Slashdot Mirror


US Plans Cyber Shield For Private Companies and Utilities

wiggles writes "The federal government is launching an expansive program dubbed 'Perfect Citizen' to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program. The surveillance by the National Security Agency, the government's chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn't persistently monitor the whole system, these people said. How do we feel about NSA spyware in all of our infrastructure?"

36 of 178 comments

  1. Surveillance by SquarePixel · · Score: 5, Insightful

    Yes, because more surveillance is what is needed. Every year it goes further and further. The good thing is that at least they know to take it slowly - increase the surveillance just a little bit at a time and people won't really complain or notice. In a few years you will be there, just like with UK.

    I would think that internet infrastructure belongs to the "critical" category too. Just tell your political opinions in a private conversation to someone, say you don't like the mayor and expect a lawsuit. How long until "harmful content" like P2P and porn starts to get blocked? Looks like USA is not that far from China after all.

    And a name like a "Perfect Citizen"...

    1. Re:Surveillance by Pojut · · Score: 4, Insightful

      Seriously? Calm down. They aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.

      Besides, monitoring the communication of private citizens happened a while ago under a happy little thing called the Patriot Act. ::flamesuit::

    2. Re:Surveillance by causality · · Score: 4, Interesting

      Seriously? Calm down. They aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.

      Besides, monitoring the communication of private citizens happened a while ago under a happy little thing called the Patriot Act. ::flamesuit::

      The mention of the Patriot Act was apropos. That's because when I first saw the name of this, "Perfect Citizen", I wondered whether that sounded Orwellian to anyone else.

      --
      It is a miracle that curiosity survives formal education. - Einstein
    3. Re:Surveillance by rotide · · Score: 4, Informative

      I'm no tinfoilhatter (see my post history) and I can easily state that the government does and has been monitoring communications of citizens since before the PATRIOT Act.

      Google any of the following:
      Project Echelon
      FBI Carnivore
      FBI NarusInsight

      This isn't fear mongering against the government. Those are actual programs/projects the government uses to watch those they want to watch. Actively, passively, whatever it is it doesn't change the fact that the government has the means and the will to watch those it finds worth watching.

      Now, to think that the new system will watch international connections only is short sighted. All you have to do is argue that an "enemy" could bounce through an internal (to the US) proxy and the government would have wholesale reason to peek at _every_ connection, foreign or domestic.

    4. Re:Surveillance by commodore64_love · · Score: 4, Insightful

      >>>They aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.

      Like the smart meters being installed in Californian homes. All they need to do now is upgrade the firmware to include a little NSA spyware (literally) so they can see how much energy you are using & what it was for. ("Running grow lamps in the basement - mmm interesting. Notify the Drug Agency.")

      Patriot Act sucks

      The Patriot Renewal Act which Obama signed sucks even more. At least George Duh Bush could claim he didn't know what was in the bill when he signed it in 2001, but Obama observed the direct consequences of the law (police entering homes w/ self-written warrants; spying on communications; arrests without right of trial). He should have vetoed that bill.

      --
      "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
    5. Re:Surveillance by Pojut · · Score: 4, Insightful

      Regardless, as I've said many times on this site...in the year 2010, honestly thinking that most if not all digital communication that you engage in isn't tracked, monitored, or recorded at SOME POINT, either by a company or by the government, is just foolish. I operate under the assumption that I have zero privacy with my cell phone and online, and act accordingly.

    6. Re:Surveillance by Tmack · · Score: 4, Interesting

      Seriously? Calm down. They aren't monitoring the communication of private citizens, they are monitoring incoming connections on critical infrastructure systems.

      Besides, monitoring the communication of private citizens happened a while ago under a happy little thing called the Patriot Act. ::flamesuit::

      FTFA:

      A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It's a logical extension of the work federal agencies have done in the past to protect physical attacks on critical infrastructure that could sabotage the government or key parts of the country, the official said.

