Newly released files show a secret National Security Agency program is targeting the computerized systems that control utilities to discover security vulnerabilities, which can be used to defend the United States or disrupt the infrastructure of other nations.
The NSA’s so-called Perfect Citizen program conducts “vulnerability exploration and research” against the computerized controllers that run “large-scale” utilities including power grids and natural gas pipelines, the documents show. The program is scheduled to continue through at least September 2014.
The Perfect Citizen files obtained by the Electronic Privacy Information Center and provided to CNET shed more light on how the agency aims to defend — and attack — embedded controllers. The NSA is reported to have developed Stuxnet, which President Obama secretly ordered to be used against Iran’s nuclear program, with the help of Israel.
The 190 pages of the NSA’s Perfect Citizen files, which EPIC obtained through the Freedom of Information Act last week, are heavily redacted. At least 98 pages were completely deleted for a number of reasons, including that portions are “classified top secret,” and could “cause exceptionally grave damage to the national security” if released, according to an accompanying letter from Pamela Phillips, chief of the NSA’s FOIA office.
But the portions that were released show that Raytheon received a contract worth up to $91 million to establish Perfect Citizen, which “enables the government to protect the systems,” especially “large-scale distributed utilities,” operated by the private sector.
The Wall Street Journal disclosed the existence of Perfect Citizen in a 2010 article, which reported that the NSA’s “surveillance” of such systems relies “on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack.”
Marc Rotenberg, EPIC’s executive director, said that the newly declassified documents “may help disprove” the NSA’s argument that Perfect Citizen doesn’t involve monitoring private networks.