2/1/2012
11:33 AM

Cyber Attacks Becoming Top Terror Threat, FBI Says

Hackers will one day outstrip terrorists as top threat to U.S., FBI director tells a Senate committee. Attacks predicted to become more complex and frequent.

Cyber attacks against government agencies and businesses in the United States continue to rise, and cyber threats will one day surpass the danger of terrorism to the United States, intelligence community officials said in an open hearing of the Senate select intelligence committee Tuesday.

"Stopping terrorists is the number one priority," said FBI director Robert Mueller. "But down the road, the cyber threat will be the number one threat to the country. I do not think today it is necessarily [the] number one threat, but it will be tomorrow."

The rare open hearing of the Senate's intelligence committee, an annual one that surveys the threats to the United States from around the globe, included testimony by Mueller, director of national intelligence James Clapper, and CIA director David Petraeus. Tuesday's hearing looked at the broad spectrum of threats to the nation, but numerous administration officials will brief Congress in a classified hearing today that will focus more pointedly on cybersecurity.

Congress' interest in cybersecurity remains high. Both the House and Senate continue to work toward comprehensive legislation on the issue. The House Committee on Homeland Security is marking up cybersecurity legislation Wednesday, and the Senate will move to consider a comprehensive cybersecurity bill later this month, though industry has raised concerns about the cost of the Senate bill. The Senate homeland security and governmental affairs committee has indicated that it may hold a hearing on that bill within the next two weeks.

Clapper said that cybersecurity is already at the forefront of national security concerns, right there with terrorism, proliferation of weapons, and espionage. "In the last year, we observed increased breadth and sophistication of computer network operations by both state and non-state actors," he said in prepared testimony.

The greatest challenges to protecting against cyber threats, Clapper said, are the difficulty of providing timely and actionable warning of attacks--he cautioned that "many intrusions into U.S. networks are not being detected"--and the complex vulnerabilities within the IT supply chain. Attribution remains a difficult technical challenge, but the government is increasingly sharing threat information among government agencies and with the private sector. Vulnerabilities in the IT supply chain have been a concern for the Department of Defense for several years, but the issue has not been raised to the same level of public discourse as information sharing and the range of cybersecurity technologies that agencies are implementing to thwart attacks.

Clapper singled out attacks from China and Russia as the biggest threats from state actors and said that those two countries have been responsible for "extensive illicit intrusions" into U.S. networks, but also said that Iran's cyber capabilities have "increased in depth and complexity" in recent years. China and Russia have been high on cyber-watchers' lists of concerns for several years now, but Iran is a relatively new addition. Iran's military recently claimed that it brought down an American drone by hacking into its guidance systems.

The intelligence community isn't concerned only with threats from other countries, however. Clapper said that non-state actors are increasingly gaining in prominence, and in fact already have "easy access to potentially disruptive and even lethal technology." For example, he noted that hacker groups like Anonymous and LulzSec have been carrying out a consistent campaign of distributed denial of service attacks and website defacements, and that intrusions into NASDAQ and the International Monetary Fund "underscore the vulnerability of key sectors of the economy."

Attacks against security technologies themselves, such as last year's attack against security company RSA, which led to several other attacks, are also of particular concern, Clapper said. He also lashed out against "wholesale plundering" of American intellectual property.

At the hearing, senators also sparred with witnesses about which agencies would take charge in the event of a major cyber-attack, and what the role of the president would be. For example, Sen. Barbara Mikulski, D-Md., raised concerns about what would happen in the event of an attack on the electrical grid of a city hosting a political convention. While representatives from the DHS and FBI both said the initial response would fall to DHS, FBI director Mueller said that the FBI or NSA would be the ones to determine attribution.
