Department of Homeland Security Secretary Janet Napolitano said today that a major computer attack against critical U.S. infrastructure could result in a loss of life and massive economic damages.
“The network intrusion that shuts down the nation’s critical infrastructure ... could cause loss of life but also a huge economic loss,” Napolitano said at a cybersecurity event sponsored by the Washington Post. “We’ve seen attempts on Wall Street, transportation systems, things of those sorts.”
Cybersecurity experts have long warned that hackers could target electrical grids and power plants, which could affect hospitals and water treatment plants.
Napolitano also said DHS offices had been probed by hackers attempting to infiltrate the department’s systems, although she declined to comment on the specifics of the intrusions or to say whether they had targeted her office.
Napolitano discussed a wide range of computer security issues at the event and urged Congress to push forward with cybersecurity legislation that the White House had proposed in May. Despite the partisan rancor that often comes from Congress, Napolitano said she hoped the legislation could gain strong bipartisan support.
“Cyber attacks are increasing in frequency, in complexity and in consequence,” Napolitano said. “In [fiscal year] 2011 alone, our U.S. Computer Emergency Readiness Team, CERT, responded to more than 100,000 incident reports and released more than 5,000 actionable cybersecurity alerts and information products.”
Although the DHS Secretary declined to address specific instances, there have been a slew of high-profile hacking intrusions in the past 2 years:
- The FBI and U.S. Secret Service are investigating intrusions into computer systems run by NASDAQ-OMX, the parent company of the NASDAQ stock exchange, which were compromised last year.
- Earlier this year RSA, the security division of EMC Corp., suffered a computer intrusion that resulted in a breach of the firm’s intellectual property, SecurID, which provides encrypted authentication services.
- During 2009, groups in China were behind a highly sophisticated hacking of Google and more than 30 other companies that went undetected until January 2010.
“We are in a constant state of seeing activity against critical infrastructure,” said Greg Schaffer, DHS assistant secretary for cybersecurity and communications, who also spoke at Thursday’s event.
U.S. officials believe that China has been behind many of the infiltrations; members of Congress have recently said as much, but diplomatic and security officials are more reluctant to attribute the infiltrations to China.
Last week, Shawn Henry, the FBI’s executive assistant director, also highlighted the damage a major computer attack could have on the United States.
“The cyberthreat is an existential one, meaning that a major cyberattack could potentially wipe out whole companies,” Henry said in a speech in Baltimore Oct. 20. “It could shut down our electric grid or water supply. It could cause serious damage to parts of our cities, and ultimately, even kill people. While it may sound alarmist, the threat is incredibly real, and intrusions into corporate networks, personal computers and government systems are occurring every single day by the thousands.”
Henry proposed having a separate Internet architecture set up for critical infrastructure assets.
“U.S. innovation and ingenuity created the Internet, which is now a global phenomenon that has provided tremendous opportunities. With it, however, have come tremendous security challenges to certain users. For them, the current system will never be good enough. But it’s too late to disconnect. It’s not possible to be offline anymore, and there’s currently no alternative,” Henry said. “I don’t have the answers about how to build greater choices in the security architectures used today, but I do feel strongly that the discussions must begin now.”