NSA, DHS and the Perfect Citizen Trojan Horse

NSA, DHS and the Perfect Citizen Trojan Horse

By TheAvalonRoundTable

All Rights Reserved © 2010

July 13, 2010 17:30 EST

In any war or struggle, strategy plays the central role, whether the warfare is a political (grand) strategy or not. Among the key elements of strategy is timing. Four levels of warfare exist, political goals or grand strategy, strategy, operations, and tactics.

Advocates of Liberty who possess a mature concept of what that means; freedom of action with ownership and responsibility for their actions, are seemingly in direct opposition to the controls of authority, especially government. These proponents of control, in their never ending designs of the mechanisms of control have just come up with another instrument to impose on our society.

The Master Plan as has been well documented, being a micro-chipping of the population with RFID devices moves along at a slow pace, however, don’t be deceived in its apparent stand-by mode. Again, the timing is of utmost importance in matters where an entire population is to adopt a new control system, a rejection of which has been expressed over and over again by the population at-large. Perhaps a Catastrophic Event would change that.

Personal Liberties and National Security vs. Individual Security are at odds again and will continue to be until there is a winner in this battle – simply put. While security always seems to come at the cost of personal liberties, be mindful of the famous quote from Benjamin Franklin

“Those who would give up Essential Liberty to purchase a little Temporary Safety, deserve neither Liberty nor Safety.

Arguably, there are threats in today’s world. It could be demonstrated that many of the threats against the United States have come about as a result of our policies and actions, that being a good statement to debunk for anyone naive enough to dismiss the recent war against Iraq and Afghanistan – both of which are still being waged, in case you weren’t aware of it.

Terrorism – Insurgents – Weapons of Mass Destruction – The Trumpet Sounds Again and Again

Fortunately, these repeating alarms have been nothing more than hyperbole to justify spending Billions of Dollars on a self-perpetuating machine known as The Military Industrial Complex. Fear not, they will protect us, at the cost of every god given right we have; the Right to Peaceably Assemble, the Right to Travel Freely, the Right to Keep and Bear Arms. Ultimately, it will be the destruction of the very thing they are charged and duty bound to protect.

“All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved.” – Sun Tzu the Art of War

Now, let’s go to the primary subject of this article. The National Security Agency is reportedly launching a program known as “Perfect Citizen“, to monitor for cyber-attacks against government agencies and private companies responsible for key services such as electricity, nuclear power, and transportation.

According to a story in the Wall Street Journal dated July 8, 2010, the program is designed to “detect cyber assaults on private companies and government agencies running such critical infrastructure as the electricity grid and nuclear-power plants according to people familiar with the program. The program, known as “Perfect Citizen,” is already triggering mixed reactions, says the Journal. Some in industry and government see it as an attempt by the NSA to intrude into domestic matters, while others believe it’s a much-needed step in fighting the threat of cyber-attacks.”

The architecture of this system would establish a series of sensors across various computer networks that would sound an alarm in the event of a possible cyber-attack. Theoretically, the sensors would be deployed at agencies and private companies that handle the nation’s most critical infrastructure, including the electrical grid, nuclear power plants, subway systems, and air-traffic control networks. It is reasonable to ask what mechanisms will be installed to deter, block or terminate any unwanted or malicious activity.

The proposed program cannot legally force private companies yet to accept Perfect Citizen. According to The WSJ, “the government would dangle various incentives to get them to tie into the new system.” As is usually the case, these dangles would become requirements as do all similar programs that are phased in – no citation needed.

A CNET.com article by Lance Whitney states that, In spite of privacy concerns, many businesses might find the extra protection valuable, as in the case of Google, which enlisted the aid of the NSA last year to help investigate the cyberattacks launched from China. Reportedly, Google and the NSA chatted earlier this year about a more formal partnership to thwart future cyber-attacks. The new program is getting funding from the Comprehensive National Cybersecurity Initiative. This multi-billion initiative hinted at the Perfect Citizen project with plans by the NSA to expand its surveillance into the private sector through a network monitoring system named Einstein. Defense company Raytheon has already scored a contract worth up to $100 million for the initial stage of the project, the Journal said, citing a person familiar with the project.”

