Cybersecurity center director warns of Stuxnet copycats

The Homeland Security Department is worried that copycat attackers may reengineer malicious software that allegedly infected Iran's nuclear operations last year to unleash a wider attack, said the head of the department's 24-hour cyber warning center.

Last year, the National Cybersecurity and Communications Integration Center discovered that the worm called Stuxnet has the capability to penetrate systems operating machinery that handle critical infrastructure -- water treatment, electricity and other vital services -- and invisibly manipulate the equipment to, for example, contaminate water.

"The department is concerned that attackers could use the increasingly public information about the code to develop variants targeted at broader installations of programmable equipment in control systems," the center's director Sean McGurk told lawmakers at a House Oversight and Government Reform subcommittee hearing on Wednesday afternoon. "Copies of the Stuxnet code, in various different iterations, have been publicly available for some time now."

The warning comes at a time when lawmakers are reviewing legislative text the White House proposed earlier this month to bolster domestic cybersecurity, particularly critical infrastructure protection. Because the commercial sector operates the majority of U.S. government and private critical infrastructure, a public-private partnership is necessary to defend such networks, all sides agree.

The Obama administration's draft bill would expand and make permanent Homeland Security's authority to work with industry in responding to what experts say are looming threats to services Americans rely on daily.

Cyberwar and cyberterrorism are grave, but not present dangers, testified James A. Lewis, a senior fellow at the nonprofit Center for Strategic and International Studies who studies technology and national security.

Perhaps only five or six nations have the have the advanced military or intelligence sophistication to pull off Stuxnet-like cyberattacks that could disrupt critical infrastructure, he said. And those governments would not use such technology against the United States unless America entered into a military conflict with them, said Lewis, a former Foreign Service officer and federal senior executive assigned to projects involving technology transfer and Internet policy.

"Confrontational states such as North Korea and Iran do not yet have the capability to launch cyberattacks," he said. But "it is inevitable that they will succeed, which is one reason why it is important for the United States to strengthen its defenses as soon as possible."

Likewise, "Terrorists currently lack the capability to launch cyberattacks," Lewis testified. "If they had it, they would have already used it. The day a terrorist group can launch a cyberattack, it will do so."

Wednesday's hearing was a lead up to a full committee hearing scheduled for next week that will assess the White House's proposal to, among other things, charge Homeland Security with enforcing critical infrastructure security.

Committee Chairman Darrell Issa, R-Calif., has yet to publicly take a position on the proposal's rules for vital privately owned networks. "Chairman Issa is supportive of a comprehensive approach that recognizes the fact that approximately 85 percent of the nation's critical infrastructure is owned by the private sector and that cooperation between the federal government and the private sector is vital," committee spokesman Ali Ahmad said Thursday.

The administration's measure relies largely on industry and the marketplace to penalize noncompliant companies operating critical networks. DHS officials would publicly name businesses that fail independent security audits -- a strategy the department says would force companies to either fix vulnerabilities or lose customers.

Lewis said that in the past the U.S. government has depended too much on the private sector to defend the nation's critical infrastructure.

"The private sector owns most of the shoreline, but we still need a navy," Lewis explained. "We do not ask airlines to defend our airspace against ballistic missiles, bombers or fighter jets because they are incapable of defeating these foes. The same is true for cyberspace. We should ask companies to do only what makes sense from a business perspective and not ask them to shoulder national defense burdens for which they are unequipped."

While protecting critical infrastructure requires a close alliance among companies and Homeland Security, voluntary approaches to guarding systems and self-regulation are not safe, he said. "We have used voluntary self-regulation for the last 13 years, and it is inadequate for national security," Lewis said.

Industry should develop standards to block potential threats, and the government should ensure they are adequate, he said, adding that this arrangement has the benefit of avoiding prescriptive regulations without jeopardizing national security.

Some industry groups are urging against uniform mandates for every network, advocating instead for voluntary strategies tailored to each system's level of risk.

"We encourage Congress to draw a bright line between critical and noncritical infrastructure," testified TechAmerica President Phil Bond. "Industry and government need to work together to make the right determinations for what is critical, and what the implications are for that designation."

In addition, industry wants the government to establish incentives that would encourage buy-in among companies. One example Bond gave was exempting a company from a requirement to notify consumers about data breaches if the organization shows that it took precautions in advance of the infiltration to render the data illegible should it fall into the wrong hands.