As April Strawberry Blossoms into Perfect Citizen

A number of you have asked what I make of Siobhan Gorman’s latest story describing a program called “Perfect Citizen” that aims to monitor and map out attempted cyber-intrusions of our critical infrastructure.

Before I say anything about the content of the story, I should note that the nuclear power plant control room depicted with the story–from the plant at Limerick, PA–is just a few miles from where I spend Christmas and about 25 miles from where my mom lives. Maybe that has affected my thoughts on the matter.

But, given what Gorman has reported, I’m not all that bugged about Perfect Citizen. Here’s the operative bit:

Intelligence officials have met with utilities’ CEOs and those discussions convinced them of the gravity of the threat against U.S. infrastructure, an industry specialist said, but the CEOs concluded they needed better threat information and guidance on what to do in the event of a major cyber attack.

Some companies may agree to have the NSA put its own sensors on and others may ask for direction on what sensors to buy and come to an agreement about what data they will then share with the government, industry and government officials said.

While the government can’t force companies to work with it, it can provide incentives to urge them to cooperate, particularly if the government already buys services from that company, officials said.

Perhaps I’m missing something, but it seems that a somewhat coercive but nevertheless voluntary monitoring of cybersecurity for things like the nuclear plant near my Aunt’s home isn’t such a bad thing. Perhaps an analogy is whether or not it’d be okay to monitor health professionals and first responders during an epidemic for signs of sickness, as one of the best ways to track and minimize the spread of the disease. Or better yet, whether or not it’d be okay to pressure oil companies to put monitors on their drilling platforms to make it easier for Department of Interior to keep track and prevent spills.

That said, I do have a number of questions.

First, the NSA has been very squirrely about whether or not Congress has been briefed on this. If, as that squirreliness suggests, Congress has not been briefed, then this is a big problem. I’m particularly interested in the timing and the growth of this program. Gorman describes how this program started as a spring strawberry and then morphed into a perfect citizen.

The NSA years ago began a small-scale effort to address this problem code-named April Strawberry, the military official said. The program researched vulnerabilities in computer networks running critical infrastructure and sought ways to close security holes.

That led to initial work on Perfect Citizen, which was a piecemeal effort to forge relationships with some companies, particularly energy companies, whose infrastructure is widely used across the country.

The classified program is now being expanded with funding from the multibillion-dollar Comprehensive National Cybersecurity Initiative, which started at the end of the Bush administration and has been continued by the Obama administration, officials said.

This suggests this program started blossoming long before the debate over which agency–NSA or DHS–would take the lead on cybersecurity had settled on the former. Which suggests it started with NSA out of its lane under the Bush Administration–not exactly good company to be in. So at that level, I endorse both aspects of Marc Ambinder’s rant on this program: that it shouldn’t be classified and maybe should be in DHS. Oh, and why not name it “infrastructure cybersecurity” rather than “George Orwell’s Baby”?

I’m also very interested in the relationship between the government, corporate partners, and Congress. Given the squirreliness about whether or not NSA briefed Congress, is it possible the government has once again partnered with corporations on a project without telling Congress they’re doing so? That would not be cool.

I await more information on this. But for now, I’m not all that bothered about this.

(Limerick cooling towers picture from WikiMedia)

  1. bobschacht says:

    Perfect Citizen— what an Orwellian name.
    Thanks for bringing this to light in this manner; it is worth an alert, bringing attention to it. You’re right, as usual: The best medicine here is sunlight.

    Bob in AZ

    • fatster says:

      Some background info which might interest you further. Here’s an overview of The Federal Information Security Management Act of 2002 which has as a major objective to 1) inventory all federal information systems; 2) perform risk rating of each; 3) establish minimum security requirements; 4) identify needed security controls; 5) develop security plans. (Pretty standard stuff, attempting to achieve much-needed security across all systems, and long overdue at the federal level.)

      But “Perfect Citizen” does sound kind of ominous and this article that Gitcheegumee found is not altogether comforting. For example, “Components of the old TIA are still being conducted, having been placed in other offices (kind of amusing that Advanced Research and Development Activity has moved from NSA to the Disruptive Technology Office (run by the DNI).”

      • Kathryn in MA says:

        “Components of the old TIA are still being conducted, having been placed in other offices

        Of course they are! Right on time!