      They basically come out and directly say they are taking advantage of a slippery slope and happily sliding down it. So monitoring people driving is the same as watching what they are doing online.... yeh, that's not a slippery-slope argument at all </sarcasm> Next is, well, we already monitor the critical infrastructure, why not just all corporations, why not just all ISPs and all home users, then we could really catch all those sleepercell terrrrists at home!! yeh1!! it's just like red-light cameras.

      Tm

      --
      Support TBI Research: http://www.raisinhope.org
    7. Re:Surveillance by slick7 · · Score: 4, Interesting

      when I first saw the name of this, "Perfect Citizen", I wondered whether that sounded Orwellian to anyone else.

      To paraphrase a quote, "The only Perfect Citizen is a totally subjugated and suppressed citizen".
      To really secure the infrastructure, a system of up-links and down-links to the TDRS satellites would be more secure. If land-based connectivity is required, then dedicated fiber-optics is a good bet. Just by-pass the internet altogether.

      --
      The mind conceives, the body achieves, the spirit manifests.
    8. Re:Surveillance by LilGuy · · Score: 2, Funny

      Ahhh the good old days of Echelon. If only we could go back to such simpler times. :)

      --
      You're nothing; like me.
    9. Re:Surveillance by mrbofus · · Score: 3, Informative

      What the submitter forgot to include is that this is an opt-in program; companies can choose to have their networks monitored by the government. Might have helped in a case like the Google/China hacking incident.

    10. Re:Surveillance by FooAtWFU · · Score: 2, Insightful

      Which works great until $serious_spy_agency splices the fiber somewhere and takes over everything.

      Air-gap security is all fine and good against casual hackers, but still leaves you with an awfully gooey center. I don't know why Slashdotters keep advocating it as such a panacea.

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    11. Re:Surveillance by Philip+K+Dickhead · · Score: 5, Interesting

      The summary for the submitted article misses almost EVERY important aspect to this story, as it was initially reported! It almost looks like an attempt to deliberately minimize concern over the dubious legality and suspect agenda for "Perfect Citizen".

      In fact, Samzenpus and "Wiggles" seem content not to mention the program's Orwellian name, nor the specific use of the term "Big Brother" by Raytheon contractors associated with the NSA on this effort.

      Here is the summary I supplied, when submitting this story as a front-pager for Slashdot. I believe that it is more cogent and INFORMATIVE than the blandness offered us.

      The WSJ is reporting on a $100M NSA program "to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants." All of which sound nice enough, if one does not become critically focused on the name they chose for this effort: 'Perfect Citizen'. Releasing this to the WSJ has the appearance of PR cover for the expansion of both warrantless surveillance and the intrusion of the NSA into a theatre of domestic operations.
      Raytheon, the NSA contractor charged with realizing the NSA vision for the 'Perfect Citizen' program openly called this the "Big Brother" system, in internal communications.

      For once, I really wouldn't mind a "dupe" story, either my summary or that of another poster with some insight to the implications of "Perfect Citizen".

      --
      "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell
    12. Re:Surveillance by chill · · Score: 3, Interesting

      Speaking of which...

      On June 25th, just a few days ago, the original UKUSA agreement that set up Echelon was declassified and published. It includes a number of supporting documents as well.

      http://www.nsa.gov/public_info/declass/ukusa.shtml

      --
      Learning HOW to think is more important than learning WHAT to think.
    13. Re:Surveillance by badboy_tw2002 · · Score: 4, Insightful

      Yeah, it's too bad they don't include more unsubstantiated facts and editorial opinions with strong biases in the summaries. I was just thinking how much I was missing that!

    14. Re:Surveillance by lonecrow · · Score: 2, Interesting

      Hmmm...I am not sure if I would get all worked up over the name. This portion of the article seems to alleviate some concerns:

      Some companies may agree to have the NSA put its own sensors on and others may ask for direction on what sensors to buy and come to an agreement about what data they will then share with the government, industry and government officials said.

      I do not see this as akin to the mass wiretapping of individuals of a previous administration. This is traffic pattern detection by the sounds of it. So for example, if malicious patterns were detected perhaps an auto-cutoff of the plant from the internet could be triggered.

