Perfect Citizen

On Wednesday, July 07, 2010 the Wall Street Journal published an article titled “U.S. Program to Detect Cyber Attacks on Infrastructure.” This article was well written and only stated facts…one-sided facts. I feel the journalist could have, and should have, gone farther with the article. This blog will deconstruct the entire article and put it into perspective. One thing I do want the readers of this blog to understand is that I have worked for many government agencies in and around cyber security and was one of the many team members that helped to create the FBI’s cyber snooping system called Carnivore.

The article states in the 2nd paragraph – “The surveillance by the National Security Agency, the government’s chief eavesdropping agency, would rely on a set of sensors deployed in computer networks for critical infrastructure that would be triggered by unusual activity suggesting an impending cyber attack, though it wouldn’t persistently monitor the whole system, these people said.” The vast majority of networks in this country already have monitoring systems implemented that watch for unusual activity. Compliance requirements such as FERC 706, PCI, CFATS, HIPAA and many others require these monitoring devices. Devices such as Host-Based Intrusion Detection Systems (HIDS) and Network Intrusion Detection Systems (NIDS) are on most, if not all, networks in this country, so there is no need for the NSA to implement these items.

The article states in the 6th paragraph – “The overall purpose of the [program] is our Government…feel[s] that they need to insure the Public Sector is doing all they can to secure Infrastructure critical to our National Security.” Raytheon secured an initial $100 million contract for this project but never stated that it was a good idea…only that the Government wants to ensure that the critical infrastructure is protected…wouldn’t an audit do this? If not, then why are FERC and NERC requiring audits to make sure registered entities are securing their networks and critical assets?

The article states in the 8th paragraph – “A U.S. military official called the program long overdue and said any intrusion into privacy is no greater than what the public already endures from traffic cameras. It’s a logical extension of the work federal agencies have done in the past to protect physical attacks on critical infrastructure that could sabotage the government or key parts of the country, the official said.” The fact that the military compares snooping on a company’s network which would give them access to payroll, financial and other sensitive information that could be used against them for the benefit of a politically motivated attack to a traffic camera is just plain silly. The military also says it is pertinent so as to prevent the physical attack on the critical infrastructure…what does snooping on a corporate network have to do with protecting from a physical attack?

The article states in the 9th paragraph – “U.S. intelligence officials have grown increasingly alarmed about what they believe to be Chinese and Russian surveillance of computer systems that control the electric grid and other U.S. infrastructure. Officials are unable to describe the full scope of the problem, however, because they have had limited ability to pull together all the private data.” It is exactly right that U.S. Intelligence Officials can’t describe the problem because they have had limited abilities. However, the way this paragraph is worded would make it seem that the limited abilities are because companies are not cooperating. The truth is that there are too many opinions on how this should be done…including from those who have no idea of what they are doing or saying (politicians). The Government needs to hire a group of hackers like the Chaos Computer Club, Brazil Boys or Masters of Deception to come in and solve these problems. What??? You have never heard of these guys…there’s a reason for that…the best guys/gals are never caught, therefore, they are not widely known. Companies like McAfee and Symantec keep dozens of hackers on staff to fight against viruses.

The article states in the 13th paragraph – “With the growth in concern about cyber attacks, these relationships began to extend into the electronic arena, and the only U.S. agency equipped to manage electronic assessments of critical-infrastructure vulnerabilities is the NSA, government and industry officials said.” Are you kidding me??? The NSA and many other agencies to include the CIA, FBI, NASA and most other government agencies have been successfully hacked so many times that this argument has more holes in it than a slice of Swiss cheese. These people can’t protect against “60 Minutes” reporters from obtaining sensitive information, how in the world can they protect against a cyber terrorist?

The article states in the 2nd to last paragraph – “While the government can’t force companies to work with it, it can provide incentives to urge them to cooperate, particularly if the government already buys services from that company, officials said.” Incentives??? Are you kidding??? That is Government speak for “Do what we say or the President will invoke an emergency on your facility under the GRID Act and take your facility from you.”

The “Perfect Citizen” project is, in my opinion, just one more way the politicians will attempt to grab control of a private company…all in the name of national security. There are only two groups who will benefit from this – Government agencies and consulting firms like Abidance Consulting. The Government needs to take a few steps back and reassess their position. A good recommendation would be to complete audits on all critical infrastructure facilities and determine their state of readiness for a cyber attack based on best practices from standards such as NIST 800-53 or ISO-17799. After the audits have been conducted, the Government should issue “warning citations” stating, in detail, what that facility’s shortcomings are and give it an opportunity to make amends. If it fails to comply, then implement stronger measures against it.

By doing this, the Government will make friends, keep friends and will ensure that companies will do what they need to do for fear that they could lose everything. If you just come right out and force this on a company, there is no incentive on their part to cooperate.

How Obama Plans To Nationalize The Power Grid

H.R. 5026, the Grid Reliability and Infrastructure Defense Act or the ‘‘GRID Act” as it is known, is setting the table to allow the current Administration to nationalize the grid. There, I said it!

This piece of legislation passed the House Energy & Commerce Committee unanimously 47-0. Apparently no sane person on the committee read this document as it allows the President to declare an “emergency” – (Page 6, Lines 10-18) Whenever the President issues and provides to the Commission (either directly or through the Secretary) a written directive or determination identifying an imminent grid security threat, the Commission may, with or without notice, hearing, or report, issue such orders for emergency measures as are necessary in its judgment to protect the reliability of the bulk-power system or of defense critical electric infrastructure against such threat. That applies to the entire grid, an RRO or even a single facility – (Page 7, Lines 9 – 15) An order for emergency measures under this subsection may apply to —

(A) the Electric Reliability Organization;

(B) a regional entity; or

(C) any owner, user, or operator of the bulk-power system or of defense critical electric infrastructure within the United States.

The GRID Act requires a facility to protect against Electromagnetic Weapons (non-nuclear), Geomagnetic Storms, a direct attack on a facility or its systems using an electromagnetic weapon and/or a geomagnetic storm causing adverse effects on the reliability of the Bulk Electric System.

Um, if you plan on monitoring the sun for storm activity and have a “Magic 8-Ball”, you might be able to figure out how to detect and protect against these issues. If you don’t happen to possess these monitoring abilities, then just plan on getting fined or having an “emergency” declared against you.

Oh, and just in case you weren’t aware, if an emergency is declared against your facility, FERC will step in and take control of your facility(ies) until the President has determined that the emergency is over. This is the same President who recently said at Hampton University that he did not know how to use an iPod, iPad, Xbox or a PlayStation. This is the very same President who wants the ability to declare an emergency on the grid!

There is one shining light in all of this. That light is your ability as a registered entity to recover your expenses in getting compliant either through rate increases or, if that’s not possible, Congress will put in place a “mechanism” (new taxes) so that you can recover your costs. The other light…I think this light is from an oncoming locomotive…is one that allows Congress to force you to turn over all of your documentation, regardless of its sensitivity, for their full review. Mmmmm makes me feel all warm and fuzzy to think that Congress will now be able to review and, at their whim, make all of our power producers’ documents a matter of public record. Check Please!