New cybersecurity program designed to protect the power grid sparks fears that intelligence agencies will use it to spy on U.S. citizens
PUBLISHED: 12:53 EST, 4 January 2013 | UPDATED: 12:55 EST, 4 January 2013
America’s top cyberespionage organization is spearheading a shadowy and controversial program developing technology to protect the U.S. power grid from cyberattack.
The $91 million program, Perfect Citizen, includes placing sensors that detect illegitimate cyberactivity but that could also potentially be used to spy on U.S. citizens.
Perfect Citizen was first revealed in 2010 by the Wall Street Journal. But new details emerged last month in documents released by the NSA to the Electronic Privacy Information Center, an internet privacy group that spent two years fighting for them under the Freedom of Information Act.
About half of the 188 pages were redacted to protect classified information, but the documents showed that the NSA had hired Massachusetts defense contractor Raytheon to develop the technology.
Raytheon directed all comments on the program to the NSA.
Perfect Citizen has been in development since 2009, with only a year left before it is scheduled for completion.
Since the program became public knowledge, the NSA has maintained that it is ‘purely a vulnerabilities assessment and capabilities development contract’ that ‘does not involve the monitoring of communications or the placement of sensors on utility company systems,’ as it said in a 2010 statement.
It appears the organization has hired 28 software engineers, program managers, and laboratory personnel to develop the project, including two ‘penetration testers’ who break into networks in search of security flaws.
When the team discovers a vulnerability in the electronic interface connecting networks of utility companies, they come up with software and hardware plugs to patch the digital holes.
Perfect Citizen’s ‘Statement of Work’ document states: ‘Sensitive Control Systems (SCS) perform data collection and control of large-scale distributed utilities or provide automation of infrastructure processes. The protection of SCS is essential to mission operations and has become a significant point of interest in support of the Department of Defense and the Intelligence Community.’
‘Prevention of a loss due to a cyber or physical attack, or recovery of operational capability after such an event, is crucial to the continuity of the Department of Defense, the intelligence community, and the operation of [Signals Intelligence] systems,’ it notes.
But Internet privacy advocates question whether Perfect Citizen violates privately owned corporate computer networks deemed ‘critical infrastructure’ from digital spying.
It’s still unclear how sensors would be used to monitor activity. The NSA is the Pentagon’s organization charged with collecting and analyzing foreign communications and defending U.S. government communication and computer networks, but it has no mission for domestic spying.
The NSA has no authorization to intercept U.S. citizen communications unless specifically authorized by a special court, according to the Foreign Intelligence Surveillance Act.
However, the organization has been outed for monitoring those exact communications without court approval, notably by the New York Times in 2005, when that paper reported that the NSA was conducting wiretaps without approval.
The 2010 statement does say that ‘This is a research and engineering effort. There is no monitoring activity involved, and no sensors are employed in this endeavor.’
‘Any suggestions that there are illegal or invasive domestic activities associated with this [Perfect Citizen] contracted effort are simply not true. We strictly adhere to both the spirit and the letter of US laws and regulations.’
Despite the promises, privacy rights groups remain concerned, especially as the ‘Statement of Work’ requires development of ‘Computer Network Defense best practices/capabilities that defend against vulnerabilities identified in a SCS.’
‘Previously the agency had said it was just a research program,’ Ginger McCall, director of the Open Government Program at EPIC, told the Christian Science Monitor. ‘But we see in these documents that they do intend to conduct testing, actual research, actual vulnerability testing and develop software tools that could be operational.’
Other experts say the project’s scope is still unclear.
‘It’s hard to say if the project is only research, only operational, or a combination of both,’ said John Bumgarner, a research director for the U.S. Cyber Consequences Unit, a nonprofit security think tank advising government and industry. ‘The contract cost for the project seems way too low to be an operational program to, say, protect the entire US electric grid from cyberattack.’
EPIC’s main worry is that the program may monitor online data without any authorization, and that the program itself will be free of oversight.
McCall notes that when the Department of Homeland Security begins such projects it must conduct privacy impact assessments, but in this case it is unclear whether such a step has been taken.
‘It appears as though the NSA is trying to develop cybersecurity protective technology, but that as part of this contract, they’re conducting testing already,’ she said. ‘This isn’t merely research.’
But the project has supporters as well.
‘The project makes sense, as the government relies on industry for most of its requirements in the way of water, sewer, and power,’ said one cybersecurity expert who spoke on condition of anonymity because his company works with the government.
The expert added that the DHS has issued reports about cyberattacks against utility companies with computer networks that have industrial networks connected to the grid.
Federal cyberresponse teams provided on-site support ‘at a power generation facility where both common and sophisticated malware had been discovered in the industrial control system environment,’ DHS reported last month.
The team also performed preliminary on-site analysis of the machines and ‘discovered signs of the sophisticated malware on two engineering workstations.’
The machines were ‘critical to the operation of the control environment.’
Though cybersecurity legislation failed in the last Congress, U.S. President Barack Obama is reportedly nearing announcement of an executive order expanding federal protection to include the power grid as well as other critical infrastructure networks.