Secret NSA program concerns privacy groups

CS Monitor

The National Security Agency is spearheading a program, dubbed Perfect Citizen, to develop technology to protect the power grid from cyberattack. The project worries privacy rights groups.

Newly released documents confirm that the National Security Agency (NSA), America’s top cyberespionage organization, is spearheading a cloaked and controversial program to develop technology that could protect the US power grid from cyberattack.

Existence of the program, dubbed Perfect Citizen, was revealed in a 2010 Wall Street Journal article. But intriguing new details are revealed in documents released by the NSA last month to the Electronic Privacy Information Center (EPIC), an Internet privacy group that petitioned for them in 2010 under the Freedom of Information Act.

Of the 188 pages of documents released by the agency, roughly half were redacted to remove classified information. Even so, the documents show Perfect Citizen to be in the fourth year of a five-year program begun in 2009. Valued at up to $91 million, the Perfect Citizen technology is being developed by Raytheon, the defense contractor in Waltham, Mass., that won it.

The released documents are the contract that the NSA drew up with Raytheon. A Raytheon spokesman referred all comments on the program to the NSA.

All along, the NSA has maintained that Perfect Citizen is “purely a vulnerabilities assessment and capabilities development contract” that “does not involve the monitoring of communications or the placement of sensors on utility company systems,” according to an NSA statement released in 2010 — and now rereleased to the Monitor.

What the documents reveal is an apparently small but robust program authorized to hire 28 software engineers, program managers, and laboratory personnel. This includes a pair of “penetration testers” — essentially good-guy hackers who specialize in breaking into networks.

Their assignment as part of the team: discover vulnerabilities that lie in the electronic interface that connects the computer networks of utility companies. Then the team can come up with software and hardware plugs to patch those digital holes.

“Sensitive Control Systems (SCS) perform data collection and control of large-scale distributed utilities or provide automation of infrastructure processes,” says the Perfect Citizen contract’s “Statement of Work” document. “The protection of SCS is essential to mission operations and has become a significant point of interest in support of the Department of Defense and the Intelligence Community.”

Further, the document says, “prevention of a loss due to a cyber or physical attack, or recovery of operational capability after such an event, is crucial to the continuity of the Department of Defense, the intelligence community, and the operation of [Signals Intelligence] systems.”

While most might agree the program’s national-security goal is laudable, the question of just how to go about protecting the power grid has been a controversial topic in Congress and among Internet privacy advocates leery of government control of the Internet. Of particular concern among such advocates is shielding privately owned corporate computer networks deemed to be “critical infrastructure” from potentially intrusive digital monitoring.

Citing unnamed sources, the original Wall Street Journal article said that the program did indeed involve placing sensors that can detect illegitimate cyberactivity. But the new documents don’t clarify this point. Deploying such sensors would be especially sensitive since the NSA is an arm of the Pentagon charged with collecting and analyzing foreign communications and defending US government communications and computer networks — not domestic spying.