In an follow-up article by Lance Whitney dated July 9, 2010 12:53 PM PDT, titled “NSA offers explanation of Perfect Citizen” in what appears to be a complete 180 degree position as expressed by the NSA spokeswoman Judith Emmel who stated in a WSJ interview that, “The Perfect Citizen project is purely a research-and-engineering effort, not an attempt to monitor companies against cyber-attack. Judith Emmel went on to say that the Perfect Citizen program is “purely a vulnerabilities assessment and capabilities development contract.” And that “it does not involve the monitoring of communications or the placement of sensors on utility company systems.”

The NSA said (referring to Perfect Citizen as a contract), that it “provides a set of technical solutions that help the agency better understand the threats to national-security networks, which is a critical part of NSA’s mission of defending the nation.” And that “any suggestions that there are illegal or invasive domestic activities associated with this contracted effort are simply not true. We strictly adhere to both the spirit and the letter of U.S. laws and regulations.”

In a closely related development, the White House, in coordination with the Department of Homeland Security, is taking suggestions from John Q. Public (sure…) in an effort to develop a comprehensive strategy to better protect people in cyberspace.

A draft of the new National Strategy for Trusted Identities in Cyberspace was just released on Friday, July 9, 2010.

Interestingly enough, the goal, as described in a patronizing blog post by White House cyber-security chief Howard Schmidt, “is to secure and protect transactions in cyberspace through use of a special ID–a smart card or digital certificate–that would prove that people are who they say they are. These digital IDs would be offered to consumers by online vendors for financial transactions.”

As a reminder, back in March 2009, the then Cyberspace Security Director Rod Beckstrom resigned.

Rod Beckstrom, a former Silicon Valley entrepreneur, said in his resignation letter that the NSA’s central role in cybersecurity is “a bad strategy” because it is important to have a civilian agency taking a key role in the issue.

The NSA is part of the Department of Defense. Mr. Beckstrom wrote to Homeland Security Secretary;

“NSA currently dominates most national cyber efforts. While acknowledging the critical importance of NSA to our intelligence efforts, I believe this is a bad strategy on multiple grounds.” …

The threats to our democratic processes are significant if all top level government network security and monitoring are handled by any one organization (either directly or indirectly).”

In another first, the U.S. Department of Homeland Security has launched a Web site to elicit ideas and feedback on the NSTIC, however, because there is no way to authenticate the identity of these posts, they may very well have been generated by the Department of Homeland Security itself.

On a side note, I think it needs to be pointed out that most people do not go to the Department of Homeland Security website because of a very real belief that within hours of doing so, Storm Troopers would be busting down their door, trash their house and confiscate anything they could get their hands on. One rhetorical question might be, “Who are the Terrorists in society today?” but we won’t ask that.

According to Schmidt, “The initial draft of the NSTIC was created with input from key government agencies, business leaders, and privacy advocates in response to one of the action items in President Obama’s Cyberspace Policy Review.” (Lie #4,268)  Playing the superhero, Schmidt actually went on record saying, “With online consumers and companies grappling with fraud and identity theft, the administration wants an identity ecosystem in which people can feel more safe and secure, as they conduct business over the Internet.”

Schmidt outlined a number of specific benefits that relate to the NSTIC’s digital-ID initiative, paraphrasing, “A smart identity card would eliminate–or at least reduce–the need to juggle a multitude of usernames and passwords for each online service. Such an ID system would also let individuals choose and control how much private information they wished to reveal to authenticate themselves online.”

The final piece of this complex puzzle is being readied to put in place, namely OpenID. The final step will probably be a requirement to authenticate your identity at the edge, meaning your access point (computer), or else not be allowed to gain access to the internet.

