NSA Launches Infrastructure Cybersecurity Program

The National Security Agency plans to launch a program aimed at assessing vulnerabilities and developing capabilities to help secure critical infrastructure like power plants, air traffic control systems and the electrical grid.

In an e-mail sent Thursday evening to InformationWeek, NSA refuted parts of an earlier Wall Street Journal report that the effort, called Perfect Citizen, would monitor communications or place "sensors" on utility company systems, instead calling it "a research and engineering effort."

Even so, the program raises unanswered questions about the government's role in -- and undefined turf over -- protecting the nation's critical infrastructure from cyber attacks, what technologies and processes might be used in such an effort, how any such effort would protect critical infrastructure owners' independence as well as privacy, and whether the effort should be public rather than classified.

According to the Wall Street Journal, which first reported the project Thursday, Perfect Citizen aims to protect control systems that are often older and thus built without security in mind, but have since been connected to the Internet. That report also said that the information collected could be used for support when third parties call on the NSA for help in investigating cyber attacks.

"This contract provides a set of technical solutions that help the Naitonal Security Agency better understand the threats to national security networks, which is a critical part of NSA's mission of defending the nation," NSA spokeswoman Judith Emmel said in a statement.

Perfect Citizen reportedly includes a classified $100 million contract with defense contractor Raytheon Corp, though Raytheon declined to comment.

Government agencies have been working more closely with critical infrastructure providers on cyber issues since the aftermath of the 9/11 terrorist attacks, engaging the IT industry in discussions along the way. The protection of critical infrastructure has taken on a higher profile in recent months, raising to the level of a Congressional hearing earlier this year.

The Department of Homeland Security has been the key government player, setting up efforts like the U.S. Computer Emergency Readiness Team's Control Systems Security Program, which aims to reduce risks to industrial control systems. As recently as this week, in a memo issued by the White House's Office of Management and Budget clarifying agency roles in managing compliance with federal cybersecurity requirements, the administration noted that "DHS oversees critical infrastructure protection."

However, while the DHS has maintained a continued presence in protecting critical infrastructure and has seen its overall cybersecurity profile increased in recent years, so too has the NSA taken on new cybersecurity responsibilities. Last year, for example, then-top DHS cybersecurity official Rod Beckstrom resigned, citing a turf war with the NSA, and the NSA announced plans to build a $1.5 billion cybersecurity data center in Utah. Much of the NSA's work has been defense-related, while DHS' work has been largely focused around civilian agencies.

Within the last two years, the Department of Defense -- of which NSA is formally a part -- has significantly ramped up its concern about attacks on critical infrastructure. "We need to think imaginatively about how technology can help secure a space on the Internet for critical government and commercial applications," deputy secretary of defense William Lynn said at a conference in May. "Operators of critical infrastructure could opt-in to a government-sponsored security regime."

However, there remain questions about how the Department of Homeland Security and Department of Defense will work together on critical infrastructure cybersecurity at a national level, says Jim Lewis, director of the Center for Strategic and International Studies' technology and public policy program.

Once the issue of control and coordination of government policy toward critical infrastructure protection is out of the way, the question becomes how an effort like Perfect Citizen might actually be carried out. Undoubtedly, the effort would be done in cooperation with industry, rather than forcibly.

NSA activities inside the United States often raise concerns of civil liberties groups, but in its email, the NSA said that suggestions that Perfect Citizen involves invasive or illegal activities are untrue, and that it follows "both the spirit and letter of U.S. laws." "It's very easy to jump on something like this as Orwellian, but there is question of how do we enable the US government to offer security services online as something that makes us as a nation safer," says Hart Rossman, VP and CTO of cybersecurity solutions with government contractor SAIC. According to Lewis, NSA would likely support critical infrastructure providers by either implementing systems or by providing data and helping companies to improve their defenses. The notion of vulnerabilities assessment further raises the possibility of penetration testing to determine probe weaknesses in critical infrastructure providers' cyber defenses.

Information sharing will likely be a "critical" part of any effort, according to Tom Conway, director of public sector business development for McAfee. Conway says that in his experience, the government is good at sharing at the strategic level on cybersecurity, including basic parameters of cooperation and with whom the government should work, but less so at the operational and tactical levels, where efforts like Perfect Citizen would likely play a new role.

The classified nature of the project also raises questions of its own. Lewis says he wishes more details were forthcoming, as CSIS has wanted to include more about critical infrastructure protection in a follow-on to a major cybersecurity report that became part of the backbone of President Obama's initial cybersecurity strategy, but, Lewis says, "a lot of the details are classified and people are uncomfortable talking about it."