WASHINGTON—The
nation's top spies warned Tuesday of the rising threat of cyberattacks
to national and economic security, comparing the concern more directly
than before to the dangers posed by global terrorism.
U.S. intelligence officials told a
Senate hearing that the nation is vulnerable to cyberespionage,
cybercrime and outright destruction of computer networks, both from
sophisticated, government-sponsored assault as well as criminal hacker
groups and cyberterrorists.
"It's hard to overemphasize its significance," Director of National
Intelligence James Clapper said, addressing members of the Senate
Intelligence Committee. "These capabilities put all sectors of our
country at risk—from government and private networks to critical
infrastructures."
Federal Bureau of Investigation
Director Robert Mueller cited cybersecurity as something that keeps him
awake at night, saying at the hearing it "has grown to be right up
there" with terrorism.
The intelligence officials, in
describing an annual inventory of global problems, didn't reveal
imminent new cyberthreats or previously undisclosed plots.
But they amplified their warnings by
casting them in terms usually reserved for threats emanating from al
Qaeda and Iran, and they included projections of where the danger is
expected to lead in the next two years.
The warnings came as part of an aggressive Obama administration
campaign to draw attention to cybersecurity and to stir action to
counter infiltrations and attacks that officials have said could allow
foes to commandeer a nuclear-power plant or disrupt the financial
system.
Last month, President Barack Obama
signed an executive order aimed at bolstering computer-network
protections, and he noted the "rapidly growing threat from cyberattacks"
in his State of the Union address.
"We cannot look back years from now and
wonder why we did nothing in the face of real threats to our security
and our economy," he said then.
The following week, the administration
rolled out a strategy to combat the theft of trade secrets. And Monday,
in a speech in New York, National Security Adviser Thomas Donilon
singled out China as a top perpetrator, demanding it adopt international
standards of behavior in cyberspace.
Chinese officials deny that Beijing engaged in such activities.
On Saturday, China's foreign minister,
Yang Jiechi, called for cooperation on cybersecurity and said that China
is a victim of cyberattacks. "Cyberspace needs not war, but rules and
cooperation," Mr. Yang said at a news conference. He said cyberspace
shouldn't become a "new battlefield."
Mr. Obama discussed the issue with
lawmakers when he met behind closed doors Tuesday with a group of Senate
Democrats, participants in the meeting said. The administration push
continues Wednesday when Mr. Obama holds a meeting with U.S. executives
in the White House Situation Room to discuss cybersecurity.
But for all the collective worrying,
there was little agreement between the Obama administration and Congress
Tuesday over how to address the problem.
At a second Senate hearing, before the
Armed Services Committee, lawmakers tussled over the role of the federal
government in guarding against threats.
Army Gen. Keith Alexander, head of the
U.S. Cyber Command, a part of the military, acknowledged that the Obama
administration is debating internally how to proceed when U.S. companies
are under cyberattack.
"The issue that we're weighing is: When
does a nuisance become a real problem and when are you prepared to step
in for that?" he said at the hearing. "That's the work that I think the
administration is going through right now and highlighting that."
Lawmakers, too, acknowledged they can't agree on legislative measures to bolster protections for computer networks.
Last year, Republicans defeated a White
House-backed bill that would have established voluntary cybersecurity
standards for companies running critical infrastructure such as the
electrical grid, citing concerns about a government role in
cybersecurity.
Mr. Obama's executive order last month established voluntary
standards as an interim measure, but the order lacks key incentives for
companies to participate, like liability protections, that would require
legislation.
The cost of protections remains another
stumbling block, particularly for power companies, Gen. Alexander said,
as he provided a relative ranking of computer protections in private
industry.
"The banks and the Internet-service companies are pretty good; the power companies, not so good," Gen. Alexander said.
In testimony before the House
Intelligence Committee in February, Kenneth W. DeFontes Jr., chief
executive of Baltimore Gas & Electric Co., told lawmakers that the
electric industry takes cybersecurity "very seriously."
Intelligence officials cited
cyberassaults last year on the websites of many U.S. banks and a more
destructive attack on a Saudi oil company that destroyed 30,000
computers as examples of the kind of disruptions already taking place.
They didn't discuss who mounted those
attacks, but U.S. defense and intelligence officials have said the
Iranian government is behind them. Iran has denied any involvement in
the attacks.
"What we're seeing with the banks today
I am concerned is going to grow significantly throughout the year,"
Gen. Alexander said at the hearing.
Looking ahead, Mr. Clapper said that
chances of an ultrasophisticated attack capable of wiping out major
nationwide computer networks are "remote." Countries most capable of
carrying out such an attack—China and Russia—are unlikely to launch such
assaults in the absence of a conflict or crisis, according to the
assessment.
But even relatively unsophisticated
hackers were projected by the intelligence officials of eventually being
capable of disrupting insecure computer networks running parts of vital
functions—like the power grid.
Cyberattacks from "less advanced but
highly motivated actors" could do great harm because of impacts on
computer networks connected to the one under attack, the assessment
concluded.
U.S. intelligence has picked up indications that terrorists, too, are weighing cyberattacks, according to the annual assessment.
Fear Factors
The government's annual intelligence review cites threats other than cyberattacks:
•
Terrorism and organized crime: A decentralized extremist movement still poses dangers.
•
Nuclear fears: Iran may develop longer-range
missiles that could carry weapons of mass destruction; North Korea is a
threat to neighbors and the U.S
•
Space wars: U.S. reliance on satellites for communications, navigation and surveillance could be undermined
•
Food, water, energy, minerals: Natural disasters and growing competition tighten supplies.
•
Health and pandemic threats: Pathogens jumping from animals to humans increases risks
•
Eurozone crisis: Economic deterioration remains a threat.
Write to Siobhan Gorman at
siobhan.gorman@wsj.com and Siobhan Hughes at
siobhan.hughes@dowjones.com