Homeland Security Watch

News and analysis of critical issues in homeland security

July 9, 2010


Filed under: Cybersecurity — by Jessica Herrera-Flanigan on July 9, 2010

Siobhan Gorman of the Wall Street Journal reported yesterday that the National Security Agency (NSA) is developing a cybersecurity program entitled “Perfect Citizen” that would “rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn’t persistently monitor the whole system.” The purpose of the program would be to “detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants.”

Raytheon allegedly won a $100 million contract for the first phase of the project, which is part of the Comprehensive National Cybersecurity Initiative (CNCI) rolled out in January 2008 by President George W. Bush in the classified National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23). President Obama announced in May 2009, as part of the current Administration’s Cyberspace Policy Review, that elements of the CNCI would continue as part of an increased effort to build our nation’s cybersecurity strengths.

NSA confirmed late Thursday/early this morning that Perfect Citizen is, indeed, a real program but took issue with the Wall Street Journal’s portrayal. In a statement the agency said “Perfect Citizen is purely a vulnerabilities-assessment and capabilities-development contract. This is a research and engineering effort. There is no monitoring activity involved, and no sensors are employed in this endeavor…. Specifically, it does not involve the monitoring of communications or placement of sensors on utility company systems.” The NSA went on to say that “this contract provides a set of technical solutions that help the National Security Agency better understand the threats to national security networks, which is a critical part of NSA’s mission of defending the nation.”

Since Gorman’s story on Perfect Citizen yesterday, there has been a flurry of Internet activity asking several questions, all of which mirror the larger issues facing the federal government as it tries to tackle cybersecurity. Those questions are:

  1. How much should the federal government be intervening in the private sector’s efforts to protect critical infrastructure assets that are not owned by the United States?
  2. If there should be intervention, how do we address privacy concerns and fears of Big Brother intervention?
  3. Is the NSA (or any of the three letter classified agencies) the proper place for housing such a program?

The questions are intertwined but are not new — the government has struggled with them since the mid-90s, when President Bill Clinton announced the first large-scale public efforts to develop public-private partnerships to address critical infrastructure and cybersecurity. How the Obama Administration chooses to address these three questions going forward will help define the future of cybersecurity for citizens, stakeholders, contractors, the federal government, and our international partners.

How much should the federal government be intervening in the private sector’s efforts to protect critical infrastructure assets that are not owned by the United States?

Interestingly, this is objective #12 of 12 in the CNCI, according to documents released by President Obama last year. According to the White House National Security Council’s website describing the program, that objective is as follows:

Initiative #12. Define the Federal role for extending cybersecurity into critical infrastructure domains. The U.S. Government depends on a variety of privately owned and operated critical infrastructures to carry out the public’s business. In turn, these critical infrastructures rely on the efficient operation of information systems and networks that are vulnerable to malicious cyber threats. This Initiative builds on the existing and ongoing partnership between the Federal Government and the public and private sector owners and operators of Critical Infrastructure and Key Resources (CIKR). The Department of Homeland Security and its private-sector partners have developed a plan of shared action with an aggressive series of milestones and activities. It includes both short-term and long-term recommendations, specifically incorporating and leveraging previous accomplishments and activities that are already underway. It addresses security and information assurance efforts across the cyber infrastructure to increase resiliency and operational capabilities throughout the CIKR sectors. It includes a focus on public-private sharing of information regarding cyber threats and incidents in both government and CIKR.

This objective, as stated, meshes with the findings of the President’s Commission on Critical Infrastructure Protection, created by President Clinton in 1996. In its 1997 report, Critical Foundations: Protecting America’s Infrastructures, the Commission found:

The quickest and most effective way to achieve a much higher level of protection from cyber threats is a strategy of cooperation and information sharing based on partnerships among the infrastructure owners and operators and appropriate government agencies.

To facilitate this new relationship between government and industry, new mechanisms will be needed, including sector “clearing houses” to provide the focus for industry cooperation and information sharing; a council of industry CEOs, representatives of state and local government, and Cabinet secretaries to provide policy advice and implementation commitment; a real-time capability for attack warning; and a top-level policy making office in the White House.

Another area where government must lead is in research and development. Some of the basic technology and tools needed to provide improved infrastructure protection already exist, but need to be widely employed. However, there is a need for additional technology with which to protect our essential systems. We have, therefore, recommended a program of research and development focused on those needed capabilities.

It is eerie how little the rhetoric, problems, and solutions on cybersecurity have changed in 13 years, especially given the leaps and bounds we have seen on the technology front – from broadband to smart grids to wireless to social networks. The 1997 report would be one of a handful to emerge from the government, all touting the same action items. In addition, several federal entities – many with acronyms as names – emerged over the years, from the Critical Infrastructure Assurance Office (CIAO) at the Department of Commerce to the National Infrastructure Protection Center (NIPC) at the FBI to the National Cyber Security Division (NCSD) at the Department of Homeland Security.