OpenID is an open standard that describes how users can be authenticated in a decentralized manner, obviating the need for services to provide their own ad hoc systems and allowing users to consolidate their digital identities. The OpenID protocol does not rely on a central authority to authenticate a user’s identity. Moreover, neither services nor the OpenID standard may mandate a specific means by which to authenticate users, allowing for approaches ranging from the common (such as passwords) to the novel (such as smart cards or biometrics).

The term OpenID may also refer to an ID as specified in the OpenID standard; these IDs take the form of a unique URL, and are managed by some ‘OpenID provider’ that handles authentication. OpenID authentication is now used and provided by several large websites. Providers include AOL, BBC, Facebook, Google, IBM, Microsoft, MySpace, Orange, PayPal, VeriSign, LiveJournal, Yandex, Ustream, Stackoverflow and Yahoo!

Fortunately, there is still time to participate in how this develops and becomes law – and it will become law. By taking a look at the OpenID Foundation website, one can read the following:

The US Government has reached out to the OpenID Foundation for collaboration in support of the Government Services Administration’s pilot adoption of OpenID technology.

The recent objection by Industry giants, Cisco, IBM & Oracle, to the Internet Kill Switch demonstrates a degree of sanity by Corporate Executives who see much of this as Government Control, to the decisions being made without much public input. Of significant interest is that in searching for this letter to the Senators, the number of sources was extremely low in number – as if this information is being suppressed.

If one is to have any effect on these systems of control being permanently put into law, it might be a good time to step up and participate in what’s going on in your government.

Take the governments advice and be a “Perfect Citizen” – Get Involved


Cisco, IBM, Oracle Misread Bill on Supply Chain Risk Management

July 1, 2010

Mr. John T. Chambers
Chairman, President and Chief Executive Officer
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134

Mr. Samuel J. Palmisano
Chairman, President and Chief Executive Officer
IBM Corporation
1 New Orchard Road
Armonk, New York 10504

Mr. Lawrence J. Ellison
Chief Executive Officer
Oracle Corporation
500 Oracle Parkway
Redwood Shores, CA 94065

Dear Mr. Chambers, Mr. Palmisano, and Mr. Ellison:

On June 24, 2010, your companies wrote to us concerning the Protecting Cyberspace as a National Asset Act, S. 3480. We introduced this bill on June 10, and it was favorably reported out of the Homeland Security and Governmental Affairs Committee on June 24 by a unanimous voice vote. This legislation is informed by years of oversight by this Committee and is the result of more than a year of drafting. Our staff spent considerable time working with industry representatives – including representatives from your companies – and the bill, as reported, addresses many of the concerns your companies raised during that time.

It is extremely misleading to argue that our legislation would grant the NCCC any authority to monitor or compel the production of information from the private sector.  Indeed, the legislation expressly states – in numerous places – that it would grant no authority to the federal government to conduct surveillance on private networks or compel the production of information. Indeed, in the very section (Sec. 242(f)(1)(C)) cited in your letter regarding “dynamic, comprehensive, and continuous situational awareness of the security status of . . . the national information infrastructure,” our legislation makes clear that the NCCC’s analysis will be based on “sharing and integrating classified and unclassified information . . . on a routine and continuous basis” with several federal cyber operations centers and the private sector.  Moreover, as it relates to the private sector, that section explicitly states that information will be shared with the NCCC from “any non-Federal entity, including, where appropriate, information sharing and analysis centers, identified by the Director, with the concurrence of the owner or operator of that entity and consistent with applicable law.”  (Emphasis added).    Indeed, our legislation carefully distinguishes between the “situational awareness” required under Section 242(f)(1)(C) and the “automated and continuous monitoring” that would be required for federal networks under Title III.  It is simply incongruous to interpret section 242, as your letter does, as an authorization to deploy “government monitoring devices on private networks.”

