Cyber-attacks have already come close several times to shutting down parts of the country's critical infrastructure, according to the U.S. Department of Homeland Security Secretary.
The number of cyber-attacks on financial systems, transportation and other networks is growing, Secretary Janet Napolitano said at an Oct. 28 event on cyber-security in Washington, D.C. hosted by The Washington Post. When asked how many attacks may have occurred during the course of the 45 minute question-and-answer session at the event, Napolitano told the audience, "Thousands."
Some cyber-assaults had come close to crashing key infrastructure. There have been attempts on Wall Street, transportation systems, and "things of those sorts," Napolitano said. The Wall Street attack may be a reference to an attack on the Nasdaq stock exchange a year ago.
"I think we all have to be concerned about a network intrusion that shuts down part of the nation's infrastructure in such a fashion that it results in a loss of life," Napolitano said, noting that it was still theoretical and there hasn't been any deaths yet as a result of these attacks.
In fiscal year 2011, the United States Computer Emergency Readiness Team responded to more than 100,000 incident reports and released more than 5,000 actionable cyber-security alerts and information products, she said.
Department of Homeland Security networks have been probed by adversaries attempting to breach systems. Napolitano declined to discuss the specifics of the intrusion.
Congress needs to act to enact legislation to protect critical infrastructure, Napolitano said. One of the problems facing the United States in defending against cyber-attackers is the fact that current international law, rules of conflict and government policies have not really kept up with the changes in cyber-threats.
The Obama administration has released a proposal in May outlining how the private sector should work with DHS to develop cyber-security plans to protect critical infrastructure. The proposal also includes requirements for a federal data breach notification law and a call for tougher penalties for computer crimes.
There are several cyber-security bills in both houses of Congress focusing on critical infrastructure in circulation, none of them have reached the floor yet. Congressional observers are not sure if they would come up for a vote this legislative session.
Napolitano didn't share that pessimism, saying that Congress was aware of the importance of cyber-security. "If there's any area of international concern that the Congress is going to move on this session, it's going to be cyber," she said.
Homeland Security needs to serve as the nation's "incident response center" in the event of a major attack.
Security experts have long warned that critical infrastructure, such as electrical grids and power plants, were vulnerable to attack. The Federal Bureau of Investigation's executive assistant director, Shawn Henry, said the threats were "incredibly real" and intrusions into corporate networks, personal computers and government systems were "occurring every single day by the thousands," in a speech at a recent conference in Baltimore.
"It could shut down our electric grid or water supply. It could cause serious damage to parts of our cities, and ultimately, even kill people," Henry said.
There have already been several "high-tech catastrophes," Eugene Kaspersky said at a cyber-security summit in New York earlier this month, referencing the Spanair flight 5022 crash in 2008 and the blackout that blanketed the East Coast in 2003. Malware was "not the reason" the incidents happened, but they would not have happened without malware, according to Kaspersky. In the case of the blackout, some of the critical systems in key data centers used by utility companies had been infected by the Blaster worm.
It was inevitable that attackers would someday go after the electric grid, Kaspersky said. Governments need to share threat intelligence with the private sector, defend critical systems, and work with other governments to track down cyber-adversaries, according to Kaspersky.
"We need an Internet Interpol, an international cyber-police," Kaspersky said.