NSA Launches Infrastructure Cybersecurity Program

The "Perfect Citizen" program will seek to help mitigate cyber attacks on critical infrastructure like power plants, air traffic control systems and the electrical grid.

The National Security Agency plans to launch a program aimed at assessing vulnerabilities and developing capabilities to help secure critical infrastructure like power plants, air traffic control systems and the electrical grid.

In an e-mail sent Thursday evening to InformationWeek, NSA refuted parts of an earlier Wall Street Journal report that the effort, called Perfect Citizen, would monitor communications or place "sensors" on utility company systems, instead calling it "a research and engineering effort."

Even so, the program raises unanswered questions about the government's role in -- and undefined turf over -- protecting the nation's critical infrastructure from cyber attacks, what technologies and processes might be used in such an effort, how any such effort would protect critical infrastructure owners' independence as well as privacy, and whether the effort should be public rather than classified.

According to the Wall Street Journal, which first reported the project Thursday, Perfect Citizen aims to protect control systems that are often older and thus built without security in mind, but have since been connected to the Internet. That report also said that the information collected could be used for support when third parties call on the NSA for help in investigating cyber attacks.

"This contract provides a set of technical solutions that help the National Security Agency better understand the threats to national security networks, which is a critical part of NSA's mission of defending the nation," NSA spokeswoman Judith Emmel said in a statement.

Perfect Citizen reportedly includes a classified $100 million contract with defense contractor Raytheon Corp, though Raytheon declined to comment.

Government agencies have been working more closely with critical infrastructure providers on cyber issues since the aftermath of the 9/11 terrorist attacks, engaging the IT industry in discussions along the way. The protection of critical infrastructure has taken on a higher profile in recent months, rising to the level of a Congressional hearing earlier this year.

The Department of Homeland Security has been the key government player, setting up efforts like the U.S. Computer Emergency Readiness Team's Control Systems Security Program, which aims to reduce risks to industrial control systems. As recently as this week, in a memo issued by the White House's Office of Management and Budget clarifying agency roles in managing compliance with federal cybersecurity requirements, the administration noted that "DHS oversees critical infrastructure protection."

However, while the DHS has maintained a continued presence in protecting critical infrastructure and has seen its overall cybersecurity profile increased in recent years, so too has the NSA taken on new cybersecurity responsibilities. Last year, for example, then-top DHS cybersecurity official Rod Beckstrom resigned, citing a turf war with the NSA, and the NSA announced plans to build a $1.5 billion cybersecurity data center in Utah. Much of the NSA's work has been defense-related, while DHS' work has been largely focused around civilian agencies.

Within the last two years, the Department of Defense -- of which NSA is formally a part -- has significantly ramped up its concern about attacks on critical infrastructure. "We need to think imaginatively about how technology can help secure a space on the Internet for critical government and commercial applications," deputy secretary of defense William Lynn said at a conference in May. "Operators of critical infrastructure could opt-in to a government-sponsored security regime."

However, there remain questions about how the Department of Homeland Security and Department of Defense will work together on critical infrastructure cybersecurity at a national level, says Jim Lewis, director of the Center for Strategic and International Studies' technology and public policy program.

Once the issue of control and coordination of government policy toward critical infrastructure protection is out of the way, the question becomes how an effort like Perfect Citizen might actually be carried out. Undoubtedly, the effort would be done in cooperation with industry, rather than forcibly.

NSA activities inside the United States often raise concerns of civil liberties groups, but in its email, the NSA said that suggestions that Perfect Citizen involves invasive or illegal activities are untrue, and that it follows "both the spirit and letter of U.S. laws."

"It's very easy to jump on something like this as Orwellian, but there is question of how do we enable the US government to offer security services online as something that makes us as a nation safer," says Hart Rossman, VP and CTO of cybersecurity solutions with government contractor SAIC.

According to Lewis, NSA would likely support critical infrastructure providers by either implementing systems or by providing data and helping companies to improve their defenses. The notion of vulnerabilities assessment further raises the possibility of penetration testing to probe weaknesses in critical infrastructure providers' cyber defenses.

Information sharing will likely be a "critical" part of any effort, according to Tom Conway, director of public sector business development for McAfee. Conway says that in his experience, the government is good at sharing at the strategic level on cybersecurity, including basic parameters of cooperation and with whom the government should work, but less so at the operational and tactical levels, where efforts like Perfect Citizen would likely play a new role.

The classified nature of the project also raises questions of its own. Lewis says he wishes more details were forthcoming, as CSIS has wanted to include more about critical infrastructure protection in a follow-on to a major cybersecurity report that became part of the backbone of President Obama's initial cybersecurity strategy, but, Lewis says, "a lot of the details are classified and people are uncomfortable talking about it."
