Siobhan Gorman of the Wall Street Journal reported yesterday that the National Security Agency (NSA) is developing a cybersecurity program entitled “Perfect Citizen” that would “rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn’t persistently monitor the whole system.” The purpose of the program would be to “detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants.”
Raytheon allegedly won a $100 million contract for the first phase of the project, which is part of the Comprehensive National Cybersecurity Initiative (CNCI) rolled out in January 2008 by President George W. Bush in the classified National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/ HSPD-23). President Obama announced in May 2009 as part of the current Administration’s Cyberspace Policy Review that elements of the CNCI would continue as part of an increased effort to build our nation’s cybersecurity strengths.
NSA confirmed late Thursday/early this morning that Perfect Citizen is, indeed, a real program but took issue with the Wall Street Journal’s portrayal. In a statement the agency said “Perfect Citizen is purely a vulnerabilities-assessment and capabilities-development contract. This is a research and engineering effort. There is no monitoring activity involved, and no sensors are employed in this endeavor ….Specifically, it does not involve the monitoring of communications or placement of sensors on utility company systems.” The NSA went on to say that”this contract provides a set of technical solutions that help the National Security Agency better understand the threats to national security networks, which is a critical part of NSA’s mission of defending the nation.”
Since Gorman’s story on Perfect Citizen yesterday, there has been a flurry of Internet activity asking several questions, all of which mirror the larger issues facing the federal government as it tries to tackle cybersecurity. Those questions are:
- How much should the federal government be intervening in the private sector’s efforts to protect critical infrastructure assets that are not owned by the United States?
- If there should be intervention, how do we address privacy concerns and fears of Big Brother intervention?
- Is the NSA (or any of the three letter classified agencies) the proper place for housing such a program?
The questions are intertwined but are not new — the government has struggled with them since the mid-90s when President Bill Clinton announced the first large-scale public efforts to develop public-private partnerships to address critical infrastructure and cybersecurity. How the Obama Administration chooses to address these three questions going forward will help define the future of cybersecurity for citizens, stakeholders, contractors, the federal government, and our international partners.
How much should the federal government be intervening in the private sector’s efforts to protect critical infrastructure assets that are not owned by the United States?
Interestingly,this is objective # 12 of 12 in the CNCI, according to documents released by President Obama last year. According to the White House National Security Council’s website describing the program, that objective is as follows:
Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains. The U.S. Government depends on a variety of privately owned and operated critical infrastructures to carry out the public’s business. In turn, these critical infrastructures rely on the efficient operation of information systems and networks that are vulnerable to malicious cyber threats. This Initiative builds on the existing and ongoing partnership between the Federal Government and the public and private sector owners and operators of Critical Infrastructure and Key Resources (CIKR). The Department of Homeland Security and its private-sector partners have developed a plan of shared action with an aggressive series of milestones and activities. It includes both short-term and long-term recommendations, specifically incorporating and leveraging previous accomplishments and activities that are already underway. It addresses security and information assurance efforts across the cyber infrastructure to increase resiliency and operational capabilities throughout the CIKR sectors. It includes a focus on public-private sharing of information regarding cyber threats and incidents in both government and CIKR.
This objective, as stated, meshes with findings of the President’s Commission on Critical Infrastructure Protection, created by President Clinton in 1996, in its report Critical Foundations, Protecting America’s Infrastructures. In its 1997 report, the Commission found:
The quickest and most effective way to achieve a much higher level of protection from cyber threats is a strategy of cooperation and information sharing based on partnerships among the infrastructure owners and operators and appropriate government agencies.
To facilitate this new relationship between government and industry, new mechanisms will be needed, including sector “clearing houses” to provide the focus for industry cooperation and information sharing; a council of industry CEOs, representatives of state and local government, and Cabinet secretaries to provide policy advice and implementation commitment; a real-time capability for attack warning; and a top-level policy making office in the White House.
Another area where government must lead is in research and development. Some of the basic technology and tools needed to provide improved infrastructure protection already exist, but need to be widely employed. However, there is a need for additional technology with which to protect our essential systems. We have, therefore, recommended a program of research and development focused on those needed capabilities.
It is eerie how little the rhetoric, problems, and solutions on cybersecurity has changed in 13 years, especially given the leaps and bounds we have seen on the technology front – from broadband to smartgrids to wireless to social networks. The 1997 report would be one of a handful to emerge from the government, all touting the same action items. In addition, several federal entities – many with acronyms as names – emerged over the years, from the Critical Infrastructure Assurance Office (CIAO) at the Department of Commerce to the National Infrastructure Protection Center (NIPC) at the FBI to the National Cyber Security Division (NCSD) at the Department of Homeland Security.
We also saw directives offered by both Presidents Clinton and Bush to further explain the complex relationship between the government and the private sector in protecting critical infrastructures. PDD 63, released in May 1998, established national policy on necessary measures to eliminate significant vulnerabilities to physical and cyber attacks on U.S. critical infrastructures, including U.S. cyber systems. HSPD-7, released in December 2003, superseded PDD-63, and focused on establishing a national policy for Federal departments and agencies to identify and prioritize U.S. critical infrastructure and key resources and to protect them from terrorist attacks.
Since Perfect Citizen is focused on the energy sector, it is worth noting that the 1997 Critical Infrastructure report did specifically address the vulnerabilities and threats of the energy sector in one of its chapters. Its concluding findings were:
- The authorities and responsibilities for energy infrastructure assurance in the federal
government need to be clarified.
- The respective responsibilities of government and private sector for infrastructure assurance are not clearly understood.
- Improved sharing of threat information and “indications and warning” (I&W) information is needed. Improved sharing of industry experience is needed (e.g., a fully populated cyber intrusion database).
