‘Perfect Citizen’ is an Imperfect Solution

Few phrases in the English language are as terrifying as, “We’re from the government and we’re here to help.” And that’s essentially what the Obama administration, in the form of the National Security Agency, is saying to the companies that run the country’s utilities and other privately owned critical infrastructure with its proposed “Perfect Citizen” surveillance and coordination program: You had your chance, now step aside and let us show you how it’s done.

The reaction to Siobhan Gorman’s terrific story this week in the Wall Street Journal on a proposed new program, run by the NSA, that will give the intelligence agency broad capabilities to monitor certain networks belonging to companies that run nuclear power plants, electric utilities and other services that are deemed vital to the country’s national security has been strong and opinionated, as one would expect. Security experts and privacy advocates are worried that the program will expand the government’s surveillance of private citizens, further eroding what little privacy Americans still enjoy.

“Some industry and government officials familiar with the program see Perfect Citizen as an intrusion by the NSA into domestic affairs, while others say it is an important program to combat an emerging security threat that only the NSA is equipped to provide,” Gorman wrote.

“‘The overall purpose of the [program] is our Government…feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security,'” said one internal Raytheon email, the text of which was seen by The Wall Street Journal. “‘Perfect Citizen is Big Brother.'”

That’s certainly the way it sounds: The NSA placing sensors in private networks, looking for vaguely defined signs of an impending attack, all the while slurping up God knows how much other data that will disappear into the giant maw of Fort Meade, never to be seen again.

There are two main pieces to this puzzle that are scary. The first is the involvement of the NSA. If they know of it at all, most Americans think of the NSA as the super-secretive, all-powerful agency that spies on regular citizens and reads everyone’s emails in breathless Dan Brown novels or Will Smith movies. Giving that agency the ability to switch on sensors in private networks on a whim and look for suspicious activity, whatever that means, seems, on its face, to be a terrible idea.

And it probably is, in terms of transparency and accountability. The NSA is the ultimate black box; everything goes in and virtually nothing comes out. That’s by design. The agency’s mission is to sift through all of the electronic traffic it can get its hands on, analyze it and identify threats to the U.S. It is very good at this job. If any agency has the ability to look at huge amounts of data from hundreds or thousands of disparate sources and find the one nugget that matters, it’s the NSA.

The NSA also is very good at secrecy. You don’t see many former NSA employees writing tell-all books or going on CNN to take shots at the agency. That’s the CIA’s domain. So what we likely won’t get, if the Perfect Citizen program ever is implemented, is any sort of public accounting of what it’s doing and, perhaps more importantly, what it’s not doing. The NSA will report to the Director of National Intelligence, who reports to the president, and that will be that. Don’t look for leaks or anonymously sourced stories about the agency stopping some attack on our power grid. It won’t happen.

The other scary element to this idea is increased government meddling in the private sector. The last 10 years have seen a massive increase in the amount of involvement the federal government has in the business of private companies and ordinary citizens. Because this has happened over the course of a decade, perhaps it’s been less noticeable to a lot of people who aren’t constantly focused on security and privacy. But it’s there.

And now the government is thinking about wrapping its tentacles around the private data networks owned by utilities and other companies, in the name of national security. That’s not a very appealing prospect for many people.

But if you look under the covers a bit, what you find is that Perfect Citizen is just another iteration–albeit a broader and more intrusive one–of the government’s longstanding effort to coordinate data on attacks across various industries and networks. This was part of the Department of Homeland Security’s original reason for being, but it’s mostly failed. The Information Sharing and Analysis Centers that coordinate information in specific industries work in some cases, but they’ve been understandably reluctant to share some of their data with the government. What’s in it for them, after all?

But the Perfect Citizen program looks and feels different from any of the previous plans based on coordination centers and voluntary collaboration. This feels just as clumsy, but far more intrusive and odious, as well.
