China and “one or two” other countries have the ability to launch a cyber attack that could shut down the entire U.S. power grid and other critical infrastructure, the head of the National Security Agency (NSA) and U.S. Cyber Command told a congressional panel on Thursday.
Admiral Michael Rogers told the hearing that software had been detected in China that could significantly damage the nation’s economic future by interfering with power company networks and other critical systems.
Describing the malware, he told the House Intelligence Committee that: "It enables you to shut down very segmented, very tailored parts of our infrastructure that forestall the ability to provide that service to us as citizens."
"It is only a matter of the when, not the if, that we are going to see something traumatic," he added.
When asked by Republican representative for Michigan Mike Rogers, who chairs the intelligence committee, what other countries have this capability, the NSA director responded “one or two others,” but declined to name them for security reasons. "We're watching multiple nation states invest in this capability," he said.
According to cyber expert Caroline Baylon of thinktank Chatham House, the interconnectedness of power grids means that they are liable to “cascading failures”. As nearby grids take up the slack for the failed system, they become overloaded and they too fail in a chain reaction.
Rogers said that such attacks are part of “coming trends” in which so-called zero-day vulnerabilities in U.S. cyber systems are exploited.
A zero-day vulnerability refers to a hole in software that is unknown to the vendor, which can be exploited by hackers before the vendor becomes aware and hurries to patch it up. Such vulnerabilities are becoming an increasingly powerful weapon of cyber espionage as countries become more connected to the internet.
As well as espionage, there are also fears of cyber warfare. “Once an attacker finds an open vulnerability, he or she can get into the system,” Baylon told Newsweek. “This allows the adversary to place a 'backdoor' in that system, as China are doing in the U.S., which they can use to access that system again at a later date.”
“Whilst at present it is not in any country's interest to attack the power grid of another country, now is the time for countries to look for these vulnerabilities because this is when they are open,” she added. “It is a dangerous situation because a number of countries are looking for vulnerabilities in the power grids of other countries.”
A so-called ‘grey-market’ - a black market that isn’t strictly illegal yet - for zero-day vulnerabilities now exists, with companies like Vupen in France selling them to governments for use in espionage.
According to Baylon, the U.K. and the U.S. are particularly at risk because they have a huge amount of critical infrastructure connected to the internet. Some countries, however, like Russia, have clear government policy about being connected to the internet. “There is a huge asymmetry going on,” she said.
Russia is also regarded as having an aggressive cyber programme.
Rogers’s testimony comes shortly after the release of a report from the Pew Internet and American Life Project that says that it is likely that a catastrophic cyber-attack would have occurred by 2025, causing significant losses in life and financial damage.
“Intelligence agencies and governments are very concerned about it,” says Baylon.
She predicts that the most likely scenario would be a coordinated attack. “In the event of major attack, we might see a series of simultaneous attacks on a number of areas, for example attacking a power grid and paralyzing communications networks at the same time.”
This, she says, is something we could see in the next five to 10 years. However, she stresses that whilst “it is very hard to find solutions”, governments and experts are working very hard on the issue.
In his testimony to the intelligence committee, Rogers said: “The Chinese intelligence services that conduct these attacks have little to fear because we have no practical deterrents to that theft. This problem is not going away until that changes.”
The problem, Baylon says, is that security costs money, and critical infrastructures like power grids are ultimately businesses with a bottom line. Whilst they want to protect themselves, it is simply not practical or even possible to defend against all things, and moreover patching up vulnerabilities can sometimes inadvertently trigger a system failure. “It wouldn't be possible or practical to defend against everything, either financially or otherwise,” she said.
“We need to be more careful than we are being and make sure that profit is not dictating everything,” says Baylon.