US Plans Cyber Shield For Private Companies and Utilities
wiggles writes "The federal government is launching an expansive program dubbed 'Perfect Citizen' to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program. The surveillance by the National Security Agency, the government's chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn't persistently monitor the whole system, these people said. How do we feel about NSA spyware in all of our infrastructure?"
Yes, because more surveillance is what is needed. Every year it goes further and further. The good thing is that at least they know to take it slowly - increase the surveillance just a little bit at a time and people won't really complain or notice. In a few years you will be there, just like with the UK.
I would think that internet infrastructure belongs to the "critical" category too. Just tell your political opinions in a private conversation to someone, say you don't like the mayor, and expect a lawsuit. How long until "harmful content" like P2P and porn starts to get blocked? Looks like the USA is not that far from China after all.
And a name like a "Perfect Citizen"...
You're not cleared for that citizen.
"I use a Mac because I'm just better than you are."
I suspect this will turn a tower of babel of insecurity into a monoculture of insecurity.
And future exploits will involve DOS by getting the NSA sensors to trip. Which I assume might just shut down such networks which will cause plenty of problems.
What if the network does come under attack, and gets so badly flooded out that their 'spyware' is unable to phone home to say "something fishy here.."
What then?
A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras.
::facepalm::
My internet traffic is not on a public roadway.
It's just ridiculous that they're trying to make such an argument while trying to plug these boxes into private networks.
[Fuck Beta]
o0t!
How do we feel about NSA spyware in all of our infrastructure?
ummm.... NOT GOOD
When zealots can't distinguish between legitimate security and illegitimate spying, it hurts the credibility of civil liberties, not the NSA.
... detect cyber assaults on private companies
You know, like downloading the latest Lady Gaga CD.
That is all.
I SAID... PICK UP THAT CAN!!
That's the problem with big expensive publicly-announced efforts to protect against known attacks. The bad guys tend to not be idiots, and don't do what you expect. Come on, we can't even protect ourselves from our own stupidity, like when a trader accidentally enters an order for a billion rather than a million. If our systems are so fragile, then it doesn't take much. Oh, and what makes anyone think that we don't have insiders willing to initiate cyber attacks? A big firewall on the outside doesn't help much there.
The fact that any government agency thinks its "corporate citizens" are perfect-able makes me ill. Yes, it's just a name, but it's time that human beings finally have more rights than incorporated entities. It's not to even be joked about by the government.
I'm more concerned about how this could limit the flexibility of these industries. Needing to run substantial IT changes through a federal agency could theoretically stifle innovation. You're adding another restrictive layer of bureaucracy. And then there's the age old... "they put something called linux on it, and it looked like something a hacker might use" problem. Let's hope the people monitoring this are IT people and not middle management people?
It's not like the gov would ever use any info it gathers against you.
"Perfect Citizen".
From the article text, it sounds like this means deploying "normal" IDS systems on a per-network basis. "Not persistently monitor the whole system" probably serves to clarify that it won't log, capture or analyze all data; an IDS triggers when it detects something that its rules/signatures match, much like an antivirus sans emulation/sandboxing, unpacking and behaviour monitoring. "The overall purpose of the [program] is our Government...feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security" sounds like they're forcing them to comply to inspection or testing.
Also, they might have wanted to pick a less Dr. Strangelove-sounding name. But maybe the NSA geeks have a sense of humour too?
Emotions! In your brain!
I wonder if the "Slashdot Effect" would be considered a "cyber assault"?
"Be polite, be professional, but have a plan to kill everybody you meet." General James Mattis
.. seriously, are we that far behind in our critical infrastructure that it's still just plopped down on the internet without a firewall, filtering, port blocking, like some infected win95 machine from the 90s? Stuff like that should not be on the internet directly, ever. Private networks only, connected only to systems that need to monitor/control. Sure it's faster/cheaper to plop a dsl line to that remote site, but it's far less expensive to just get a direct private line to it than it would be to implement any of this other security theater the govment likes to use. Imagine your corporate firewall being run by the NSA....Hah
Tm
Support TBI Research: http://www.raisinhope.org
How do we feel about NSA spyware in all of our infrastructure?
It's about time we caught back up with china.
There it goes out the window with all of the Bills currently in Congress to chase the internet "boogie man" as they hire "governmental approved companies" to produce boxes to install on your internet line.
Proprietary and very secret boxes.
They will track how long you play WoW, what you buy and put you in prison for that Virus that downloads pr0n.
SO much easier to get rid of people they don't like especially if the black box has the ability to infect and download the pr0n for them onto your home PC using "government approved software".
This is getting way out of control very fast.
One thing for sure though, you won't run LINUX, you won't run anything except what that black box says you can run.
Ironically there is a very real chance that only the collusion of fascism can take down Open Source because companies can't compete against it and governments absolutely hate systems built in the open because they can't lie about what they are doing to the masses.
The "Perfect Citizen" in this definition is one who doesn't question, only uses what the government tells them to and more importantly believes that the internet is better off with it.
-Hack
Got Geometrodynamics? Awe, too hard to figure out? Too bad.
it's another cyberwar/cyberattack/cybersecurity article! your friends at Raytheon, a wholesome defense contractor, got the contract this time for a surveillance project to fight the upcoming cyber[war/attack]. they of course being shy about the whole thing declined to comment about it.
Perfect Citizen will look at large, typically older computer control systems that were often designed without Internet connectivity or security in mind.
the bigger issue is why are private corporations allowed to operate things like nuclear reactors in such a manner that apparently poses imminent threat to national security and public safety, then turn around and ask the government to secure their systems for them?
Good people go to bed earlier.
A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It's a logical extension of the work federal agencies have done in the past to protect physical attacks on critical infrastructure that could sabotage the government or key parts of the country, the official said.
"You already gave up privacy for traffic cameras, so we can watch you drive, now we want to see what kinds of pr0n you like, cause thats no different and no big deal and its to stop the terrrrrists from doing another 9-11." This is exactly why privacy advocates are so rabid about what seems to be little things. They add up quick, and eventually get used as a "well we already do X, so this should be fine".
Tm
Support TBI Research: http://www.raisinhope.org
Is it just me, or does "Perfect Citizen" sound like the most completely sinister project name you could give?
Seriously, shouldn't they try harder to disguise the intentions with a name like "Save the children security project" or "Patriotic Minutemen project"????
How about just disconnecting critical infrastructure from the internet all together? Which desk do I send my invoice to inside the NSA?
Authority questions you. Return the favor.
Cabsec - Capability Based Security has been around for a long time, it was part of Multics... the idea of having real security built into the OS, available as a tool for the USER to decide what resources to make available to an application, is a very powerful one.
Unfortunately, it's a boil-the-ocean solution.... you have to build a new OS which supports it, and then port your apps.
"Perfect Citizen": Because the phrase "Big Brother" wasn't quite creepy enough.
How do we feel about NSA spyware in all of our infrastructure?
Better than Chinese spyware in all of our infrastructure.
Start with the basics. Map the traffic patterns and usage patterns.
Now, roll that data up from a hundred different companies.
You'll see the patterns.
Share that information (anonymized) with the companies so that they can hunt down any "weird" traffic on their networks.
After reading "The Shadow Factory" ( http://www.amazon.com/Shadow-Factory-NSA-Eavesdropping-America/dp/0307279391/ ), I assumed the NSA already had spyware in all of our infrastructure.
Also, changed.
The net has huge tides - but unpredictable ones such as the traffic burst that happened when Michael Jackson died.
Those traffic shifts, along with the introduction of new technologies (such as IPv6, cloud computing, and smaller things like the next twitter) will create false positives.
And an attacker, knowing that there are these bursts fairly frequently and that during them there will be false triggers, will time the launch of his attack so that it occurs during or shortly after one of those events.
Personally I don't think NSA has the chops to do this monitoring job. Why? Because to do a good job a lot of data needs to be correlated and NSA, if anything, is very unwilling to share its data with others who may also be watching - like ISPs and power companies or just those of us chatting on mailing lists and noticing that weird things are happening.
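The two posts above describe baselining each company's traffic, rolling the data up across many networks, sharing it back anonymized, and the false positives that net-wide bursts (the Michael Jackson spike) cause. The following is an added example, not code from the thread or from the Perfect Citizen program, showing one way a defender could implement that pipeline: a robust per-network burst detector, a cross-network correlation step that downgrades (but keeps) alerts that fire on most networks at the same time, and a keyed pseudonym for the shared report. The network names and traffic numbers are constructed for the example.

```python
import hashlib
import hmac
from statistics import median

# Constructed sample: traffic volume per 5-minute window for three fictional
# networks.  Window 8 is a spike on utility-a only; window 10 spikes on all three
# (the kind of net-wide burst the post above describes).
SAMPLE = {
    "utility-a": [100, 102, 98, 101, 99, 100, 103, 99, 500, 101, 450, 100],
    "utility-b": [200, 198, 201, 199, 202, 200, 199, 201, 200, 198, 900, 201],
    "utility-c": [50, 51, 49, 50, 52, 50, 49, 51, 50, 50, 240, 51],
}


def robust_z(value, history):
    """Robust z-score using median/MAD rather than mean/stdev, so an earlier
    spike inside the window does not inflate the baseline and hide the next one."""
    med = median(history)
    mad = median(abs(h - med) for h in history)
    # 1.4826 * MAD estimates the stdev for normal data; the floor avoids /0 on flat history.
    scale = max(1.4826 * mad, 1.0)
    return (value - med) / scale


def flag_bursts(series, window=6, threshold=5.0):
    """Indices whose value is a burst relative to the preceding `window` points."""
    return [i for i in range(window, len(series))
            if robust_z(series[i], series[i - window:i]) > threshold]


def classify(networks, window=6, threshold=5.0, global_fraction=0.5):
    """Roll up per-network alerts: an index flagged on >= global_fraction of the
    networks is labelled 'global-burst' (likely a shared event, lower priority),
    anything else 'local-anomaly'.  Global bursts are kept, not dropped, because an
    attacker may deliberately act during one."""
    per_net = {name: set(flag_bursts(s, window, threshold)) for name, s in networks.items()}
    counts = {}
    for idxs in per_net.values():
        for i in idxs:
            counts[i] = counts.get(i, 0) + 1
    result = {}
    for name, idxs in per_net.items():
        for i in sorted(idxs):
            kind = "global-burst" if counts[i] / len(networks) >= global_fraction else "local-anomaly"
            result.setdefault(name, []).append((i, kind))
    return result


def pseudonym(name, key):
    """Keyed, deterministic label so companies can recognise their own entry
    without the report revealing other participants' identities."""
    return hmac.new(key, name.encode(), hashlib.sha256).hexdigest()[:12]


def shareable_report(networks, key, **kw):
    """The anonymized roll-up that would be handed back to participants."""
    return {pseudonym(name, key): alerts for name, alerts in classify(networks, **kw).items()}


if __name__ == "__main__":
    for label, alerts in shareable_report(SAMPLE, b"constructed-demo-key").items():
        print(label, alerts)
```

The design point is the `global-burst` label: rather than suppressing alerts that coincide with a net-wide surge, the roll-up keeps them at lower priority, which is the defender's answer to an attacker who times an attack to land inside one.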
Are you really in-the-know if you use the term "cyber"?
Why is critical infrastructure attached to a public network in the first place?
How about just... not connecting EVERYTHING to the net? The best way to prevent an unauthorized user access to the main control switches of a power plant is to simply have those commands input manually by someone you reach directly by phone. You won't be able to hack those employees directly until those nifty GITS full body replacements roll in (ETA Q4 2013)
would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack
How will the "sensors" communicate with the NSA while being attacked? The internet?
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
Am I the only one that read the name of this project and gave serious consideration to buying a shiny new bunker in Montana?
The perversity of the Universe tends towards a maximum. - O'Toole's Corollary
why are the grid and nuclear plants on the Net anyway?
What if a person goes on a rampage in a school and shoots up people. Well we investigate, charge, and try and hopefully convict. The presumption of innocence prevents pre-emptive actions. We seem more and more to cater to Cheneyesque fears (where, if I remember right, he said if there is as little as 2% chance something bad is going to happen, we take pre-emptive steps or something like that, and we invade a country with our citizens losing their lives and thousands suffering.. good work Dick). This getting into the middle of essentially all communications is very Orwellian and scary. I am reminded of the steps that Singapore takes to control their citizens. I understand they have urine detectors in elevators, just in case someone takes a leak when riding between floors.
If you are in the network monitoring traffic, you are monitoring All traffic, and it is only your filtering and selection programs that might capture or alert you to specific types of transmissions or to or from individuals or addresses. But you start with monitoring All traffic. So to say they (actually we, if you think that the government is by the people and for the people) are not looking at private citizens - well of course they are. I'm sure the targets are all private citizens and the senders are either private citizens or programs written by private citizens. Aren't we all private citizens? What other kind of citizen is there, unless you mean Public citizens maybe, or private non-US citizens? But we are all private citizens of some country. Are non-US citizens less worthy of protection or privacy? Are they a second class of citizen? I think the issues of us vs. them can be framed in a number of ways. With this article the "them" may be those in the government that want to protect us from ourselves. Not their job.
A single flaw in a common security architecture is a pervasive vulnerability whereas a heterogeneous system is robust to targeted attacks.
They would do better to solicit bids for multiple systems from private contractors and place the NSA as well as the public security community in the roles of auditors. That would also allay concerns about covert monitoring by the NSA.
Open-sourcing the product and allowing public audits is advantageous because what is sometimes obscured by "Security through obscurity" is that foreign operatives have covertly horked your source code and analyzed it for vulnerabilities.
What FEMA did for Katrina and the EPA did for the Gulf oil spill this program will do for online security: create an ineffective program which creates a false sense of protection, displacing genuinely effective protective measures. I am not saying that there is no role for government here, but rather that the roles played by government are typically either useless or harmful and it would be nice if it took a different approach: give the Harvard MBAs and MIT and Caltech Ph.D engineers working at Cisco and IBM opportunities to innovate and place the government and public in the role of customers holding contractors accountable for supplying quality products.
Ceci n'est pas une signature.
'Law-Abiding Citizen' was too tied up in the movie rights. I wonder if the project to select a name for this program was titled: Operation Hamfist.
Will this be like my bank blocking my debit card "for unusual activity"? Because that has never worked. The government's most secret known agency putting sensors with the ability to shut down a network, what could possibly go wrong?
6.8SPC TR of 550, l xwind at 6, drift rt at 26" drops 77". AT has 503 ft-lbs at 1403 fps. FT 0.86
I strongly disagree..
They will track how long you play WoW, what you buy and put you in prison for that Virus that downloads pr0n.
Do you really think the gov't cares how long you play WoW, what you buy or how much you like to jerk off? They don't. And, if their "little black boxes" are monitoring your traffic, they should be able to tell the difference between a pent-up user and a malicious downloader, by the type and amount of traffic. They don't even take legal action unless it is illegal content that you are surfing.
This is getting way out of control very fast.
How do you figure?
One thing for sure though, you won't run LINUX, you won't run anything except what that black box says you can run.
First off, nobody is going to tell me what I can and can't run on my network (which happens to be 98% Linux). This wicked evil government has put laws in place to prevent monopolies, which is exactly what you are saying would happen.
Ironically there is a very real chance that only the collusion of fascism can take down Open Source because companies can't compete against it and governments absolutely hate systems built in the open because they can't lie about what they are doing to the masses.
The US government USES F/OSS systems in their own infrastructure and even publishes whitepapers on hardening said systems to comply with DoD standards. For you to state that they hate open systems is to point out the fact that you have no idea what you are talking about, in that regard. Personally, I find the NSA/DOD whitepapers on open-source security to be some of the best.
Seriously, people. Do some research into matters and gain a better understanding of the way things currently are before spouting that the government is bringing about a dystopian future by wanting to monitor and secure critical national infrastructures and the infrastructures of those third-parties that are put in charge of them. IMO, I think the government SHOULD step up security on the cyber front. God knows they have been pretty lacking.
to Net Force (http://en.wikipedia.org/wiki/Tom_Clancy%27s_Net_Force)
if the sensors mentioned are indeed hardware, they will be purchased from a Defense contractor via a lucrative cost-plus agreement. Said contractor will then sub-sub-subcontract the hardware. From a Chinese quasi-military-owned manufacturer. Tah-Dah!
Control systems for critical national infrastructure are not connected to external networks. If the NSA or any other three letter agency wants to connect gear and networks to them then they build an attack pathway that would not otherwise exist. Self-fulfilling idiocy, this.
Not Orwellian so much, but Chinese, Perfect Citizen sounds much like Harmonious discourse to me.
Regardless, I nearly choked on my coffee.
Oh god, captcha: smiles
I'll let the NSA put spyware on some of my computers, *if* they let me target a Tomahawk missile at my least-favorite spammer once or twice a year.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
I swear the people who name such programs must be deliberately trying to bait conspiracy kooks.
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
That actually has freedoms.
Sooner or later, every entrenched government becomes corrupt. As was seen back in the days when you couldn't fight the corrupt system, you left, formed a new country and then grew into a power that eventually becomes corrupt and then a section of your people leave and the process starts anew.
The United States has reached the stage that a segment of the population needs to leave and form a new country. Unfortunately, I believe we've run out of land. Used to be you could expand into "new world" or just form a country out in some desert where no one else lived. Not so easy anymore now that all lands are claimed and/or spied upon by Google Earth.
Nevertheless, it's time to form an independent country. Move out to international waters, and create a floating continent perhaps similar to "Snow Crash". Or everyone bring a rock, like in that beer commercial.
If telephones are outlawed, then only outlaws will have telephones.
What if there are no "massive cyber-attacks" by "Chinese hackers"?
Who'd know? The key part of almost every successful TCP/IP network attack or compromise is the ability to manipulate intermediate hosts, etc. to obfuscate and mislead as to the actual "real location" of the attacker or malicious agent. When I was so preoccupied, in the mid/late-nineties, it was common practice to use Chinese IP space as "base-camp" for our explorations. I remember, in particular, an entire University lab of several dozen Sparc5 clones, directly connected to the Internet. Getting shell on these was a trivial exercise. The poor quality of the systems administration on these hosts was also an excellent indication that any forensics effort would be pretty hopeless, with the simple deletion of local logfiles.
Given the resources of a US or Israeli intelligence agency, it is completely likely that attacks could appear to be "Chinese" - without ever having a ZH presence. Manipulation of BGP, etc. could produce the required 'evidence'.
Which also begs the question: why would "Chinese" or "North Korean" state-sponsored "hacker gangs" be able to launch attacks with sophistication enough to be considered a threat to national infrastructure, yet simultaneously naive enough to be triangulated back to their supposedly surreptitious origin?
As they say, "Pull the other one, it has bells on it."
The only serious outcome of any mass-scale foreign cyber-attack has been to create a climate for the acceptance of increased surveillance, demolition of limits for Federal agencies and the Military in regards to the law-abiding civilian US population, and the complete obliteration of 4th and 1st Amendment protections afforded by the U.S. Constitution. What if that is not the "unintended consequence"?
"Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
the CORRECT solution is to never have critical infrastructure exposed to the Wacky Wacky Webbiepoo.
the old saw is still correct... the only secure computer is deep underground in a vault. no power. no wires. encased in concrete. access to the borehole up top guarded by crew-served weapons.
it is an INCORRECT solution to put critical infrastructure on the Wacky, with spies and lies draped all around it.
this means your "smart grid," folks, is megatard.
if this is supposed to be a new economy, how come they still want my old fashioned money?
Seriously.
People breaking into a private company is a private company's problem to prevent.
If they catch someone breaking in, they can report it to the police. Who will probably say something like "we don't do that", which is what they've told me every time I've reported a crime.
What's wrong with mandating these stupid companies get with the program and get IDS through an MSSP (managed security service provider)? I'd be very leery to let Raytheon watch my traffic. Honestly, partly because I don't believe they would be good at it, and obviously the privacy implications.
Audit and pentest these critical companies, and hit them hard with massive fines if they don't have solid security programs.
There are a lot of companies that can do it MUCH better for less. Secureworks, and Symantec (Riptech) both have the threat intelligence across verticals, and malware reversing capability to do it better.
We should be thankful for a big brother who cares so much for us.
So the control system can be virtualized and run/monitored by operators in India and the Czech Republic.
Like we get a choice. Its already out there. This just brings it out into the open to serve as a deterrent.
---- Booth was a patriot ----
who says the NSA is impervious themselves, they could at some point have rogue employees working for them, or other vulnerabilities, there is no such thing as perfect. then assuming they install their software on all critical infrastructure, and i imagine it will have additional functionality besides just monitoring, an attacker just needs to seize control of NSA's software, rather than being forced to attack each different piece of completely different types of infrastructure. instead of going after many keys of all shapes and sizes, they only need the master key to take everything down. this is one of those ideas that looks good on an NSA whiteboard in a conference room, but in practice, could be the worst possible thing they could do.
at least the NSA knows what Linux is and the army uses it along with Mac OS as well.
The power grid has manual off switches on the lines
"drill and spill baby. drill and spill"
The NSA is the government agency with excellent expertise to protect against computer based attacks. Unfortunately the NSA's original mission is to gather intelligence from foreign communications, and in fuzzy cases, domestic communications that may possibly turn out to be "foreign communications". Protecting citizens from cyber-attacks is a laudable goal, but is an add-on tacked on to their actual responsibility of protecting US national security systems. http://en.wikipedia.org/wiki/National_Security_Agency , http://www.nsa.gov/
This is the conflict of interest for the NSA in protecting citizens' data and computing; they also wish to gather intelligence. Any worker in the NSA will always have the temptation to mix the two purposes slightly. As a result, the internet community tends to suspect solutions provided by the NSA, even if provided in good faith.
One idea I've encountered is to have a separate agency with the unambiguous purpose of protecting citizens' data and computing, something hopefully similar to the CDC, the Center for Disease Control, which prevents diseases. Such an agency may be more transparent than the NSA, which is unfortunately limited in having to serve several purposes.
Allow me to put on the hat of grid operations security for a moment.
1) I can't allow a third party to put boxes in my network based on someone's assurances about what they do or don't do. I need to audit the hardware and software they contain. NSA would probably deny me that access.
2) What qualifies government in general and NSA in particular as trusted partners for grid security? Government is already asking for authority to put a kill switch on the Internet; how do I know if they might have similar ambitions for the grid? Might NSA want a back door they can use to seize control of the grid away from me? My mission is simple and clear -- keep the lights on and keep the power grid secure, and to do so whether or not the government wants it that way.
It may be far-fetched but nevertheless easily imaginable that my mission may conflict with government's at some point.
Don't. Network. Critical. Systems. How hard can it be to figure this out?
"Ubuntu" - an African word meaning "Slackware is too hard for me."
is the future ...
beware he who denies you access to information for in his mind, he already deems himself to be your master (SMAC-ish)
Dedicated circuits do not achieve security if the circuit passes through any unsecured location. The security between two endpoints can be achieved only by security-oriented communication protocol such as encryption, or by physically securing the entire path between the endpoints. Even then, the resulting implementation must be examined constantly by multiple parties, each with a goal of finding a security defect. And then, we can only hope that each defect is found by a friendly party.
Part of the problem with infrastructure is that it is very highly distributed. We aren't just talking about big power plants and water plants. We are also talking about every electric transformer, every telco switching device, every traffic light at an intersection, every radio in a police car or fire truck, and every water main. Those things are scattered throughout the entire country. Millions of power and telco devices are mounted on utility poles. Physical security just isn't an option.
Another part of the problem is that millions of those devices are old. Many have some remote control capability, but very little in the way of processing power or software upgrade capacity. The cost (in materials and labor) to upgrade all of those devices is just astronomical. And, after replacing an individual device, there is no guarantee that the (new) device cannot be hacked in the future.
And, of course, keeping two networks separate is hard to do. When two networks have millions of nodes each, they are likely to touch somewhere. Even one device with two interfaces can potentially route between the networks. And, even one entry-level installer who gets confused or bribed, can install that one device.
So, it's just a really big problem, with lots of parts, so the solution is going to have lots of parts. Dedicated lines for some specific applications might be part of the solution. An upgrade program for the basic hardware/software units is clearly part of the solution. A sensor system to detect intrusion is clearly needed as part of the solution. A control system to shut down or disconnect the source of an intrusion after it is detected might be part of the solution (though that might introduce another vulnerability). Firewalls to limit the scope of an intrusion, or at least to slow down the spread, are surely part of the solution. No one of these approaches can address the whole thing.
And, the whole process is going to take time. Security is a never-ending process, not a one-time project. Each time a new vulnerability is identified, a new response is needed, and each new response takes time to roll out. So, part of the solution is to set priorities -- to focus each new response on the most important resources, first.
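The post above makes two practical points: two large networks will touch somewhere, often through a single device with two interfaces, and limited effort has to be spent on the most important resources first. As an added example (not from the thread, and not any utility's or agency's tooling), here is a small inventory check a grid operator could run to find such bridging devices and rank them, with the control zone first and interfaces in no known zone treated as the most urgent. The zone ranges and the device inventory are constructed for the example.

```python
import ipaddress

# Constructed zone map: each zone is a list of networks an operator considers part of it.
ZONES = {
    "control":   [ipaddress.ip_network("10.10.0.0/16")],
    "corporate": [ipaddress.ip_network("10.20.0.0/16")],
    "dmz":       [ipaddress.ip_network("192.0.2.0/24")],
}

# Constructed inventory: one entry per device, listing the addresses of all its interfaces.
INVENTORY = [
    {"device": "rtu-0017",   "interfaces": ["10.10.4.17"]},
    {"device": "hist-01",    "interfaces": ["10.10.1.5", "10.20.3.5"]},       # control + corporate
    {"device": "ws-eng-12",  "interfaces": ["10.20.7.12"]},
    {"device": "vpn-gw",     "interfaces": ["10.20.0.2", "192.0.2.10"]},      # corporate + dmz
    {"device": "laptop-tmp", "interfaces": ["10.10.9.3", "198.51.100.7"]},    # control + unmapped
]


def zone_of(ip):
    """Name of the zone an address falls in, or 'unknown' if no zone claims it."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "unknown"


def find_bridges(inventory):
    """Devices whose interfaces sit in more than one zone: each is a potential
    path between networks that are supposed to be separate."""
    bridges = []
    for dev in inventory:
        zones = sorted({zone_of(ip) for ip in dev["interfaces"]})
        if len(zones) > 1:
            bridges.append((dev["device"], zones))
    return bridges


def prioritize(bridges, critical="control"):
    """Order findings for follow-up: anything touching the critical zone first,
    and among those, devices with an interface in no known zone first, since an
    address nobody mapped is the one nobody is watching."""
    def key(item):
        _, zones = item
        return (critical not in zones, "unknown" not in zones)
    return sorted(bridges, key=key)


if __name__ == "__main__":
    for device, zones in prioritize(find_bridges(INVENTORY)):
        print(f"{device}: bridges {' + '.join(zones)}")
```

A device appearing here is not proof that it routes between the zones, only that it could; the check is a cheap way to produce the short list that a manual review, or a firewall rule audit, should start from.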