Archive

Archive for April, 2011

NSA testing smartphones, tablets on safe mobile architecture

The National Security Agency is testing a new mobile infrastructure, largely composed of commercial tools, to secure Top Secret information on portable devices, such as smartphones and tablet computers, a high-level NSA official said.

The intelligence community, like the rest of the federal workforce, increasingly wants to access information on the go, which is creating a challenge for Debora Plunkett, director of the NSA Information Assurance Directorate. Mobility is just one of about 10 challenges– or “opportunities” as Plunkett likes to call them — that she has set out to tackle this year.

Moving ahead, her priority will remain bolstering national security networks at the agency responsible for safekeeping the nation’s secrets and spying on others’ covert activities, she said. But the evolving threat landscape has prompted her to change tactics.

After the disclosure of thousands of pages of classified material on the WikiLeaks website, there is increased interest in the data that NSA houses. In addition, technology is rapidly advancing, and cyber adversaries are becoming more sophisticated.

To shore up mobile devices, NSA is experimenting through the summer with an architecture comprised of commercial handsets and a data delivery concept similar to one used by Amazon’s Kindle e-reader and OnStar Corp.’s navigation systems, Plunkett said. So-called mobile virtual network operators, or MVNOs, lease wireless capacity owned by other network providers, including Verizon Communications and Sprint, and then repackage the mobile services with their own specialized features under a new brand name, such as “OnStar.”

But “the IT architecture of the future,” said Plunkett, will be cloud computing –accessing over the Internet information technology systems that are grounded elsewhere– and virtualization, a means of segmenting one physical server into smaller servers that can be accessed remotely.

Last month, U.S. Cyber Command chief Gen. Keith Alexander endorsed this sentiment when he testified before a House subcommittee that cloud computing will help fortify military networks during the coming year.

“This architecture would seem at first glance to be vulnerable to insider threats — indeed, no system that human beings use can be made immune to abuse,” he said, “but we are convinced the controls and tools that will be built into the cloud will ensure that people cannot see any data beyond what they need for their jobs and will be swiftly identified if they make unauthorized attempts to access data.”

Both Plunkett and Alexander said they believe cloud computing will reduce security risks by moving information away from desktops to a centralized arrangement that allows for tighter control over access and more rapid responses to cyber incidents.

“We’re tracking, absolutely,” Plunkett said of their mutual goal. “I firmly believe that cloud computing is the way to go.”

Like civilian agencies, NSA aims to continuously monitor its security posture by automating the process of collecting network status indicators, such as data on anti-virus scans or software patches, she added.

Other challenges this year include software assurance –the practice of making sure “the millions and millions and trillions of lines of code” that personnel exchange “is both developed securely and that it stays secure throughout its life cycle,” Plunkett said.

This is NOT Plagiarism

David Virgil Dafinoiu is the administrator of this blog and not the author of the specific article.

This site functions as a repository of information in the public interest using data available from Open Source Intelligence (OSINT). Specifically, we examine the networks surrounding the daily WW events. Our website contains sources from more than 150 countries in more than 60 languages. Many articles are submitted anonymously.

Everything on this site is accessible free of charge. All of our original content is considered to be in the public domain and may be reproduced freely. We sometimes utilize material which is copyrighted in the production of our content, often without prior approval. However, this is done in a manner that is consistent with fair use, particularly that which is protected under Title 17, Chapter 1, § 107 and § 108 of the U.S. Code. This site does not seek commercial advantage from the reproduction of such works.

If you have access to additional information that is of significance to the public at large, please consider contributing it to our site.

Also, if you know of any errors or omissions in the material we provide, please let us know.

Thank you,

David Virgil Dafinoiu
Site Administrator

Is the NSA’s ‘Perfect Citizen’ the Ultimate Spying Tool?

Could the NSA’s new “Perfect Citizen” actually be used for spying on every citizen in the U.S.?

The name sounds like an action movie — the heroic vigilante chases down the bad guys to aid his country and prevent a nuclear Armageddon. It also sounds like the worst possible name for a government program intended to protect citizens, not spy on them.

The NSA’s new cyber-security program Perfect Citizen will monitor nuclear power plants, train stations, and the electric power grid to safeguard against cyber-assaults.

