NSA Hunting Down Network Security Vulnerabilities

By | Dec 27, 2012

Newly released documents indicate that the National Security Agency (NSA) is proactively looking for vulnerabilities in key computer systems and networks such as those at public utilities. Reportedly among the targeted systems are those associated with natural gas pipelines and the electrical power grid.

For the IT community at midsize firms, this effort may at once raise concerns and alleviate worries. On the one hand, no one is very comfortable hearing about shadowy intruders, and the involvement of a secretive federal agency can raise privacy concerns. On the other hand, in an era of growing cyber threats, there is an element of comfort in hearing of measures to find and respond to vulnerabilities before potential enemies can exploit them.

"Puzzle Palace"

The NSA is among the most secretive components of the US intelligence system. Its historical emphasis has been on SIGINT, signals intelligence, which naturally involves it with computer networks. The group is widely believed to be the creator of Stuxnet, the worm cyber weapon that reputedly wrecked thousands of Iranian centrifuges used for nuclear fuel enrichment.

Now, as Declan McCullagh reports at CNET, documents obtained by the Electronic Privacy Information Center (EPIC) have shone some light on the agency's domestic activities. Under a program called Perfect Citizen, the NSA has been conducting "vulnerability exploration and research" aimed at "large scale" utility control systems.

For some years, technology observers have been noting that the so-called "internet of things" - networked control devices, for example - could be vulnerable to attack. Stuxnet showed that physically wrecking industrial devices via Internet commands is indeed feasible. Early this year, the chairman of the Joint Chiefs of Staff, Gen. Martin Dempsey, said that he was "extraordinarily concerned about the cyber capabilities of other nations."

Penetration Testing

The Perfect Citizen program was mentioned as early as 2010, but the newly released documents give a broader picture of the scope of its activities. According to EPIC, the documents show that, contrary to previous assertions, the agency is involved in monitoring private networks.

It is too early to say what level of controversy the released documents may trigger. There is certainly a good deal of public concern about possible government snooping on private communications. On the other hand, status information provided by utility-firm sensor networks may not fall within the scope of worries.

For IT professionals, the most immediate impact of the new information may be to confirm growing concern about cyber-threats not just to data but to operating systems of all sorts. IT departments at midsize firms may want to examine their own networks and systems for potential vulnerability to cyber-attacks.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet.
