A number of you have asked what I make of Siobhan Gorman’s latest story describing a program called “Perfect Citizen” that aims to monitor and map out attempted cyber-intrusions of our critical infrastructure.
Before I say anything about the content of the story, I should note that the nuclear power plant control room depicted with the story–from the plant at Limerick, PA–is just a few miles from where I spend Christmas and about 25 miles from where my mom lives. Maybe that has affected my thoughts on the matter.
But, given what Gorman has reported, I’m not all that bugged about Perfect Citizen. Here’s the operative bit:
Intelligence officials have met with utilities’ CEOs and those discussions convinced them of the gravity of the threat against U.S. infrastructure, an industry specialist said, but the CEOs concluded they needed better threat information and guidance on what to do in the event of a major cyber attack.
Some companies may agree to have the NSA put its own sensors on and others may ask for direction on what sensors to buy and come to an agreement about what data they will then share with the government, industry and government officials said.
While the government can’t force companies to work with it, it can provide incentives to urge them to cooperate, particularly if the government already buys services from that company, officials said.
Perhaps I’m missing something, but it seems that a somewhat coercive but nevertheless voluntary monitoring of cybersecurity for things like the nuclear plant near my Aunt’s home isn’t such a bad thing. Perhaps an analogy is whether or not it’d be okay to monitor health professionals and first responders during an epidemic for signs of sickness, as one of the best ways to track and minimize the spread of the disease. Or better yet, whether or not it’d be okay to pressure oil companies to put monitors on their drilling platforms to make it easier for Department of Interior to keep track and prevent spills.
That said, I do have a number of questions.
First, the NSA has been very squirrely about whether or not Congress has been briefed on this. If, as that squirreliness suggests, Congress has not been briefed, then this is a big problem. I’m particularly interested in the timing and the growth of this program. Gorman describes how this program started as a spring strawberry and then morphed into a perfect citizen.
The NSA years ago began a small-scale effort to address this problem code-named April Strawberry, the military official said. The program researched vulnerabilities in computer networks running critical infrastructure and sought ways to close security holes.
That led to initial work on Perfect Citizen, which was a piecemeal effort to forge relationships with some companies, particularly energy companies, whose infrastructure is widely used across the country.
The classified program is now being expanded with funding from the multibillion-dollar Comprehensive National Cybersecurity Initiative, which started at the end of the Bush administration and has been continued by the Obama administration, officials said.
This suggests this program started blossoming long before the debate over which agency–NSA or DHS–would take the lead on cybersecurity had settled on the former. Which suggests it started with NSA out of its lane under the Bush Administration–not exactly good company to be in. So at that level, I endorse both aspects of Marc Ambinder’s rant on this program: that it shouldn’t be classified and maybe should be in DHS. Oh, and why not name it “infrastructure cybersecurity” rather than “George Orwell’s Baby”?
I’m also very interested in the relationship between the government, corporate partners, and Congress. Given the squirreliness about whether or not NSA briefed Congress, is it possible the government has once again partnered with corporations on a project without telling Congress they’re doing so? That would not be cool.
I await more information on this. But for now, I’m not all that bothered about this.
(Limerick cooling towers picture from WikiMedia)