Hackers are stepping up the intensity of their attacks, moving from “disruption” to “destruction” of key computer systems, the top US cyber-defense official said Monday.
General Keith Alexander, who is director of the National Security Agency and commander of the US Cyber Command, told a Washington forum that the new tactics could move beyond mere annoyances and begin causing severe economic damage.
“We are seeing the threat grow from exploitation to disruption to destruction,” he told the group at the Woodrow Wilson Center.
He argued that these attacks could impact organizations ranging from stock markets to power grid operators — “all of that is in the realm of the possible.”
These types of destructive attacks can wipe out data, which could bankrupt a company or disable the control systems operating key infrastructure.
“It could overwrite the ability of a system to turn on,” Alexander said.
“Think about a company that loses all the data on its system… If you wipe out the data, you wipe out the ability of the system to operate.”
Alexander said the best way to protect against these types of attacks is to implement an information sharing system between the private sector and government agencies — as was proposed in cybersecurity legislation that failed this year in Congress.
Such legislation could include mandatory or voluntary reporting guidelines for when attacks occur, and it could allow those reporting the incidents to be immune from liability.
Senator Susan Collins, a sponsor of the failed cybersecurity bill, told the same forum the need for new laws remains high.
“I hope we don’t have to wait for a ‘cyber 9/11’ for action to happen,” she said. “These problems are not going to go away.”
Both Collins and Alexander said, despite news the White House is considering an executive order, the legal framework for cybersecurity protection must come from legislation.
Collins said she told President Barack Obama that an executive order would be “a big mistake” and “cannot accomplish what legislation can.”
She added that an executive order “could lull people into a false sense of security.”
The two spoke the same day the White House acknowledged that one of its own computer networks was hit by a cyber attack, but said no classified systems were breached and there was no indication any data was lost.
An administration official spoke up after a report from a right-wing news site that Chinese hackers had breached a key White House military system.
The US official said the attack was against “an unclassified network” and was a case of “spear phishing,” in which a spoofed email tricks a user into clicking through to a website where a hacker can install malicious software or gain control of another computer.
“These types of attacks are not infrequent, and we have mitigation measures in place,” the official said.