The chief of United States cyber forces believes that a major cyber attack within the United States is only a matter of time and will likely happen inside the next 10 years.

Cyber intrusions against critical infrastructure and government networks in the United States as well as attacks elsewhere by multiple nation states, individuals and groups “leads me to believe it is only a matter of the when, not the if, that we are going to see something traumatic,” Adm. Michael Rogers, director of the National Security Agency and chief of U.S. Cyber Command, told the House Intelligence Committee on Nov. 20.

Rep. Dutch Ruppersberger (D-Md.), the ranking member on the committee, mentioned a Pew Research Center survey from October that canvassed thousands of technology experts, with more than 60 percent responding that a nation will be harmed by a major cyber attack by 2025. Adm. Rogers said he believes such an attack will occur before then.

“We have seen individuals, groups inside critical U.S. infrastructure that has a presence that suggests to us, that this is a vulnerability that others want to exploit,” Rogers said. In response to a query from Committee Chairman Mike Rogers (R-Mich.) about cyber attacks on U.S. government networks, the cyber chief said currently there are “People trying to gain unauthorized access, people trying to steal data, potentially people attempting to manipulate data.”

Adm. Rogers said there are multiple nation states and groups that have the capability to “shut down” the nation’s infrastructure by attacking industrial control systems and computer systems that control remote equipment, called supervisory control and data acquisition, or SCADA.

These states and groups are doing reconnaissance of networks, probably to understand the system and find vulnerabilities, Adm. Rogers said.

Industrial control and SCADA systems are instrumental to the operation of modern infrastructure such as power generation and distribution, water facilities, transportation and the like.

Chairman Rogers pointed to a February 2013 report by the cyber security firm Mandiant, which is now part of FireEye [FEYE], that pinpointed the Chinese military unit behind cyber espionage against companies, most of which are based in the United States. Asked by the chairman if other nation states are able to get on U.S. systems, Adm. Rogers said there are “probably one or two others,” although the information is classified.

Adm. Rogers also said “we’re watching multiple nation states invest in this capability.” That means doing research, reconnaissance, examining the structure of “our systems,” and trying to steal detailed information about the schematics of these systems to be able to defeat them.

Adm. Rogers also said that international organized cyber crime groups, which typically have penetrated networks looking to find data they can resell, such as personal and credit card information, in some cases are obtaining the tools that nation states have historically used. He believes a new trend that will emerge in the near-term is the use by nation states of these organized crime groups “because I’m watching nation states attempt to obscure, if you will, their fingerprints, and one of the ways to do that is to use surrogate groups to attempt to execute those things for you.”

Chairman Rogers called this trend “Cyber hit men for hire.”

Adm. Rogers said, “That’s a troubling new development for us.”

At the outset of the hearing to examine cyber security threats, Chairman Rogers said China’s economic cyber espionage against U.S. companies continues to grow, saying that that country’s intelligence agencies “have little fear because we have no practical deterrents to that theft. This problem is not going away until that changes.”

Adm. Rogers agreed.

“There doesn’t seem to be a sense of risk among nation state, groups and individuals and the behaviors we see in cyber; that you can just do literally almost anything you want and there isn’t a price to pay for it,” Adm. Rogers said. “That’s not a good place I would argue for us a nation and I would argue more broadly internationally for us to be in.”

There need to be internationally agreed norms and behaviors for nations in the cyber environment, Adm. Rogers said. The White House has developed an “initial set of points” for this, which have already been brought up in United Nations forums.

Some of the areas that are being discussed for normal behavior in the international cyber domain include leaving alone the computer emergency capabilities of nation states so that they can respond to cyber emergencies and how to define offensive capabilities and an “active war,” he said. There are also discussions around standards for critical infrastructure. If steps are taken against it beyond normal behavior, there could be repercussions, he said.

The United States also believes it’s wrong for nation states to conduct espionage against the commercial sector, Adm. Rogers said. Other topics include going after infrastructure that could cost lives or a loss of control, he added.

Without these agreed-to norms of behavior, it’s “Not a good place for us to be,” Adm. Rogers said.