Intel boss' warning on cyber attacks no joke, say experts

Top cybersecurity experts echoed a dire warning from a top intelligence chief on the vulnerability of the U.S. power grid, with one saying that state-sponsored hackers could send America’s nerve centers on an “uncontrollable, downward spiral.”

Admiral Michael Rogers, director of the National Security Agency and commander of the U.S. Cyber Command, told lawmakers Thursday that adversaries of the U.S. conduct regular electronic reconnaissance to reveal weaknesses in America’s industrial control systems, ranging from power plants to sewage facilities. The nation's entire power infrastructure could prove vulnerable to a crippling assault, should China or any of the other nations who sponsor such efforts find an Achilles' heel and move to exploit it, he said.

Rogers was not exaggerating, according to experts.

“Unlike the recent headline attacks, which result in significant loss of data, attacking a nation state’s critical infrastructure requires persistence and long term discipline of not being detected. The scale and techniques required to do this exist in the military and intelligence functions of various world governments,” said Ron Gula, CEO of Columbia, Md.-based Tenable Network Security.

Rogers told members of the House Intelligence Committee that China, along with “one or two” other countries, has the capability to mount devastating cyber-attacks, and that merely remaining on the defensive is a “losing strategy.” The possibility of such cyberattacks by U.S. adversaries has been widely known, but never confirmed publicly by the nation's top cyber official.


Brian Ingram, cyber security investigator and owner of Consulting Investigation Services, headquartered in Dallas, called the assessment “dead on accurate.”

“China has, for years, participated in massive electronic probing of networks in the U.S.,” Ingram said. “The ability to conduct these network scans is not new, the sophistication of the newer methodologies is growing exponentially and our defenses, from the little made public or known to those in the industry, has not kept pace.”

There is a "huge risk" that America's own power utilities could be turned into a weapon used against U.S. citizens and controlled from another land, said Larry Ponemon, chairman and founder of the Ponemon Institute.


“We could lose the ability to control our power systems,” said Ponemon, whose organization is based in Traverse City, Mich. “If this happens with a nuclear power facility, the attack could cause a meltdown or explosions, cause considerable damage for people at or near the plant, and put it out of commission for many, many months.”

The U.S. and Israel are believed to have mounted just such an attack on Iran's nuclear weapons program, Ponemon noted, referring to the engineered computer virus known as Stuxnet that was discovered in 2010. The attack, delivered by an infected thumb drive, targeted Iran's Natanz nuclear facility, and is believed to have shut down some one-fifth of Iran’s nuclear centrifuges. The virus was used to obtain information on the nuclear facility and put pressure on centrifuges, causing them to spin out of control.

Paul Rosenzweig, visiting fellow at the Heritage Foundation, said experts have known for a long time that an even more devastating and costly attack could be mounted on the U.S., where the power grid is a vast complex of public and private infrastructure.

“While security has improved substantially, there is no way, none at all, to prevent an attack,” Rosenzweig said.

The private sector has cooperated with the U.S. government for years to share information and increase the ability to defend itself from cyber attacks, Gula said. However, this is a growing challenge.

“The problem is the attack surface is so large that we are constantly reacting to moves made by our potential adversaries,” Gula said.

Network security is much like airline or automobile safety, Gula explained. Government regulations, technology breakthroughs from industry and development of best practices will minimize the threat to the energy infrastructure, but there is no one entity responsible for this, he said.


“Private industries should be expected to defend themselves from less skilled hackers, corporate espionage and maintain a network compliant with their industry’s regulations. They should also expect to work with the various U.S. government groups to share information and respond to nation-state attacks,” Gula said.

For now, the best protection the U.S. has is its economic ties to China - and the fact that America could answer an attack with one of its own - the strategy known in the Cold War as "mutually assured destruction."

“What would China gain from turning off Los Angeles and why would China do that in light of its investment in the U.S. and the possibility that the U.S. could reciprocally turn off Beijing?” Rosenzweig asked, before cautioning that America’s vulnerability would become relevant if there was a major conflict with China.

There is a general sense the U.S. faces more of a threat from irrational actors, such as smaller nations and independent terrorist groups, who probably don’t have capabilities now, but could at some point in the future, Rosenzweig said.

If and when committed enemies of the U.S. gain the ability to strike, America's dependence on its power grid could prove to be a fatal weakness.

“Can you plan anything in the electronic age if you can’t rely on the power grid?” Ingram asked. “Financial exchanges, eCommerce, banking, medical records, postal/mail delivery, trucking, railways…all of them are interconnected in our society and the ability to protect that, to ensure that our way of life is not dependent on a foreign power’s benevolence is vital to have a thriving and prosperous U.S.”