We also saw directives offered by both Presidents Clinton and Bush to further explain the complex relationship between the government and the private sector in protecting critical infrastructures. PDD-63, released in May 1998, established national policy on the measures necessary to eliminate significant vulnerabilities to physical and cyber attacks on U.S. critical infrastructures, including U.S. cyber systems. HSPD-7, released in December 2003, superseded PDD-63 and focused on establishing a national policy for Federal departments and agencies to identify and prioritize U.S. critical infrastructure and key resources and to protect them from terrorist attacks.

Since Perfect Citizen is focused on the energy sector, it is worth noting that the 1997 Critical Foundations report did specifically address the vulnerabilities and threats of the energy sector in one of its chapters. Its concluding findings were:

  1. The authorities and responsibilities for energy infrastructure assurance in the federal government need to be clarified.
  2. The respective responsibilities of government and private sector for infrastructure assurance are not clearly understood.
  3. Improved sharing of threat information and “indications and warning” (I&W) information is needed. Improved sharing of industry experience is needed (e.g., a fully populated cyber intrusion database).
  4. More training and awareness in infrastructure assurance is needed, focusing on risk management, vulnerabilities, performance testing, and cyber security.
  5. Infrastructure assurance technology advancements could add significantly to the overall protection of industry assets.
  6. Adopting uniform physical and cyber security guidelines, standards or best practices would enhance protection.

Interestingly, the government had already been looking at energy sector vulnerabilities before the Commission was even formed. In the late 80s, the House Energy & Commerce and Senate Government Affairs Committees held hearings and requested an assessment from the then-existing Office of Technology Assessment (OTA) on the vulnerabilities of the grid. OTA released a report in 1990 entitled “Physical Vulnerability of Electric Systems to Natural Disasters and Sabotage.” The report describes the various agencies involved in protecting electric systems, from the National Security Council to the Federal Emergency Management Agency to the Department of Defense to the FBI, and includes the conclusion that “[t]he appropriate level of government intervention is a matter of value judgment and opinion. The level of threat, both sabotage and natural disaster, cannot be quantified, and the costs of a major outage are highly dependent on the exact nature of the outage.”

So what can be concluded from these efforts? Maybe the OTA report is right – government intervention/involvement in private sector efforts in this area really is a value judgment, and we will know the right mix when we see it. There is no easy answer, though it is clear that it has to be a joint effort if we are going to protect critical infrastructures such as the electric grid, nuclear plants, and oil pipelines. Attention should be focused on specific solutions that can harden our systems and advance our efforts beyond policy, partnerships, and threatened mandates.

If there should be intervention, how do we address privacy concerns and fears of Big Brother intervention?

Privacy concerns relating to how the federal government works with the private sector on monitoring critical systems are also not new. Each time the government creates a cybersecurity program, concerns are raised – some rightly, some not – about what we are doing on the privacy front.

In the late 90s/early 2000s, the FBI came under fire for its unfortunately named program “Carnivore,” which was designed to monitor email and electronic communications through the use of customized packet sniffers. The name was quickly changed to DCS1000 (despite some calls for it to be renamed “Fluffy Bunny”), but the program never quite survived the privacy uproar that followed it.

Currently, the Einstein (1, 2, 3) programs that make up part of the CNCI effort remain under fire from privacy and civil liberties advocates because they involve deep packet inspection, scanning communications for malicious code before it reaches government systems. Einstein 1 and 2 have been examined in great detail and have Privacy Impact Assessments available. Einstein 3, which has yet to be rolled out fully, has created the most controversy, as it would allegedly preempt strikes before they happen by sharing information with the NSA (a simplistic description that I’m sure has many techies rolling their eyes).

The concern for many privacy and civil liberties advocates on this front is two-fold. First, there is a general concern that NSA’s involvement in what many deem a civilian effort, especially in light of NSA’s surveillance and intelligence gathering missions, would go beyond protecting to actively intruding on citizens’ privacy and activities. Second, to the degree there is discussion about extending Einstein and other programs into the private sector, there is concern about government involvement in such efforts, especially in light of concerns over NSA involvement and its use of the “Tutelage” technology it developed for screening network traffic.

We can expect the same concerns raised by Einstein 3 to be raised with Perfect Citizen. The fact that private sector systems are the focal point of the effort, something that most of the CNCI has avoided by focusing on government systems, may raise further questions as experts try to parse out what really is going on with Perfect Citizen. Since it is a classified program, much of the discussion will focus on speculation and rumors, making the privacy concerns more difficult to discern. NSA’s involvement will only magnify those concerns. It is hard to address concerns about problems that are only speculative and so dependent on “trust,” with little way for privacy advocates to “verify.”

Is the NSA (or any of the three letter classified agencies) the proper place for housing such a program?

