Perfect Citizen Confirmed, Some Documents Released

In 2010, the Wall Street Journal reported on a National Security Agency program called “Perfect Citizen.” The program has been officially “unconfirmed” until now, although NSA offered some vague explanations about its aim to protect utility networks from cybersecurity hacks.

The program is supported by a reportedly $100 million contract with defense and technology specialist, Raytheon.

Through the Freedom of Information Act, the Electronic Privacy Information Center (EPIC) obtained documents confirming Perfect Citizen’s existence. The documents are, however, extensively censored and 98 pages were withheld due to top secret classification. The document is titled “Statement of Work for Perfect Citizen,” and although some of it is censored, background to the program is as follows:

“Sensitive Control Systems (SCS) perform data collection and control of large-scale distributed utilities or provide automation of infrastructure processes. From an information assurance perspective, the protection of SCS is essential to mission operations and has become a significant point of interest in support of the Department of Defense (DOD) and the Intelligence Community (IC). The prevention of a loss due to a cyber or physical attack…is crucial to the DOD [and] the IC.”

The “prevention” of an attack and the definition of “threat” are highly contested, and EPIC has recommended the government’s cybersecurity strategies narrow their definition of the word.

According to the WSJ report in 2010, a leaked e-mail from a Raytheon authority noted: “The overall purpose of the [program] is our Government…feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security. Perfect Citizen is Big Brother.”

However, an NSA spokeswoman in 2010 assured critics that Perfect Citizen was “purely a vulnerabilities assessment and capabilities development contract…[and] it does not involve the monitoring of communications or the placement of sensors on utility company systems.”

The Post report raised some concerns about privacy, but gave little detail as to what kind of intrusions were likely. Some officials saw the program as the NSA overstepping their boundaries into domestic affairs, similar to the worries about the recent FISA renewal.

Although, such a stretch into domestic surveillance and monitoring of the cyber world is no new arrival. President Bush gave NSA greater authority to investigate computing and informational systems in the official 2008 policy: the National Security Presidential Directive 54/ Department of Homeland Security Directive 23.

The original document is not available, but President Obama’s extension of the directive can be read here. The scope of authority is ambiguous, but what is obvious is extended funding for strengthening and broadening intelligence collection, processing, and analysis, among other activities.

Hacking is quickly becoming one of the most demanded skills in U.S. Government intelligence agencies, like the NSA, Department of Homeland Security, and the Department of Defense. The exponentially growing use of hackers, however, is posing questions about the legality and morality of domestic surveillance and the ever-broadening definition of the word “threat.”

The Sans Institute is an entity specializing in computer security, training, and research and has worked closely with the US military. They are currently running an experiment in New Jersey in which hackers try to simulate a cyber attack on a model town (literally, a miniature city complete with utility grid) and then reverse the affects.

The Atlantic, which ran the story last week, published a rather cute and gimmicky tale of what actually has serious implications on America’s future in cybersecurity.

It is entirely possible that the NSA is simply employing research and development activities like those carried out by the Sans Institute. However, the fact that 98 pages of Perfect Citizen’s narrative were withheld, not to mention the heavy redaction of the released documents, indicates the WSJ’s 2010 report may have been more accurate than the NSA wished to reveal.