Electric Grid Is Vulnerable to Cyber-Attacks – Siobhan Gorman on WSJ.com

By SIOBHAN GORMAN

Computer networks controlling the electric grid are plagued with security holes that could allow intruders to redirect power delivery and steal data, the Energy Department warned in a recent report.

Many of the security vulnerabilities are strikingly basic and fixable problems, including a failure to install software security patches or poor password management. Many of the fixes would be inexpensive, according to the Idaho National Lab, an Energy Department facility that conducted the study.

via Electric Grid Is Vulnerable to Cyber-Attacks – WSJ.com.

Siobhan Gorman is my favorite reporter on national security (actually, she may just be my favorite reporter on anything as I’ve followed her work since she reported on education for National Journal, some years ago).  She writes well, gets to the point, and does not carry water for anyone or any interest.  When you think of the costs incurred to keep anyone with a bomb off an airplane and then read about the vulnerabilities of the electric grid, you get a sense of how important good reporting is to pushing the government to take action.

“Perfect Citizen” Plan-Orwell is alive and well… WSJ’s Siobhan Gorman

Wall Street Journal, JULY 8, 2010 and Bloomberg News (edited to take out internal links)
U.S. Plans Cyber Shield for Utilities, Companies

By SIOBHAN GORMAN

Bloomberg News
The control room at a nuclear-power plant in Limerick, Pa. The National Security Agency’s ‘Perfect Citizen’ program will detect cyber assaults on critical infrastructure, but could also help companies in other fields, such as Google, which sustained a major attack late last year.

(See Corrections & Amplifications item below.)

The federal government is launching an expansive program dubbed “Perfect Citizen” to detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants, according to people familiar with the program.

The surveillance by the National Security Agency, the government’s chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn’t persistently monitor the whole system, these people said.

Defense contractor Raytheon Corp. recently won a classified contract for the initial phase of the surveillance effort valued at up to $100 million, said a person familiar with the project.

An NSA spokeswoman said the agency had no information to provide on the program. A Raytheon spokesman declined to comment.

Some industry and government officials familiar with the program see Perfect Citizen as an intrusion by the NSA into domestic affairs, while others say it is an important program to combat an emerging security threat that only the NSA is equipped to provide.

“The overall purpose of the [program] is our Government…feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security,” said one internal Raytheon email, the text of which was seen by The Wall Street Journal. “Perfect Citizen is Big Brother.”
Raytheon declined to comment on this email.

A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It’s a logical extension of the work federal agencies have done in the past to protect physical attacks on critical infrastructure that could sabotage the government or key parts of the country, the official said.

U.S. intelligence officials have grown increasingly alarmed about what they believe to be Chinese and Russian surveillance of computer systems that control the electric grid and other U.S. infrastructure. Officials are unable to describe the full scope of the problem, however, because they have had limited ability to pull together all the private data.

Perfect Citizen will look at large, typically older computer control systems that were often designed without Internet connectivity or security in mind. Many of those systems—which run everything from subway systems to air-traffic control networks—have since been linked to the Internet, making them more efficient but also exposing them to cyber attack.

The goal is to close the “big, glaring holes” in the U.S.’s understanding of the nature of the cyber threat against its infrastructure, said one industry specialist familiar with the program. “We don’t have a dedicated way to understand the problem.”

The information gathered by Perfect Citizen could also have applications beyond the critical infrastructure sector, officials said, serving as a data bank that would also help companies and agencies who call upon NSA for help with investigations of cyber attacks, as Google did when it sustained a major attack late last year.

The U.S. government has for more than a decade claimed a national-security interest in privately owned critical infrastructure that, if attacked, could cause significant damage to the government or the economy. Initially, it established relationships with utility companies so it could, for instance, request that a power company seal a manhole that provides access to a key power line for a government agency.

With the growth in concern about cyber attacks, these relationships began to extend into the electronic arena, and the only U.S. agency equipped to manage electronic assessments of critical-infrastructure vulnerabilities is the NSA, government and industry officials said.

The NSA years ago began a small-scale effort to address this problem code-named April Strawberry, the military official said. The program researched vulnerabilities in computer networks running critical infrastructure and sought ways to close security holes.
That led to initial work on Perfect Citizen, which was a piecemeal effort to forge relationships with some companies, particularly energy companies, whose infrastructure is widely used across the country.

The classified program is now being expanded with funding from the multibillion-dollar Comprehensive National Cybersecurity Initiative, which started at the end of the Bush administration and has been continued by the Obama administration, officials said. With that infusion of money, the NSA is now seeking to map out intrusions into critical infrastructure across the country.