Before answering this question, it is worth exploring whether the privacy issues raised in question 2 would go away if NSA were not involved in Perfect Citizen. My assessment is that they would not, as DHS has had a number of programs come under privacy scrutiny, and much of the proposed activity would need to be classified to achieve its goals and be successful. The protection of industry information would also have to be adequately addressed.

So, putting those concerns aside, should DHS or NSA be leading this effort? It is hard to understand exactly what role NSA is playing in this effort or why, according to media reports, it is doing outreach to utilities. Especially confusing is the fact that if you look at Objective #12 under the CNCI (see above), DHS has the lead on the effort to extend government efforts to the private sector and has done extensive work, along with the Department of Energy and the Federal Energy Regulatory Commission, with the various subsectors within the energy sector on protecting their systems.

Also unclear is how the NSA’s lead (if it is indeed leading) on Perfect Citizen meshes with the Office of Management and Budget’s Memorandum released earlier this week, on July 6th, entitled Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security (DHS).

That memorandum clearly states:

Under various national security and homeland security Presidential directives, and pursuant to its statutory authorities, DHS oversees critical infrastructure protection, operates the United States Computer Emergency Readiness Team (US-CERT), oversees implementation of the Trusted Internet Connection initiative, and takes other actions to help secure both the Federal civilian government systems and the private sector.

Maybe future revelations about Perfect Citizen will reveal DHS’s role in the program and make clearer how NSA is engaging with the energy sector on what the agency is calling a “research and engineering” program. Given the complexities involved with cybersecurity, if NSA has useful technology that has been developed on “the other side,” shouldn’t it be working with DHS and other civilian agencies to test it and determine its applicability to civilian government and private sector systems?

If it does not have the technology but is contracting with outside entities to develop it purely for civilian purposes, then that would seemingly contradict the understood paradigm on who does what in cybersecurity for the government and with public-private outreach.  Based on what has been made public so far, it is unclear which scenario is actually taking place.

In any event, it would be helpful for the Administration to clarify roles and responsibilities and how it sees the interplay between NSA and DHS on cybersecurity, much as it did for the interplay between the White House and DHS in this week’s OMB memo, as the tension between DHS and NSA efforts will likely not disappear anytime soon.



Comment by William R. Cumming

July 9, 2010 @ 1:34 pm

Very useful history and great post. So many thanks Jessica. Is the July 6th delineation of roles doc on the White House webpage?

It sounds also like you may be working this issue in the real world and I do have some excellent documentation from the 80’s when the analysis of the impacts of the 1965 and 1977 NYC blackouts was fully comprehended. Also of course the NE power outage about 5 years ago was also a huge event. If you want some of that history hard copy and some virtual contact me offline at vlg338@yahoo.com

Comment by Jessica Herrera-Flanigan

July 9, 2010 @ 1:51 pm

The OMB document can be found at http://www.whitehouse.gov/omb/assets/memoranda_2010/m10-28.pdf

Comment by William R. Cumming

July 9, 2010 @ 4:12 pm

As I have previously commented, the Orszag July 6th memo documents the fact that so-called “computer security” efforts (see OMB Circular A-130 for example) and cyber security remain on different planets. YUP, because of their budget and reporting role OMB remains a player in all preparedness activity, whether EM or HS or whatever. And that real history is filled with failure to follow up to well-written and well-conceived policy documents. Why? OMB too thin to really be an administrative overseer of any specific programmatic function. They have just enough power to make sure NO other entity can do the job either. Time for Congress to really look very hard at the culture and operations of OMB on the Management side of the OMB.

Comment by CitizenCyber

July 10, 2010 @ 7:31 am

A very well presented and enlightening post! If in fact the author is addressing such in the real world, a very necessary committed discipline inherent with obvious insightful perspective and no doubt any and all further contributions from William Cumming will only prompt more meaningful discussion – at least, let’s hope so!


Comment by CitizenCyber

July 10, 2010 @ 7:40 am

A very well presented and enlightening post!

If in fact the author is addressing such in the real world, a very necessary committed discipline inherent with obvious insightful perspective and no doubt any and all further contributions from William Cumming will only prompt more meaningful discussion – at least, let’s hope the White House and others like our Congressional members are reading and have comment as well….



Comment by Christopher Bellavita

July 12, 2010 @ 8:27 pm

Richard Clarke and Robert Knake’s book “Cyber War: The Next Threat to National Security and What to Do About It” (http://amzn.to/9r5wqs) discusses many of the issues Jessica raises. I’m about two-thirds of the way through it. The book is neither scholarly nor objective, but it does translate the cyber security issue into language and examples that hit the side of my head with enough force to direct my attention to the issue.

Pingback by Homeland Security Watch » Bottom Up Review: Button Down and Focus

July 16, 2010 @ 1:09 pm

[…] classifying the smart grid and critical infrastructure systems as national security systems,  see Cybercitizen?, we will have to see which agency’s definition of “civilian national security […]