And as the Wall Street Journal reported, the new program is intended to monitor cyber-terrorist threats and “would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack.”

According to that report, Raytheon was awarded a $100M contract to develop Perfect Citizen. (Raytheon declined to comment, as did the NSA other than describing Perfect Citizen in an official statement as a “research and risk-assessment” project that does not use sensors.)

How would such a system work? Why do experts fear it could be turned against us? And should the government really be in the business of installing sensors on the private power grid and at nuclear plants owned by private companies?

Fighting cyber-attacks

Your local power plant was built long before Google became a household name. Yet just about every nuclear power plant, train station, subway system and local power company now connects to the outside Internet, either for employees to access their e-mail or just to check the weather.

And many utility companies provide remote access for workers to monitor these utility systems; some plants are even interconnected over the Internet to share data.

Perfect Citizen will analyze these attack vectors and plug any security holes. Yet experts claim the new program is just a stop-gap measure — a band-aid on an old wound.

“Cybersecurity wasn’t even a concept when these infrastructure systems were built, and yet they have now all been connected and interconnected online — making them high profile targets for a cyber-attack,” says Hemanshu Nigam, a security consultant who advises Congress on cyber-security.

“Finding anomalous activity will do very little to prevent real cyber-attacks, especially since Perfect Citizen will not be 24/7 and will not be all encompassing [to every point of entry into these systems].”

Nigam says Perfect Citizen is a very broad security program. It will monitor nuclear plants and the electric grid for denial-of-service attacks, which is when hackers — many of them from China and Russia — send repeated requests to a computer to cause an overload and failure. Nigam says cyber-terrorists already know the NSA fights denial-of-service threats and will attack through other means.

Interestingly, a more likely attack vector at power plants is the Web browser on an employee’s workstation, says Bradley Anstis, a vice president at M86 Security. A terrorist might use malware that tricks an employee into installing a virus, which then infects higher-level systems — such as a command and control server — on the same network.

Krish Shetty, the CEO at Wiznucleus, a company that specializes in protecting nuclear power plants and power companies from cyber-assaults, says protecting the aging utility infrastructure in the U.S. requires a risk-assessment for every plant and at every endpoint — and that Perfect Citizen is a step in the right direction. Yet the challenge is in correlating why a cyber-attack occurred at one power plant and learning from that new attack.

Nigam suggests a similar ground-level approach to protecting power plants. He advocates grants and incentives to companies to build their own private security layer.

Mike Lloyd, the chief scientist at the security company RedSeal Systems, says our current utility cyber-defenses are weak compared to what they should be. He says a terrorist only has to find one weak spot, but a security defense needs to protect against every conceivable attack.

The main issue with protecting utilities is that they are incredibly complex — not just one company at an office, but multiple buildings and networks, a complex infrastructure with antiquated systems.

The next step: no more privacy?
If Perfect Citizen really is a series of sensors that monitor cyber-attacks, it’s easy to envision how this same network could be used for monitoring everyday citizens.

With any NSA program, communication is a one-way street, noted Nigam. There won’t be any new official information about the Perfect Citizen program, so it’s left to the experts to hypothesize about what it really is — and the true nature of the program, he says.

They have. And they’re worried about what the NSA is planning.

For starters, there’s a Wired.com report that claims the NSA has teamed with Homeland Security to get around any legal entanglements, hinting at a justification for spying on U.S. citizens. And a story in The Economist declares a new cyberwar that involves secret cyber-weapons and cyber-armies from Iran, North Korea, and Russia attacking utility companies and the grid.

In the Wall Street Journal, an unnamed military official said Perfect Citizen is long overdue and that “any intrusion into privacy is no greater than what the public already endures from traffic cameras.”

All told, Nigam maintains that Perfect Citizen is a result of new beefed up security measures, partly due to an influx of funding for the Comprehensive National Cybersecurity Initiative.

“The Obama Administration is playing catch-up. And so for that reason alone it needs to invest more than ever,” says Nigam. “Such spending is fully warranted only if it is directed to the right areas, and right now the Perfect Citizen program is not a good example of that.”

CIA, NSA and Google are partnering up

Categories: Intelligence Tags: , ,