Secret NSA Cybersecurity Program Aims to Defend US Power Grid

Citing unnamed sources, the original Wall Street Journal article said that the program did indeed involve placing sensors that can detect illegitimate cyberactivity. But the new documents don't clarify this point. Deploying such sensors would be especially sensitive since the NSA is an arm of the Pentagon charged with collecting and analyzing foreign communications and defending U.S. government communications and computer networks – not domestic spying.

"This is a research and engineering effort. There is no monitoring activity involved, and no sensors are employed in this endeavor," the 2010 statement says.

Indeed, the NSA is not authorized to intercept the communications of U.S. citizens unless specifically authorized to do so by a special court acting under theForeign Intelligence Surveillance Act. Yet The New York Times reported in 2005 that the NSA had been involved in conducting wiretaps of calls made by U.S. citizens to persons overseas without first getting a warrant from the court.

"Any suggestions that there are illegal or invasive domestic activities associated with this [Perfect Citizen] contracted effort are simply not true," says the NSA's 2010 statement. "We strictly adhere to both the spirit and the letter of U.S. laws and regulations."

Spies Penetrate U.S. Power Grid Watch Video

Safety Online Watch Video

Still, privacy rights groups remain worried the program is focused on digital filtering or monitoring – and developing systems to do that. The Statement of Work document, for instance, requires development of "Computer Network Defense best practices/capabilities that defend against vulnerabilities identified in a SCS."

"Previously the agency had said it was just a research program," says Ginger McCall, director of the Open Government Program at EPIC, which won release of the documents. "But we see in these documents that they do intend to conduct testing, actual research, actual vulnerability testing and develop software tools that could be operational."

Other experts say the documents are suggestive, but do not ultimately clarify Perfect Citizen's scope.

"It's hard to say if the project is only research, only operational, or a combination of both," says John Bumgarner, a research director for the U.S. Cyber Consequences Unit, a nonprofit security think tank that advises government and industry. "The contract cost for the project seems way too low to be an operational program to, say, protect the entire U.S. electric grid from cyberattack."

But EPIC's main concern is that Perfect Citizen could be already conducting, or planning to conduct, online digital monitoring of data without proper authorizations or having the program itself evaluated for privacy implications. When the Department of Homeland Security undertakes such projects, Ms. McCall notes, it is required to conduct privacy impact assessments. She questions what has happened in this case (which is not under the authority of DHS).

"It appears as though the NSA is trying to develop cybersecurity protective technology, but that as part of this contract, they're conducting testing already," she says. "This isn't merely research."

Others, however, applaud the project, saying such measures are needed.

"The project makes sense, as the government relies on industry for most of its requirements in the way of water, sewer, and power," says one cybersecurity expert who requested anonymity because his company does business with the government.