UPDATED 7/12 11:00 AM A surveillance program in the works by the US federal government could add significantly to the IT burden in many industries, despite adding a layer of security.
As reported in today's Wall Street Journal, the National Security Agency (NSA) is working with Raytheon Co. to equip systems and networks in nuclear power plants, utilities companies, air traffic control systems, and other organizations involved in US infrastructure with sensors that would alert the government to suspicious activity that could herald an imminent cyber-attack.
The project, nicknamed "Perfect Citizen," is being funded in part through the Comprehensive National Cybersecurity Initiative. It reportedly has been welcomed by many private-sector CEOs, albeit with reservations. Some companies, according to the WSJ, would prefer to buy the sensors themselves and then turn over information to the government as needed, while others would be willing to rely on government sensors placed strategically in their networks.
The newspaper also notes that, while an unconfirmed internal Raytheon email described the Perfect Citizen project as "Big Brother," the monitoring involved would not necessarily cover entire systems or networks.
Data can help you see the future. Click here to see IE's Predictive Analytics tutorial.
While arguments for and against the philosophy behind Perfect Citizen will likely rage indefinitely, it's also possible that the project will complicate life for many IT professionals.
One hint at this is the sheer scope of the project, which could be larger than anything tried before. While the WSJ notes that the NSA, alone among US federal agencies, is "equipped to manage electronic assessments of critical-infrastructure vulnerabilities," it's less clear which organizations might be mandated or provided with incentives to join the program.
It's possible that the list of potential participants would mirror those given precedence in the US Department of Homeland Security's Telecommunications Service Priority list. That list specifies criteria for getting priority repair service in the event of a telecom outage or disaster:
TSP service user organizations may be in the Federal, State, local, or tribal government, critical infrastructure sectors in industry, non-profit organizations that perform critical National Security and Emergency Preparedness (NS/EP) functions, or foreign governments. Typical TSP service users are responsible for the command and control functions critical to management of and response to NS/EP situations, particularly during the first 24 to 72 hours following an event.
Organizations eligible for the cyber-shield will need to get their technical and management resources lined up to work with the NSA on instrumenting specific systems, many of which may be old and reliant only on gateways to the Internet, instead of directly linked to the Net.
Indeed, some systems and networks may need to be decoupled from Internet connectivity, requiring more work by IT. "It sucks in some ways, but providing a limited number of pathways in that are under tight, secure control is a desirable goal," wrote one participant on the North American Network Operators mailing list today. "These networks ought to be air gapped to the maximum reasonable extent possible; all pathways in ought to be defended as though they were the gateway to the kingdom."
Establishment of an NSA cyber-shield also could speed the progress of some suggested modifications and changes to network security. As noted by ThinkerNetter Gideon Lenkey in his latest post, there is already so much work and cost involved in corporate security monitoring that the idea of a single Internet ID just might get pushed to the roster of possible goals.
Will all the adjustments be worth it? Certainly, experts have been calling for greater security, claiming we face perils of which many firms remain unaware.
One observer is hesitant to advocate the cyber-shield just yet. "I think it's a classic 'devil in the details' process," writes ThinkerNetter Tom Nolle, president of CIMI Corp. , in an email today. "There are advantages to a generalized government-sponsored protection process for the Internet and other communications services, but there's also a risk in any single central system; there's only one thing to breach. It also depends on just what the shield would protect against and under what conditions; having the government in the space could drive out private solutions, and if the government one was incomplete it would leave users more at risk."
Until we know more, the issue of how the cyber-shield will affect individual industries and companies remains a question. But surely, it's time for IT pros to start anticipating greater participation in, and responsibility for, national security.
UPDATE: After this blog went to press, and in response to an inquiry I sent to NSA regarding the WSJ article, I received the following statement from Judith Emmel, NSA spokeswoman, via email:
Today’s Wall Street Journal article by Siobhan Gorman, titled “US Plans Cyber Shield for Utilities, Companies,” is an inaccurate portrayal of the work performed at the National Security Agency. Because of the high sensitivity surrounding what we do to defend our nation, it is inappropriate to confirm or deny all of the specific allegations made in the article. We will, however, provide the following facts:
PERFECT CITIZEN is purely a vulnerabilities-assessment and capabilities-development contract. This is a research and engineering effort. There is no monitoring activity involved, and no sensors are employed in this endeavor.
Specifically, it does not involve the monitoring of communications or the placement of sensors on utility company systems.
This contract provides a set of technical solutions that help the National Security Agency better understand the threats to national security networks, which is a critical part of NSA’s mission of defending the nation.
Any suggestions that there are illegal or invasive domestic activities associated with this contracted effort are simply not true. We strictly adhere to both the spirit and the letter of U.S. laws and regulations.
This blog is part of Internet Evolution'sIT Clan, which addresses the continuing impact of the Internet on enterprise networks, applications, and management. Register hereto join the IT Clan's conversation, and you just might win something unspeakably cool.