Because the program is still in the early stages, much remains to be worked out, such as which computer control systems will be monitored and how the data will be collected. NSA would likely start with the systems that have the most important security implications if attacked, such as electric, nuclear, and air-traffic-control systems, they said.
Intelligence officials have met with utilities’ CEOs and those discussions convinced them of the gravity of the threat against U.S. infrastructure, an industry specialist said, but the CEOs concluded they needed better threat information and guidance on what to do in the event of a major cyber attack.

Some companies may agree to have the NSA put its own sensors on and others may ask for direction on what sensors to buy and come to an agreement about what data they will then share with the government, industry and government officials said.

While the government can’t force companies to work with it, it can provide incentives to urge them to cooperate, particularly if the government already buys services from that company, officials said.

Raytheon, which has built up a large cyber-security practice through acquisitions in recent years, is expected to subcontract out some of the work to smaller specialty companies, according to a person familiar with the project.

Write to Siobhan Gorman at siobhan.gorman@wsj.com

Corrections & Amplifications:
A new cybersecurity system to be launched by the National Security Agency is called Perfect Citizen. A photo caption accompanying an earlier version of this article incorrectly called the program Private Citizen.

Online contact says he turned in analyst who wanted to leak information

The Washington Post (link below) carries this story of a Defense Department investigation of an intelligence analyst who may have leaked classified information to the whistle-blower website wikileaks.

It is certainly understandable why intelligence organizations would regard wikileaks as a serious threat to classified information as well as covert activities and operatives.  What seems absent or understated in the piece and the comments is that the threat from wikileaks and any other sources of this material would be greatly mitigated for the government, if leaks originating from politicians who leak for political advantage were stopped or prosecuted and agencies that hide incriminating or ambiguous information from public evaluation were to stop classifying so much that is worthless or only valuable for a short time and accelerate declassification of information.  It would take a while to have any favorable effect but trust would likely increase, immediately there would be less to leak and the public would be better informed.

One of the items leaked was a video of a helicopter assault on innocents.  Surely by this time the leadership of our governments, past, present and future, recognizes the futility of classifying this kind of material.  I just intuitively know that I am not that much more intelligent than Obama, Gates and Holder.  So why keep doing it and then complaining when it leaks?

One explanation is that the intelligence agencies don’t like President Obama and opening up would destroy morale.  That’s not just nonsense, its silly.  Intelligence agencies are populated by people who know that killing innocents is wrong.  They also know that it has a punitive cost and should.  They didn’t just get taught that in training, they learned it as children and it has been a part of their moral upbringing as it has for the rest of us.  By that logic, BP should not be criticized over the spill because its hard-working employees will become depressed.  I suspect many of them are already depressed by the spill and regret it as deeply as any.  I also suspect that the depressed ones who are involved in the clean-up are not less motivated to straighten things out because of their depression.

I am convinced that a government that plays by the rules it has set for itself and others will regain trust and diminish, in this case, leaks.  I am also convinced that a government that pursues leakers who are not part of the political élite and insiders to the items unnecessarily classified, will have more leaks to deal with, not fewer, and one of these days a leak will damage our national security irreparably.  There are examples of leaks having done so before now and before wikileaks.

Online contact says he turned in analyst who wanted to leak information.

Phone video of Kennedy Assassination, Tweeting 9/11, Immediate Bloodlust

What if we’d had social media when the Kennedys, and King were assassinated and on 9/11?  What is the effect of this, as well as of the internet, on our times?  The effects of the internet are treated Sunday in a New York Times book review of The Shallows: What the Internet is Doing to Our Brains, by Nicholas Carr.

(http://www.nytimes.com/2010/06/06/books/review/Lehrer-t.html)

Dan Gillmore in Salon writes on what would have happened had social media in its present state been available at the Kennedy assassination (at which the Zapruder film was the only visual record) and on 9/11, when victims were using cell phones to speak to loved ones.  (Gilmore also offers a link to his old blog, which I commend to you, that treats some of these matters at greater length.)

http://www.salon.com/technology/dan_gillmor/2010/06/05/social_media_and_september_11  (I’m a little confused about how permalinks work at Salon.com.  I hope this works for you.)

These three items and Gilmore’s question about whether or not the presence of social media at these historic events would have increased the “blood lust” felt by Americans really clicked for me.  (Others probably had this epiphany before me but one must cope with epiphanies when they come and for me it was 06/06/2010.)

