Risk
2/1/2012
11:33 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cyber Attacks Becoming Top Terror Threat, FBI Says

Hackers will one day outstrip terrorists as top threat to U.S., FBI director tells a Senate committee. Attacks predicted to become more complex and frequent.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
Cyber attacks against government agencies and businesses in the United States continue to rise, and cyber threats will one day surpass the danger of terrorism to the United States, intelligence community officials said in an open hearing of the Senate select intelligence community Tuesday.

"Stopping terrorists is the number one priority," said FBI director Robert Mueller. "But down the road, the cyber threat will be the number one threat to the country. I do not think today it is necessarily [the] number one threat, but it will be tomorrow."

The rare open hearing of the Senate's intelligence committee, an annual one that surveys the threats to the United States from around the globe, included testimony by Mueller, director of national intelligence James Clapper, and CIA director David Petraeus. Tuesday's hearing looked at the broad spectrum of threats to the nation, but numerous administration officials will brief Congress in a classified hearing today that will focus more pointedly on cybersecurity.

Congress' interest in cybersecurity remains high. Both the House and Senate continue to work toward comprehensive legislation on the issue. The House Committee on Homeland Security is marking up cybersecurity legislation Wednesday, and the Senate will move to consider a comprehensive cybersecurity bill later this month, though industry has raised concerns about cost over the Senate bill. The Senate homeland security and governmental affairs committee has indicated that it may hold a hearing on that bill within the next two weeks.

Clapper said that cybersecurity is already at the forefront of national security concerns, right there with terrorism, proliferation of weapons, and espionage. "In the last year, we observed increased breadth and sophistication of computer network operations by both state and non-state actors," he said in prepared testimony.

[ Read about the Obama Administration's efforts to update current cybersecurity legislation: White House Presses For New Cybersecurity Laws. ]

The greatest challenges to protecting against cyber threats, Clapper said, are the difficulty of providing timely and actionable warning of attacks--he cautioned that "many intrusions into U.S. networks are not being detected"--and the complex vulnerabilities within the IT supply chain. Attribution remains a difficult technical challenge, but the government is increasingly sharing threat information among government agencies and with the private sector. Vulnerabilities in the IT supply chain have been a concern for the Department of Defense for several years, but the issue has not been raised to the same level of public discourse as information sharing and the range of cybersecurity technologies that agencies are implementing to thwart attacks.

Clapper singled out attacks from China and Russia as the biggest threats from state actors and said that those two countries have been responsible for "extensive illicit intrusions" into U.S. networks, but also said that Iran's cyber capabilities have "increased in depth and complexity" in recent years. China and Russia have been high on cyber-watchers' lists of concerns for several years now, but Iran is a relatively new addition. Iran's military recently claimed that it brought down an American drone by hacking into its guidance systems.

The intelligence community isn't concerned only with threats from other countries, however. Clapper said that non-state actors are increasingly gaining in prominence, and in fact already have "easy access to potentially disruptive and even lethal technology." For example, he noted that hacker groups like Anonymous and LulzSec have been carrying out a consistent campaign of distributed denial of service attacks and website defacements, and that intrusions into NASDAQ and the International Monetary Fund "underscore the vulnerability of key sectors of the economy."

Targets against security technologies themselves, such as last year's attack against security company RSA, which led to several other attacks, are also of particular concern, Clapper said. He also lashed out against "wholesale plundering" of American intellectual property.

At the hearing, senators also sparred with witnesses about which agencies would take charge in the event of a major cyber-attack, and what the role of the president would be. For example, Sen. Barbara Mikulski, D-Md., raised concerns about what would happen in the event of an attack on the electrical grid of a city hosting a political convention. While representatives from the DHS and FBI both said the initial response would fall to DHS, FBI director Mueller said that the FBI or NSA would be the ones to determine attribution.

InformationWeek's 2012 Government IT Innovators program will feature the most innovative government IT organizations in the 2012 InformationWeek 500 issue and on InformationWeek.com. Does your organization have what it takes? The nomination period for 2012 Government IT Innovators closes April 27.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-5084
Published: 2015-08-02
The Siemens SIMATIC WinCC Sm@rtClient and Sm@rtClient Lite applications before 01.00.01.00 for Android do not properly store passwords, which allows physically approximate attackers to obtain sensitive information via unspecified vectors.

CVE-2015-5352
Published: 2015-08-02
The x11_open_helper function in channels.c in ssh in OpenSSH before 6.9, when ForwardX11Trusted mode is not used, lacks a check of the refusal deadline for X connections, which makes it easier for remote attackers to bypass intended access restrictions via a connection outside of the permitted time ...

CVE-2015-5537
Published: 2015-08-02
The SSL layer of the HTTPS service in Siemens RuggedCom ROS before 4.2.0 and ROX II does not properly implement CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack, a different vulnerability than CVE-2014-3566.

CVE-2015-5600
Published: 2015-08-02
The kbdint_next_device function in auth2-chall.c in sshd in OpenSSH through 6.9 does not properly restrict the processing of keyboard-interactive devices within a single connection, which makes it easier for remote attackers to conduct brute-force attacks or cause a denial of service (CPU consumptio...

CVE-2015-1009
Published: 2015-07-31
Schneider Electric InduSoft Web Studio before 7.1.3.5 Patch 5 and Wonderware InTouch Machine Edition through 7.1 SP3 Patch 4 use cleartext for project-window password storage, which allows local users to obtain sensitive information by reading a file.

Dark Reading Radio
Archived Dark Reading Radio
What’s the future of the venerable firewall? We’ve invited two security industry leaders to make their case: Join us and bring your questions and opinions!