The National Security Agency's "Perfect Citizen" program--revealed July 8 by The Wall Street Journal--raises a host of troubling questions for individual citizens and corporations. The agency disputed the newspaper's characterization of the program as a network monitoring endeavor, calling it instead a "research and engineering" initiative, but that provides little insight into what's going on. More worrisome, we have not been given a clearly articulated justification for further involving the surveillance agency--which is part of the Department of Defense--in private, domestic affairs.

In a statement released after The Wall Street Journal's story ran, the NSA said that Perfect Citizen is a contract for "vulnerabilities-assessment and capabilities-development." The agency says that the program does not involve monitoring communications or using sensors, but that raises questions about how vulnerabilities are assessed, and what is being researched and engineered. 

We can all probably agree that it's understandable for a spy agency to remain deliberately vague about its activities--even, perhaps, if they are taking place on our own soil. But it seems that before big changes are made to the nation's fundamental policies on military involvement in civilian enterprises, the necessity for those changes should be made imminently clear.   

Numerous information security writers raced to defend Perfect Citizen, echoing long-heard, dire-sounding warnings about cyberwar.  (Take a look at our recap of the story and some of the reaction in the blogosphere.) Yet, absent from the warnings are concrete examples of the threat, the enemies or battlefield activities to date.

In what is perhaps an ironic bit of timing, the day before The Wall Street Journal story ran, CNN.com posted a column from security technologist Bruce Schneier, who argued that "the entire national debate on cyberwar is plagued with exaggerations and hyperbole."  To be sure, Schneier says, there are threats to networks every day, and much can and should be done to improve network security. However, he says, it is dangerous to give such threats the ominous label "war" when they don't rise to that level of danger.

"If we frame the debate in terms of war, if we accept the military's expansive cyberspace definition of 'war,' we feed our fears," Schneier writes. "We invite the military to take over security, and to ignore the limits on power that often get jettisoned during wartime."

Schneier maintains that we are not in the midst of a cyberwar, and I have not seen any solid evidence refuting his assessment. If we are going to expand the NSA's involvement in private companies' networks, we should be given a better idea about who the enemies are, what acts they've committed against us so far, and what dangers they pose. - Caron