When a large Southern California water system wanted to probe the vulnerabilities of its computer networks, it hired Los Angeles-based hacker Marc Maiffret to test them. His team seized control of the equipment that added chemical treatments to drinking water — in one day.
The weak link: County employees had been logging into the network through their home computers, leaving a gaping security hole. Officials of the urban water system told Maiffret that with a few mouse clicks, he could have rendered the water undrinkable for millions of homes.
“There’s always a way in,” said Maiffret, who declined to identify the water system for its own protection.
The weaknesses that he found in California exist in crucial facilities nationwide, U.S. officials and private experts say.
The same industrial control systems Maiffret’s team was able to commandeer also run electrical grids, pipelines, chemical plants and other infrastructure. Those systems, many designed without security in mind, are vulnerable to cyber attacks that have the potential to blow up city blocks, erase bank data, crash planes and cut power to large sections of the country.
Terrorist groups such as Al Qaeda don’t yet have the capability to mount such attacks, experts say, but potential adversaries such as China and Russia do, as do organized crime and hacker groups that could sell their services to rogue states or terrorists.
U.S. officials say China already has laced the U.S. power grid and other systems with hidden malware that could be activated to devastating effect.
“If a sector of the country’s power grid were taken down, it’s not only going to be damaging to our economy, but people are going to die,” said Rep. Jim Langevin (D-R.I.), who has played a lead role on cyber security as a member of the House Intelligence Committee.
Some experts suspect that the U.S. and its allies also have been busy developing offensive cyber capabilities. Last year, Stuxnet, a computer worm some believe was created by the U.S. or Israel, is thought to have damaged many of Iran’s uranium centrifuges by causing them to spin at irregular speeds.
In the face of the growing threats, the Obama administration’s response has received mixed reviews.
President Obama declared in a 2009 speech that protecting computer network infrastructure “will be a national security priority.” But the follow-through has been scant.
Obama created the position of federal cyber-security “czar,” and then took seven months to fill a job that lacks much real authority. Several cyber-security proposals are pending in Congress, but the administration hasn’t said publicly what it supports.
“I give the administration high marks for doing some things, but clearly not enough,” Langevin said.
The basic roadblocks are that the government lacks the authority to force industry to secure its networks and industry doesn’t have the incentive to do so on its own.
Meanwhile, evidence mounts on the damage a cyber attack could inflict. In a 2006 U.S. government experiment, hackers were able to remotely destroy a 27-ton, $1-million electric generator similar to the kind commonly used on the nation’s power grid. A video shows it spinning out of control until it shuts down.
In 2008, U.S. military officials discovered that classified networks at the U.S. Central Command, which oversees military operations in the Middle East and Central Asia, had been penetrated by a foreign intelligence service using malware spread through thumb drives.
That attack led to the creation in 2009 of U.S. Cyber Command, a group of 1,000 spies and hackers charged with preventing such intrusions. They also are responsible for mounting offensive cyber operations, about which the government will say next to nothing.
The head of Cyber Command, Gen. Keith Alexander, also leads the National Security Agency, the massive Ft. Meade, Md.-based spy agency in charge of listening to communications and penetrating foreign computer networks.
Together, the NSA and Cyber Command have the world’s most advanced capabilities, analysts say, and could wreak havoc on the networks of any country that attacked the U.S. — if they could be sure who was responsible.
It’s easy to hide the source of a cyber attack by sending the malware on circuitous routes through computers and servers in third countries. So deterrence of the sort relied upon to prevent nuclear war — the threat of massive retaliation — is not an effective strategy to prevent a cyber attack.
Asked in a recent interview whether the U.S. could win a cyber war, Alexander responded, “I believe that we would suffer tremendously if a cyber war were conducted today, as would our adversaries.”
Alexander also is quick to point out that his cyber warriors and experts are legally authorized to protect only military networks. The Department of Homeland Security is charged with helping secure crucial civilian infrastructure, but in practice, the job mostly falls to the companies themselves.
That would’ve been akin to telling the head of U.S. Steel in the 1950s to develop his own air defenses against Soviet bombers, writes Richard Clarke, who was President George W. Bush’s cyber-security advisor, in his 2010 book, “Cyber War: The Next Threat to National Security and What to Do About It.”
The comparison underscores the extent to which the U.S. lacks the laws, strategies and policies needed to secure its cyber infrastructure, experts say.
“If we don’t get our act together, the consequences could be dire,” said Scott Borg, who heads the U.S. Cyber Consequences Unit, which analyzes the potential damage from various scenarios.
(Source: LA Times)