Adm. Michael Rogers, director of the National Security Agency and head of U.S. Cyber Command, told lawmakers yesterday that China and “one or two” other countries are capable of mounting cyberattacks which would paralyze the U.S electric grid and other critical infrastructure systems across the country.
A cyberattacks of such scope has been discussed in the past – it was even dubbed a “cyber Pearl Harbor” – but Rogers was the first high official to confirm that such a crippling attack on the United States was not a mere speculation.
The Wall Street Journal reports that Rogers, speaking at a hearing of the House intelligence committee, said U.S. adversaries are conducting electronic “reconnaissance” on a regular basis so that they will be well-positioned to damage and disrupt the industrial control systems which run chemical facilities, nuclear power plants, water treatment facilities, dams, and much more.
“All of that leads me to believe it is only a matter of when, not if, we are going to see something dramatic,” he said (see also(“A major cyberattack causing widespread harm to national security is imminent: Experts,” HSNW, 3 November 2014).
Rogers rejected the argument that since the United States itself has offensive cyber capabilities which could be used to damage the critical infrastructure of an adversary, we should expect a cold war-like “mutual cyber assured destruction” balance to emerge. Rogers, without confirming that the United States possessed offensive cyber capabilities, said that the nuclear deterrence model did not apply to cyberattacks.
Only a handful of countries had nuclear capabilities during the cold war, he said, and nuclear attacks could be detected and their source ascertained in time to retaliate. The source of a cyberattack, however, can easily be disguised, and the capability do significant infrastructure damage is possessed not only by nation states but by non-state actors such as criminal groups and individuals, Rogers noted.
What complicates the issue further, Rogers said, was that U.S. intelligence officials have seen cyber criminal groups acting “as a surrogate for other groups, other nations,” he said, adding “I’m watching nation states attempt to obscure, if you will, their finger prints.”
In cyberspace, “You can literally do almost anything you want, and there is not a price to pay for it,” he said (on the question of U.S. offensive cyber capabilities, see “New report urges policy overhaul, transparency in offensive cyber operations,” HSNW, 10 November 2014; and “U.S. Cyber Command plans to recruit 6,000 cyber professionals, as U.S. mulls offensive cyber strategy,” HSNW, 6 October 2014).
The Journal notes that Roger’s remarks came in response to questioning from Representative Mike Rogers (R-Michigan), chairman of the House Intelligence Committee, who asked the NSA director about a report from a private cybersecurity firm which offered details of China-originated intrusions into the U.S. power grid and other critical systems – intrusions which security experts said were consistent with being precursors to attack. Rep. Rogers wanted to what other countries have the capability.
“One or two others,” the NSA director said. He declined to name them, saying the information is classified. “There shouldn’t be any doubt in our minds that there are nation states and groups out there that have the capability to do that. We’re watching multiple nation states invest in this capability.”
The NSA director said the Obama administration is engaged in an effort to establish a set of principles to govern military cyber operations, such as banning attacks on hospitals. “We need to define what would be offensive, what’s an act of war,” he said. “Being totally on the defensive is a very losing strategy to me.”
Rep. Rogers, in his opening remarks, note that damage done to American companies and to the U.S. economic well-being and national security by the systematic campaign, conducted by the Chinese government, to steal intellectual property through cyberattacks.
“China’s economic cyber espionage … has grown exponentially in terms of volume and damage done to our nation’s economic future. The Chinese intelligence services that conduct these attacks have little to fear because we have no practical deterrents to that theft. This problem is not going away until that changes,” Rep. Rogers said.
The NSA director said that U.S. networks would be better protected Congress passed a bill which would allow companies to share malware signatures and other threat information with one another and with the government, and be protected from liability by doing so. Such a cybersecurity bill has been debated in Congress for a more than two years now, but the Edward Snowden disclosures eighteen months ago have made unlikely that such a bill would pass anytime time soon, according to lawmakers.