.jpg)
The Wall Street Journal cites unnamed sources as saying that the NSA has issued a $100-million contract to defense contractor Raytheon to build a system dubbed "Perfect Citizen," which will involve placing "sensors" at critical points in the computer networks of private and public organizations that run infrastructure, organizations such as nuclear power plants and electric grid operators.
In an email obtained by the Journal, an unnamed Raytheon employee describes the system as "Big Brother."
"The overall purpose of the [program] is our Government...feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security," the email states. "Perfect Citizen is Big Brother."
"Raytheon declined to comment on this email," the Journal reports.
Some officials familiar with Perfect Citizen see it "as an intrusion by the NSA into domestic affairs, while others say it is an important program to combat an emerging security threat that only the NSA is equipped to provide," the Journal states.
The program is reportedly being funded under the Comprehensive National Cybersecurity Initiative, a program launched by the Bush administration in January, 2008, and continued under the Obama administration. The initiative is budgeted to cost $40 billion over several years.
ANOTHER WAR WITHOUT DEFINITION?
News of the spy system comes in the wake of months of news reports and government statements on the the threat of cyber-attacks. Last year, the US pointed the finger of blame at North Korea for a "widespread" attack on US and South Korean government computers. Earlier this year, a coordinated attack on Google servers was identified as originating from China.
But many observers say the threat of cyberwar is exaggerated, and they suggest that profit may be a motive behind efforts to build cyber-defense systems.
"It's about who is in charge of cyber security, and how much control the government will exert over civilian networks," writes security technology expert Bruce Schneier at the CNN Web site. "And by beating the drums of war, the military is coming out on top."
Schneier sees danger in the media "mislabeling" activities like computer hacking and "cyber-activism" as "cyberwar."
"One problem is that there's no clear definition of 'cyberwar.' What does it look like? How does it start? When is it over? Even cybersecurity experts don't know the answers to these questions, and it's dangerous to broadly apply the term 'war' unless we know a war is going on."
MONEY TO BE MADE
In a report published last month, Cecilia Kang at the Washington Post described cyber-security as "Washington's growth industry of choice," and companies in the business are "in line for a multibillion-dollar injection of federal research dollars."
Kang reported: Delivering the keynote address at a recent cybersecurity summit sponsored by Defense Daily, Dawn Meyerriecks, deputy director of national intelligence for acquisition and technology, said that along with the White House Office of Science and Technology, her office is going to sponsor major research "where the government's about to spend multiple billions of dollars."
Also:
Is the NSA's 'Perfect Citizen' the Ultimate Spying Tool?
Could the NSA's new "Perfect Citizen" actually be used for spying on every citizen in the U.S.?
The name sounds like an action movie -- the heroic vigilante chases down the bad guys to aid his country and prevent a nuclear armageddon. It also sounds like the worst possible name for a government program intended to protect citizens, not spy on them.
The NSA's new cyber-security program Perfect Citizen will monitor nuclear power plants, train stations, and the electric power grid to safeguard against cyber-assaults.
And as the Wall Street Journal reported, the new program is intended to monitor cyber-terrorist threats and "would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack."
According to that report, Raytheon was awarded a $100M contract to develop Perfect Citizen. (Raytheon declined to comment to FoxNews.com, as did the NSA other than describing Perfect Citizen in an official statement as a "research and risk-assessment" project that does not use sensors.)
How would such a system work? Why do experts fear it could be turned against us? And should the government really be in the business of installing sensors on the private power grid and at nuclear plants owned by private companies?
Fighting cyber-attacks
Your local power plant was built long before Google became a household name. Yet just about every nuclear power plant, train station, subway system and local power company now connects to the outside Internet, either for employees to access their e-mail or just to check the weather.
And many utility companies provide remote access for workers to monitor these utility systems; some plants are even interconnected over the Internet to share data.
Perfect Citizen will analyze these attack vectors and plug any security holes. Yet experts claim the new program is just a stop-gap measure -- a band-aid on an old wound.
"Cybersecurity wasn't even a concept when these infrastructure systems were built, and yet they have now all been connected and interconnected online -- making them high profile targets for a cyber-attack," says Hemanshu Nigam, a security consultant who advises Congress on cyber-security.
"Finding anomalous activity will do very little to prevent real cyber-attacks, especially since Perfect Citizen will not be 24/7 and will not be all encompassing [to every point of entry into these systems]."
Nigam says Perfect Citizen is a very broad security program. It will monitor nuclear plants and the electric grid for denial-of-service attacks, which is when hackers -- many of them from China and Russia -- send repeated requests to a computer to cause an overload and failure. Nigam says cyber-terrorists already know the NSA fights denial-of-service threats and will attack through other means.
Interestingly, a more likely attack vector at power plants is the Web browser on an employee's workstation, says Bradley Anstis, a vice president at M86 Security. A terrorist might use malware that tricks an employee into installing a virus, which then infects higher-level systems -- such as a command and control server -- on the same network.
Krish Shetty, the CEO at Wiznucleus, a company that specializes in protecting nuclear power plants and power companies from cyber-assaults, says protecting the aging utility infrastructure in the U.S. requires a risk-assessment for every plant and at every endpoint -- and that Perfect Citizen is a step in the right direction. Yet the challenge is in correlating why a cyber-attack occurred at one power plant and learning from that new attack.
Nigam suggests a similar ground-level approach to protecting power plants. He advocates grants and incentives to companies to build their own private security layer.
Mike Lloyd, the chief scientist at the security company RedSeal Systems, says our current utility cyber-defenses are weak compared to what they should be. He says a terrorist only has to find one weak spot, but a security defense needs to protect against every conceivable attack.
The main issue with protecting utilities is that they are incredibly complex -- not just one company at an office, but multiple buildings and networks, a complex infrastructure with antiquated systems.
The next step: no more privacy?
If Perfect Citizen really is a series of sensors that monitor cyber-attacks, it's easy to envision how this same network could be used for monitoring everyday citizens.
With any NSA program, communication is a one-way street, noted Nigam. There won't be any new official information about the Perfect Citizen program, so it's left to the experts to hypothesize about what it really is -- and the true nature of the program, he says.
They have. And they're worried about what the NSA is planning.
For starters, there's a Wired.com report that claims the NSA has teamed with Homeland Security to get around any legal entanglements, hinting at a justification for spying on U.S. citizens. And a story in The Economist declares a new cyberwar that involves secret cyber-weapons and cyber-armies from Iran, North Korea, and Russia attacking utility companies and the grid.
In the Wall Street Journal, an unnamed military official said Perfect Citizen is long overdue and that "any intrusion into privacy is no greater than what the public already endures from traffic cameras."
All told, Nigam maintains that Perfect Citizen is a result of new beefed up security measures, partly due to an influx of funding for the Comprehensive National Cybersecurity Initiative.
"The Obama Administration is playing catch-up. And so for that reason alone it needs to invest more than ever," says Nigam. "Such spending is fully warranted only if it is directed to the right areas, and right now the Perfect Citizen program is not a good example of that."