The WSJ article was detailed enough that in my view at least, there is room for an argument over definitions. I'm skeptical about the objections the spokesperson made as well.
Thanks for pointing out the places where tongues might be forking.
Sure, there may not be monitoring going on at this particular juncture, but like you, I find it hard to believe it won't be part of the picture later on.
Thanks for the update, but either the spokesperson is not technical or is merely a parrot for the NSA. Let me explain:
PERFECT CITIZEN is purely a vulnerabilities-assessment and capabilities-development contract. This is a research and engineering effort. There is no monitoring activity involved, and no sensors are employed in this endeavor.
Specifically, it does not involve the monitoring of communications or the placement of sensors on utility company systems.
In order to perform a vulnerability assessment, you need the ability to scan for vulnerabilities. This is done either by accessing the network through the external firewall, which is unlikely. Have a person onsite that is conducting the assessment, which is also unlikely as this will take a lot of human resources or you deploy a monitoring device that can perform the assessments, which can be controlled offsite and then have the data sent to a centralized repository for analysis.
If 'perfect citizen' is a monitoring program, then it would be similar to a managed services engagement that the outside entity either monitors the companies equipment already installed or deploys new equipment that they manage on behalf of the client.
Either way, in order for 'perfect citizen' to work, access and monitoring will be necessary, so she is wrong. However, I am sure she will not dispute this as she would open the NSA to additional questions that will show what this program truly is. BTW, remember the movie 'Sneakers'? The NSA was trying to get their hands on a similar device that allowed them to monitor internal communications which was clearly outside of their charter.
After this blog was posted last week, I received an update, as you can see above, from NSA, in which the agency denies the accuracy of the WSJ's reporting on the cyber shield program.
I'm going to be skeptical of the agency's claims, which seem not to contradict the gist of the WSJ's report.
That's why I allowed for the likelihood of their existence in my comment. However, as someone that has to deal with the type on a regular basis, I'm easily discouraged of finding these unicorns of IT.
Don't we already have this? It's called a SOC (Security operations center). Every ISP has a SOC (usually coupled with their NOC...network operations center) These SOCs have dozens of monitors that watch internal, external and television networks to identify any suspicious activity.
Also, we have NANOG (north american network operations group) This group is responsible for the backbone that traverses the United States. They are the ones who have their finger on the pulse of the internet as it operates in the United states.
Plus, we have private organizations like Counterpane and Netsec (now owned by Verizon)
These organizations *KNOW* the internet backbone and *KNOW* how to proceed if there is something to be alarmed about. I don't see how the government can do this any better...because like everything else the government sticks their finger in seems to become a disaster!
I say leave well enough alone...The government will *NOT* be able to do this as well as it is already being done!
I'm sure there are people with clues in the public sector, Knoxzoo, but they're caught up in a bureaucracy that isn't necessarily driven by best practices as we know them on the private sector side.
Great parallel with airport security, Mary. I do agree that the pressure this might put on private-sector firms, not to mention the added layer of insecurity it would introduce, are something to consider.
I agree with Tom Nolle that a single shield is a dangerous thing to depend on. What security system worthy of the name depends on one service? Defense in depth. That's my mantra.
Great thoughts and consideration, Mary. I agree with knoxzoo, and your premise about the pros and cons of a centralized government system, I do not believe that in reality the government has the capability to effectively manage a single complex security system.
I think it is an ideal that works on paper but when applied to the realities of multi-agency integration, agency "territories", manpower, etc., it would end up with the "gaps" that currently exist.
Your point about the weakening of the private system is what would concern me most; but you are absolutely on target that IT professionals need to begin to consider what the affects of greater government involvement would be. Maybe the government would set standards that could serve as footprints and provide audit trails, but I don't think they will be the best stewards of our security - look at 9/11 and the resulting airport security efforts.
The ThinkerNet does not reflect the views of TechWeb. The ThinkerNet is an informal means of communication to members and visitors of the Internet Evolution site. Individual authors are chosen by Internet Evolution to blog. Neither Internet Evolution nor TechWeb assume responsibility for comments, claims, or opinions made by authors and ThinkerNet bloggers. They are no substitute for your own research and should not be relied upon for trading or any other purpose.
Facebook and Twitter are great for posting cat pictures. But are people really using social media for life-changing communications? Like, if a hurricane comes by and blows down their house?
In a standout presentation at the Jefferies 2013 Global Technology, Media & Telecom Conference in New York this week, the UK government talked about becoming a "very intelligent client."
A consumer business would have to be crazy or desperate to change call-center software in December, the peak of the holiday season. But that was exactly Positec's position.
To help enterprises deploy software faster for mobile, social, big-data, and cloud applications, IBM this week acquired development tools vendor UrbanCode.
Internet Explorer seems like a relic of the 90s, like parachute pants and Friends. But that's just me. I'm a Chrome guy, and before that I used Firefox.
That's what Larry Page said on Google's earnings call, referring to the conjunction of mobile and the cloud. Well, let's chart it then! We need to be thinking about an Internet where 90% of our traffic goes to 70 destinations within 40 miles of us.