      But perhaps another approach to this would be to ask you how you would go about protecting these assets from cyber-attack without violating civil liberties?

      I am going to take a wild guess that it would involve monitoring broad and anonymous traffic patterns which is what this sounds like. Then if malicious patterns were detected due process would kick in to the investigation of any individuals involved.

      Please share any better way you can think of?

  2. Spyware? Really? by 0xdeadbeef · · Score: 3, Informative

    When zealots can't distinguish between legitimate security and illegitimate spying, it hurts the credibility of civil liberties, not the NSA.

    1. Re:Spyware? Really? by Anonymous Coward · · Score: 2, Funny

      ("Ahhh I see citizen 12 is using grow lamps - send the DEA to investigate"), then liberty will die for all of us.

      If you are running grow lamps, maybe talking about them in every single post you make to slashdot isn't the way to keep them a secret? Just a thought.

  3. And the Maginot Line will protect France by Palestrina · · Score: 4, Insightful

    That's the problem with big expensive publicly-announced efforts to protect against known attacks. The bad guys tend to not be idiots, and don't do what you expect. Come on, we can't even protect ourselves from our own stupidity, like when a trader accidentally enters an order for a billion rather than a million. If our systems are so fragile, then it doesn't take much. Oh, and what makes anyone think that we don't have insiders willing to initiate cyber attacks? A big firewall on the outside doesn't help much there.

  4. Citizens? by drumcat · · Score: 2, Interesting

    The fact that any government agency thinks its "corporate citizens" are perfect-able makes me ill. Yes, it's just a name, but it's time that human beings finally have more rights than incorporated entities. It's not to even be joked about by the government.

  5. Ahhh... by Securityemo · · Score: 3, Informative

    From the article text, it sounds like this means deploying "normal" IDS systems on a per-network basis. "Not persistently monitor the whole system" probably serves to clarify that it won't log, capture or analyze all data; an IDS triggers when it detects something that its rules/signatures match, much like an antivirus sans emulation/sandboxing unpacking and behaviour monitoring. "The overall purpose of the [program] is our Government...feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security" sounds like they're forcing them to comply to inspection or testing.
    Also, they might have wanted to pick a less Dr-Strangelove-sounding name. But maybe the NSA geeks have a sense of humour too?

    --
    Emotions! In your brain!
  6. Slashdot by warGod3 · · Score: 4, Funny

    I wonder if the "Slashdot Effect" would be considered a "cyber assault"?

    --
    "Be polite, be professional, but have a plan to kill everybody you meet." General James Mattis
  7. Wow... by Tmack · · Score: 2, Insightful

    What they just described sounds like this device I heard of called a "fire wall". It can be set to alert you when bad people try to "hack" into your internets or do cyber war and will block the hackors from infecting you with computer viruses.

    .. seriously, are we that far behind in our critical infrastructure that it's still just plopped down on the internet without a firewall, filtering, port blocking, like some infected win95 machine from the 90s? Stuff like that should not be on the internet directly, ever. Private networks only, connected only to systems that need to monitor/control. Sure it's faster/cheaper to plop a dsl line to that remote site, but it's far less expensive to just get a direct private line to it than it would be to implement any of this other security theater the govment likes to use. Imagine your corporate firewall being run by the NSA....Hah

    Tm

    --
    Support TBI Research: http://www.raisinhope.org
    1. Re:Wow... by Securityemo · · Score: 3, Interesting

      An encrypted VPN secured with a key, that key itself only existing on the physically secure terminals used to access the systems and the internet-facing routers should be virtually as secure as an encrypted dedicated line. As long as the VPN software isn't faulty in some way, but it'd probably be secure enough. It might even be more secure, because if you've got a dedicated line and a stolen key you just need to tap into a point somewhere along the wire - unlike a VPN, where inbound and outbound traffic might follow different routes (a network engineer/architect could perhaps kindly fill me in on the probability and topology of this). Or are you suggesting quantum-encrypted single-photon lines to every power plant in the US?

