Risk
1/9/2013
04:25 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Documents Detail NSA's 'Perfect Citizen' Cybersecurity Work

Documents confirm National Security Agency's penetration testing of U.S. critical infrastructure control systems and a related five-year contract with Raytheon, but are heavily redacted.

Military Drones Present And Future: Visual Tour
Military Drones Present And Future: Visual Tour
(click image for larger view and for slideshow)
Documents recently obtained by privacy advocacy group the Electronic Privacy Information Center (EPIC) provide new details on a secret and provocatively-named National Security Agency effort to improve cybersecurity at U.S. critical infrastructure sites.

Officials have long warned about vulnerabilities in the U.S. electrical grid and other critical infrastructure facilities, and both the Department of Defense and Department of Homeland Security have programs underway to help secure critical infrastructure networks and systems. The National Security Agency itself has been linked to the Stuxnet attacks on control systems at Iran's Natanz nuclear plant.

The documents, released pursuant to a Freedom of Information Act (FOIA ) request by EPIC, are heavily censored: More than half of the 188 pages have been deleted for numerous reasons, and others redacted. The remaining pages indicated that NSA contracted with Raytheon in a deal capped at $91 million to help run Perfect Citizen, which is in the fourth year of a five-year contract period.

[ Hackers already have infiltrated U.S. networks, say government officials. Read DOD: Hackers Breached U.S. Critical Infrastructure Control Systems ]

EPIC had sought contracts, memoranda and other records on Perfect Citizen after The Wall Street Journal reported in 2010 that Perfect Citizen would deploy sensors that would be triggered by network activity that suggested an impending attack on critical infrastructure networks and computers.

In an email to InformationWeek Government at the time, NSA refuted the reports that NSA would place any sensors on utility company systems, and called Perfect Citizen a "research and engineering effort." Although the documents do not mention sensors, they seem to indicate that the project goes far beyond research.

A statement of work included in the documentation details an effort that aims to understand critical infrastructure control systems to "enable the government to protect the systems." The documents indicate that NSA's interest in critical infrastructure control systems derives from the fact that "the prevention of a loss due to a cyber or physical attack is crucial to the continuity of the [Department of Defense], the [Intelligence Community], and the operation of [signals intelligence] systems."

Perfect Citizen includes the study of "interfaces and communication between significant components" of specific critical infrastructure control systems; work to discover vulnerabilities of those systems and attached devices; and demonstration of exploits. The project also includes the development of best practices to defend against these vulnerabilities.

Details of labor requirements show a team of 28, including software, hardware and embedded systems engineers; systems administrators; penetration testers; and others experienced in a broad array of technologies. Those technologies and areas of expertise include C, assembly and similar languages; TCP/IPO protocols or SQL programming; hardware testing and lab equipment; and familiarity with broader software and hardware development processes.

Specifically, the penetration tester positions required experience with a number of common penetration testing and other security tools, such as Nmap, Tenable Network Security's Nessus, dsniff, Libnet, Netcat, and network sniffers and fuzzers.

NSA cited national security as the primary reason for its redactions, noting that some of the redacted information has been classified Top Secret. "Its disclosure could reasonably be expected to cause exceptionally grave damage to the national security," NSA said, noting that such classification exempts it from FOIA disclosure. Other information has been redacted for privacy and confidentiality reasons.

According to the documents, the statement of work for Perfect Citizen was issued in September 2009, and the contract was awarded to Raytheon in June 2010. Thus, the project will continue through at least June 2015 if work continues for the full five-year contract.

InformationWeek's 2013 Government IT Innovators program will feature the most innovative government IT organizations in the 2013 InformationWeek 500 issue and on InformationWeek.com. Does your organization have what it takes? The nomination period for 2013 Government IT Innovators closes April 12.

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
John Foley
50%
50%
John Foley,
User Rank: Apprentice
1/10/2013 | 4:08:49 PM
re: Documents Detail NSA's 'Perfect Citizen' Cybersecurity Work
Is anyone surprised, or alarmed, that NSA is evaluating potential vulnerabilities in US infrastructure? There's a race underway to see who will discover the gaps first -- people who are looking after the health of US infrastructure or those who would do it harm. If not the NSA, then possibly a foreign adversary. Private sector companies have a big responsibility here, and more will be required by presidential order or legislation. Public-private collaboration and info sharing are already happening to a degree, but much more needs to be done.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5314
Published: 2014-11-23
Buffer overflow in Cybozu Office 9 and 10 before 10.1.0, Mailwise 4 and 5 before 5.1.4, and Dezie 8 before 8.1.1 allows remote authenticated users to execute arbitrary code via e-mail messages.

CVE-2014-5325
Published: 2014-11-23
The (1) DOMConverter, (2) JDOMConverter, (3) DOM4JConverter, and (4) XOMConverter functions in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allow remote attackers to read arbitrary files via DOM data containing an XML external entity declaration in conjunction with an entity refe...

CVE-2014-5326
Published: 2014-11-23
Cross-site scripting (XSS) vulnerability in Direct Web Remoting (DWR) through 2.0.10 and 3.x through 3.0.RC2 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

CVE-2014-6477
Published: 2014-11-23
Unspecified vulnerability in the JPublisher component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2014-4290, CVE-2014-4291, CVE-2014-4292, CVE-2014-4...

CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?