Secret US cybersecurity program to protect power grid confirmed

Newly released documents confirm that the National Security Agency (NSA), America's top cyberespionage organization, is spearheading a cloaked and controversial program to develop technology that could protect the US power grid from cyberattack.

Existence of the program, dubbed Perfect Citizen, was revealed in a 2010 Wall Street Journal article. But intriguing new details are revealed in documents released by the NSA last month to the Electronic Privacy Information Center (EPIC), an Internet privacy group that petitioned for them in 2010 under the Freedom of Information Act.

Of the 188 pages of documents released by the agency, roughly half were redacted to remove classified information. Even so, the documents show Perfect Citizen to be in the fourth year of a five-year program begun in 2009. Valued at up to $91 million, the Perfect Citizen technology is being developed by Raytheon, the Waltham, Mass., defense contractor that won it.

The released documents are the contract that the NSA drew up with Raytheon. A Raytheon spokesman referred all comments on the program to the NSA.

All along, the NSA has maintained that Perfect Citizen is "purely a vulnerabilities assessment and capabilities development contract" that "does not involve the monitoring of communications or the placement of sensors on utility company systems," according to an NSA statement released in 2010 – and now rereleased to the Monitor.

What the documents reveal is an apparently small but robust program authorized to hire 28 software engineers, program managers, and laboratory personnel. This includes a pair of "penetration testers" – essentially good-guy hackers who specialize in breaking into networks.

Their assignment as part of the team: discover vulnerabilities that lie in the electronic interface that connects the computer networks of utility companies. Then the team can come up with software and hardware plugs to patch those digital holes.

"Sensitive Control Systems (SCS) perform data collection and control of large-scale distributed utilities or provide automation of infrastructure processes," says the Perfect Citizen contract's "Statement of Work" document. "The protection of SCS is essential to mission operations and has become a significant point of interest in support of the Department of Defense and the Intelligence Community."

Further, the document says, "prevention of a loss due to a cyber or physical attack, or recovery of operational capability after such an event, is crucial to the continuity of the Department of Defense, the intelligence community, and the operation of [Signals Intelligence] systems."

While most might agree the program's national-security goal is laudable, the question of just how to go about protecting the power grid has been a controversial topic in Congress and among Internet privacy advocates leery of government control of the Internet. Of particular concern among such advocates is shielding privately owned corporate computer networks deemed to be "critical infrastructure" from potentially intrusive digital monitoring.

Citing unnamed sources, the original Wall Street Journal article said that the program did indeed involve placing sensors that can detect illegitimate cyberactivity. But the new documents don't clarify this point. Deploying such sensors would be especially sensitive since the NSA is an arm of the Pentagon charged with collecting and analyzing foreign communications and defending US government communications and computer networks – not domestic spying.

"This is a research and engineering effort. There is no monitoring activity involved, and no sensors are employed in this endeavor," the 2010 statement says.

Indeed, the NSA is not authorized to intercept the communications of US citizens unless specifically authorized to do so by a special court acting under the Foreign Intelligence Surveillance Act. Yet The New York Times reported in 2005 that the NSA had been involved in conducting wiretaps of calls made by US citizens to persons overseas without first getting a warrant from the court.

"Any suggestions that there are illegal or invasive domestic activities associated with this [Perfect Citizen] contracted effort are simply not true," says the NSA's 2010 statement. "We strictly adhere to both the spirit and the letter of US laws and regulations."

Still, privacy rights groups remain worried the program is focused on digital filtering or monitoring – and developing systems to do that. The Statement of Work document, for instance, requires development of "Computer Network Defense best practices/capabilities that defend against vulnerabilities identified in a SCS."

"Previously the agency had said it was just a research program," says Ginger McCall, director of the Open Government Program at EPIC, which won release of the documents. "But we see in these documents that they do intend to conduct testing, actual research, actual vulnerability testing and develop software tools that could be operational."

Other experts say the documents are suggestive, but do not ultimately clarify Perfect Citizen’s scope.

"It's hard to say if the project is only research, only operational, or a combination of both," says John Bumgarner, a research director for the US Cyber Consequences Unit, a nonprofit security think tank that advises government and industry. "The contract cost for the project seems way too low to be an operational program to, say, protect the entire US electric grid from cyberattack."

But EPIC's main concern is that Perfect Citizen could be already conducting, or planning to conduct, online digital monitoring of data without proper authorizations or having the program itself evaluated for privacy implications. When the Department of Homeland Security undertakes such projects, Ms. McCall notes, it is required to conduct privacy impact assessments. She questions what has happened in this case (which is not under the authority of DHS).

"It appears as though the NSA is trying to develop cybersecurity protective technology, but that as part of this contract, they're conducting testing already," she says. "This isn't merely research."

Others, however, applaud the project, saying such measures are needed.

"The project makes sense, as the government relies on industry for most of its requirements in the way of water, sewer, and power," says one cybersecurity expert who requested anonymity because his company does business with the government.

Threats to the grid seem to be rising. In recent months, he notes, DHS has issued reports about cyberattacks against utility companies whose business computer networks also have industrial networks connected to the grid.

Last month, DHS reported that federal cyberresponse teams recently provided on-site support "at a power generation facility where both common and sophisticated malware had been discovered in the industrial control system environment."

The DHS team also performed preliminary on-site analysis of those machines and "discovered signs of the sophisticated malware on two engineering workstations.” Both machines were "critical to the operation of the control environment."

President Obama is reported to be nearing announcement of an executive order that would expand federal protection to include the power grid and other critical infrastructure networks. Cybersecurity legislation failed in the last Congress. The White House has said that it prefers a comprehensive bill, but that the matter is too urgent to wait any longer.