      --
      Emotions! In your brain!
  8. Kiss Open Systems Goodbye by hackus · · Score: 3, Insightful

    There it goes out the window with all of the Bills currently in Congress to chase the internet "boogie man" as they hire "governmental approved companies" to produce boxes to install on your internet line.

    Proprietary and very secret boxes.

    They will track how long you play WoW, what you buy and put you in prison for that Virus that downloads pr0n.

    SO much easier to get rid of people they don't like especially if the black box has the ability to infect and download the pr0n for them onto your home PC using "government approved software".

    This is getting way out of control very fast.

    One thing for sure though, you won't run LINUX, you won't run anything except what that black box says you can run.

    Ironically there is a very real chance that only the collusion of fascism can take down Open Source because companies can't compete against it and governments absolutely hate systems built in the open because they can't lie about what they are doing to the masses.

    The "Perfect Citizen" in this definition is one who doesn't question, only uses what the government tells them to and more importantly believes that the internet is better off with it.

    -Hack

    --
    Got Geometrodynamics? Awe, too hard to figure out? Too bad.
    1. Re:Kiss Open Systems Goodbye by chill · · Score: 3, Informative

      You do know they're talking about doing this to water, electric, utilities, gas and railroad infrastructure, right? "Critical infrastructure", such as traffic control centers, the power grids, gas grid and the like. You aren't critical infrastructure. WoW certainly as hell shouldn't be running on critical infrastructure. Traffic in those networks SHOULD be watched and coordinated. The companies can either let the NSA do it or purchase the equipment and do it themselves.

      Last I knew, those "proprietary systems" (example here) were Linux-based using libpcap but on screaming fast hardware. Proprietary analysis software is used to baseline traffic patterns and look for anomalies.

      --
      Learning HOW to think is more important than learning WHAT to think.
  9. "Perfect Citizen" by L3370 · · Score: 3, Interesting

    Is it just me, or does "Perfect Citizen" sound like the most completely sinister project name you could give?
    Seriously, shouldn't they try harder to disguise the intentions with a name like "Save the children security project" or "Patriotic Minutemen project"????

  10. Perfect Citizen by iateyourcookies · · Score: 2, Funny

    "Perfect Citizen": Because the phrase "Big Brother" wasn't quite creepy enough.

  11. Re:Asinine by jeffmeden · · Score: 4, Insightful

    The first thing I thought of when I read the flame-inducing "How do we feel about NSA spyware in all of our infrastructure?" was "oh well, at least there will be good-guy spyware in there with the bad-guy spyware..."

    Do you really think that these private firms are hunky-dory with their current systems? As discussed to death at Black Hat 20[insert any year here], most private firms are years behind the DOD when it comes to info security, some of them ignoring it outright (the new power grid technology comes to mind).

    If these companies aren't going to take security seriously, is it really wrong to offer a program that lets the NSA help them out? Or worse, would you rather the NSA simply hold out for a secret executive order to place surveillance equipment without the need to tell anyone? I think that this step, at least, is in the right direction. It could still go horribly wrong, but why kill it before it has the chance to do some good?

  12. Bias? by andy1307 · · Score: 2, Insightful

    How do we feel about NSA spyware in all of our infrastructure?

    Better than Chinese spyware in all of our infrastructure.

  13. If they did it correctly, it would help. by khasim · · Score: 2, Insightful

    Start with the basics. Map the traffic patterns and usage patterns.

    Now, roll that data up from a hundred different companies.

    You'll see the patterns.

    Share that information (anonymized) with the companies so that they can hunt down any "weird" traffic on their networks.

  14. Re:Concerns that don't involve tinfoil hats. by commodore64_love · · Score: 2, Informative

    >>>there's the age old... "they put something called linux on it, and it looked like something a hacker might use" problem

    Like that poor kid who was given detention. His crime? Demonstrating Linux on his personal laptop during study hall, and handing out free CDs of it to friends. The teacher assumed the kid was a pirate and punished him. She even went so far as to contact the guy who created the original CD, and scold him too! "I don't know why you are handing out these CDs but I plan to consult with lawyers and if necessary prosecute. We cannot allow you to corrupt our children." (Quoted from memory)

    Fortunately a teacher has no real power, but imagine this story if the "teacher" was replaced with "NSA enforcement officer" knocking at your door and arresting you for illegal acts, such as handing out free copies of Ubuntu Linux OS. (And yes cops really are that fucking stupid. Go watch some vids on youtube.)

