Ten to fifteen years ago, some of us on this blog (well, both of us) were called fear-mongers, and worse, for trying to raise the alarum about the threat to our security posed by cyberattacks. Times certainly have changed—or at least attitudes. Today, Director of National Intelligence James Clapper, in testimony before the US Senate, listed the cyber threat first among all the national security threats the country faces – ahead of terrorism, transnational organized crime, and proliferation of Weapons of Mass Destruction. This follows on the heels of a speech yesterday by National Security Advisor Tom Donilon which cited “cyber intrusions emanating from China on an unprecedented scale” as a “key point of concern and discussion with China,” and President Obama’s warning in the State of the Union address of “the rapidly growing threat from cyber-attacks,” including our enemies’ focus on “the ability to sabotage our power grid, our financial institutions, and our air traffic control.”
The DNI’s testimony, which covered the Intelligence Community’s “World Wide Threat Assessment,” discussed the cyber threats posed by a variety of actors, including nation states, terrorist groups, “hacktivists,” and organized crime groups. Here are the most important excerpts:
“We judge that there is a remote chance of a major cyber attack against US critical infrastructure systems during the next two years that would result in long-term, wide-scale disruption of services, such as a regional power outage. The level of technical expertise and operational sophistication required for such an attack—including the ability to create physical damage or overcome mitigation factors like manual overrides—will be out of reach for most actors during this time frame. Advanced cyber actors—such as Russia and China—are unlikely to launch such a devastating attack against the United States outside of a military conflict or crisis that they believe threatens their vital interests.
However, isolated state or nonstate actors might deploy less sophisticated cyber attacks as a form of retaliation or provocation. These less advanced but highly motivated actors could access some poorly protected US networks that control core functions, such as power generation, during the next two years, although their ability to leverage that access to cause high-impact, systemic disruptions will probably be limited. At the same time, there is a risk that unsophisticated attacks would have significant outcomes due to unexpected system configurations and mistakes, or that vulnerability at one node might spill over and contaminate other parts of a networked system.”
“Foreign intelligence and security services have penetrated numerous computer networks of US Government, business, academic, and private sector entities. Most detected activity has targeted unclassified networks connected to the Internet, but foreign cyber actors are also targeting classified networks. Importantly, much of the nation’s critical proprietary data are on sensitive but unclassified networks; the same is true for most of our closest allies.
• We assess that highly networked business practices and information technology are providing opportunities for foreign intelligence and security services, trusted insiders, hackers, and others to target and collect sensitive US national security and economic data. This is almost certainly allowing our adversaries to close the technological gap between our respective militaries, slowly neutralizing one of our key advantages in the international arena.
• It is very difficult to quantify the value of proprietary technologies and sensitive business information and, therefore, the impact of economic cyber espionage activities. However, we assess that economic cyber espionage will probably allow the actors who take this information to reap unfair gains in some industries.”
“We have seen indications that some terrorist organizations have heightened interest in developing offensive cyber capabilities, but they will probably be constrained by inherent resource and organizational limitations and competing priorities.
Hacktivists continue to target a wide range of companies and organizations in denial-of-service attacks, but we have not observed a significant change in their capabilities or intentions during the last year. Most hacktivists use short-term denial-of-service operations or expose personally identifiable information held by target companies, as forms of political protest. However, a more radical group might form to inflict more systemic impacts—such as disrupting financial networks—or accidentally trigger unintended consequences that could be misinterpreted as a state-sponsored attack.
Cybercriminals also threaten US economic interests. They are selling tools, via a growing black market, that might enable access to critical infrastructure systems or get into the hands of state and nonstate actors. In addition, a handful of commercial companies sell computer intrusion kits on the open market. These hardware and software packages can give governments and cybercriminals the capability to steal, manipulate, or delete information on targeted systems. Even more companies develop and sell professional-quality technologies to support cyber operations—often branding these tools as lawful-intercept or defensive security research products. Foreign governments already use some of these tools to target US systems.”
Unfortunately, accurately assessing the threat, though long in coming, is the relatively easy part of the task. Figuring out how to harden our infrastructures against intrusion and disruption and to share threat and vulnerability information better, and setting policy for if, when, and how to respond to attacks, are far more difficult. Don’t count on Congress doing anything significant in this area until there’s a major, disruptive attack. Which means that to some extent, cyber policy will follow the course of counterterrorism policy since 9/11, with unilateral Executive actions being the only game in town. Is this really what the cyber libertarians want?