Top Spy: Small Hacks Are Bigger Threat Than ‘Cyber Armageddon’
Good news: the U.S. is getting better at detecting cyber attacks already underway. Bad news: they’re multiplying.
The risk of a catastrophic cyber attack that disables a key piece of national infrastructure, such as a portion of the power grid, is “remote at this time” and not the biggest threat to U.S. national security in cyberspace, the country’s top intelligence official told a Senate panel on Thursday.
In his annual testimony about the intelligence community’s assessment of “global threats,” Director of National Intelligence James Clapper sounded a more nuanced and less hyperbolic tone about the security of the Internet than some top U.S. officials have in the recent past, including Leon Panetta, who, in a speech as Secretary of Defense, warned of “a cyber Pearl Harbor; an attack that would cause physical destruction and the loss of life.”
“Rather than a ‘cyber armageddon’ scenario that debilitates the entire U.S. infrastructure, we envision something different,” Clapper told the Senate Armed Services Committee in his written testimony. “We foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.”
Those sources, Clapper noted, include criminals who’ve dramatically ramped up their theft of millions of people’s financial and personal data; spies who relentlessly target U.S. companies for their trade secrets; and rogue regimes such as North Korea, which has used its offensive cyber capabilities “for political objectives,” he said, as in the recent hack of Sony Pictures Entertainment for its planned release of a film mocking the North Korean dictator, Kim Jong Un.
Clapper’s remarks were meant not to dismiss a potential major cyber event, but to draw attention to the reality that the U.S. is being bombarded by cyber attacks of a smaller scale every day—and that those campaigns are taking a toll, Brian Hale, the spokesperson for the Office of the Director of National Intelligence, told The Daily Beast.
Experts said Clapper’s remarks were notably at odds with earlier and more alarming statements.
“His testimony seems a departure from how many defense and intelligence officials have talked about the cyber threat to critical infrastructure in the past,” said Sharon Burke, a former assistant secretary of defense.
“Sometimes, it’s seemed as though officials have just been trying to get the attention of the private sector, as though they had to be alarmist to get anyone to take the threat seriously and really hype the worst case scenarios. Maybe now that everyone does take it seriously, they can talk more realistically about the clear and present threats,” Burke, now a senior adviser at think tank New America, said.
Clapper’s remarks even ratcheted down some of his own rhetoric from his previous testimony to the same committee. In his 2014 statement (PDF), the intelligence director said that “large segments” of computerized systems used to help manage water, oil, gas, and electrical facilities “remained vulnerable to attack, which might cause significant economic or human impact.” In that testimony, Clapper offered no precise assessment on the likelihood of such a cyber attack, whereas this year he described it as possible but unlikely.
The intelligence director’s modulated remarks underscored the extent to which the government’s cyber spies and analysts have gotten better at determining which groups and countries pose the most significant threats, what motivates them, and whether they are capable of a major cyber attack on a piece of infrastructure or have an incentive to conduct one.
“Although cyber operators can infiltrate or disrupt targeted [unclassified] networks, most can no longer assume that their activities will remain undetected,” Clapper said. “Nor can they assume that if detected, they will be able to conceal their identities. Governmental and private sector security professionals have made significant advances in detecting and attributing cyber intrusions.”
That’s not a new development. For instance, U.S. intelligence officials have known for years that China is the source of organized hacking campaigns, both sponsored and directed by the Chinese military, that steal U.S. companies’ trade secrets and other intellectual property. The U.S. government even has dossiers on the most active Chinese cyber hackers and keeps a running catalog of their techniques and tradecraft.
But those same officials have also noted that China is one of the U.S.’s biggest lenders and trading partners, so it has little to gain from a cyber attack on U.S. infrastructure that could wound the American economy. Furthermore, the U.S. has sent clear signals that it reserves the right to respond militarily and economically to cyber intrusions.
The Department of Defense has publicly concluded that a cyber attack that disables electrical, financial, or other infrastructure systems vital to the daily functioning of the U.S. would effectively constitute an act of war, and that the president would have the option of retaliating both in cyberspace and the physical world with a conventional military strike. (After President Obama identified North Korea as the source of the Sony hack, the administration imposed economic sanctions on the country, which Obama called a “proportional” response.)
Clapper’s testimony also reflected the fact that while, as he put it, “cyber threats to U.S. national and economic security are increasing in frequency, scale, sophistication, and severity of impact,” there has never been an attack of the magnitude that would warrant the “Armageddon” label. Far more pernicious, and largely unaddressed, experts say, is the risk that hackers will insert malicious computer code into software and hardware in the course of its manufacture and distribution.
Clapper drew attention to that risk, as well.
“Despite ever-improving network defenses, the diverse possibilities for remote hacking intrusions, supply chain operations to insert compromised hardware or software, and malevolent activities by human insiders will hold nearly all [unclassified] systems at risk for years to come,” Clapper said. “In short, the cyber threat cannot be eliminated; rather, cyber risk must be managed.”
“Clapper’s words are too often passed over (acknowledged and then ignored) by both policy folks and operators, and their lack of focus has put the nation at deep risk,” Alan Paller, the director of research at the SANS Institute and a longtime observer of how Washington addresses cyber security, told The Daily Beast.
“Those words translate directly to a simpler statement: ‘The weapons and other systems we operate today cannot be protected from cyber attack.’ Instead, as a nation, [we] have to put in place the people and support systems who can find the intruders and excise them fast.”
If Clapper’s testimony was meant to be a wake-up call about the more likely and potentially dangerous cyber threats, he also tried to politically spur Congress into passing new cybersecurity legislation that would allow the government and corporations to share more information about a range of threats. Repeated attempts to pass such a law have met with stiff opposition from business interests, who see it as a gateway to further regulation.
But more recently some have expressed hopes that a law could be enacted if it provides specific protections from lawsuits when companies share information about their networks, and potentially their customers, with the government.
Defending cyberspace “is not something the government can do all by itself,” Clapper told senators.