  2. alan1tx says:

    When you consider that there are plans for over a dozen new nuclear power plants starting construction in the next decade, we should make sure they’re safe.

    • Synoia says:

      Yes, we should ensure that Nuclear plants under construction are safe.

      Let’s start with cost overruns, not paid for by ratepayers or taxpayers.

      Then have a clear plan to dispose of the high, medium and low level waste, again not at the taxpayers expense.

      Then approve the construction permits. If not, the utilities will come crying to the Feds for a bailout because the construction costs have become too high, and the plants uneconomic because the escrow payments for the waste dispersal damage profits.

  3. Synoia says:

    Perfect Citizen. What an appropriate name.

    “We monitor all you infrastructure use to ensure you are a Perfect Citizen, or else our enforcers, the IRS, will damage you further.”

    Perfect Citizen: We tell you what to use and when to use it, and how mcu you shall pay.

    That really reads as if that were central planning, a hallmark of socialism, without the benefits.

      • BoxTurtle says:

        Motto at Lexis: “When a company sends us a million dollars a month, it gives them a certain amount of say in how we do our jobs”.

        Boxturtle (We maintained support for a 1200 Baud dedicated terminal well into the 90’s cause DoJ liked them)

  4. timr says:

    Unfortunately there have been cyber attacks in this country. Think about what would happen if our electric grid got hacked and the computers that run the system went down.

    I was briefed waaay back in the day, before the internet even existed, about “what if”. I must say, they were very prescient. Of couse, back in the day we were worried about an EMP attack. Say a nuke popped about 30 miles up over mid america and what it would do. Even then we understood how weak technology was against any outside attack.

    But now, we are very vulnerable to a cyber attack. And IMO it is something that should be kept classified because if you make public what you are doing to stop a cyberattack then those making the attack learn more ways around your safeguards.

    Cyberattacks against our power grid-never mind the nuclear power plant, they can in fact isolate controls and some computers from the web-could very easily cripple our country for weeks and even months.

    What will you do if the lights go out and don’t come back on, hmmm?

    Enter the very new field of cyber security.

    What the NSA does and whether or not they notify congress-some times its better you don’t tell congress what you are doing because many of them have no idea what national security is and what security means. And yes, at one time, many years ago, I did work for the NSA. I understand the meaning of security and I also understand when something should be kept secret. This program, IMO, is one such program.

  5. fatster says:

    Thanks ever so much for turning your attention to this issue, EW, which has been nagging at me. Certainly cyber-security must be, has to be, a prominent concern in our world today, and so does protecting the nation’s utilities (to say nothing of the grid). My uneasiness since I learned about it just a few days ago, is that the DOD has the lead on this and not DHS.

    A few articles back where we were commenting on this issue, BoxTurtle wisely reminded us that DOD has much greater experience in these areas than does DHS, and that’s true. I’m still uneasy, though. Maybe it if were a joint venture (DOD and DHS) I wouldn’t be quite so wary. And if Congress does get involved, maybe it will become so. Otherwise, who knows what “Perfect Citizen/George Owell’s Baby” might dwarf into given DOD’s exclusive ownership of this huge project and the usual secrecy surrounding these kinds of endeavors in the past.

    Again, many thanks!

    • emptywheel says:

      There are a lot of reasons why it’d be preferable for it to be in DHS, not least contracting rules, which have a way of getting ignored if things go through DOD.

      • fatster says:

        You bet! And speaking of contracts, it would be interesting to see the contract between DOD and Raytheon to develop “Perfect Citizen” and whatever it’ll morph into. Again, thanks so much for focusing on this.

      • BoxTurtle says:

        Unh,I disagree there. I speak from my expeience at WPAFB, which is headquarters for Air Force Materials Command and likely the single largest collection of contract managers in the United States.

        There are ways to avoid the contracting system, but they all boil down to sombody at no less than Undersecretary level filing paperwork tht says either:

        1) Speed is essential, so the normal process needs to be bypassed. this can be as extreme as handing a contract to a selected company and saying “Do it now. Let us know how much it costs” or simply bypassing open bidding and sending it to the companies you know can handle the work and letting them bid.

        2) Declaring that only company X can do the work. Normally, this is because company X is already cleared for this or company X is obviously the only place with the needed expertise.

        Both of those exceptions are identically available to DHS.

        The key is that the DoD bureaucracy is entrenched and will act to protect it’s turf. If you want to bypass them, you’d better QUALIFY under the above, not just submit paperwork. Else the IG will get you.

