NSA's Cyberattack Alert Plan Draws Cautious Support
A reported federal government plan calling for the National Security Agency to monitor critical infrastructure networks to detect possible cyberattacks is drawing qualified support from security analysts.
Under the plan, first reported by the Wall Street Journal yesterday, the spy agency would monitor those U.S. companies and government agencies that operate critical infrastructure, including electricity grids and nuclear power plants. The report said that as part of the so-called Perfect Citizen program , the NSA would insert sensors in computer networks that would be programmed to alert officials to activity that could portend a cyberattack.
Analysts said the need for such monitoring is long overdue given the escalating threats against government, military and private sector networks. However, they cautioned that the government must tread carefully in having the nation's chief eavesdropping agency oversee the monitoring.
"I think we don't have a choice," said James Lewis, director and senior fellow at the Center for Strategic and International Studies in Washington. "This is the way to go."
Lewis led a team that prepared a set of cybersecurity recommendations for President Obama in Dec. 2008.
Lewis added that "this notion that public/private partnerships, information sharing and market forces are going to save us" remains unproven in the cybersecurity arena, where there seems an increasing need for direct government action and regulations.
However, letting the secretive NSA oversee the monitoring of government and private networks could prove troubling to some, Lewis conceded. "They have to be careful in explaining how oversight and privacy protections will work for this to survive," he added.
He added that the use of the NSA to monitor networks presents perception problems for the government. "We had a collapse of oversight of the NSA during the Bush administration," Lewis said."People are still saying, 'how do I know I can trust you?' That's what they need to be thinking about," Lewis said.
Initially at least, Perfect Citizen will focus on vulnerabilities in older computer control systems that are used to run the electric grid, subway systems and air-traffic control systems. Many of these control systems are now connected to the Internet, despite their deployment years ago without Internet connectivity or security in mind.
The goal of Perfect Citizen will be to secure such control networks against cyber attacks, the Journal said.
According to the Wall Street Journal report, defense contractor Raytheon Corp. has already been awarded a classified contract worth an estimated $100 million to work on the project. Funding for the program will apparently come from the multi-billion dollar Comprehensive National Cybersecurity Initiative (CNCI) that was launched during the George W. Bush Administration.
News of the proposed plan comes at a time of increasing concern over whether the U.S government and private industry have the ability to detect and withstand cyberattacks launched by organized state-sponsored groups and others against critical targets.
The concerns grew markedly earlier this year after Google disclosed that its servers had been penetrated, apparently by hackers operating from inside of China. At the time, it was also revealed that the same hackers also hit dozens more high-tech companies.
"There is definitely a need for any nation to monitor its critical infrastructure for attacks," said John Pescatore, an analyst at Gartner Inc. "But it is very important to realize that [monitoring] is very different from securing the critical infrastructure."
The best way to secure critical infrastructure is to eliminate vulnerabilities rather than by monitoring attacks, Pescatore said. "Trying to expand this across all of private industry is a nice information security stimulus plan for defense contractors but will not result in any meaningful increase in security," he said.
"Monitoring internet traffic to and from control systems is such a huge benefit to the utilities and the nation that this is long overdue," said Alan Paller, director of research at the SANS Institute in Bethesda, Maryland. "The only really sad element is that this has to be run by NSA instead of by DHS," he added.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is firstname.lastname@example.org .
Read more about security in Computerworld's Security Topic Center.