When James Clapper, the country's top intelligence official, visited Capitol Hill this week to discuss the major threats facing America, he put cyberattacks at the top of the list.
The lengthy discussion of cybersecurity marked a change from testimony Clapper gave in 2012 and 2011. In his annual assessments of worldwide risks in the two previous years, digital threats were mentioned only briefly and were further down on the list of dangers. Cybersecurity is a top priority this year for President Obama, who was planning a meeting Wednesday in the White House Situation Room with business executives to discuss the issue. Concerns are growing about a potential attack that could cripple the nation's infrastructure.
Clapper, the director of national intelligence, told a Senate panel that it would be "hard to overemphasize" the significance of the threat. Here are the three areas where the country is most vulnerable to a cyberattack:
Several of the nation’s critical infrastructure networks are poorly protected, including parts of the power grid. A cyberattack could lead to regional power outages, Clapper warned. He said that a "less advanced but highly motivated" actor could access poorly protected American networks that control power servers, which experts warn are vulnerable to Web-based attacks.
“The problem with the power sector is that there’s an assumption that a lot of these things are not connected to the Internet, but it turns out that they are,” said Adam Segal, a senior fellow at the Council on Foreign Relations.
Many pieces of the electrical grid are old, and some are 10 to 20 years out of date. At many plants, there are no immediate plans to upgrade the equipment to counter cyberthreats, Segal said.
In the last six months, there have been 140 cyberattacks on Wall Street, Gen. Keith Alexander, the head of the U.S. Cyber Command at the Pentagon, told a House Armed Services Committee hearing Tuesday. Administration officials said that Iran last year attacked five leading U.S. banks around the same time it disabled 30,000 computers at a Saudi Arabian oil company.
“They have toyed at the edges of being active here,” said James Lewis, a senior fellow at the Center for Strategic and International Studies. “It wasn’t a fluke; it was a test.”
Lewis warned that Iran is capable of carrying out a larger-scale cyberattack on the United States and financial institutions could become a target because of the tensions between the two countries.
Business leaders have been open with the federal government when they get attacked. But that doesn't mean they have been open to changing their practices or letting the government regular their digital security. Part of Obama's recent outreach to the business community involves making sure that financial institutions and other businesses are well-protected.
In the last several years, the federal government has boosted the security for several of its servers, including for .mil and .gov. But experts said state and local governments lack the resources, and in many cases an awareness of the threats, to undertake the same efforts. An attack on a municipal government’s Web server could disrupt utilities and put public safety at risk. Local fire departments, water companies, and traffic lights all rely heavily on the Internet.
“If you wanted to cause disruption, this would be a good target,” Lewis said. “It depends on what your goal is. If you want Americans to run around in circles and wave their arms, governments are good targets.”
The Senate last year made progress on a broad cybersecurity bill but it ultimately collapsed. Alexander and other administration officials want to see Congress pass comprehensive legislation this year, but the general said a worst-case scenario would be if Congress were to have to pass something in haste after a cyberattack has already occurred.
All photos by the AP