NSA's 'Perfect Citizen' power grid security plan far from perfect

The National Security Agency (NSA) calls its semi-secret technology to protect the nation's power grid "Perfect Citizen." But it's far from perfect in the eyes of privacy advocates, who find it somewhat odd and amusing, but mostly disturbing.

It's semi-secret because the existence of the program, designed to protect against a crippling cyberattack, has been public since July 2010, when The Wall Street Journal published a report on it describing its overall mission and noting that a five-year, $91 million contract had been awarded to the defense contractor Raytheon.

But virtually all other details about the program are secret, including any information on whether the technology will allow any kind of domestic data collection on citizens. NSA vigorously denies that it will.

In a statement first issued in 2010 and then reissued last week to Mark Clayton of the Christian Science Monitor, the agency said the contract with Raytheon "does not involve the monitoring of communications or the placement of sensors on utility company systems."

Computerworld reported in 2010 that NSA called Perfect Citizen a "research program." But the entire 188-page contract, recently released to the Electronic Privacy Information Center (EPIC) under a 2010 Freedom of Information Act request, came with about half of the pages redacted.

The documents show Raytheon was authorized to hire 28 software engineers, program managers, and laboratory staff, including two penetration testers who, Clayton reported, were assigned to "discover vulnerabilities that lie in the electronic interface that connects the computer networks of utility companies." "Then the team can come up with software and hardware plugs to patch those digital holes," he wrote.

Michelle Richardson, legislative counsel for the American Civil Liberties Union (ACLU), noted that the amount of detail left out makes it hard to tell what's going on. "They've redacted things like job descriptions," she said. "The task orders say things like, 'Expanding the technical capacity of the (blank) workforce.'"


Richardson said the documents don't answer fundamental privacy questions, such as: Do the monitoring and countermeasures under development interact with the public Internet and everyday Internet users' data? If so, why? And what will be done with it?

Both Richardson and Rebecca Herold, CEO of The Privacy Professor, laud the idea of protecting the power grid, but say they find the name of the program strange, and a bit creepy.

"'Perfect Citizen' does not lend itself to harboring trust in the NSA's actions," Herold said. "It sounds like a program used to separate those who are perfect citizens from those who are terrorists."

"Such a binary perception of separating the general population into two different groups lends itself to suspicions of what kinds of activities are really going on," she added.

C. Robert Kline, who formerly worked for the NSA and is now president and managing member of Kline Technical Consulting, noted that while the Federal Energy Regulatory Commission (FERC) has primary responsibility for the national power grid, "NSA is in part commanded to ensure security for U.S. government information and communication systems."

Herold said the lack of transparency "justifiably raises concerns about how that goal will be met."

"What types of vulnerability assessments and big data analysis will involve consumer energy usage data and consumer personal information?" she asked. "The lack of any meaningful detailed information about these actions understandably raises privacy concerns."

Herold added that NSA's declaration that it complies with all existing U.S. laws regarding monitoring and data collection is not reassuring, given there are none. "There are no current federal regulations governing monitoring for, or use of, power grid data," she said. "There is much regarding personal activities, lifestyles, etc., that can be derived from data that do not contain what has been traditionally considered personal information."

Richardson said the NSA was adding to the confusion by not defining some alarming terms used in the plan. "What do they mean by sensors?" she asked. "If they're looking for IP addresses of people overseas, then a sensor is not a huge problem. But if they're copying all traffic that crosses a system, it's not justifiable."

Another reason for privacy advocates to be uneasy about NSA's assurances is William Binney, a whistleblower who worked for NSA for 32 years and resigned in protest in 2001 after the Bush administration launched a top-secret surveillance program to spy on U.S. citizens without warrants.

In recent interviews, Binney said the U.S. is collecting and storing every electronic activity of its citizens. He estimated the number of documents at more than 20 trillion, and said spying on citizens has gotten worse under President Obama than it was under Bush.

"The NSA, and Raytheon, should provide transparency for their activities," Herold said. "And they can certainly do so without compromising their anti-terrorist efforts."

"They should be able to describe the types of data being monitored, analyzed and accessed, and also answer whether they will be obtaining data that relates to specific consumer locations and activities," she added.


Stories by Taylor Armerding
