Thursday, March 14, 2013

WSJ Article: U.S. Steps Up Alarm Over Cyberattacks

WASHINGTON—The nation's top spies warned Tuesday of the rising threat of cyberattacks to national and economic security, comparing the concern more directly than before to the dangers posed by global terrorism.

U.S. intelligence officials told a Senate hearing that the nation is vulnerable to cyberespionage, cybercrime and outright destruction of computer networks, both from sophisticated, government-sponsored assault as well as criminal hacker groups and cyberterrorists.

"It's hard to overemphasize its significance," Director of National Intelligence James Clapper said, addressing members of the Senate Intelligence Committee. "These capabilities put all sectors of our country at risk—from government and private networks to critical infrastructures."

Federal Bureau of Investigation Director Robert Mueller cited cybersecurity as something that keeps him awake at night, saying at the hearing it "has grown to be right up there" with terrorism.

The intelligence officials, in describing an annual inventory of global problems, didn't reveal imminent new cyberthreats or previously undisclosed plots.

But they amplified their warnings by casting them in terms usually reserved for threats emanating from al Qaeda and Iran, and they included projections of where the danger is expected to lead in the next two years.

The warnings came as part of an aggressive Obama administration campaign to draw attention to cybersecurity and to stir action to counter infiltrations and attacks that officials have said could allow foes to commandeer a nuclear-power plant or disrupt the financial system.

Last month, President Barack Obama signed an executive order aimed at bolstering computer-network protections, and he noted the "rapidly growing threat from cyberattacks" in his State of the Union address.

"We cannot look back years from now and wonder why we did nothing in the face of real threats to our security and our economy," he said then.

The following week, the administration rolled out a strategy to combat the theft of trade secrets. And Monday, in a speech in New York, National Security Adviser Thomas Donilon singled out China as a top perpetrator, demanding it adopt international standards of behavior in cyberspace.
Chinese officials deny that Beijing engaged in such activities.

On Saturday, China's foreign minister, Yang Jiechi, called for cooperation on cybersecurity and said that China is a victim of cyberattacks. "Cyberspace needs not war, but rules and cooperation," Mr. Yang said at a news conference. He said cyberspace shouldn't become a "new battlefield."
Mr. Obama discussed the issue with lawmakers when he met behind closed doors Tuesday with a group of Senate Democrats, participants in the meeting said. The administration push continues Wednesday when Mr. Obama holds a meeting with U.S. executives in the White House Situation Room to discuss cybersecurity.

But for all the collective worrying, there was little agreement between the Obama administration and Congress Tuesday over how to address the problem.

At a second Senate hearing, before the Armed Services Committee, lawmakers tussled over the role of the federal government in guarding against threats.

Army Gen. Keith Alexander, head of the U.S. Cyber Command, a part of the military, acknowledged that the Obama administration is debating internally how to proceed when U.S. companies are under cyberattack.

"The issue that we're weighing is: When does a nuisance become a real problem and when are you prepared to step in for that?" he said at the hearing. "That's the work that I think the administration is going through right now and highlighting that."

Lawmakers, too, acknowledged they can't agree on legislative measures to bolster protections for computer networks.

Last year, Republicans defeated a White House-backed bill that would have established voluntary cybersecurity standards for companies running critical infrastructure such as the electrical grid, citing concerns about a government role in cybersecurity.

Mr. Obama's executive order last month established voluntary standards as an interim measure, but the order lacks key incentives for companies to participate, like liability protections, that would require legislation.

The cost of protections remains another stumbling block, particularly for power companies, Gen. Alexander said, as he provided a relative ranking of computer protections in private industry.
"The banks and the Internet-service companies are pretty good; the power companies, not so good," Gen. Alexander said.

In testimony before the House Intelligence Committee in February, Kenneth W. DeFontes Jr., chief executive of Baltimore Gas & Electric Co., told lawmakers that the electric industry takes cybersecurity "very seriously."

Intelligence officials cited cyberassaults last year on the websites of many U.S. banks and a more destructive attack on a Saudi oil company that destroyed 30,000 computers as examples of the kind of disruptions already taking place.

They didn't discuss who mounted those attacks, but U.S. defense and intelligence officials have said the Iranian government is behind them. Iran has denied any involvement in the attacks.
"What we're seeing with the banks today I am concerned is going to grow significantly throughout the year," Gen. Alexander said at the hearing.

Looking ahead, Mr. Clapper said that chances of an ultrasophisticated attack capable of wiping out major nationwide computer networks are "remote." Countries most capable of carrying out such an attack—China and Russia—are unlikely to launch such assaults in the absence of a conflict or crisis, according to the assessment.

But even relatively unsophisticated hackers were projected by the intelligence officials of eventually being capable of disrupting insecure computer networks running parts of vital functions—like the power grid.

Cyberattacks from "less advanced but highly motivated actors" could do great harm because of impacts on computer networks connected to the one under attack, the assessment concluded.
U.S. intelligence has picked up indications that terrorists, too, are weighing cyberattacks, according to the annual assessment.


Fear Factors

The government's annual intelligence review cites threats other than cyberattacks:
Terrorism and organized crime: A decentralized extremist movement still poses dangers.
Nuclear fears: Iran may develop longer-range missiles that could carry weapons of mass destruction; North Korea is a threat to neighbors and the U.S
Space wars: U.S. reliance on satellites for communications, navigation and surveillance could be undermined
Food, water, energy, minerals: Natural disasters and growing competition tighten supplies.
Health and pandemic threats: Pathogens jumping from animals to humans increases risks
Eurozone crisis: Economic deterioration remains a threat.

Write to Siobhan Gorman at and Siobhan Hughes at