BY KIM ZETTER 03.12.13 at Wired.com
Contrary to much of the fear-mongering that has been spreading through the nation’s capital on cybersecurity matters lately, the director of national intelligence bucked that trend on Tuesday when he told a senate committee that there was little chance of a major cyberattack against critical infrastructure in the next two years.
DNI James Clapper was a singular voice of reason when he told the Senate Select Committee on Intelligence that lack of skills on the part of most attackers and the ability to override attacks on critical infrastructure with manual controls would make such attacks unfeasible in the near future. He also said that nation states that might have the skills to pull off such an attack lack the motive at this point.
“We judge that there is a remote chance of a major cyber attack against U.S. critical infrastructure systems during the next two years that would result in long-term, wide-scale disruption of services, such as a regional power outage,” Clapper said in his statement to the committee. “The level of technical expertise and operational sophistication required for such an attack — including the ability to create physical damage or overcome mitigation factors like manual overrides — will be out of reach for most actors during this time frame. Advanced cyber actors — such as Russia and China — are unlikely to launch such a devastating attack against the United States outside of a military conflict or crisis that they believe threatens their vital interests.”
Clapper’s words come in the wake of increased rhetoric in Washington over a recent report that Chinese hackers, presumed to be supported by that nation’s military and Communist Party apparatus, have been responsible for unprecedented cyberespionage attacks that have resulted in millions of dollars of intellectual property being lost. That report, published by computer security firm Mandiant, suggested that Chinese spies were also targeting critical infrastructure systems with the possible intention of causing sabotage.
But Clapper noted that destructive attacks were more likely to come from less-skilled, non-nation-state attackers who could cause damage on a smaller scale.
“These less advanced but highly motivated actors could access some poorly protected US networks that control core functions, such as power generation, during the next two years, although their ability to leverage that access to cause high-impact, systemic disruptions will probably be limited. At the same time, there is a risk that unsophisticated attacks would have significant outcomes due to unexpected system configurations and mistakes, or that vulnerability at one node might spill over and contaminate other parts of a networked system,” he said.