Section 248(b). The assertion in your letter that the regulatory authority in Section 248(b) is “apparently unbounded” is equally without merit. Quite to the contrary, our bill specifies that only those systems or assets whose disruption would cause a national or regional catastrophe could be subject to the bill’s mandatory risk-based security performance requirements.  To qualify as a national or regional catastrophe, the disruption of the system or asset would have to cause:

•    mass casualties with an extraordinary number of fatalities;
•    severe economic consequences;
•    mass evacuations of prolonged duration; or
•    severe degradation of national security capabilities, including intelligence and defense functions.

Thus, the bill sets up a process that clearly defines – and limits – the systems and assets that the Secretary of Homeland Security can identify as covered critical infrastructure.

OpenCongress S.3480 – Protecting Cyberspace as a National Asset Act of 2010


Texts on Strategy

Classic texts such as Chanakya’s Arthashastra written in the 3rd century BC, Sun Tzu’s The Art of War, written in China 2,500 years ago, the political strategy of Niccolò Machiavelli’s The Prince, written in 1513, or Carl von Clausewitz’s On War, published in 1832, as with the Japanese classic The book of five rings by Miyamoto Mushashi written in 1645, are still well known, and highly influential. In the 20th century, the subject of strategic management has been particularly applied to organizations, most typically to business firms and corporations.

Designing Organization for Higher Performance published in 1988; It is a good guide to develop higher levels of performance since it offers strategies that are viable in large organizations. – Wikipedia

Fabian strategy is a military strategy where pitched battles and frontal assaults are avoided in favor of wearing down an opponent through a war of attrition and indirection. While avoiding decisive battles, the side employing this strategy harasses its enemy through skirmishes to cause attrition, disrupt supply and affect morale.

Capstone Concept for Joint Operations Version 3.0

The United States inevitably will find it necessary to respond to a variety of civil crises by acting to relieve human suffering and restore civil functioning, most often in support of civil authorities.[13] These crises include any kind of disruption to civil functioning resulting from any natural or manmade disaster, civic disturbance, or endemic condition that creates a significant threat to human life or public welfare. They may be foreign or domestic. They may occur independently, as in a natural disaster disrupting an otherwise functioning society, or they may occur within the context of a conflict, such as widespread suffering in a nation embroiled in an insurgency.

Security may often be a factor in crisis response, as the result of the breakdown of civil order, even when there is no military adversary involved. Moreover, even when a civil crisis occurs independently of existing conflict, there often is the risk that violent conflict might arise out of the disorder and suffering. This challenge is likely to become more common in the future as more states find themselves unable to cope with the demographic and natural resource trends described in the Joint Operating Environment.


National Security Agency (NSA)

Report: NSA initiating program to detect cyberattacks

By Lance Whitney July 8, 2010 7:06 AM PDT

U.S. Plans Cyber Shield for Utilities, Companies


NSA offers explanation of Perfect Citizen

By Lance Whitney July 9, 2010 12:53 PM PDT

White House drafting plan for cyberspace safety

By Lance Whitney June 28, 2010 8:30 AM PDT


OpenID Foundation

OpenCongress S.3480 – Protecting Cyberspace as a National Asset Act of 2010


Fair Use Notice:

The material on this site is provided for educational and informational purposes. It may contain copyrighted material the use of which has not always been specifically authorized by the copyright owner. It is being made available in an effort to advance the public understanding of political, social, and economic issues. It is believed that this constitutes a ‘fair use’ of any such copyrighted material as provided for in section 107 of the US Copyright Law. In accordance with Title 17 U.S.C. Section 107, the material on this site is distributed without profit to those who have an interest in using the included information for research and educational purposes. If you wish to use copyrighted material from this site for purposes of your own that go beyond ‘fair use’, you must obtain permission from the copyright owner. The information on this site does not constitute legal or technical advice.


About this entry