Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


04:41 PM
Connect Directly

NSA Launches Infrastructure Cybersecurity Program

The "Perfect Citizen" program will seek to help mitigate cyber attacks on critical infrastructure like power plants, air traffic control systems and the electrical grid.

The National Security Agency plans to launch a program aimed at assessing vulnerabilities and developing capabilities to help secure critical infrastructure like power plants, air traffic control systems and the electrical grid.

In an e-mail sent Thursday evening to InformationWeek, NSA refuted parts of an earlier Wall Street Journal report that the effort, called Perfect Citizen, would monitor communications or place "sensors" on utility company systems, instead calling it "a research and engineering effort."

Even so, the program raises unanswered questions about the government's role in -- and undefined turf over -- protecting the nation's critical infrastructure from cyber attacks, what technologies and processes might be used in such an effort, how any such effort would protect critical infrastructure owners' independence as well as privacy, and whether the effort should be public rather than classified.

According to the Wall Street Journal, which first reported the project Thursday, Perfect Citizen aims to protect control systems that are often older and thus built without security in mind, but have since been connected to the Internet. That report also said that the information collected could be used for support when third parties call on the NSA for help in investigating cyber attacks.

"This contract provides a set of technical solutions that help the Naitonal Security Agency better understand the threats to national security networks, which is a critical part of NSA's mission of defending the nation," NSA spokeswoman Judith Emmel said in a statement.

Perfect Citizen reportedly includes a classified $100 million contract with defense contractor Raytheon Corp, though Raytheon declined to comment.

Government agencies have been working more closely with critical infrastructure providers on cyber issues since the aftermath of the 9/11 terrorist attacks, engaging the IT industry in discussions along the way. The protection of critical infrastructure has taken on a higher profile in recent months, raising to the level of a Congressional hearing earlier this year.

The Department of Homeland Security has been the key government player, setting up efforts like the U.S. Computer Emergency Readiness Team's Control Systems Security Program, which aims to reduce risks to industrial control systems. As recently as this week, in a memo issued by the White House's Office of Management and Budget clarifying agency roles in managing compliance with federal cybersecurity requirements, the administration noted that "DHS oversees critical infrastructure protection."

However, while the DHS has maintained a continued presence in protecting critical infrastructure and has seen its overall cybersecurity profile increased in recent years, so too has the NSA taken on new cybersecurity responsibilities. Last year, for example, then-top DHS cybersecurity official Rod Beckstrom resigned, citing a turf war with the NSA, and the NSA announced plans to build a $1.5 billion cybersecurity data center in Utah. Much of the NSA's work has been defense-related, while DHS' work has been largely focused around civilian agencies.

Within the last two years, the Department of Defense -- of which NSA is formally a part -- has significantly ramped up its concern about attacks on critical infrastructure. "We need to think imaginatively about how technology can help secure a space on the Internet for critical government and commercial applications," deputy secretary of defense William Lynn said at a conference in May. "Operators of critical infrastructure could opt-in to a government-sponsored security regime."

However, there remain questions about how the Department of Homeland Security and Department of Defense will work together on critical infrastructure cybersecurity at a national level, says Jim Lewis, director of the Center for Strategic and International Studies' technology and public policy program.

Once the issue of control and coordination of government policy toward critical infrastructure protection is out of the way, the question becomes how an effort like Perfect Citizen might actually be carried out. Undoubtedly, the effort would be done in cooperation with industry, rather than forcibly.

NSA activities inside the United States often raise concerns of civil liberties groups, but in its email, the NSA said that suggestions that Perfect Citizen involves invasive or illegal activities are untrue, and that it follows "both the spirit and letter of U.S. laws." "It's very easy to jump on something like this as Orwellian, but there is question of how do we enable the US government to offer security services online as something that makes us as a nation safer," says Hart Rossman, VP and CTO of cybersecurity solutions with government contractor SAIC. According to Lewis, NSA would likely support critical infrastructure providers by either implementing systems or by providing data and helping companies to improve their defenses. The notion of vulnerabilities assessment further raises the possibility of penetration testing to determine probe weaknesses in critical infrastructure providers' cyber defenses.

Information sharing will likely be a "critical" part of any effort, according to Tom Conway, director of public sector business development for McAfee. Conway says that in his experience, the government is good at sharing at the strategic level on cybersecurity, including basic parameters of cooperation and with whom the government should work, but less so at the operational and tactical levels, where efforts like Perfect Citizen would likely play a new role.

The classified nature of the project also raises questions of its own. Lewis says he wishes more details were forthcoming, as CSIS has wanted to include more about critical infrastructure protection in a follow-on to a major cybersecurity report that became part of the backbone of President Obama's initial cybersecurity strategy, but, Lewis says, "a lot of the details are classified and people are uncomfortable talking about it."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Intel Issues Fix for 'Plundervolt' SGX Flaw
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/11/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-12-14
There is an improper authentication vulnerability in Huawei smartphones (Y9, Honor 8X, Honor 9 Lite, Honor 9i, Y6 Pro). The applock does not perform a sufficient authentication in a rare condition. Successful exploit could allow the attacker to use the application locked by applock in an instant.
PUBLISHED: 2019-12-14
Some Huawei smart phones have a null pointer dereference vulnerability. An attacker crafts specific packets and sends to the affected product to exploit this vulnerability. Successful exploitation may cause the affected phone to be abnormal.
PUBLISHED: 2019-12-13
There is an information disclosure vulnerability in certain Huawei smartphones (Mate 10;Mate 10 Pro;Honor V10;Changxiang 7S;P-smart;Changxiang 8 Plus;Y9 2018;Honor 9 Lite;Honor 9i;Mate 9). The software does not properly handle certain information of applications locked by applock in a rare condition...
PUBLISHED: 2019-12-13
Huawei CloudUSM-EUA V600R006C10;V600R019C00 have an information leak vulnerability. Due to improper configuration, the attacker may cause information leak by successful exploitation.
PUBLISHED: 2019-12-13
Certain Huawei products (AP2000;IPS Module;NGFW Module;NIP6300;NIP6600;NIP6800;S5700;SVN5600;SVN5800;SVN5800-C;SeMG9811;Secospace AntiDDoS8000;Secospace USG6300;Secospace USG6500;Secospace USG6600;USG6000V;eSpace U1981) have an out-of-bounds read vulnerability. An attacker who logs in to the board m...