The Wall Street Journal reports, citing unnamed sources, that the NSA is launching a program to help protect critical infrastructure – including private enterprises – from cyber attacks. According to the paper, defense contractor Raytheon has received the contract for the project, which would rely on a series of sensors to detect “unusual activity suggesting an impending cyber attack.” This follows the Lieberman-Collins bill passing committee in the Senate.
The Orwellian nature of the name was alledgedly not lost on Raytheon: The Wall Street Journal claims to have seen an internal Raytheon e-mail saying “Perfect Citizen is Big Brother.”
Although the project will be mostly aimed at public infrastructure with older computer control systems, such as subways and air-traffic control systems, the paper notes that the program could be of use to private companies like Google and the many other companies who sustained cyber attacks late last year.
A power struggle has been brewing over who should be in charge of national cybersecurity: the NSA, the Department of Homeland Security, the military, or the private sector. The Lieberman-Collins bill would put the responsibility squarely on the shoulders of the White House and DHS, establishing new cybersecurity organizations in both and requiring private enterprises to take orders from the federal government in the event of a “national cyber emergency.”
However, security expert Bruce Schneier notes that DHS has been “getting hammered” in Senate Homeland Security Committee hearings and that the NSA has been consolidating its power. “Perfect Citizen” would appear to be a major power grab by the agency.
Schneier, writing last year about the intra-agency cybersecurity power struggle wrote “Putting national cybersecurity in the hands of the NSA is an incredibly bad idea.” Schneier points out that the NSA’s surveillance function would a conflict of interest with a security function. However, in appears “Perfect Citizen” is primarily a surveillance project.
Schneier called for the government to use its purchasing power to improve the quality of commercial security products to improve information security for everyone, not just the government.
Writer and futurist Bruce Sterling has expressed deep cynicism about the private sector’s ability to address key security issues on its own: “If you want your infrastructure to be up to mil-spec, you can’t use commercial off-the-shelf material that was kicked out the door as fast as it would sell. It’s a fact. Mind you, I’m not saying that government oversight necessarily improves this stuff — especially when a government’s for sale to the private sector anyway.”
Government involvement in private sector IT infrastructure has caused some concern about the future of the open Internet. Earlier in this year Threat Level blogger Ryan Singel wrote that cyberwar hype was intended to destroy the open Internet. Fortunately, as Singel later pointed out, not everyone in government is a cyberwar alarmist.
Although threats of cyberwar may be exaggerated, vulnerabilities in critical infrastructure remain a major concern, and a point of contention in Washington.
Schneier wrote on his blog yesterday, before the Wall Street Journal broke this story:
We need to be prepared for war, and a Cyber Command is just as vital as an Army or a Strategic Air Command. And because kid hackers and cyber-warriors use the same tactics, the defenses we build against crime and espionage will also protect us from more concerted attacks. But we’re not fighting a cyberwar now, and the risks of a cyberwar are no greater than the risks of a ground invasion. We need peacetime cyber-security, administered within the myriad structure of public and private security institutions we already have.
Photo credit: Circo de Invierno