Using only a few computers, researchers at the federal Idaho National Laboratory managed to launch a cyberattack that crippled an electricity generator earlier this year. The test, performed on a replica of common power plant control systems that operate over the Internet, tricked the machine into operating at levels that caused it to smoke and then destroy itself. Funded by the Department of Homeland Security, this was an unsettling demonstration of how vulnerable America's critical infrastructure is to online assaults.
As early as this week, the Bush administration is expected to request significant new funding to ratchet up its cybersecurity efforts. Under a new initiative, a broad set of federal agencies would coordinate the monitoring and defense of government networks, as well as private systems that operate key services like electricity, telecommunications, and banking. But officials are divided over how much of the program, which will be run by DHS, to discuss publicly because of the sizable involvement of U.S. intelligence agencies.
Persistent attack. The sensitivity also reflects how officials increasingly view cybersecurity as a national security concern, with threats coming not only from whiz-kid hackers but also foreign intelligence agencies and militaries. The nation's computer networks "are under persistent attack now," warns Joel Brenner, the nation's top counterintelligence official. "These attacks can be designed to steal our nation's intellectual property or manipulate information to cause financial, logistical, or military chaos." He points to a massive cyberattack in May against the nation of Estonia that shut down many government networks and forced its largest bank to close its website briefly.
In just the past year, officials reported that the number of cyberattacks on government computer networks more than doubled. "The adversaries are becoming more nimble, more focused, and more sophisticated in their attempts to exploit our vulnerabilities," says a DHS source. But in some ways, the private networks that operate critical infrastructure could be even more vulnerable. "There is no government entity that can require cybersecurity controls be put in place in the private sector," says Rep. Jim Langevin, chairman of a House cybersecurity subcommittee.
Currently, the government's leading experts in cybersecurity, who work at the supersecret National Security Agency, are responsible only for guarding classified networks. As first reported in the Baltimore Sun, the new effort envisions expanding NSA's cyberdefense efforts to unclassified government systems and private industry. The proposal, however, has sparked some concerns about privacy, because defending networks is such an invasive process. "In order to defend the cyberspace on which these critical systems depend, we have to be able to both monitor and control them," says Sami Saydjari, a former NSA official who runs the Cyber Defense Agency, a private consulting firm. "That's an intelligence system, and one could use that intelligence system for good or for evil."