DNI worries about cumulative, not catastrophic, cyber threat

Director of National Intelligence James Clapper told Congress on Feb. 26 that he is more worried about enduring, low-to-medium grade cyberattacks on U.S. infrastructure than any one-off, crippling attack.

"Although we must be prepared for a catastrophic, large-scale strike – a so-called 'cyber armageddon' – the reality is that we've been living with a constant and expanding barrage of cyberattacks for some time," Clapper told the Senate Armed Services Committee. "This insidious trend, I believe, will continue."

Moderate, iterative cyberattacks will "impose cumulative costs on U.S. economic competitiveness and national security," the intelligence chief said in written testimony that stressed that the government's unclassified networks remain vulnerable to cyber threats.

Clapper’s prediction that "cyber armageddon" is not on the horizon contrasts with National Security Agency Director Adm. Michael Rogers' dire warning to Congress in November that a major cyberattack could hit U.S. infrastructure before 2025. "Cyber armageddon" is a variation of the "cyber Pearl Harbor" doomsday metaphor frequently employed by officials and pundits in recent years.

The cyber threat to U.S. critical infrastructure is real. Sophisticated malware has been found burrowed in industrial control systems, for example.

But the public discussion of cyber threats to critical infrastructure needs to move beyond clichés, said Jason Healey, director of the Atlantic Council's Cyber Statecraft Initiative. "We started talking about digital Pearl Harbors in 1991," said Healey, who was director for cyber infrastructure protection at the White House from 2003 to 2005.

Casting the threat as either a one-off catastrophe or a continuation of the status quo "strikes me as a very, very limited way of talking about" cybersecurity, he said, adding that he worries it "accurately reflects the lack of deep thinking on this" in U.S. policy circles.

Policymakers should be more imaginative in considering future cyberspace scenarios, Healey added. If, for example, cyber offense and defense are more automated in the future, he asked, what implications will that have for the cyber workforce the United States is building?

But there is also the here and now. Tony Cole, vice president and global government CTO at FireEye, said a major cyberattack on the electric grid or other critical infrastructure was a "distinct possibility" in the near future, and that attacks carried out by nation-states are here to stay.

"As long as we live in [the] volatile world that we live in today, we're going to continue to see nation-state attacks," Cole said.

Clapper would seem to agree. At the Armed Services hearing, he rattled off four countries on his radar. Although Iran and North Korea "have lesser technical capabilities in comparison to Russia and China, these destructive attacks demonstrate that Iran and North Korea are motivated and unpredictable cyber actors," Clapper said. He was referencing the hacks last year of Sony Pictures Entertainment and Las Vegas Sands Corp., which were, respectively, attributed to North Korea and Iran.

The attack on Sony Pictures has been called one of the biggest corporate hacks ever. While movie studios fall under DHS's vast definition of critical infrastructure, it was not an attack on the electric grid or transport systems, which is a bigger fear for lawmakers and officials.

"Russia and China continue to develop very sophisticated cyber programs," he added. "While I can’t go into detail here, the Russian cyber threat is more severe than we have previously assessed."