        DHS seems to have much less in the ways of controls on them. Frankly, I’d rather they had to go through the pentagon system. DHS will eventually have a meltdown in this area and tighten things up.

        Boxturtle (DoD has periodic meltdowns, but normally for violation of process not bad process)

        • fatster says:

          Interesting what you say about sole source contracts under DOD. I’ve been on both sides of sole source contracts, though in an entirely different area, and the documentation required for justifying them was intense, as was the scrutiny of that documentation (which is how it should be). Does DOD require such thorough justification for sole source contracts? Thnx.

          • BoxTurtle says:

            Oh yeah. But once the undersecretary signs off, you have to appeal to a higher authority: Secretary Of Defense, then the President. Involving the president is uncommon, but it does happen.

            Boxturtle (Meaning at the end of the day, it’s a politician making the decision)

  6. Scarecrow says:

    The concern is not so much individual plants, nuclear or not. The utilities in the Eastern US, except for the South, don’t operate the transmission grid. Quasi-governmental entities, called Regional Transmission Organizations do. The entire interconnected grid for all of PA, Delaware, NJ, most of Virginia, WV, Ohio, parts of Indiana and segments of Kentucky, Illinois and Michigan are operated by an RTO called PJM. There are other RTOs that cover (1) all of New England, (2) all of New York State, (3) virtually all of Texas, (4) most of the Midwest (15 states), and most of California.

    Each RTO controls the dispatch of all the generators in their respective regions. Thousands of powerplants are interconnected and controled by their respective RTOs. It’s the dispatch that keeps the lights on, keeps flows on transmission lines from exceeding their safe operating limits, and balances supply and demand at every moment — literally every second, 24/7.

    It is the RTO computer systems that control the whole grid and the dispatches that we’re worried about, and they do need federal help. People have been thinking/worrying about this for a long time, and especially since a failure of the alarm systems in the control room of an Ohio utility (before and RTO took over that part of the system), failed, and because of the faulty communications systems and other problems, it blacked out 50 million people in the US and Canada — 2003.

    Part of this is controlled via dedicated communication links, but the whole system is also dependent on the internet, every second, especially the essential spot-market functions that determine the dispatch. They need a “vigilant” eye watching for and preventing efforts to hack into these massive computer systems — both because of the potential for terrorist attacks and more likely because of the possibility of commercial hackers trying to manipulate the multibillion dollar markets that each RTO operates as a necessary part of the generation dispatch.

    Think about how computer trading has manipulated the stock markets, causing wild volatility in stock prices, and forced their closings in recent months. Now apply that threat to the nation’s electricity systems. If they weren’t trying to prevent this, we’d want to know why.

    • emptywheel says:

      Oh yeah. In addition to the picture on the story–of a nuke plant that would endanger my dearest family members–I should have noted that I lived through that blackout. I still won’t buy a freezer because I don’t believe our electrical grid is sound enough.

      But I gotta say, we had some damn good parties that weekend.

      • Scarecrow says:

        I wouldn’t base any decision to buy or not buy an appliance based on worries about the security of the grid. I’d worry about the efficiency rating of that appliance versus its price — that matters to my budget and also to the total cost of the system that keeps the lights on and the stress the aggregate demand creates for the dispatch during peak hours.

      • alan1tx says:

        I bought the generator and fuel tank first, then the freezer. I don’t need no stinkin’ electrical grid.

      • PJEvans says:

        My parents had two freezers, and a small generator, in Texas. Losing power at the local level was a problem; the generator could put out enough to keep the coldboxes running, as long as we kept their doors closed. (Wouldn’t power the electric range, though.)

        I remember the mountain cabin east of Sacramento, that had an actual icebox when they bought it. (25-lb cakes in the top, drip pan underneath.) Refrigerators are an improvement.

  7. BoxTurtle says:

    Cybersecurity is good. But physical security is also required, it’s just not as sexy.

    Believe it or not, it’s fairly easy to secure a computer network. Just isolate it so that only employees on site have access to that network. Then you hire carefully. Just like what we do today with classified stuff. You don’t need internet access on the computers that control a power station. A large number of computer weaknesses come because the boss wnts ESPN on his desk, so he asks the geek to drill him a hole. Holes like that are easy for anyone to use.

