Risk
2/1/2012
11:33 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Cyber Attacks Becoming Top Terror Threat, FBI Says

Hackers will one day outstrip terrorists as top threat to U.S., FBI director tells a Senate committee. Attacks predicted to become more complex and frequent.

Inside DHS' Classified Cyber-Coordination Headquarters
(click image for larger view)
Slideshow: Inside DHS' Classified Cyber-Coordination Headquarters
Cyber attacks against government agencies and businesses in the United States continue to rise, and cyber threats will one day surpass the danger of terrorism to the United States, intelligence community officials said in an open hearing of the Senate select intelligence community Tuesday.

"Stopping terrorists is the number one priority," said FBI director Robert Mueller. "But down the road, the cyber threat will be the number one threat to the country. I do not think today it is necessarily [the] number one threat, but it will be tomorrow."

The rare open hearing of the Senate's intelligence committee, an annual one that surveys the threats to the United States from around the globe, included testimony by Mueller, director of national intelligence James Clapper, and CIA director David Petraeus. Tuesday's hearing looked at the broad spectrum of threats to the nation, but numerous administration officials will brief Congress in a classified hearing today that will focus more pointedly on cybersecurity.

Congress' interest in cybersecurity remains high. Both the House and Senate continue to work toward comprehensive legislation on the issue. The House Committee on Homeland Security is marking up cybersecurity legislation Wednesday, and the Senate will move to consider a comprehensive cybersecurity bill later this month, though industry has raised concerns about cost over the Senate bill. The Senate homeland security and governmental affairs committee has indicated that it may hold a hearing on that bill within the next two weeks.

Clapper said that cybersecurity is already at the forefront of national security concerns, right there with terrorism, proliferation of weapons, and espionage. "In the last year, we observed increased breadth and sophistication of computer network operations by both state and non-state actors," he said in prepared testimony.

[ Read about the Obama Administration's efforts to update current cybersecurity legislation: White House Presses For New Cybersecurity Laws. ]

The greatest challenges to protecting against cyber threats, Clapper said, are the difficulty of providing timely and actionable warning of attacks--he cautioned that "many intrusions into U.S. networks are not being detected"--and the complex vulnerabilities within the IT supply chain. Attribution remains a difficult technical challenge, but the government is increasingly sharing threat information among government agencies and with the private sector. Vulnerabilities in the IT supply chain have been a concern for the Department of Defense for several years, but the issue has not been raised to the same level of public discourse as information sharing and the range of cybersecurity technologies that agencies are implementing to thwart attacks.

Clapper singled out attacks from China and Russia as the biggest threats from state actors and said that those two countries have been responsible for "extensive illicit intrusions" into U.S. networks, but also said that Iran's cyber capabilities have "increased in depth and complexity" in recent years. China and Russia have been high on cyber-watchers' lists of concerns for several years now, but Iran is a relatively new addition. Iran's military recently claimed that it brought down an American drone by hacking into its guidance systems.

The intelligence community isn't concerned only with threats from other countries, however. Clapper said that non-state actors are increasingly gaining in prominence, and in fact already have "easy access to potentially disruptive and even lethal technology." For example, he noted that hacker groups like Anonymous and LulzSec have been carrying out a consistent campaign of distributed denial of service attacks and website defacements, and that intrusions into NASDAQ and the International Monetary Fund "underscore the vulnerability of key sectors of the economy."

Targets against security technologies themselves, such as last year's attack against security company RSA, which led to several other attacks, are also of particular concern, Clapper said. He also lashed out against "wholesale plundering" of American intellectual property.

At the hearing, senators also sparred with witnesses about which agencies would take charge in the event of a major cyber-attack, and what the role of the president would be. For example, Sen. Barbara Mikulski, D-Md., raised concerns about what would happen in the event of an attack on the electrical grid of a city hosting a political convention. While representatives from the DHS and FBI both said the initial response would fall to DHS, FBI director Mueller said that the FBI or NSA would be the ones to determine attribution.

InformationWeek's 2012 Government IT Innovators program will feature the most innovative government IT organizations in the 2012 InformationWeek 500 issue and on InformationWeek.com. Does your organization have what it takes? The nomination period for 2012 Government IT Innovators closes April 27.

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-2413
Published: 2014-10-20
Cross-site scripting (XSS) vulnerability in the ja_purity template for Joomla! 1.5.26 and earlier allows remote attackers to inject arbitrary web script or HTML via the Mod* cookie parameter to html/modules.php.

CVE-2012-5244
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Banana Dance B.2.6 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) return, (2) display, (3) table, or (4) search parameter to functions/suggest.php; (5) the id parameter to functions/widgets.php, (6) the category parameter to...

CVE-2012-5694
Published: 2014-10-20
Multiple SQL injection vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 allow remote attackers to execute arbitrary SQL commands via the (1) agentPhNo, (2) controlPhNo, (3) agentURLPath, (4) agentControlKey, or (5) platformDD1 parameter to frameworkgui/attach2Agents.p...

CVE-2012-5695
Published: 2014-10-20
Multiple cross-site request forgery (CSRF) vulnerabilities in Bulb Security Smartphone Pentest Framework (SPF) 0.1.2 through 0.1.4 allow remote attackers to hijack the authentication of administrators for requests that conduct (1) shell metacharacter or (2) SQL injection attacks or (3) send an SMS m...

CVE-2012-5696
Published: 2014-10-20
Bulb Security Smartphone Pentest Framework (SPF) before 0.1.3 does not properly restrict access to frameworkgui/config, which allows remote attackers to obtain the plaintext database password via a direct request.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.