Cyber-attacker are already targeting the country's financial services, transportation and other critical infrastructure and have come close to crashing portions of them.
Cyber-attacks have already come close several times to
shutting down parts of the country's critical infrastructure, according to the U.S.
Department of Homeland Security Secretary.
The number of cyber-attacks on financial systems,
transportation and other networks is growing, Secretary Janet Napolitano said
at an Oct. 28 event on cyber-security in Washington, D.C. hosted by The
. When asked how many attacks may have occurred during the
course of the 45 minute question-and-answer session at the event, Napolitano
told the audience, "Thousands."
Some cyber-assaults had come close to crashing key
infrastructure. There have been attempts on Wall Street, transportation
systems, and "things of those sorts," Napolitano said. The Wall
Street attack may be a reference to an attack on the Nasdaq stock exchange a
"I think we all have to be concerned about a network
intrusion that shuts down part of the nation's infrastructure in such a fashion
that it results in a loss of life," Napolitano said, noting that it was
still theoretical and there hasn't been any deaths yet as a result of these
In fiscal year 2011, the United States Computer Emergency
Readiness Team responded to more than 100,000 incident reports and released
more than 5,000 actionable cyber-security alerts and information products, she
Department of Homeland Security networks have been probed by
adversaries attempting to breach systems. Napolitano declined to discuss the
specifics of the intrusion.
Congress needs to act to enact legislation to protect
critical infrastructure, Napolitano said. One of the problems facing the United
States in defending against cyber-attackers is the fact that current
international law, rules of conflict and government policies have not really
kept up with the changes in cyber-threats.
The Obama administration has released a proposal in May
outlining how the private sector should work with DHS to develop cyber-security
plans to protect critical infrastructure. The proposal also includes
requirements for a federal data breach notification law and a call for tougher penalties
for computer crimes.
There are several cyber-security bills in both houses of
Congress focusing on critical infrastructure in circulation, none of them have
reached the floor yet. Congressional observers are not sure if they would come
up for a vote this legislative session.
Napolitano didn't share that pessimism, saying that Congress
was aware of the importance of cyber-security. "If there's any area of
international concern that the Congress is going to move on this session, it's
going to be cyber," she said.
Homeland Security needs to serve as the nation's
"incident response center" in the event of a major attack.
Security experts have long warned that critical
infrastructure, such as electrical grids and power plants, were vulnerable to
attack. The Federal Bureau of Investigation's executive assistant director,
Shawn Henry, said the threats were "incredibly real" and intrusions
into corporate networks, personal computers and government systems were
"occurring every single day by the thousands," in a speech at a
recent conference in Baltimore.
"It could shut down our electric grid or water supply. It
could cause serious damage to parts of our cities, and ultimately, even kill people,"
There have already been several "high-tech
catastrophes," Eugene Kaspersky said at a cyber-security summit in New
York earlier this month, referencing the Spanair flight 5022 crash in 2008 and
the blackout that blanketed the East Coast in 2003. Malware was "not the
reason" the incidents happened, but they would not have happened without
malware, according to Kaspersky. In the case of the blackout, some of the
critical systems in key data centers used by utility companies had been
infected by the Blaster worm.
It was inevitable that attackers would someday go after the
electric grid, Kaspersky said. Governments need to share threat intelligence
with the private sector, defend critical systems, and work with other
governments to track down cyber-adversaries, according to Kaspersky.
"We need an Internet Interpol, an international
cyber-police," Kaspersky said.