Back in 2010, The Wall Street Journal first uncovered evidence of an NSA program called Perfect Citizen, which was designed to detect cyber assaults on things like power grids, nuclear plants, and other critical infrastructure. The WSJ had sources within the NSA and Raytheon (who allegedly won the government contract to work on the project), but both groups initially declined to comment on the full extent of the program. The NSA told CNET in 2010 that that Perfect Citizen "does not involve the monitoring of communications or the placement of sensors on utility company systems," and called the WSJ's report an "inaccurate portrayal of the work performed at the National Security Agency" — but the intelligence agency declined to confirm or deny specifics in the report. But now, thanks to documents obtained by the Electronic Privacy Information Center (EPIC) via the Freedom of Information Act, details of Perfect Citizen have been revealed.
The recently-released document is 190 pages of dry legalese, but it does confirm that a statement of work was first released back in September of 2009, with Raytheon being awarded the government contract in June of 2010 — just before The Wall Street Journal published its story on the project. The background in the statement of work confirms the government's concern with the security of sensitive control systems (SCS), sayng that "the protection of SCS... has become a significant point of interest in support of the Department of Defense and the Intelligence Community." It goes on to say that "the prevention of a loss due to a cyber of physical attack, or recovery of operational capacity after such an event, is crucial... to the DOD, the IC, and the operation of SIGINT [signals intelligence] systems."
More than two years later, the existence of Perfect Citizen has been confirmed
As EPIC states, Perfect Citizen runs by employing sensors in computer networks that would be automatically activated by suspicious activity, but the program was not designed to monitor computers continuously. That hasn't stopped the program from triggering privacy concerns — the WSJ's 2010 report contained an internal email from a Raytheon employee that said "Perfect Citizen is Big Brother."
Shortly after that initial report, the NSA issued a brief statement claiming the program was "purely a vulnerabilities assessment and capabilities development contract" that "does not involve the monitoring of communications or the placement of sensors on utility company systems." Furthermore, the NSA made it clear that it was not engaging in any illegal or unauthorized monitoring, saying "we strictly adhere to both the spirit and the letter of U.S. laws and regulations."
While these documents don't tell the entire story of Perfect Citizen — some 98 additional pages were withheld, and the pages that were released contain a large amount of censored material — it seems pretty clear that the program is closer to what The Wall Street Journal originally reported and is a lot more than a vulnerabilities assessment. From the contracts within the released documents, it looks like Raytheon will have employees working on the program through September of 2014. We've reached out to EPIC for any more details on the Perfect Citizen program that they'd be willing to share, and will update with any other information we receive.