General warns of dramatic increase in cyber-attacks on U.S. firms
Computer intrusions by hackers, criminals and nations against U.S. infrastructure increased seventeenfold from 2009 to 2011, the nation’s chief cyber defender says, and it’s only a matter of time before such an attack causes physical damage.
Gen. Keith Alexander, who heads the National Security Agency and the U.S. Cyber Command, revealed the statistics in a rare public interview Thursday at the Aspen Security Forum, a gathering of national security officials. He called for passage of legislation being debated by the Senate that would set up a voluntary system for companies to shore up their computer defenses.
The NSA eavesdrops on communications around the world, and it also monitors cyber-attacks. U.S. Cyber Command is responsible for offensive cyber operations.
Alexander did not say how many attacks happen each year against critical infrastructure, such as electrical, water, chemical and nuclear plants. Such intrusions are typically designed to probe defenses and lay the groundwork for a destructive attack. Many plants and factories are run by networked industrial control systems, so an attacker who seizes control of such a system could wreak havoc.
Echoing remarks he has made before, Alexander said the U.S. lacks sufficient defenses against cyber-attacks. On a scale of 1 to 10, he said, American preparedness for a large-scale cyber-attack is “around a 3.”
He said he was particularly worried about attacks that could shut down parts of the electrical grid or compromise public water systems.
“Destructive cyber-attacks against critical infrastructure are coming,” Alexander said.
Alexander said the military had yet to work out rules of engagement for responding to cyber-attacks, and he pointed out that neither of his agencies have the authority to defend against a cyber-attack on a private company, even if that company owns crucial infrastructure. The pending bill would fix that, he said.
Some business groups oppose the bill as intrusive, and some civil liberties groups say it compromises privacy.
Alexander pointedly refused to comment on Stuxnet, a cyber-attack on Iran’s nuclear enrichment facilities that has been reported to have been the work of the U.S. and Israeli intelligence. He also pushed back against the notion that the uptick in attacks on the U.S. is related to Stuxnet, which was first discovered in June 2010.
Alexander repeated his view that computer-based espionage against the industrialized world amounted to “the biggest transfer of wealth in history” because “adversaries have gone into our companies and taken intellectual property.”
He cited one estimate by the security firm McAfee that the losses from such spying add up to a trillion dollars. But, he said, “we don’t know. And which is more alarming: that it’s really large, or we don’t even know how large it is? ? What other countries are doing are stealing the next generation of [our] capabilities.”
Alexander didn’t name the countries, but China and Russia have been cited by government officials as the biggest culprits, a charge they deny.