NSA Hunting Down Network Security Vulnerabilities
Newly released documents indicate that the National Security Agency (NSA) is proactively looking for vulnerabillities in key computer systems and networks such as those at public utilities. Reportedly among the targeted systems are those associated with natural gas pipelines and the electrical power grid.
For the IT community at midsize firms, this effort may at once raise concerns and alleviate worries. On the one hand, no one is very comfortable hearing about shadowy intruders, and the involvement of a secretive federal agency can raise privacy concerns. On the other hand, in an era of growing cyber threats, there is an element of comfort in hearing of measures to find and respond to vulnerabilities before potential enemies can exploit them.
The NSA is among the most secretive components of the US intelligence system. Its historical emphasis has been on SIGINT, signals intelligence, which naturally involves it with computer networks. The group is widely believed to be the creator of Stuxnet, the worm cyber weapon that reputedly wrecked thousands of Iranian centrifuges used for nuclear fuel enrichment.
Now, as Declan McCullagh reports at CNET, documents obtained by the Electronic Privacy Information Center (EPIC) have shone some light on the agency's domestic activities. Under a program called Perfect Citizen, the NSA has been conducting "vulnerability exploration and research" aimed at "large scale" utility control systems.
For some years, technology observers have been noting that the so-called "internet of things" - networked control devices, for example - could be vulnerable to attack. Stuxnet showed that physically wrecking industrial devices via Internet commands is indeed feasible. Early this year, the chairman of the Joint Chiefs of Staff, Gen. Martin Dempsey, said that he was "extraordinarily concerned about the cyber capabilities of other nations."
The Perfect Citizen was mentioned as early as 2010, but the newly released documents give a broader picture of its scope of activities. According to EPIC, the documents show that, contrary to previous assertions, the agency is involved in monitoring private networks.
It is too early to say what level of controversy the released documents may trigger. There is certainly a good deal of public concern about possible government snooping on private communications. On the other hand, status information provided by utility-firm sensor networks may not fall within the scope of worries.
For IT professionals, the most immediate impact of the new information may be to confirm growing concern about cyber-threats not just to data but to operating systems of all sorts. IT departments at midsize firms may want to examine their own networks and systems for potential vulnerability to cyber-attacks.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. Like us on Facebook. Follow us on Twitter.