Nation's Infrastructure Still Vulnerable to Cyber Attack
Experts worried malicious hackers could bring down America's infrastructure.
Aug. 4, 2011 — -- In past wars, a hostile army would send troops to sabotage a bridge. Now a terrorist can send a suicide bomber to attack a mass transit system. In the future, experts are worried that malicious hackers -- perhaps even working for China, Iran or North Korea -- could bring down America's critical infrastructure.
Nuclear reactors, the electric grid and the banking sector are all attractive targets, according to testimony Tuesday before the House Subcommittee on Oversight and Investigations by the director of information security issues at the Government Accountability Office. And while foreign attackers have yet to launch a serious attack on U.S.-based infrastructure, some security experts say that terrorists are looking for ways to make it happen.
The GAO didn't name specific foreign adversaries, but one security expert that spoke to ABC News provided insight into who is trying to obtain high-tech hacking tools.
"We know that North Korea wants it, we know that Iran wants it and that some of the terrorist groups are interested in it," said Jim Lewis, who is a senior fellow at the Center for Strategic and International Studies.
The testimony came on the heels of a report from the security firm McAfee that showed evidence of a five-year cyber data-stealing operation likely conducted by a nation state that targeted more than 70 different governmental, non-profit and corporate entities. While the security firm didn't point any fingers, many other security experts have read the data and suspect China as the point of origin.
But people shouldn't be too worried about a massive assault anytime soon according to Lewis.
"Right now, only a few nation states have the capability to disrupt critical infrastructure," Lewis said.
Talented engineers are scarce and essential to building the tools necessary to attack specialized U.S. infrastructure. Attacking a power plant is different than defacing a website. The tool required to pull pranks on the public Web have existed for years, while the tools necessary to breach private networks are only available to those with the resources to build them.
But that dynamic could change as those tools become more readily available.
"What could happen is that one day you'll be able to buy the software that will let people do things," said Lewis.
In fact, the Department of Homeland Security released a warning on Thursday that Stuxnet, a worm that used in July 2010 to breach an Iranian nuclear reactor network, could be re-purposed to attack other systems with a similar configuration.
DHS is currently working with the private sector to share information on prevalent attacks, but further legislation is needed to ensure a clear chain of command in the event of a crisis.
Lawmakers in Congress are stalled on legislation that would overhaul the nation's cyber security. Senate Majority Leader Harry Reid, R-Nev., sent a letter Wednesday to Senate Republican leaders urging them to put cyber security back on the agenda.
Republicans have expressed concerns with provisions in the bill that they believe would grant DHS the authority to regulate the private sector. But one administration official defended the plan at a House Oversight and Government Reform hearing earlier this July.
"I believe this proposal is designed to give the private sector immense input into the process," said Greg Schaffer who testified on behalf of DHS.
While lawmaker from both parties have made no concrete plans to move forward with legislation, many cyber security experts believe that now is the time for action.
"We have known about our vulnerabilities in our critical infrastructure for well over a decade, and while there has been some progress we are still remarkably exposed," David Bodenheimer, a lawyer with Crowell & Moring LLP who consults with businesses on cyber issues.