America's Failing Grade on Cyber Attack Readiness
U.S. infrastructure unprepared for major cyber attack: NSA head.
July 27, 2012 -- The man in charge of America's cyber operations said that on a scale of one to 10, the nation's preparedness to deal with a major cyber attack on critical infrastructure sits at a dismal three.
"Somebody who finds vulnerability in our infrastructure could cause tremendous problems," Army Gen. Keith Alexander, Director of the National Security Agency and chief of U.S. Cyber Command, told audience members at the Aspen Institute's annual security forum late Thursday, according to multiple reports. Alexander said that since 2009, attempted cyber attacks on the nation's infrastructure systems have risen seventeen-fold.
"I'm worried most about power. I'm worried about water. I think those are the ones that need the most help," he said.
Top current and former U.S. security officials have for years been decrying vulnerabilities in the computer networks of critical infrastructure industries from water treatment centers to electric power plants -- largely facilities owned and operated by private entities. In his remarks, Alexander reportedly pushed for a greater role for government, specifically the Department of Homeland Security, in regulating security measures across industries.
Two years ago, computer experts discovered Stuxnet, a cyber weapon of unprecedented power and complexity that was apparently designed to damage an Iranian nuclear facility. The worm had demonstrated what computer experts had long thought possible but had never actually seen: computer code that was no longer confined to disrupting computer systems internally but could reach out and physically alter how a facility works, or potentially destroy it.
Before the worm was alleged to have been a creation of a joint U.S.-Israeli cyber operation, other U.S. officials quickly realized that such a powerful cyber tool may be turned on the homeland. In a Senate Homeland Security committee hearing in November 2010, committee chairman Joe Lieberman (D.-Connecticut) warned the worm could be used as a "blueprint" for other "malicious hackers."
Richard Clarke, former White House counterterrorism advisor, cyber security expert and ABC News consultant, said in January that since Stuxnet was a "plug-and-play" worm, other hackers or foreign governments could take it, modify it and turn it against the U.S.
"You can take out certain components and put in others and you have a very powerful weapon that could be used against the electric power grid or any other system that has computers telling machines what to do," he said. "The best cyber weapon in the world has been spread around for other people to have copies of… I think it's very likely that somebody could do this."
Months later, the Department of Homeland Security revealed that the original Stuxnet worm did manage to infiltrate a computer system in the U.S., but since it was only tailored to hit the Iranian nuclear facility, it didn't do any known damage to the American facility.
Sean McGurk, a former DHS official who is now senior policy officer at the Industrial Controls Systems Information Sharing and Analysis Center, told a radio show in early June that he had already seen hackers modifying Stuxnet for their own uses. He also noted that as one of the most computer-reliant nations on the planet, the U.S. is also one of the most vulnerable.
"Because everything from elevators to prison doors are controlled by computers in our country, these systems lend themselves to manipulation and potentially to destruction," he said.
Since Stuxnet's discovery, cyber experts have found two other highly sophisticated cyber weapons: Duqu, a cyber program built in the style of Stuxnet but for espionage rather than offensive operations, and Flame, the largest espionage program in history, designed to capture any keystroke, image and conversation even near the infected system. Based on stunning similarities in the code of all three programs, researchers said they believe they were all created by either the same team, or at least teams of computer experts with access to each other's original work.