 2010 @12:53PM (#32841752) Homepage Journal

        Seriously? Calm down. They aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.

        Besides, monitoring the communication of private citizens happened a while ago under a happy little thing called the Patriot Act. ::flamesuit::

        FTFA:

        A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It's a logical extension of the work federal agencies have done in the past to protect physical attacks on critical infrastructure that could sabotage the government or key parts of the country, the official said.

        They basically come out and directly say they are taking advantage of a slippery slope and happily sliding down it. So monitoring people driving is the same as watching what they are doing online.... yeh, that's not a slippery-slope argument at all </sarcasm> Next is, well, we already monitor the critical infrastructure, why not just all corporations, why not just all ISPs and all home users, then we could really catch all those sleepercell terrrrists at home!! yeh1!! it's just like red-light cameras.

        Tm

      • by dave562 (969951)

        The OP is right on target. I'm sure the government would consider "backbone routers at Tier1 ISPs" critical infrastructure. Given the compliant Congress and our society's lack of actually generating real material goods anymore, it isn't too much of a stretch to imagine the RIAA/MPAA convincing Congress that P2P is a serious threat to the economy. Oh noes, cyber-attacking pirates off the fiber-port bow!!! Shut down teh intartubez! Save the contents!!!

        • by chill (34294)

          If by "stretch" you mean "already done", then you're right.

          http://slashdot.org/~chill/journal/252992 [slashdot.org]

        • by Jawnn (445279)

          The OP is right on target. I'm sure the government would consider "backbone routers at Tier1 ISPs" critical infrastructure. Given the compliant Congress and our society's lack of actually generating real material goods anymore, it isn't too much of a stretch to imagine the RIAA/MPAA convincing Congress that P2P is a serious threat to the economy. Oh noes, cyber-attacking pirates off the fiber-port bow!!! Shut down teh intartubez! Save the contents!!!

          Bingo!
          The implied situation is that Tier 1 ISP's don't have IDS and appropriate procedures in place and need help from the government to look to the security of their networks and systems. Somehow, I think that the ISP's are already doing a far better job of this than some low-bid government contractor will. Though, as we've seen, utility companies..., maybe not so much. Fine, draft regulations and then enforce them with meaningful penalties for failure to comply. Don't suggest that "the government" ca

      • When I read the headline, I imagined the government being able to protect my business from DDoS attacks.
      • by Ltap (1572175)
        Nickel and dime. If the program is successful, they will expand it to other systems and areas, and expand its influence.
    • Re: (Score:3, Informative)

      by mrbofus (1189727)
      What the submitter forgot to include is that this is an opt-in program; companies can choose to have their networks monitored by the government. Might have helped in a case like the Google/China hacking incident.
    • I swear the people who name such programs must be deliberately trying to bait conspiracy kooks.

  • by 0racle (667029)
    You're not cleared for that citizen.
  • A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras.

    ::facepalm::
    My internet traffic is not on a public roadway.

    It's just rediculous that they're trying to make such an argument
    while trying to plug these boxes into private networks.

    • Maybe Alex Jones is smarter than he acts. He's been talking for months about Boxes being placed in homes (or at the curb) to monitor internet lines to ensure security. I thought he was nuts but now here it comes.

      "Any who would give-up essential liberty for temporary security deserve neither." - Benjamin Franklin, Pennsylvanian

    • Re:Asinine (Score:5, Insightful)

      by jeffmeden (135043) on Thursday July 08, 2010 @12:50PM (#32841706) Homepage Journal

      The first thing I thought of when I read the flame-inducing "How do we feel about NSA spyware in all of our infrastructure?" was "oh well, at least there will be good-guy spyware in there with the bad-guy spyware..."

      Do you really think that these private firms are hunky dory with their current systems? As discussed to death at Black Hat 20[insert any year here], most private firms are years behind the DOD when it comes to info security, some of them ignoring it outright (the new power grid technology comes to mind).

      If these companies aren't going to take security seriously, is it really wrong to offer a program that lets the NSA help them out? Or worse, would you rather the NSA simply hold out for a secret executive order to place surveillance equipment without the need to tell anyone? I think that this step, at least, is in the right direction. It could still go horribly wrong, but why kill it before it has the chance to do some good?

    • >>>My internet traffic is not on a public roadway.

      Maybe it's time we nerds set up our own private network. Something like Usenet or FidoNet but much faster (the old 56k or 112k connections are not enough). On second thought, with advancing codecs maybe it would work. I just watched Doctor Who at dialup speeds (48k) and it was no more horrible than watching a VHS tape.

      And to add to Franklin's quote:

      - I would rather take the risk that there's a 1 in 300 million risk that a terrorist will kill me,

    • by ScentCone (795499)
      It's just rediculous

      It's so diculous, it's ridiculous twice! It's re-diculous. Not to ridicule, of course.

      As for connecting things to private networks: read. This is done in cooperation with private network owners that agree it's a good idea, considering what they're operating/protecting. You're not being forced, on your own network, to have anything to do with it.
  • by mackil (668039)

    How do we feel about NSA spyware in all of our infrastructure?

    ummm.... NOT GOOD

  • Spyware? Really? (Score:4, Informative)

    by 0xdeadbeef (28836) on Thursday July 08, 2010 @12:35PM (#32841460) Homepage Journal

    When zealots can't distinguish between legitimate security and illegitimate spying, it hurts the credibility of civil liberties, not the NSA.

    • When zealots can't distinguish between legitimate security and illegitimate spying, it hurts the credibility of civil liberties, not the NSA.

      But giving the program one of the most Orwellian names ever - "Perfect Citizen" - sure doesn't help the NSA's credibility either.

  • ... detect cyber assaults on private companies

    You know, like downloading the latest Lady Gaga CD.

  • by Palestrina (715471) * on Thursday July 08, 2010 @12:36PM (#32841470) Homepage

    That's the problem with big expensive publicly-announced efforts to protect against known attacks. The bad guys tend to not be idiots, and don't do what you expect. Come on, we can't even protect ourselves from our own stupidity, like when a trader accidentally enters an order for a billion rather than a million. If our systems are so fragile, then it doesn't take much. Oh, and what makes anyone think that we don't have insiders willing to initiate cyber attacks? A big fire wall on the outside doesn't help much there.

    • Start with the basics. Map the traffic patterns and usage patterns.

      Now, roll that data up from a hundred different companies.

      You'll see the patterns.

      Share that information (anonymized) with the companies so that they can hunt down any "weird" traffic on their networks.

      • uh, dshield.org much?

      • by GrEp (89884)

        You can't anonymize it. Any information given with enough detail to be useful is many times more than enough to reconstruct the relation of "anonymized" data points.
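The roll-up proposed above, with the anonymization concern from the reply taken into account, as an added example that is not part of the original thread: each site pseudonymises its own hosts under a key only it holds, and the shared report withholds endpoints seen at fewer than k sites, which narrows but does not remove the re-identification risk. Function names, keys, the value of k and the sample flows are constructed for illustration.

```python
import hashlib
import hmac
from collections import defaultdict


def pseudonym(site_key: bytes, host: str) -> str:
    """Keyed, site-local pseudonym for an internal host.

    A plain hash of an IPv4 address can be recomputed for every possible
    address; an HMAC under a key that never leaves the site cannot.
    """
    return hmac.new(site_key, host.encode(), hashlib.sha256).hexdigest()[:16]


def site_export(site_key: bytes, flows) -> dict:
    """What one company hands over: remote endpoint -> set of pseudonymised hosts."""
    export = defaultdict(set)
    for internal_host, remote_ip, port in flows:
        export[(remote_ip, port)].add(pseudonym(site_key, internal_host))
    return dict(export)


def roll_up(exports, k: int = 3) -> dict:
    """Shared report: endpoints seen at >= k sites, with counts only.

    Endpoints below the threshold are withheld, because a destination that
    only one or two sites talk to can identify the site that reported it.
    """
    sites = defaultdict(int)
    hosts = defaultdict(set)
    for export in exports:
        for endpoint, names in export.items():
            sites[endpoint] += 1
            hosts[endpoint] |= names
    return {
        endpoint: {"sites": sites[endpoint], "hosts": len(hosts[endpoint])}
        for endpoint in sites
        if sites[endpoint] >= k
    }


# Constructed sample: four sites, flows as (internal host, remote IP, port).
# Remote addresses come from the RFC 5737 documentation ranges.
CONSTRUCTED_SITES = {
    b"key-site-a": [
        ("10.0.0.5", "198.51.100.20", 123),
        ("10.0.0.5", "203.0.113.7", 502),
        ("10.0.0.6", "203.0.113.7", 502),
    ],
    b"key-site-b": [
        ("10.0.0.5", "198.51.100.20", 123),
        ("10.0.0.9", "203.0.113.7", 502),
    ],
    b"key-site-c": [
        ("10.1.1.1", "198.51.100.20", 123),
        ("10.1.1.2", "203.0.113.7", 502),
        ("10.1.1.2", "203.0.113.99", 22),
    ],
    b"key-site-d": [
        ("10.2.0.1", "198.51.100.20", 123),
    ],
}


def build_report(k: int = 3) -> dict:
    exports = [site_export(key, flows) for key, flows in CONSTRUCTED_SITES.items()]
    return roll_up(exports, k)


if __name__ == "__main__":
    for endpoint, stats in sorted(build_report().items()):
        print(endpoint, stats)
```

Each site can match the shared endpoints against its own raw flow records locally; the party doing the roll-up never sees an internal address.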

    • If the sensors mentioned are indeed hardware, they will be purchased from a Defense contractor via a lucrative cost-plus agreement. Said contractor will then sub-sub-subcontract the hardware. From a Chinese quasi-military-owned manufacturer. Tah-Dah!
  • Citizens? (Score:2, Interesting)

    by drumcat (1659893)
    The fact that any government agency thinks its "corporate citizens" are perfect-able makes me ill. Yes, it's just a name, but it's time that human beings finally have more rights than incorporated entities. It's not to even be joked about by the government.
  • I'm more concerned about how this could limit the flexibility of these industries. Needing to run substantial IT changes through a federal agency could theoretically stifle innovation. You're adding another restrictive layer of bureaucracy. And then there's the age old... "they put something called linux on it, and it looked like something a hacker might use" problem. Let's hope the people monitoring this are IT people and not middle management people?
    • Re: (Score:3, Informative)

      >>>there's the age old... "they put something called linux on it, and it looked like something a hacker might use" problem

      Like that poor kid who was given detention. His crime? Demonstrating Linux on his personal laptop during study hall, and handing out free CDs of it to friends. The teacher assumed the kid was a pirate and punished him. She even went so far as to contact the guy who created the original CD, and scold him too! "I don't know why you are handing-out these CDs but I play to con

  • It's not like the gov would ever use any info it gathers against you.

  • Ahhh... (Score:4, Informative)

    by Securityemo (1407943) on Thursday July 08, 2010 @12:39PM (#32841548) Journal
    From the article text, it sounds like this means deploying "normal" IDS systems on a per-network basis. "Not persistently monitor the whole system" probably serves to clarify that it won't log, capture or analyze all data; an IDS triggers when it detects something that its rules/signatures match, much like an antivirus sans emulation/sandboxing unpacking and behaviour monitoring. "The overall purpose of the [program] is our Government...feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security" sounds like they're forcing them to comply to inspection or testing.
    Also, they might have wanted to pick a less dr-strangelove-sounding name. But maybe the NSA geeks have a sense of humour too?
  • Slashdot (Score:4, Funny)

    by warGod3 (198094) on Thursday July 08, 2010 @12:40PM (#32841560)
    I wonder if the "Slashdot Effect" would be considered a "cyber assault"?
  • Wow... (Score:3, Insightful)

    by Tmack (593755) on Thursday July 08, 2010 @12:42PM (#32841584) Homepage Journal
    What they just described sounds like this device I heard of called a "fire wall". It can be set to alert you when bad people try to "hack" into your internets or do cyber war and will block the hackors from infecting you with computer viruses.

    .. seriously, are we that far behind in our critical infrastructure that it's still just plopped down on the internet without a firewall, filtering, port blocking, like some infected win95 machine from the 90s? Stuff like that should not be on the internet directly, ever. Private networks only, connected only to systems that need to monitor/control. Sure it's faster/cheaper to plop a dsl line to that remote site, but it's far less expensive to just get a direct private line to it than it would be to implement any of this other security theater the govment likes to use. Imagine your corporate firewall being run by the NSA....Hah

    Tm

    • Re:Wow... (Score:4, Interesting)

      by Securityemo (1407943) on Thursday July 08, 2010 @01:04PM (#32841902) Journal
      An encrypted VPN secured with a key, that key itself only existing on the physically secure terminals used to access the systems and the internet-facing routers should be virtually as secure as an encrypted dedicated line. As long as the VPN software isn't faulty in some way, but it'd probably be secure enough. It might even be more secure, because if you've got a dedicated line and a stolen key you just need to tap into a point somewhere along the wire - unlike a VPN, where inbound and outbound traffic might follow different routes (a network engineer/architect could perhaps kindly fill me in on the probability and topology of this). Or are you suggesting quantum-encrypted single-photon lines to every power plant in the US?
  • by hackus (159037) on Thursday July 08, 2010 @12:46PM (#32841624) Homepage

    There it goes out the window with all of the Bills currently in Congress to chase the internet "boogie man" as they hire "governmental approved companies" to produce boxes to install on your internet line.

    Proprietary and very secret boxes.

    They will track how long you play WoW, what you buy and put you in prison for that Virus that downloads pr0n.

    SO much easier to get rid of people they don't like especially if the black box has the ability to infect and download the pr0n for them onto your home PC using "government approved software".

    This is getting way out of control very fast.

    One thing for sure though, you won't run LINUX, you won't run anything except what that black box says you can run.

    Ironically there is a very real chance that only the collusion of fascism can take down Open Source because companies can't compete against it and governments absolutely hate systems built in the open because they can't lie about what they are doing to the masses.

    The "Perfect Citizen" in this definition is one who doesn't question, only uses what the government tells them to and more importantly believes that the internet is better off with it.

    -Hack

    • >>>One thing for sure though, you won't run LINUX, you won't run anything except what that black box says you can run.

      Vice-versa: Some of us might start using Lubuntu Linux or Amiga OS specifically because we are told we can't. Some of us enjoy challenging tyrants in order to fight for freedom.

      • What happens when the NSA tells you that you have [nsa.gov] to run Linux? Will you be happy then?

        Of course not. They would be taking away your essential liberty to infest yourself and everyone around you with all manner of digital pests so you would be (appropriately) upset.

        My point is that they're much more likely to require something like SE Linux than forbid it.

        You may return to being a good citizen by recycling your hat now.

    • by chill (34294) on Thursday July 08, 2010 @01:10PM (#32841986) Journal

      You do know they're talking about doing this to water, electric, utilities, gas and railroad infrastructure, right? "Critical infrastructure", such as traffic control centers, the power grids, gas grid and the like. You aren't critical infrastructure. WoW certainly as hell shouldn't be running on critical infrastructure. Traffic in those network SHOULD be watched and coordinated. The companies can either let the NSA do it or purchase the equipment and do it themselves.

      Last I knew, those "proprietary systems" (example here [narus.com]) were Linux-based using libpcap but on screaming fast hardware. Proprietary analysis software is used to baseline traffic patterns and look for anomalies.

    • by tibman (623933)

      I don't want to step on your rant, but most US Gov websites i've seen.. are on linux. I would guess much of the infrastructure is the same. End-user computers are mostly windows boxes though. With those come exchange and sharepoint and blah blah. But the critical stuff appears to be linux/bsd. You can check here: http://toolbar.netcraft.com/site_report?url=whitehouse.gov [netcraft.com]

      Also, the last time i saw a Certificate of Networthiness list.. there was plenty of OSS approved: apache, php, python, putty, RHEL, fi

  • its another cyberwar/cyberattack/cybersecurity article! your friends at Raytheon, a wholesome defense contractor, got the contract this time for a surveillance project to fight the upcoming cyber[war/attack]. they of course being shy about the whole thing declined to comment about it.

    Perfect Citizen will look at large, typically older computer control systems that were often designed without Internet connectivity or security in mind.
    the bigger issue is why are private corporations allowed to operate t
  • A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It's a logical extension of the work federal agencies have done in the past to protect physical attacks on critical infrastructure that could sabotage the government or key parts of the country, the official said.

    "You already gave up privacy for traffic cameras, so we can watch you drive, now we want to see what kinds of pr0n you like, cause thats no different and no big deal and its to stop the terrrrrists from doing another 9-11." This is exactly why privacy advocates are so rabid about what seems to be little things. They add up quick, and eventually get used as a "well we already do X, so this should be fine".

    Tm

  • "Perfect Citizen" (Score:4, Interesting)

    by L3370 (1421413) on Thursday July 08, 2010 @12:48PM (#32841666)
    Is it just me, or does "Perfect Citizen" sound like the most completely sinister project name you could give?
    Seriously, shouldn't they try harder to disguise the intentions with a name like "Save the children security project" or "Patriotic Minutemen project"????
    • For some reason I read "Perfect Citizen" in the voice of the Combine soldiers in Half Life 2. It makes me picture cowering... Probably just coincidence.
  • How about just disconnecting critical infrastructure from the internet altogether? Which desk do I send my invoice to inside the NSA?
  • Cabsec - Capability Based Security has been around for a long time, it was part of Multics... the idea of having real security built into the OS, available as a tool for the USER to decide what resources to make available to an application, is a very powerful one.

    Unfortunately, it's a boil the ocean solution.... you have to build a new OS which supports it, and then port your apps.

  • "Perfect Citizen": Because the phrase "Big Brother" wasn't quite creepy enough.
  • Bias? (Score:3, Insightful)

    by andy1307 (656570) on Thursday July 08, 2010 @12:50PM (#32841716)

    How do we feel about NSA spyware in all of our infrastructure?

    Better than Chinese spyware in all of our infrastructure.

  • The net has huge tides - but unpredictable ones such as the traffic burst that happened when Michael Jackson died.

    Those traffic shifts, along with the introduction of new technologies (such as IPv6, cloud computing, and smaller things like the next twitter) will create false positives.

    And an attacker, knowing that there are these bursts fairly frequently and that during them there will be false triggers, will time the launch of his attack so that it occurs during or shortly after one of those events.

    Personally

    • Those traffic shifts, along with the introduction of new technologies (such as IPv6, cloud computing, and smaller things like the next twitter) will create false positives. And an attacker, knowing that there are these bursts fairly frequently and that during them there will be false triggers, will time the launch of his attack so that it occurs during or shortly after one of those events.

      This is pretty much a solved problem. You're picturing a system that monitors traffic level, then automatically shuts off the traffic in an emergency. That's not the state of the art and hasn't been for a long time. Rather, you deploy IDS systems that build a relational database of "normal" traffic on a network over time. Administrators look at the traffic and mark some of it as "critically important" like the connection between the control system update board and the deployed sensors, and the connection bet
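The approach this comment describes, sketched as an added example (not code from the thread or from any IDS product): flows are learned as a baseline, some are marked critical, and alerts key on unseen or missing flows rather than on raw volume. Host names, ports, counts and the burst factor are constructed assumptions.

```python
from collections import Counter

def learn_baseline(windows):
    """Record every flow seen while learning, with its peak per-window count."""
    peak = Counter()
    for window in windows:
        for flow, count in Counter(window).items():
            peak[flow] = max(peak[flow], count)
    return peak

def classify_window(window, baseline, critical, burst_factor=5):
    """Return sorted (severity, reason, flow) findings for one observation window."""
    seen = Counter(window)
    critical_hosts = {dst for _, dst, _ in critical}
    findings = []
    for flow, count in seen.items():
        if flow not in baseline:
            # A flow never seen during learning is suspicious whatever its volume.
            severity = "high" if flow[1] in critical_hosts else "medium"
            findings.append((severity, "new flow", flow))
        elif count > burst_factor * baseline[flow]:
            # Known flow at unusual volume: worth a look, not an emergency.
            findings.append(("low", "volume burst", flow))
    for flow in critical:
        if flow not in seen:
            # An expected critical connection that went quiet is itself a signal.
            findings.append(("high", "critical flow missing", flow))
    return sorted(findings)

# Constructed sample flows: (source, destination, destination port).
HMI = ("hmi-1", "plc-7", 502)                    # operator console to controller
UPDATE = ("update-board", "sensor-net", 20000)   # marked critical by an admin
WEB = ("office-lan", "web-proxy", 443)           # ordinary, bursty traffic
BASELINE = learn_baseline([
    [HMI] * 40 + [UPDATE] * 4 + [WEB] * 100,
    [HMI] * 38 + [UPDATE] * 4 + [WEB] * 120,
])
CRITICAL = {HMI, UPDATE}

if __name__ == "__main__":
    burst = [HMI] * 40 + [UPDATE] * 4 + [WEB] * 900
    probe = burst + [("office-lan", "plc-7", 502)] * 3
    for name, window in (("burst only", burst), ("burst plus new flow", probe)):
        print(name, classify_window(window, BASELINE, CRITICAL))
```

A traffic surge on a known flow yields only a low-severity finding, while three packets on a never-seen path to a critical host rank high even when they arrive in the middle of that surge.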

  • by Drakkenmensch (1255800) on Thursday July 08, 2010 @01:08PM (#32841960)
    How about just... not connecting EVERYTHING to the net? The best way to prevent an unauthorized user access to the main control switches of a power plant is to simply have those commands input manually by someone you reach directly by phone. You won't be able to hack those employees directly until those nifty GITS full body replacements roll in (ETA Q4 2013)
    • have those commands input manually by someone you reach directly by phone.

      A little social engineering, maybe:

      "Hi Ben, This is Frank over at the . We have a little problem here. Actually, it's a big problem. We got a fire. Four buildings, so far. We can't put it out because the connection with is live. We need you to pull so we can get close enough to put out the fire."

      I never got a root password by hacking. Every one I ever got was by asking nicely.

  • Sensors (Score:4, Insightful)

    by Thelasko (1196535) on Thursday July 08, 2010 @01:08PM (#32841966) Journal

    would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack

    How will the "sensors" communicate with the NSA while being attacked? The internet?

    • If a sensor goes offline, it'd obviously be treated as an attack, depending on if it looks like an outage further away from the network edge.
  • That Name! (Score:2, Funny)

    by eheldreth (751767)
    Am I the only one that read the name of this project and gave serious consideration to buying a shiny new bunker in Montana?
  • why are the grid and nuclear plants on the Net anyways?

  • boondoggle (Score:4, Interesting)

    by Jodka (520060) on Thursday July 08, 2010 @01:23PM (#32842190)

    A single flaw in a common security architecture is a pervasive vulnerability whereas a heterogenous system is robust to targeted attacks.

    They would do better to solicit bids for multiple systems from private contractors and place the NSA as well as the public security community in the roles of auditors. That would also allay concerns about covert monitoring by the NSA.

    Open-sourcing the product and allowing public audits is advantageous because what is sometimes obscured by "Security through obscurity" is that foreign operatives have covertly horked your source code and analyzed it for vulnerabilities.

    What FEMA did for Katrina and the EPA did for the Gulf oil spill this program will do for online security: create an ineffective program which creates a false sense of protection, displacing genuinely effective protective measures. I am not saying that there is no roll for government here, but rather than the rolls played by government are typically either useless or harmful and it would be nice if it took a different approach; Give the Harvard MBAs and MIT and Caltech Ph.D engineers working at Cisco and IBM opportunities to innovate and place the government and public in the role of customers holding contractors accountable for supplying quality products.

    • A single flaw in a common security architecture is a pervasive vulnerability whereas a heterogenous system is robust to targeted attacks.

      Agreed, however, given the way software is procured and "certified" for security by the government, that is the least of the problem. Secure software in the government requires motivated players who will work around the security regulations in order to get secure software, and the NSA is one of the few branches of government that seems motivated.

      They would do better to solicit bids for multiple systems from private contractors and place the NSA as well as the public security community in the roles of auditors.

      In theory that sounds great, but in practice do you have any idea how nightmarish that would be for people who are actually trying to create a secure system?

      I am not saying that there is no roll[sic] for government here, but rather than the rolls[sic] played by government are typically either useless or harmful and it would be nice if it took a different approach; Give the Harvard MBAs and MIT and Caltech Ph.D engineers working at Cisco and IBM opportunities to innovate and place the government and public in the role of customers holding contractors accountable for supplying quality products.

      Have you d

    • it would be nice if it took a different approach; Give the Harvard MBAs and MIT and Caltech Ph.D engineers working at Cisco and IBM opportunities to innovate

      Dude, where's the money in that? Raytheon for the win.

  • 'Law-Abiding Citizen' was too tied up in the movie rights. I wonder if the project to select a name for this program was titled: Operation Hamfist.
  • Will this be like my bank blocking my debit card "for unusual activity"? Because that has never worked. The government's most secret known agency putting sensors with the ability to shut down a network, what could possibly go wrong?
  • I'll let the NSA put spyware on some of my computers, *if* they let me target a Tomahawk missile at my least-favorite spammer once or twice a year.

  • That actually has freedoms.

    Sooner or later, every entrenched government becomes corrupt. As was seen back in the days when you couldn't fight the corrupt system, you left, formed a new country and then grew into a power that eventually becomes corrupt and then a section of your people leave and the process starts anew.

    The United States has reached the stage that a segment of the population needs to leave and form a new country. Unfortunately, I believe we've run out of land. Used to be you could expand into

  • the CORRECT solution is to never have critical infrastructure exposed to the Wacky Wacky Webbiepoo.

    the old saw is still correct... the only secure computer is deep underground in a vault. no power. no wires. encased in concrete. access to the borehole up top guarded by crew-served weapons.

    it is an INCORRECT solution to put critical infrastructure on the Wacky, with spies and lies draped all around it.

    this means your "smart grid," folks, is megatard.

  • Seriously.

    People breaking into a private company is a private company's problem to prevent.

    If they catch someone breaking in, they can report it to the police. Who will probably say something like "we don't do that", which is what they've told me every time I've reported a crime.

  • Like we get a choice. It's already out there. This just brings it out into the open to serve as a deterrent.
