NSA Launches Perfect Citizen

Saturday, July 10, 2010

Lee Mangold


Cross Posted from Lee's Weblog

There's been a lot of talk on the Island about the "Cyberwar" term and this is yet another example... The Wall Street Journal reported that the NSA allegedly awarded a contract to Raytheon for an Information Security program called "Perfect Citizen".

The details are sketchy - as they should be - but the idea is that the NSA is going to be placing IDS sensors across the country, primarily targeting critical infrastructure.

Sounds harmless (and beneficial, to me), but the Raytheon leak used the term "Big Brother", so of course this became newsworthy!

The obvious concerns are that now the NSA is going to be tracking your every move, every website you go to, everything you buy, how much power you use ... and not just you, but everyone in the country!! (please note the sarcasm)

The federal government is launching an expansive program dubbed "Perfect Citizen" to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program.

The surveillance by the National Security Agency, the government's chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn't persistently monitor the whole system, these people said.

"The overall purpose of the [program] is our Government...feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security," said one internal Raytheon email, the text of which was seen by The Wall Street Journal. "Perfect Citizen is Big Brother."

Wall Street Journal: U.S. Plans Cyber Shield for Utilities, Companies

Derrick Buxton lol, I would think they could easily crack any civilian level encryption on the market. Otherwise the terrorists could simply attack us while we try to decrypt the traffic. I say let NSA put the systems in place to detect it, then let them cut it off when necessary.
Lee Mangold @Michael - One of the STIGs states that the IDS/IPS on a DoD IS must be able to read the encrypted data. If you negotiate an SSL connection to a Govt site, in THEORY it shouldn't really protect you

@Derrick - We'd like to think that the NSA and other government agencies could decrypt the "consumer" grade encryption, but in reality they use the same things everyone else does, like AES. There are FIPS Validated algorithms mandated, but that just means that they validated the methodology, not the algorithm.
Lee Mangold Oh, most certainly. I believe the phrase "compliance is not security" is appropriate!
Mister Reiner This is nothing new. Full network activity monitoring has been in place in many organizations and the government for years. Most people who do this type of monitoring could care less about who is doing what unless it's against policy or the law. If someone is doing something wrong, there are going to be consequences.

When someone in the government does this type of monitoring, they are governed by certain rules of conduct and policies on disclosure. It's not like these guys are going to post activity logs about what everyone does online for others to scrutinize.

Lee Mangold @Mister I had some conversation with a colleague the other day regarding the privacy of this, and I agree with you. But even from a technical perspective...let's assume that the NSA wants to track ALL data moving around the DOE (for example). In order to NOT affect the availability of the data, they would effectively need to duplicate the infrastructure, double the bandwidth, etc.

Does this mean that the NSA couldn't push a new rule to track all data originating from a certain IP address or range? Certainly not...and that's the privacy concern.

But I will always stand behind the one thing that drives privacy advocates and black/gray hats crazy....I have nothing to hide. If you expose what I'm doing, I call it advertising!
Mister Reiner @Lee Only subsets of data of interest need to be pulled back. The rest can stay at the collection point and be pulled back as required. Data of interest usually only represents a very small percentage of traffic, so additional infrastructure and bandwidth are not an issue.

As you indicated with respect to your own privacy, privacy is really based on personal point of view. If nobody has anything to hide, then what's the issue?

When someone is doing "see all and know all" monitoring, the person already has their hands full looking for the bad guys. There really is no time to just sit around and spy on people just for the sake of spying. Most people's lawful activity is so incredibly boring, that it's not even worth an analyst's time to look at anyway - and that's what many people may not realize. Also keep in mind, that analysts are not allowed to target people without just cause. They can certainly take a look, but if there is nothing that meets the monitoring criteria, they better move on to something else.

Lawmakers aren't completely stupid. I'm sure they realize that this monitoring capability can be used against them as well. If anyone should have privacy concerns, I would think they would. LOL
Ray Tan Should our privacy be sacrificed for national security?
Will the collected data (maybe sensitive or confidential) be stored properly?
Will the data center be another target for attacks? If it is compromised, who should be blamed?
Lee Mangold I think the security of our nation (from other nations) is what ensures our privacy.

The point @Mister and I kept talking about was that while it IS possible to "spy" on someone if you control the IDS in their path, you are 1-of-307M citizens in the USA, so why is the government spending (tedious and boring) time on you?

As far as data retention, if they truly are setting up IDSs (which is speculation on my part, but makes sense) then they're not likely to be tracking very detailed information unless you're actively attacking. If you log into a system and don't send up any flags, there's no need to report that data at the IDS. As for who would be responsible for a Data Breach? The USG, of course...
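As an added example (not code from the original post or from the program it describes), here is a small Python simulation of the collection model Mister Reiner and Lee describe above: the sensor keeps full flow records at the collection point for a bounded window, forwards only the flows that match its rules, and lets an analyst pull back a time window on request, so the bandwidth leaving the site is a small fraction of what was observed. The watched address range, thresholds and flow records are constructed for illustration.

```python
# Added example (not from the original post): sensor that keeps full records
# locally for a bounded window and forwards only rule matches upstream.
from collections import deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
@dataclass
class Flow:
    ts: int          # seconds since sensor start (constructed)
    src: str
    dport: int
    bytes_out: int

@dataclass
class Sensor:
    rules: list                                    # (name, predicate) pairs
    retain_seconds: int = 3600                     # local retention window
    seen: int = 0
    local: deque = field(default_factory=deque)    # stays at the collection point
    forwarded: list = field(default_factory=list)  # the only data that leaves

    def observe(self, flow):
        self.seen += 1
        self.local.append(flow)
        while flow.ts - self.local[0].ts > self.retain_seconds:
            self.local.popleft()                   # expire old local records
        for name, pred in self.rules:              # forward on first rule match
            if pred(flow):
                self.forwarded.append((name, flow))
                break
    def pull_back(self, start, end):
        """Analyst-initiated retrieval of a time window from local storage."""
        return [f for f in self.local if start <= f.ts <= end]
    def forward_ratio(self):
        return len(self.forwarded) / self.seen if self.seen else 0.0
WATCHED = ip_network("203.0.113.0/24")   # constructed range (TEST-NET-3)
RULES = [
    ("watched-source", lambda f: ip_address(f.src) in WATCHED),
    ("large-outbound", lambda f: f.bytes_out > 50_000_000),
]
SAMPLE_FLOWS = [  # constructed records
    Flow(0, "10.0.0.5", 443, 1_200),
    Flow(60, "203.0.113.40", 502, 300),
    Flow(90, "10.0.0.7", 443, 90_000_000),
    Flow(3650, "10.0.0.8", 443, 500),
]
def run(flows=SAMPLE_FLOWS):
    sensor = Sensor(RULES)
    for f in flows: sensor.observe(f)
    return sensor
```

Only two of the four constructed flows leave the sensor, the record from time 0 ages out of local storage once the window passes, and the records still held locally can be retrieved by time range.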