    If I wanted to take out Ohio, I’d hit the main transformers at Zimmer and Perry. I’d have a reasonable chance at taking out the entire Eastern grid. If wanted to take out Chicago, I’d dump the river into the tunnels. For New York, I’d go for the main sewage treatment plant on Long Island. For Los Angles, I’d dress up as a cop and then shoot a few minorities.

    Any of which can be done without special skills or equiptment.

    Boxturtle (Even Weatherbug can be a security hole, if you run it inside you firewall)

  8. Leen says:

    Ew listening to Meet the Press

    Gibbs announced Obama will be attending an event of the opening of a new Battery manufacturing plant for the Volt in Holland Michigan this Thursday. Have vacationed with family in Holland Michigan for decades(cottage on the lake).

    Obama to Attend Groundbreaking for LG Chem Plant in U.S.

    U.S. President Barack Obama will attend a groundbreaking ceremony on Thursday for an LG Chem plant in Holland, Michigan, the company said Sunday. It is very unusual for an incumbent U.S. president to appear at such an event for a foreign company, and it is the first time for a Korean firm.

    LG is investing US$300 million to build the plant which will produce batteries for electric vehicles. First-phase commercial production is scheduled to begin in the first half of 2012, and once completed in 2013 the plant will churn out lithium ion cells for 200,000 hybrid cars annually.

  9. puppethead says:

    Why this is a bad, bad idea and threatens civil liberties more than ensuring any sort of “cyber” security:

    1) NSA will get data taps on every router on the internet: Once companies like Cisco build in special monitoring hooks for the likes of the NSA for power plants, don’t kid yourselves. It will become a standard feature for every commercial-grade router deployed anywhere.

    2) This gives the government control over what is deemed a threat: How will the government snoopers know what is or isn’t an “attack”? Sometimes legitimate traffic can look like something else. This moves the analysis of what is going on outside of the organization and into some government “overseer”.

    3) Attacks change, this is false security: The biggest threat to good security is complacency. If utilities or companies think they’re being protected by Big Brother, they’ll become less vigilant and eventually some new attack will come along that will get past something like “Perfect Citizen”.

    4) Security is a process, not a product: Security requires on-going assessment of what’s being done, what’s exposed and what the consequences might be. It is not a single firewall or monitoring product that you can just put in place that will magically protect everything.

    5) The biggest security breaches almost always come from within: Whether a malicious employee, careless employee or simple malfunction, the most damage is overwhelmingly caused from an internal source. “Perfect Citizen” won’t defend against that. Three Mile Island was caused by bad sensors and poor redundancy. The biggest stock market drop in history (over 1000 points in 30 minutes) was due to a trader entering the wrong number. Or flash trading. Both of which were allowable, “safe” events that broke the system.

    • BoxTurtle says:

      1) They already have that, for any exposed router. And they have legal taps into MAE East and MAE West.

      2) They already have that. We need to control the government, not the tools it uses.

      3-5) Aye, truer words were never spoken.

      Boxturtle (What civil liberties do we have left that this threatens?)

    • BoxTurtle says:

      Cost. A few thousand miles of dedicated lines is very expensive, time consuming to install, and a genuine PITA to maintain. It’s much easier to use the internet and VPN.

      Boxturtle (I’m unaware of a successful VPN hack, other than human engineerin. But it will come)

      • hijean831 says:

        Why do they need thousands of miles of line? What are they connected to, and why is that more important than their security?

        • BoxTurtle says:

          Because a dedicated line is just that. It’s a wire from point A to point B that nobody else uses or can even access. You have to hook every power plant to a regional center and then the regional centers have to be connected. Thousands of miles.

          And money is alway the most important thing. Should I spend megabucks and wait years for my own dedicated set of lines (You’ll want some redundency) or should I call ATT and get a high speed line installed this weekend for under $200 with a continuing cost of less than $200 a month? And VPN has never been cracked….

          Boxturtle (Oh, what to do,what to do..)

          • hijean831 says:

            Dude, I know what a dedicated line is. And I spent 12 years at a company whose motto was, “The network is the computer.” Obviously, plants need to be hooked to the distribution grid on the output side, I’m just not getting why the control side has to be available to hackers.

            Are you saying that nuclear plants are managed remotely from a regional center?

            • BoxTurtle says:

              Actual reactor operations,no. But the electrical transmission part of the plant is monitored remotely.

