Widespread blackouts sweep across the country, traffic signals go haywire, global financial markets freeze, the Pentagon’s data network collapses.
These calamities and much worse are exactly what could happen in the event of a large-scale “attack” on computer networks in the United States, or so the experts say. The problem will start small, say, bringing down an electrical grid within minutes. However, what may have seemed like an isolated incident could create scores of network outages across the country’s critical infrastructure. To many in the American military, federal agencies and high-tech companies, the threat from America’s fiercest adversaries is ominous. Their target isn’t necessarily military, but rather the networks owned and maintained by private companies with household names like Consolidated Edison, Citigroup, Exxon and Google. And to many of these gatekeepers, it’s not a matter of if, but when — unless something is done now to shore up security of these networks.
“There’s a perfect storm coming,” said David Chronister, a self-described “ethical hacker” and founder of Parameter Security, a consulting company. “Companies think they are secure because they are compliant with standards, but they really don’t know enough. There’s a false sense of security.”
The pace at which hackers and other intruders are inventing ways of breaking into private networks, including critical U.S. infrastructure, is far outpacing the ability to protect them, said Chronister. At the same time, people routinely underestimate the damage a region would sustain if its electrical network, perhaps even its water supply, were to go down for an extended period. The impact, Chronister said, could be devastating.
Yet effective protection from cyber-threats requires unprecedented cooperation between the public and private sectors. Unfortunately, the two sides are not even close.
To the private sector, the federal government is falling dramatically short of meeting its cyber-security expectations. According to the Government Accountability Office’s Critical Infrastructure Protection report, fewer than one-third of private-sector respondents said they felt the federal government was meeting their expectations for “timely and actionable” information and alerts related to cyber-threats. And roughly four out of five private-sector respondents indicated that they felt the mechanisms for sharing information between the public and private sectors were inadequate.
The report also showed that federal agencies weren’t meeting private industry’s expectations for assisting with security tests, offering training opportunities or providing necessary security clearances. These companies reported a lack of a “single centralized government cyber-information source.” These shortcomings, the report concluded, hinder the private sector’s ability to thwart cyber-attacks.
But federal agencies say the private sector shares responsibility for shortcomings in the partnership. Public agencies would like the private sector to be more willing to share proprietary information with federal agencies — something it’s currently reluctant to do — the report states. Restrictions within the private sector on the kind of information it can share make it difficult to provide individualized treatment to any single business sector.
Jeffrey Carr, a cyber-security expert and author of Inside Cyber Warfare, said the private network operators, most notably the nation’s largest utility companies, rather than the public sector, should be blamed for delays in addressing security. Most of the nation’s energy companies, for example, have been very adversarial toward federal security efforts from the start. “Private industry has been dragging its feet, finding ways to be excluded,” he said.
Invisible Threat
The threat of cyber-attacks has been steadily increasing for several years, while it has become much clearer that the United States is unprepared to protect itself against such attacks. Estimates vary as to the exact cost of cyber-crime, but in a 2009 speech, President Barack Obama put the 2007-2008 combined total at $8 billion.
The sources of cyber-attacks take many forms, from individual unauthorized hackers accessing private networks and criminal groups seeking monetary gain to individuals or terrorist organizations attempting to break into critical data networks to threaten national security, perhaps even cripple the economy. It is this last category that poses the greatest national threat.
So-called botnets are a particularly dangerous security threat because they can remain nearly invisible while siphoning data to a new destination. These intrusions focus on stealing intellectual property, rather than taking down networks. Perhaps the most malicious form of cyber-attack seen so far is the denial-of-service attack, in which hackers send repeated requests to a network to overload it and shut it down.
Reports of cyber-attacks over the past few years illustrate the seriousness of the problem and its potentially devastating impact on private industry and public safety. While more than 100 countries can launch cyber-attacks, China is considered the greatest threat to the United States, and relations between the two countries have become fraught with hostility and suspicions over cyber-security. According to Chronister, Russia is considered an increasing threat as well.
In March 2008, according to the Critical Infrastructure Protection report, the Department of Defense and other federal agencies and contractors reported that their computer networks were targets of intrusion, and the attacks appeared to have originated in China.
In 2009, North Korea was suspected of an attack that started July Fourth weekend and took down the Web servers of the U.S. Treasury, Secret Service and Federal Trade Commission, among others. (South Korean government Web servers were hit at roughly the same time.)
And in 2010, it came to light that more than 30 private companies, many of them in Silicon Valley, had experienced intrusions of their data networks. Of those companies, Google said it had been the victim of a “highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google.”
But perhaps the most dramatic example of a cyber-attack came last summer when a malicious computer worm found its way into an Iranian nuclear plant after infecting thousands of computer systems worldwide. The incident, caused by a malicious software program called Stuxnet, made it glaringly obvious how vulnerable the world’s critical computer networks really are, and perhaps more importantly, just how difficult it can be to find the source of malicious programs. The exact origin of the Stuxnet worm has never been discovered, but its ferocity, along with its surreptitiousness, sent shock waves through the federal agencies charged with preventing such attacks and showed private industry just how little is known about securing the nation’s infrastructure.
New Approach, New Controversy
The most recent approach to protecting U.S. infrastructure from cyber-attacks came in the form of a new program from the National Security Agency (NSA). Called Perfect Citizen, the program is intended to monitor threats to the country’s infrastructure, including electrical networks, nuclear power plants and transportation systems, and to trigger an alarm in the event of an impending intrusion.






