It is the job of the National Security Agency (NSA) to protect US national security systems, which include the critical infrastructure--whether public or private sector--that forms the backbone of national defense and commerce for the country. The NSA "Perfect Citizen" initiative is only one step, though, in a larger cyber security process that must involve private sector information security professionals to be effective.
The NSA Web site explains that "The Information Assurance mission confronts the formidable challenge of preventing foreign adversaries from gaining access to sensitive or classified national security information." However, that doesn't include violating the Constitution or breaking any laws, and the initial reports of the scope and capabilities of the National Security Agency "Perfect Citizen" program may have been exaggerated.
Judith Emmel, an NSA spokesperson, sent a statement via e-mail declaring the initial story from the Wall Street Journal "an inaccurate portrayal of the work performed at the National Security Agency," adding "Because of the high sensitivity surrounding what we do to defend our nation, it is inappropriate to confirm or deny all of the specific allegations made in the article."
The statement clarifies that "Perfect Citizen is purely a vulnerabilities-assessment and capabilities-development contract. This is a research and engineering effort. There is no monitoring activity involved, and no sensors are employed in this endeavor."
It also states "This contract provides a set of technical solutions that help the National Security Agency better understand the threats to national security networks, which is a critical part of NSA's mission of defending the nation."
Fair enough. That said, I think most Americans would agree that protecting the network assets and data of government agencies and critical infrastructure entities is important, and that many information security professionals would agree that the current state of both public and private sector cyber security could use improvement.
In line with the goal stated by Emmel to "better understand the threats", private sector companies--whether they are part of the critical infrastructure or not--should be more involved in aiding the government efforts, as well as more cooperative with each other.
By its very nature, information security is secretive. Organizations are reluctant to share even minor details of attacks for fear of losing the trust and confidence of customers or shareholders. They are unwilling to reveal the innovative defenses they come up with to protect their networks for fear of inviting further attacks.
The problem is that different companies and different security vendors often only see one small piece of the puzzle. By sharing those pieces and cooperating to put the puzzle together, suspicious activity and malicious attacks can be more quickly identified and blocked, and all parties benefit from improved security.
As it relates to national security, one solution would be to involve the private sector information security community by creating an opportunity for information security professionals to contribute to national defense in a way similar to dedicating time to the military reserves or National Guard.
In a two-part article from GovInfoSecurity.com, Erik Laykin, Managing Director of Global Electronic Discovery and Investigations at Duff & Phelps, proposed a National Cyber Corps, explaining "The National Cyber Corps would be an elite, dedicated, civilian body of our country's best and brightest IT professionals. It would be a nimble group with a mandate to operate across all government departments and address a variety of needs."
In the second part of the article, Laykin adds "Service in the National Cyber Corps could become an internal management career path for employees from major corporations, where participation in the National Cyber Corps would be an encouraged--maybe even expected--component of career advancement. At the conclusion of service, a National Cyber Corps member would resume his or her employment, armed with a better understanding of the cyber security landscape. In effect, the re-engagement of National Cyber Corps members would pollinate companies with a unified ethos and shared protocols, strengthening our country's cyber security in the process."
A cooperative effort such as this between the public and private sector, combined with expanded collaboration between private sector corporations such as we saw in the wake of the Operation Aurora attack earlier this year, would go a long way toward improving our national cyber defense--and also evolving the general security landscape to face new challenges more effectively.