UPDATED 7/12 11:00 AM
A surveillance program in the works by the US federal government could add significantly to the IT burden in many industries, despite adding a layer of security.
As reported in today's Wall Street Journal, the National Security Agency (NSA) is working with Raytheon Co. to equip systems and networks in nuclear power plants, utilities companies, air traffic control systems, and other organizations involved in US infrastructure with sensors that would alert the government to suspicious activity that could herald an imminent cyber-attack.
The project, nicknamed "Perfect Citizen," is being funded in part through the Comprehensive National Cybersecurity Initiative. It reportedly has been welcomed by many private-sector CEOs, albeit with reservations. Some companies, according to the WSJ, would prefer to buy the sensors themselves and then turn over information to the government as needed, while others would be willing to rely on government sensors placed strategically in their networks.
The newspaper also notes that, while an unconfirmed internal Raytheon email described the Perfect Citizen project as "Big Brother," the monitoring involved would not necessarily cover entire systems or networks.
While arguments for and against the philosophy behind Perfect Citizen will likely rage indefinitely, it's also possible that the project will complicate life for many IT professionals.
One hint at this is the sheer scope of the project, which could be larger than anything tried before. While the WSJ notes that the NSA, alone among US federal agencies, is "equipped to manage electronic assessments of critical-infrastructure vulnerabilities," it's less clear which organizations might be mandated or provided with incentives to join the program.
It's possible that the list of potential participants would mirror those given precedence in the US Department of Homeland Security's Telecommunications Service Priority list. That list specifies criteria for getting priority repair service in the event of a telecom outage or disaster:
TSP service user organizations may be in the Federal, State, local, or tribal government, critical infrastructure sectors in industry, non-profit organizations that perform critical National Security and Emergency Preparedness (NS/EP) functions, or foreign governments. Typical TSP service users are responsible for the command and control functions critical to management of and response to NS/EP situations, particularly during the first 24 to 72 hours following an event.
Organizations eligible for the cyber-shield will need to get their technical and management resources lined up to work with the NSA on instrumenting specific systems, many of which may be old and reliant only on gateways to the Internet, instead of directly linked to the Net.
Indeed, some systems and networks may need to be decoupled from Internet connectivity, requiring more work by IT. "It sucks in some ways, but providing a limited number of pathways in that are under tight, secure control is a desirable goal," wrote one participant on the North American Network Operators mailing list today. "These networks ought to be air gapped to the maximum reasonable extent possible; all pathways in ought to be defended as though they were the gateway to the kingdom."
Establishment of an NSA cyber-shield also could speed the progress of some suggested modifications and changes to network security. As noted by ThinkerNetter Gideon Lenkey in his latest post, there is already so much work and cost involved in corporate security monitoring that the idea of a single Internet ID just might get pushed to the roster of possible goals.
Will all the adjustments be worth it? Certainly, experts have been calling for greater security, claiming we face perils of which many firms remain unaware.
And it's not just the detonation of whole systems that's at stake. A cyber-shield might help avert attacks such as those that led to Google's ongoing problems in China. And a cyber-shield might help avoid problems caused by malware, such as the worm that felled a nuclear plant in Ohio several years back.
One observer is hesitant to advocate the cyber-shield just yet. "I think it's a classic 'devil in the details' process," writes ThinkerNetter Tom Nolle, president of CIMI Corp., in an email today. "There are advantages to a generalized government-sponsored protection process for the Internet and other communications services, but there's also a risk in any single central system; there's only one thing to breach. It also depends on just what the shield would protect against and under what conditions; having the government in the space could drive out private solutions, and if the government one was incomplete it would leave users more at risk."
Until we know more, the issue of how the cyber-shield will affect individual industries and companies remains a question. But surely, it's time for IT pros to start anticipating greater participation in, and responsibility for, national security.
UPDATE: After this blog went to press, and in response to an inquiry I sent to NSA regarding the WSJ article, I received the following statement from Judith Emmel, NSA spokeswoman, via email:
Today’s Wall Street Journal article by Siobhan Gorman, titled “US Plans Cyber Shield for Utilities, Companies,” is an inaccurate portrayal of the work performed at the National Security Agency. Because of the high sensitivity surrounding what we do to defend our nation, it is inappropriate to confirm or deny all of the specific allegations made in the article. We will, however, provide the following facts:
- PERFECT CITIZEN is purely a vulnerabilities-assessment and capabilities-development contract. This is a research and engineering effort. There is no monitoring activity involved, and no sensors are employed in this endeavor.
- Specifically, it does not involve the monitoring of communications or the placement of sensors on utility company systems.
- This contract provides a set of technical solutions that help the National Security Agency better understand the threats to national security networks, which is a critical part of NSA’s mission of defending the nation.
- Any suggestions that there are illegal or invasive domestic activities associated with this contracted effort are simply not true. We strictly adhere to both the spirit and the letter of U.S. laws and regulations.
— Mary Jander, ThinkerNet Editor, Internet Evolution