Is the “blood lust” that I think Gillmore correctly identifies as one of the strongest immediate emotions Americans (and many others) felt reflected in our current political environment?  We didn’t know who was responsible for the tragedies he discusses but we knew they were tragic and unmerited.  Whoever did it was clearly “not our kind,” out of synch with what “we” believe (about something, but “we” didn’t know what at the time, “we” just knew that it was not how “we” do things), deserving of the harshest treatment possible, lawful if that was harsh enough but beyond the law if it was not–this was “outlaw” behavior.

Currently we read, and many feel, a similar sense of undifferentiated anger about our current circumstances and we have social media and the internet available to connect to those of like-mind.  The government seems to many or most to be responsible for our situation.  (It may be worth noting that there is no “mirror” on either social media or the internet; the aphoristic injunction to look first to ourselves finds no place in either.)  Government is big and cumbersome.  Its continent-spanning solutions don’t always (some would say “often”) work locally and locally is where people live.  If BP, the fifth largest oil company, seems ill-equipped to stop the Gulf spill after building and maintaining the well until the explosion, one has to wonder whether and where the much larger government will find the means to plug it.  Yet BP can’t be allowed to say “trust us” since it appears we have been doing that for some time and the results aren’t great.  This situation and others seems to force a choice between “bad” and “worse.”

But my question is, to what extent are the flames of political anger stoked through social media and the internet?  In the course of a day someone actively tweeting and blogging about the spill, to focus on only one of a plethora of things people are angry about including joblessness, bailouts, legislative paralysis, health care, Social Security, foreclosure, Wall Street executive pay, immigration, the wars, etc., is the anger and blood lust kept alive?  Note that at the very moment of the tragic event, there is a “we-they” divide before “we” can identify “they”.  How does this affect our polarized politics?  (I’ve deliberately left out racism, partisanship, religion and more as I want to consider the issues that are seen as legitimate for public concern, not because I don’t think these sometimes play a part.)

It isn’t news that angry people can’t be reasoned with easily but it may be news that the phase that usually follows unreasoned anger yields a cold calm to permit discussion and acceptable, if not necessarily optimal, problem-solving, may never arrive if the fires of unreason are stoked minute by minute.  Is this, or its effects at one or two degrees from the actual social media stimuli, what makes a Tea Party and keeps it running without a coherent organization?  Does unremitting stimuli make it, despite similarities with the Republican Party, willing to take on Republicans for nominations as well as incumbents generally?  Is there a continuous stimulus here to “rewind” current and recent past events until these outrageous situations are no longer facing us so that we can move forward in a different way, avoiding them?  Well…?

If the answer to these questions is “yes,” as my first thoughts suggest it is, then we can look forward to a new Republican Party, more angry and uncompromising than the present one (How about that!) in the new Congress, especially in the House but increasingly in the Senate.  New Republicans in both houses will be angry and old Republicans will feel pressure to “anger up.”  Members of congress will have to stimulate their followers constantly to maintain support/anger  (look for lots of money spent on social media by congress and the springing up of “good government” websites to monitor members time devoted to making videos, approving tweets, Facebook posts and the number of people employed to keep all this going).  Governing will be next to impossible, given the number of things already uncovered as worthy of anger.  The Democrats will feel some of this angering internally too.  Proposals for more than the minimal requirements of government operations will be “hollered over” endlessly.  Under the surface, reasonable people in both parties will struggle to make things work.

Let’s get down to it: if the Democrats and Obama don’t rally their troops (These should be the same troops but if you’ve noticed, once a president is in he presumes upon the support of his party across the spectrum. Bush did, Obama does and they aren’t the only examples.), whatever the 2010 election holds for them, 2012 is likely to be the end of the Obama administration and of Democratic strength in Congress.  The Democratic Left, of which I would consider myself a member if Obama’s actions define the center, must abandon “anger” and become the wind in his sails if he is to be re-elected.  That is more true than ever as the current Congress contains “Blue Dog” Democrats whose hold on office probably depends on embracing anger and in 2012 the total number of senators who have had to face the anger syndrome will be two-thirds of the whole.

Is all of what I’ve speculated a matter of social media stimulated and sustained “blood lust?”  No, but I think it changes the game significantly.  The speed of our communications along with the freedom we enjoy to express ourselves make it easy to fan flames that would have burned down to embers only a few years ago.  Since I don’t believe in “rewinds” and I think the freedom is the point of our civil society, I intend to ride the mustang until it throws me, I tame it or we learn how to work together.