    --
    "I disapprove of what you say, but I will defend to the death your right to say it." - historian Evelyn Beatrice Hall
  15. The universal OFF switch by Drakkenmensch · · Score: 3, Insightful

    How about just... not connecting EVERYTHING to the net? The best way to prevent an unauthorized user access to the main control switches of a power plant is to simply have those commands input manually by someone you reach directly by phone. You won't be able to hack those employees directly until those nifty GITS full body replacements roll in (ETA Q4 2013)

  16. Sensors by Thelasko · · Score: 3, Insightful

    would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack

    How will the "sensors" communicate with the NSA while being attacked? The internet?

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  17. That Name! by eheldreth · · Score: 2, Funny

    Am I the only one that read the name of this project and gave serious consideration to buying a shiny new bunker in Montana?

    --
    The perversity of the Universe tends towards a maximum. - O'Toole's Corollary
  18. boondoggle by Jodka · · Score: 3, Interesting

    A single flaw in a common security architecture is a pervasive vulnerability whereas a heterogeneous system is robust to targeted attacks.

    They would do better to solicit bids for multiple systems from private contractors and place the NSA as well as the public security community in the roles of auditors. That would also allay concerns about covert monitoring by the NSA.

    Open-sourcing the product and allowing public audits is advantageous because what is sometimes obscured by "Security through obscurity" is that foreign operatives have covertly horked your source code and analyzed it for vulnerabilities.

    What FEMA did for Katrina and the EPA did for the Gulf oil spill this program will do for online security: create an ineffective program which creates a false sense of protection, displacing genuinely effective protective measures. I am not saying that there is no role for government here, but rather that the roles played by government are typically either useless or harmful and it would be nice if it took a different approach; Give the Harvard MBAs and MIT and Caltech Ph.D engineers working at Cisco and IBM opportunities to innovate and place the government and public in the role of customers holding contractors accountable for supplying quality products.

    --
    Ceci n'est pas une signature.
  19. And now for the Tinfoil stuff by Philip+K+Dickhead · · Score: 4, Insightful

    What if there are no "massive cyber-attacks" by "Chinese hackers"?

    Who'd know? The key part of almost every successful TCP/IP network attack or compromise is the ability to manipulate intermediate hosts, etc. to obfuscate and mislead as to the actual "real location" of the attacker or malicious agent. When I was so preoccupied, in the mid/late-nineties, it was common practice to use Chinese IP space as "base-camp" for our explorations. I remember, in particular, an entire University lab of several dozen Sparc5 clones, directly connected to the Internet. Getting shell on these was a trivial exercise. The poor quality of the systems administration on these hosts was also an excellent indication that any forensics effort would be pretty hopeless, with the simple deletion of local logfiles.

    Given the resources of a US or Israeli intelligence agency, it is completely likely that attacks could appear to be "Chinese" - without ever having a ZH presence. Manipulation of BGP, etc. could produce the required 'evidence'.

    Which also begs the question: why would "Chinese" or "North Korean" state-sponsored "hacker gangs" be able to launch attacks with sophistication enough to be considered a threat to national infrastructure, yet simultaneously naive enough to be triangulated back to their supposedly surreptitious origin?

    As they say, "Pull the other one, it has bells on it."

    The only serious outcome of any mass-scale foreign cyber-attack has been to create a climate for the acceptance of increased surveillance, demolition of limits for Federal agencies and the Military in regards to the law-abiding civilian US population, and the complete obliteration of 4th and 1st Amendment protections afforded by the U.S. Constitution. What if that is not the "unintended consequence"?

    --
    "Speaking the Truth in times of universal deceit is a revolutionary act." -- George Orwell