A few thoughts on the Perfect Citizen project by NSA.
First, it is unclear what Perfect Citizen is. The news reports said the program would places sensors in the critical infrastructure to detect cyber attacks. NSA says “Perfect Citizen is purely a vulnerabilities-assessment and capabilities-development contract. This is a research and engineering effort. There is no monitoring activity involved, and no sensors are employed in this endeavor. Specifically, it does not involve the monitoring of communications or the placement of sensors on utility company systems.” So it is impossible to analyze the potential value and risks of Perfect Citizen at this time.
Next, how could they allow this program name? It sounds so big brother. If you had no idea what the program is for and heard there was a program called Perfect Citizen involving the cyber security of the critical infrastructure, what would you think it is? Very big brother, bad marketing, especially for a secret program. It would be like calling the old Clipper Chip program Ultimate Backdoor.
All this is preface to the BIG QUESTION: Would it be a good idea for a government to have sensors in critical infrastructure networks and have an elite team monitoring these sensors? Personally I’m not as concerned as others on where in the USG this would be placed, such as NSA or DHS or some other group, as long as the expertise exists.
To make it even a worthwhile discussion we have to assume the USG could do this well. This is not a small assumption for a complex and politically sensitive endeavor like this. If a program like this went forward, I’d like to see some pilot program head to head against private companies doing this and see if the government organization is superior or at least matches the best in market today. If not, maybe it would be better to require owner/operators to have their critical control system networks monitored by an approved 3rd party.
The next question is why stop at sensors? If you have a presence on the network, and you believe the government has a role in insuring these networks are secure, wouldn’t it help if the sensor also scanned the systems to make sure they were patched and hardened? After all many vendors are combining monitoring and scanning today.
Despite all of the legitimate concerns, the direction of focusing on real time attack information and real time security posture analysis is refreshing. There is potentially a lot more value in this as compared to a paper heavy regulatory exercise like CIP.