US Vulnerable to Major Cyberattacks

In September 2001, a week after the 9/11 attacks, hackers could have used the Nimda worm to shut down the 911 emergency dialling system in the US causing major public panic.

The US government needs to take action now to avoid crippling cyberattacks that could shut down major communications systems nationwide, a group of cybersecurity experts told US lawmakers.

"We are a nation unprepared to properly defend ourselves and recover from a strategic cyberattack," said O. Sami Saydjari, president of Professionals for Cyber Defense and CEO of Cyber Defense Agency, speaking before the US House of Representatives Subcommittee on Emerging Threats, Cybersecurity and Science and Technology.

"Inaction isn't an option."

Saydjari and other experts urged the US Congress to take several steps to improve the nation's cybersecurity, work that could be begun with an investment of $US500 million.

The US has been lucky so far to avoid a major attack, added Daniel Geer Jr., principal owner of Geer Risk Services. "I don't think we can go much farther and say that, 'I didn't know it had a flaw,' is any kind of defence," he said. "Software licences, to the last one of them, have that built into them."

Geer recommended that the government develop better security metrics and recruit and train cybersecurity experts.

The US has had some near-misses, he said. In September 2001, a week after the 9/11 attacks, hackers could have used the Nimda worm to shut down the 911 emergency dialling system in the US, causing major public panic, he said.

"The nation's cybersecurity challenges are profound and not easily addressed," Geer said. "Wishful thinking, whether explicit or implicit, intentional or delusional, will allow the problem to get bigger."

Not all witnesses agreed with Geer and Saydjari that a crippling attack was possible. While attackers could knock out pieces of communications networks, the possibility of a widespread outage may be overstated, said James Lewis, director of the Technology and Public Policy Program at the Centre for Strategic and International Studies.

It's difficult to knock out the communications systems in even small countries, he said. "A very big country turns out to be hard to derail," Lewis added.

Still, Lewis acknowledged that the US has cybersecurity problems, particularly defending against espionage. "Cybersecurity is at this time primarily a spy story," he said. "Foreign intelligence agencies must weep with joy when they contemplate US government networks."

The US government has placed sensitive data on unsecured networks, Lewis said, repeating criticisms from a cybersecurity hearing before the committee. "The last 20 years have seen an unparalleled looting of US government databases," he added.

A small group of hackers couldn't pull off a major cyberattack, Saydjari said. But an organization with three years to plan and $US500 million to spend could make it happen, he said. Many nations and major terrorist organizations have those resources, he added.

A recent hearing on cyberattacks at the US departments of Commerce and State was "eye-opening", said Representative subcommittee chairman James Langevin. "We learned that our federal systems and privately owned critical infrastructure are all extremely vulnerable to hacking," he said. "We learned that the federal government has little situational awareness of what is going on inside our systems."