              Boxturtle (Apologies for lecturing, there are so many different people here I sometimes err on the side of TMI)

  10. JohnLopresti says:

    February 10, 2010 – Terry Gross, host, transcript.

    Gross: Have you personally investigated any cyber crimes, cyber attacks?

    (D)r. Lewis++: Well, I looked at one once that happened to a place I was working at and they, you know, you could – it was one of these denial service attacks. And it was really interesting to me because I was able to track back on where these attacks were coming from and, you know, one was a travel agency in Puerto Rico, one was a small manufacturing company in Michigan, and one was an optical equipment maker in Germany. Does that mean that we*d annoyed travel agents in Puerto Rico? No. What it meant is that whoever was actually attacking us had figured out how to capture these people*s computers and was using them as a weapon. So once I got back that far, I kind of stopped because to go further I would*ve had to, myself, hack into the Puerto Rican or Michigan or German computers and I would*ve had to, myself, commit a crime, and at that particular moment I thought that wasnt a good idea.


    ++Lewis was an author of the transition cybersec plan for O*Co, and has worked with RClarke. Lewis works at Center for Strategic and International Studies locus.

    Footnote2: Bx-Tle, be glad it was lofty 1200 baud; pretty quick compared to 300 on some early **minis**; Maybe had to do with POTS interface mux/demux. Cited Lewis interview has jovial comments on digital encryption standard work he did for Bush Sr. However, the passages on internet engineering taskforce are equally as interesting.

  11. SnarkiChildOfLoki says:

    There is no telling what kind of stupidity exists out there, but from my experience:

    1. Reactor operations, to the extent that any network is used at all, is completely physically isolated from the internet. That’s for control of the reactor, not necessarily for control of the electrical-generator side of things, which does need to coordinate with transmission systems.

    2. If the regional authorities are worried about hacking, yes, they can lease dedicated network lines, just like the old days. Or use ISDN connections. The data-rate is not that great, but since there’s no YouTube videos being transmitted, it should handle it with no problem. The main point is to avoid sharing bandwidth with other users, which also prevents DOS attacks.

    NSA is just trying to justify their existence by hyping a threat. Spying on all of us is (from their POV) a side benefit.

    • hijean831 says:

      1. Reactor operations, to the extent that any network is used at all, is completely physically isolated from the internet. That’s for control of the reactor, not necessarily for control of the electrical-generator side of things, which does need to coordinate with transmission systems.

      This sort of answers my questions to BT. So, the risk is really to the grid, not necessarily any individual generation source? I.e., someone could fool the leveling controls into causing blackouts or system overloads, but not tell a reactor to melt down?

  12. Kathryn in MA says:

    The classified program is now being expanded with funding from the multibillion-dollar Comprehensive National Cybersecurity Initiative, which started at the end of the Bush administration and has been continued by the Obama administration, officials said.

    Oh, WELL! Say no more!

  13. b2020 says:

    “I’m not all that bothered about this.”

    OK, great, but this is relevant how?

    To me, if anybody cares, “Perfectly Unbothered Citizen” is a classic case of a self-licking ice-cream cone, National Security version. The only reason “cyversecurity” is supposedly needed in the first place is because systems that have no business being networked beyond their own scope and location are being networked for, ah-ha, security, surveillance, monitoring, tracking reasons – the motives ranging from corporate convenience to cheap-skating on dedicated fiber/cable hardware to TIA-like “omnisicient executive” aspirations.

    Why the fuck does a nuclear power plant have to be connected to the web? Why would critical infrastructure share bandwidth?

    If you want security – as opposed to security theater that makes for lucrative means to privatize public money – forget about firewalls. You cut the wires. You don’t network for the sake of networking.

    This of a piece with the whole idiocy of Bygones Obama requiring another red button – one for nukes, the other the intertubes “killswitch” – to allegedly protect the network from, ah-ha, an attack that could kill the network. This is almost comically inane when one remembers that the protocols and algorithms that define the net were originally comissioned by the military to establish a robust communications infrastructure capable of routing around nuclear war.

    The solution to information pollution is NOT further dilution. S/N matters.

    • bobschacht says:

      The solution to information pollution is NOT further dilution. S/N matters.

      THAT is the modern dilemma. Tons if info, but most of it is noise.
      Our system of education has not caught up. What every modern high schooler needs is a good course in how to tell the difference between noise and signal.

      Bob in AZ