Businesses helped neighbors with Internet access and mobile device charge-ups during Sandra. Following that example, enterprises should consider preparing Internet disaster plans to help the public during disasters.
US counterterrorism expert Richard Clarke, who came to prominence with his prescient warnings before the 9/11 attacks, tells Smithsonian Magazine the US was responsible for the Stuxnet supersmart worm that attacked parts of nuclear reactors in Iran – and in the process, has given away one of the world's most sophisticated cyberweapons.
In the final episode of this series about the death of Internet anonymity, Saunders describes how the Internet of the future will start to attain a level of intelligence that requires no human intervention. Scary.
What can users today do to protect their online privacy? The simplest and most obvious option is to not use the Internet – at all. However, once all digital information is consolidated over the Internet, trying to protect digital identity by simply unplugging from the Internet becomes impossible – a fact that has manifest implications for civil liberties, Saunders says.
By 2011 the number of Internet-connected sensors will exceed 1 trillion, making your chances of doing anything or going anywhere unnoticed pretty much zero. Saunders talks about how the 'sensortization' of the Internet is eliminating the traditional divide between online and offline populations.
The 20th Century Internet was characterized by the ability to interact with other people and information on the Internet largely without anyone knowing who you were. The Internet of this century, conversely, will be defined by identity. Saunders explains how Internet users are unwittingly contributing to the demise of the anonymous Internet.
EU operators are considering joining up to create a pan-European network to reduce competitive overbuild and cost. This might lower costs and focus operators on higher-level, more interesting services.
New York's Metropolitan Transit Authority is conducting a pilot test of digital kiosks to guide subway users to where they want to go more efficiently and at lower cost.
The whole Amazon.reader debate is a double-stupid. It's stupid to think that there's any e-book buyer who doesn't know Amazon's URL, and it was stupider to let ICANN launch the whole free-form TLD initiative to start with.
While NFC's original goal was to enhance mobile commerce applications, it is finding its way into a number of other uses, which is creating both opportunity as well as challenges for IT departments.
Enterprises would like to move to cloud computing but are hesitant because they are concerned about providers’ ability to secure company data. Here are some tips that help to ensure that if breaches occur, the business is not left holding the bag.
Edmunds separates customers into segments based on the info it collects on its site and from partners, and uses that to push out custom content, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
The automotive website uses propensity modeling to target ads and customer registration forms, said Brian Baron, director of business analytics for Edmunds.com, at Predictive Analytics Innovation Summit.
Expert Integrated Systems: Changing the Experience & Economics of IT In this e-book, we take an in-depth look at these expert integrated systems -- what they are, how they work, and how they have the potential to help CIOs achieve dramatic savings while restoring IT's role as business innovator. READ THIS eBOOK
your weekly update of news, analysis, and
opinion from Internet Evolution - FREE! REGISTER HERE
Wanted! Site Moderators Internet Evolution is looking for a handful of readers to help moderate the message boards on our site – as well as engaging in high-IQ conversation with the industry mavens on our thinkerNet blogosphere. The job comes with various perks, bags of kudos, and GIANT bragging rights. Interested?
To save this item to your list of favorite Internet Evolution content so you can find it later in your Profile page, click the "Save It" button next to the item.
M2M: Rise of the Machines? Not Yet David Weldon In the 1970 science fiction thriller Colossus: The Forbin Project, two giant supercomputers from the United States and Soviet Union secretly join forces to take control of the collective nuclear might of the two countries. In the film, the two machines discover each other's existence, communicate back-and-forth, share their collective data, and cut their human creators out of the process. It is the ultimate example of machine-to-machine communications, or M2M. CLICK FOR MORE
M2M: Rise of the Machines? Not Yet David Weldon In the 1970 science fiction thriller Colossus: The Forbin Project, two giant supercomputers from the United States and Soviet Union secretly join forces to take control of the collective nuclear might of the two countries. In the film, the two machines discover each other's existence, communicate back-and-forth, share their collective data, and cut their human creators out of the process. It is the ultimate example of machine-to-machine communications, or M2M. CLICK FOR MORE
M2M: Rise of the Machines? Not Yet David Weldon In the 1970 science fiction thriller Colossus: The Forbin Project, two giant supercomputers from the United States and Soviet Union secretly join forces to take control of the collective nuclear might of the two countries. In the film, the two machines discover each other's existence, communicate back-and-forth, share their collective data, and cut their human creators out of the process. It is the ultimate example of machine-to-machine communications, or M2M. CLICK FOR MORE
M2M: Rise of the Machines? Not Yet David Weldon In the 1970 science fiction thriller Colossus: The Forbin Project, two giant supercomputers from the United States and Soviet Union secretly join forces to take control of the collective nuclear might of the two countries. In the film, the two machines discover each other's existence, communicate back-and-forth, share their collective data, and cut their human creators out of the process. It is the ultimate example of machine-to-machine communications, or M2M. CLICK FOR MORE
Email This
