U.S. quietly launches protection program against cyber attacks on critical infrastructure

cyber threat against its infrastructure, one industry specialist familiar with the program told Gorman. “We don’t have a dedicated way to understand the problem.”

The information gathered by Perfect Citizen could also have applications beyond the critical infrastructure sector, officials said, serving as a data bank that would also help companies and agencies who call upon NSA for help with investigations of cyber attacks, as Google did when it sustained a major attack late last year.

The U.S. government has for more than a decade claimed a national-security interest in privately owned critical infrastructure that, if attacked, could cause significant damage to the government or the economy (“DNI Dennis Blair: U.S. critical infrastructure severely threatened,” 4 February 2010 HSNW). Initially, it established relationships with utility companies so it could, for instance, request that a power company seal a manhole that provides access to a key power line for a government agency.

With the rising concern about cyber attacks, these relationships began to extend into the electronic arena, and the only U.S. agency equipped to manage electronic assessments of critical-infrastructure vulnerabilities is the NSA, government and industry officials said.

Gorman writes that years ago the NSA began a small-scale effort, code-named April Strawberry, to address this problem. The program researched vulnerabilities in computer networks running critical infrastructure and sought ways to close security holes.

That led to initial work on Perfect Citizen, which was a piecemeal effort to forge relationships with some companies, particularly energy companies, whose infrastructure is widely used across the country.

The classified program is now being expanded with funding from the multibillion-dollar Comprehensive National Cybersecurity Initiative, which started at the end of the Bush administration and has been continued by the Obama administration (“Obama’s 29 May 2009 cybersecurity speech: a year on,” 10 June 2010 HSNW; and “U.S. unveils cybersecurity strategy,” 5 March 2010 HSNW). With that infusion of money, the NSA is now seeking to map out intrusions into critical infrastructure across the country.

“Because the program is still in the early stages, much remains to be worked out, such as which computer control systems will be monitored and how the data will be collected,” Gorman writes. “[Officials said that] NSA would likely start with the systems that have the most important security implications if attacked, such as electric, nuclear, and air-traffic-control systems.”

Intelligence officials have met with utilities’ CEOs and those discussions convinced them of the gravity of the threat against U.S. infrastructure, an industry specialist said, but the CEOs concluded they needed better threat information and guidance on what to do in the event of a major cyber attack.

Some companies may agree to have the NSA put its own sensors on and others may ask for direction on what sensors to buy and come to an agreement about what data they will then share with the government, industry and government officials told Gorman.

The government cannot force companies to work with it, but it can provide incentives to urge them to cooperate, particularly if the government already buys services from that company, officials said.

Gorman notes that Raytheon, which has built up a large cyber-security practice through acquisitions in recent years, is expected to subcontract out some of the work to smaller specialty companies, according to a person familiar with the project.