A little while ago, The Wall Street Journal ran an article that detailed a massive effort by the National Security Agency to monitor high-risk targets in the U.S. against the possibility of attack by foreign interests or by terrorists. The story suggested that this effort was somehow invasive, that the agency planned to plant sensors at private industries and in quasi-public interests, and in general keep an eye on things. Privacy advocates were appalled.
So I decided to do something that the WSJ folks didn't do. I called up some people at the NSA and asked them what was up. I should mention that the NSA has a public affairs office, that they'll answer questions from the media if asked, and are, in general, a lot more responsive than other more secretive agencies such as say, Congress.
Before I talk about what's going on here, there's one more disclosure I should make. I'm a retired naval officer, and I've run military data centers and I've served for years on board combatant ships. One of the things that we practiced constantly is how to protect U.S. commercial interests from harm on the high seas. I look at efforts by the NSA to protect U.S. business interests as being analogous to my years on destroyers practicing convoy duty. Just because the asset is owned by a business doesn't make it less important to the nation.
So shortly after I called, Judith Emmel at the NSA sent me a statement explaining what the NSA is doing in its Perfect Citizen program. Basically, she told me, it's a vulnerability assessment effort being performed by a private contractor . The idea is to make sure that the digital infrastructure of the U.S. has sufficient depth to provide adequate protection from whoever might decide to cause harm, whether they're the Chinese, the Russians or a terrorist group.
In other words, the NSA is doing for the national digital infrastructure exactly the same thing that you should be doing for your company's infrastructure already. A company that plans to keep its intellectual property to itself, keep its customers' personal information protected, and keep itself from becoming a host to a botnet needs to be scanning its data systems on a nearly continuous basis. If your company isn't doing this, then you're probably vulnerable, and it's very likely that someone is already taking advantage of you.
Unfortunately, you have to do this for yourself. For a variety of reasons, including a pesky prohibition against domestic surveillance, the NSA isn't going to do it for you. But what it can do is guard against vulnerabilities that can be attacked from outside. The result of this vulnerability assessment will be a better picture of the current threats to the U.S. from groups that would harm U.S. interests. They didn't say, but I would presume that this will be an ongoing effort since any vulnerability profile can be a moving target, whether it's your company's or the nation's.
Since the story broke a few days ago, the vulnerability picture in the U.S. has become more clear. There's no question that the vulnerability of our systems is being tested by outside interests on a nearly constant basis. Just like the Chinese government tried to penetrate Google, they're trying to penetrate virtually every company that does business with the U.S. government, any organization that controls critical infrastructure or that controls important financial interests. And it's not just the Chinese, it's everyone else, too.
In this ongoing cyber war to control the infrastructure of the U.S., the enemy never sleeps. We should hope that the NSA never sleeps, either.