U.S. government pronouncements about the danger of a major cyberattack can be confusing. The director of national intelligence, James Clapper, and the head of the U.S. military's Cyber Command, Army Gen. Keith Alexander, delivered mixed messages this week while testifying on Capitol Hill.

Clapper told the Senate Intelligence Committee that the prospect of a computer attack on the nation's critical infrastructure is now the top security threat facing the country, surpassing terrorism.

"It's hard to overestimate its significance," Clapper said.

In a separate appearance before the Senate Armed Services Committee, Alexander issued a similar warning.

"All our systems today — our power systems, our water systems, our governments, our industry — depend on computers, depend on computerized switches, depend on these networks," Alexander said. "All are at risk. If an adversary were to get in, they could essentially destroy those components."

Asked by Republican Sen. Lindsey Graham whether such an intrusion would cause as much or more damage than the attacks of Sept. 11, 2001, Alexander answered, "That's correct. I think it would."

The Clapper and Alexander testimonies, however, were worded carefully. Clapper, in an assessment representing the views of the entire U.S. intelligence community, characterized the chance of a major cyberattack against U.S. infrastructure in the next two years as "remote."

"The level of technical expertise and operational sophistication required for such an attack will be out of reach for most actors during this time frame," the assessment stated. "Advanced cyber actors — such as Russia and China — are unlikely to launch such a devastating attack against the United States outside of a military conflict or crisis that they believe threatens their vital interests."

Alexander was similarly reassuring in his written testimony.

"We feel confident that foreign leaders believe that a devastating attack on the critical infrastructure and population of the United States by cyber means would be correctly traced back to its source and elicit a prompt and proportionate response," Alexander said. "We [therefore] have some confidence in our ability to deter major state-on-state attacks in cyberspace."

So what about a cyber-9/11, or a "cyber-Pearl Harbor," the scenario envisioned in an October 2012 speech by then-U.S. Defense Secretary Leon Panetta? Is the scare talk just hype?

Cyber expert James Lewis of the Center for Strategic and International Studies says he put that question recently to what he calls "one of the leading hypers" of the cyberthreat.

"I said, 'Oh, come on, you know it's not going to be Pearl Harbor,' " Lewis says. "And he said, 'Yeah.' But he wants people to pay attention. And nobody is doing anything."

Cybersecurity experts in both industry and government say the country is unprepared to deal with computer threats.

"So there are some folks out there who have believed we needed to hype the threat to get the country to move, on the theory that democracies don't do anything until they've had a disaster," Lewis notes. "He's probably right, but I think it has been overhyped."

The immediate security problem is cybercrime and cyberespionage, not cyberwar. President Obama's national security adviser, Tom Donilon, this week accused computer hackers from China of stealing confidential business information and technology.

"Increasingly, U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft through cyber-intrusions emanating from China on a very large scale," Donilon said.

Industry and government leaders say the everyday theft of trade secrets is undermining the U.S. economy. Beyond that is the danger that some country, in the future, might be tempted to launch a major cyberattack that could knock out portions of the U.S. power grid or paralyze the financial system. It is unlikely now, but some up-and-coming cyber powers are a cause for concern. Among them is Iran, suspected of carrying out a recent attack against the state oil company in Saudi Arabia.

"One thing most of us didn't expect was the Iranians [going] from zero to 60 in about eight months," Lewis notes. "China, Russia, these are responsible countries. They're not going to start a war. How comfortable do you feel saying that about the Iranian Revolutionary Guard?"

At this point, even the leaders of Iran may see little reason to spark a major cyber-confrontation with the United States. Their calculation, however, could change at some point, considering the current hostility between the two countries.

Copyright 2015 NPR. To see more, visit http://www.npr.org/.

Transcript

RENEE MONTAGNE, HOST:

This is MORNING EDITION from NPR News. I'm Renee Montagne.

STEVE INSKEEP, HOST:

And I'm Steve Inskeep. Good morning. The director of National Intelligence says the prospect of a cyber attack is now the number one security threat. In remarks this week, James Clapper ranked the cyber threat above terrorism. Plenty of leaders have issued warnings, like former defense secretary Leon Panetta's statement about a cyber Pearl Harbor. NPR's Tom Gjelten has covered this threat for years, yet some of the rhetoric got him wondering if the threat is overstated.

TOM GJELTEN, BYLINE: The country's top intelligence officer and the top cyber officer were both on Capitol Hill this week warning that the danger of computer attacks needs to be taken a lot more seriously. National Intelligence Director James Clapper said it's hard to over-estimate its significance. General Keith Alexander, head of the U.S. military's Cyber Command, explained the threat to Republican Senator Lindsey Graham.

(SOUNDBITE OF HEARING)

GENERAL KEITH ALEXANDER: All our systems today, our power systems, our water systems, our governments, our industry, depend on computers, depend on computerized switches, depend on these networks. All that are at risk. If an adversary were to get in, they could essentially destroy those components.

REPRESENTATIVE LINDSEY GRAHAM: Could do as much or more damage than the attacks of 9/11?

ALEXANDER: That's correct. I think it would.

GJELTEN: A cyber Pearl Harbor? A cyber attack as bad as 9/11? But Clapper and Alexander's testimonies were worded carefully. Clapper, speaking for the U.S. intelligence community, said there's only, quote, a remote chance, unquote, of a major computer attack during the next two years. Russia and China, the powers capable of mounting such an attack, have no reason to, Clapper suggested.

General Alexander of Cyber Command said foreign leaders know a big cyber attack on the United States might be traced back to them and therefore would not want to run the risk of a U.S. counter-attack. So is the scare talk just hype? James Lewis of the Center for Strategic and International Studies says he put that that question to what he calls one of the leading hypers of the cyber threat.

JAMES LEWIS: I said, oh, come on, you know it's not going to be Pearl Harbor. And he said, yeah, but he wants people to pay attention and nobody's doing anything. So there are some folks out there who believed we needed to hype the threat to get the country to move, on the theory that democracies don't do anything until they've had a disaster. He's probably right. But I think it has been over-hyped.

GJELTEN: Cyber security experts in both industry and government say the country is unprepared to deal with computer threats. But the immediate problem is cyber crime and cyber espionage, not cyber war. President Obama's national security adviser, Tom Donilon, this week accused computer hackers from China of stealing confidential business information and technology.

THOMAS DONILON: Increasingly, U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft through cyber intrusions emanating from China on a very large scale.

GJELTEN: Industry and government leaders say the everyday theft of trade secrets is undermining the U.S. economy. Beyond that, there is the danger in the future that some country might be tempted to launch a major cyber attack that could knock out the power grid or paralyze the financial system. That would be seen as an act of war, according to U.S. officials.

It's unlikely now, but some up and coming cyber powers are a cause for concern. Cyber expert James Lewis notes that Iran, previously considered a minor cyber player, apparently went after the state oil company in Saudi Arabia recently.

LEWIS: One thing most of us didn't expect was the Iranians to go from zero to 60 in about eight months. China, Russia, these are responsible countries. They're not going to start a war. How comfortable do you feel saying that about the Iranian Revolutionary Guard?

GJELTEN: At this point, even the leaders of Iran may see little reason to spark a major cyber confrontation with the United States. That calculation, however, could at some point change, considering the current hostility between the two countries. Tom Gjelten, NPR News, Washington. Transcript provided by NPR, Copyright NPR.

300x250 Ad

Support quality journalism, like the story above, with your gift right now.

Donate