Nation's Infrastructure Still Vulnerable to Cyber Attack

Aug. 4, 2011 — -- In past wars, a hostile army would send troops to sabotage a bridge. Now a terrorist can send a suicide bomber to attack a mass transit system. In the future, experts are worried that malicious hackers -- perhaps even working for China, Iran or North Korea -- could bring down America's critical infrastructure.

Nuclear reactors, the electric grid and the banking sector are all attractive targets, according to testimony Tuesday before the House Subcommittee on Oversight and Investigations by the director of information security issues at the Government Accountability Office. And while foreign attackers have yet to launch a serious attack on U.S.-based infrastructure, some security experts say that terrorists are looking for ways to make it happen.

The GAO didn't name specific foreign adversaries, but one security expert that spoke to ABC News provided insight into who is trying to obtain high-tech hacking tools.

"We know that North Korea wants it, we know that Iran wants it and that some of the terrorist groups are interested in it," said Jim Lewis, who is a senior fellow at the Center for Strategic and International Studies.

The testimony came on the heels of a report from the security firm McAfee that showed evidence of a five-year cyber data-stealing operation likely conducted by a nation state that targeted more than 70 different governmental, non-profit and corporate entities. While the security firm didn't point any fingers, many other security experts have read the data and suspect China as the point of origin.

But people shouldn't be too worried about a massive assault anytime soon according to Lewis.

"Right now, only a few nation states have the capability to disrupt critical infrastructure," Lewis said.

Talented engineers are scarce and essential to building the tools necessary to attack specialized U.S. infrastructure. Attacking a power plant is different than defacing a website. The tool required to pull pranks on the public Web have existed for years, while the tools necessary to breach private networks are only available to those with the resources to build them.

But that dynamic could change as those tools become more readily available.

"What could happen is that one day you'll be able to buy the software that will let people do things," said Lewis.

In fact, the Department of Homeland Security released a warning on Thursday that Stuxnet, a worm that used in July 2010 to breach an Iranian nuclear reactor network, could be re-purposed to attack other systems with a similar configuration.

DHS is currently working with the private sector to share information on prevalent attacks, but further legislation is needed to ensure a clear chain of command in the event of a crisis.

Lawmakers in Congress are stalled on legislation that would overhaul the nation's cyber security. Senate Majority Leader Harry Reid, R-Nev., sent a letter Wednesday to Senate Republican leaders urging them to put cyber security back on the agenda.

Republicans have expressed concerns with provisions in the bill that they believe would grant DHS the authority to regulate the private sector. But one administration official defended the plan at a House Oversight and Government Reform hearing earlier this July.

"I believe this proposal is designed to give the private sector immense input into the process," said Greg Schaffer who testified on behalf of DHS.

While lawmaker from both parties have made no concrete plans to move forward with legislation, many cyber security experts believe that now is the time for action.

"We have known about our vulnerabilities in our critical infrastructure for well over a decade, and while there has been some progress we are still remarkably exposed," David Bodenheimer, a lawyer with Crowell & Moring LLP who consults with businesses on cyber issues.

Role of the Federal Government

Infrastructure protection will fall under the jurisdiction of numerous government agencies. The GAO review has identified 18 different sectors to monitor and has suggested seven agencies to oversee responsibilities.

DHS will handle most of the domestic responsibility, but other agencies will help to oversee specific areas. For example, the Treasury Department will help protect the banking sector and the Department of Energy will help protect the electric grid and oil storage facilities.

With so many agencies in charge of infrastructure defense, some experts are worried that the departments will be confused on certain issues.

"No doubt the responsibilities are fragmented," said Bodenheimer.

Proposed legislative solutions could empower the president to take more direct control in a crisis. But some critics have already objected to further consolidation and view cyber security reform as a massive overreach by the federal government.

"If we frame this discussion as a war discussion, then what you do when there's a threat of war is you call in the military and you get military solutions," said Bruce Schneier, a cyber security author that argued that point in 2010 at the televised Intelligence Squared debate in Washington. "You get lockdown; you get an enemy that needs to be subdued. ... And so the threat of cyber war is being grossly exaggerated, and I think it's being done for a reason. This is a power grab by government."

The cyber security bill that was introduced in 2010 faced fierce criticism. Opponents slammed a provision that would give the president the ability to shut off the Internet. Opponents to the bill pointed to the Internet censorship in the middle as a reason for limiting executive power.