- More training and awareness in infrastructure assurance is needed, focusing on risk management, vulnerabilities, performance testing, and cyber security.
- Infrastructure assurance technology advancements could add significantly to the overall protection of industry assets.
- Adopting uniform physical and cyber security guidelines, standards or best practices would enhance protection.
Interesting, the government had already been looking at energy sector vulnerabilities before the Commission was even formed. In the late 80s, the House Energy & Commerce and Senate Government Affairs Committees held hearings and requested an assessment from the then-existing Office of Technology Assessment on the vulnerabilities of the grid. OTA released a report in 1990 entitled “Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage.” The report describes the various agencies involved in protecting electric systems, from the National Security Council to the Federal Emergency Management Agency to the Department of Defense to the FBI, and includes the conclusion that “[t]he appropriate level of government intervention is a matter of value judgment and opinion. The level of threat, both sabotage and natural disaster, cannot be quantified, and the costs of a major outage are highly dependent on the exact nature of the outage.”
So what can be concluded from these efforts? Maybe the OTA report is right – government intervention/involvement in private sector efforts in this area is really a value judgment call where we will see the right mix when we see it. There is no easy answer though it is clear that it has to be a joint effort if we are going to protect our critical infrastructures such as the electric grid, nuclear plants, and oil pipelines. Attention should be focused on specific solutions that can harden our systems and advance our efforts beyond policy, partnerships, and threatened mandates.
If there should be intervention, how do we address privacy concerns and fears of Big Brother intervention?
Privacy concerns relating to how the federal government works with the private sector on monitoring critical systems are also not new. Each time the government creates a cybersecurity program, concerns are raised – some rightly, some not – on what are we doing on the privacy front.
In the late 90s/early 2000s, the FBI came under fire for its unfortunately named program “Carnivore,” which was designed to monitor email and electronic communications through the use of customized packet sniffers. The name was quickly changed to DCS1000 (despite some calls for it to be renamed “Fluffy Bunny”) but the program never quite survived the privacy uproar that followed it.
Currently, the Einstein (1,2, 3) programs that make up part of the CNCI effort remain under fire from privacy and civil liberties advocates because they involve deep packet inspections and scanning of communications for malicious code before they attack government systems. Einstein 1 and 2 have been examined in great detail and have Privacy Impact Assessments available. Einstein 3, which has yet to be rolled out fully, has created the most controversy as it would allegedly preempt strikes before they happen by sharing information with the NSA (a simplistic description that I’m sure has many techies rolling their eyes).
The concern for many privacy and civil liberties advocates on this front are two-fold. First, there is a general concern that NSA’s involvement in what many deem a civilian effort, especially in light of NSA’s surveillance and intelligence gathering missions, would go beyond protecting to actively intruding on citizen’s privacy and activities. Second, to the degree there is discussion about extending Einstein and other programs into the private sector, there is concern about government involvement in such efforts, especially in light of concerns over NSA involvement and use of its “Tutelage” technology developed for screening cybersecurity networks.
We can expect the same concerns raised by Einstein 3 to be raised with Perfect Citizen. The fact that private sector systems are the focal point of the effort, something that most of the CNCI has avoided by focusing government systems, may raise further questions as experts try to parse out what really is going on with Perfect Citizen. Since it is a classified program, much of the discussion will focus on speculation and rumors, making the privacy concerns more difficult to discern. NSA’s involvement will only magnify those concerns. It is hard to address concerns for problems that are only speculative and so dependent on “trust” but with little way to “verify” for privacy advocates.
Is the NSA (or any of the three letter classified agencies) the proper place for housing such a program?
Before answering this question, it is worth exploring whether the privacy issues raised in question 2 would go away if NSA was not involved in Perfect Citizen. My assessment is that they would not as DHS has had a number of programs come under privacy scrutiny and much of the proposed activity would need to be classified to achieve its goals and be successful. The protection of industry information would also have to be adequately addressed.
So putting those concerns aside, should DHS or NSA be leading this effort? It is hard to understand exactly what role NSA is playing in this effort or why, according to media reports, it is doing outreach to utilities. Especially confusing is the fact that if you look at Objective #12 under the CNCI (see above), DHS has the lead on the effort to extend government efforts to the private sector and has done extensive work, along with the Department of Energy and the Federal Energy Regulatory Commission, on the various subsectors within the energy sector on protecting their systems.
Also unclear is how the NSA’s lead (if it is indeed leading) on Perfect Citizen meshes with the Office of Management and Budget’s Memorandum released earlier this week, on July 6th, entitled Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS).
That memorandum clearly states:
Under various national security and homeland security Presidential directives, and pursuant to its statutory authorities, DHS oversees critical infrastructure protection, operates the United States Computer Emergency Readiness Team (US-CERT), oversees implementation of the Trusted Internet Connection initiative, and takes other actions to help secure both the Federal civilian government systems and the private sector.
Maybe future revelations about Perfect Citizen will reveal DHS’s role in the program and make clearer how NSA is engaging with the energy sector on what the agency is calling a “research and development” program. Given the complexities involved with cybersecurity, if NSA has technology that is useful that has been developed on “the other side,” shouldn’t it be working with DHS and other civilian agencies to test it and determine its applicability in civilian government and private sector systems?
If it does not have the technology but is contracting with outside entities to develop it purely for civilian purposes, then that would seemingly contradict the understood paradigm on who does what in cybersecurity for the government and with public-private outreach. Based on what has been made public so far, it is unclear which scenario is actually taking place.
In any event, it would be helpful for the Administration to clarify roles and responsibilities and how it seems the interplay between NSA and DHS on cybersecurity, much in the same way it did on the interplay between the White House and DHS in this week’s OMB memo, as the tension between DHS-NSA efforts will likely not disappear anytime soon.