New documents reveal that the National Security Agency (NSA) is developing technology that identifies security vulnerabilities of computer systems that control utilities, which can be used to defend U.S. infrastructure or disrupt foreign infrastructures.
The program, called Perfect Citizen, conducts “vulnerability exploration and research” through the computerized controllers that help operate “large-scale” utilities, such as power grids and natural gas pipelines, according to new documents obtained by Electronic Privacy Information Center. “Prevention of a loss due to a cyber or physical attack, or recovery of operational capability after such an event, is crucial to the continuity of the Department of Defense, the intelligence community, and the operation of (Signals Intelligence) systems,” the documents say.
The released documents are essentially a work order for the $91 million contract awarded to Raytheon. They include orders for 28 workers including software engineers, program managers, laboratory personnel and penetration testers. The program is scheduled to continue through at least September 2014. These professionals are part of the team to discover vulnerabilities in the electronic interface that connects the computer networks of utility companies. Once found, the team will create software and hardware plugs to patch these digital holes, the document says.
However, privacy rights groups are worried the program might focus on developing systems to conduct digital filtering or monitoring. They point to the Statement of Work document that requires development of “Computer Network Defense best practices/capabilities that defend against vulnerabilities identified in a SCS.”
“Previously the agency had said it was just a research program,” said Ginger McCall, director of the Open Government Program at EPIC, in ABC News. “But we see in these documents that they do intend to conduct testing, actual research, actual vulnerability testing and develop software tools that could be operational.”
The Wall Street Journal disclosed the existence of Perfect Citizen in a 2010 article that reported the NSA’s “surveillance” of such systems relies “on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack.” However, the new documents don’t clarify the use of these sensors.
However, other’s say the security measures are needed. “The project makes sense, as the government relies on industry for most of its requirements in the way of water, sewer, and power,” an anonymous cybersecurity expert told ABC News.
