China and probably “one or two” other countries have the capacity to use a cyber attack and shut down the entire United States power grid, a catastrophe that could lead to significant loss of life, NSA Director Michael Rogers told a House panel Thursday.
“This is not theoretical,” Rogers said.
Rogers’ stark words came only three weeks after a report by the Pew Research Center predicted that by 2025, the nation will suffer a “major cyber attack” that will cause “widespread harm,” substantial loss of life and damage in the tens of billions of dollars.
Pew surveyed 1,625 computer and Internet experts for the report, and Rogers told the panel he did not disagree with it. He said the attack could shut down not only the power grid but other critical infrastructure.
Rogers also serves as head of U.S. Cyber Command.
“There shouldn’t be any doubt in our mind that there are nation states and groups out there that have the capability to do that – to enter those industrial [power grid] control systems and to shut down … our basic infrastructure,” Rogers told the House Intelligence Committee.
Worse, Rogers indicated the US already has found malware from China on major computer systems that is capable of doing great harm.
“It enables you to shut down very segmented, very tailored parts of our infrastructure that forestall the ability to provide that service to us as citizens,” Rogers said.
Such malware can cause “truly significant, almost catastrophic, failures if we don’t take action.”
Story continues below video
Should the power grid go down for just a single week, it is estimated approximately 1 million Americans likely would die from a lack of medical care and sanitation, and from civil unrest. If the power grid stays down a year, two-thirds of the population (200 million people) could die from starvation and lawlessness, according to the EMP Commission report to Congress.
In 2013 a report from the cyber security company Mandiant found that “a group of hackers in China were gaining access into American corporations, organizations and government agencies,” including “critical infrastructure” such as the “power grid, gas lines and waterworks.”
China and nations like it have a specific goal, Rogers said.
“We see them attempting to steal information on how our systems are configured, the very schematics of most of our control systems, down to engineering level of detail so they can look at where are the vulnerabilities, how are they constructed, how could I get in and defeat them,” Rogers said, according to CNN. “We’re seeing multiple nation-states invest in those kinds of capabilities.”
Patrick Tucker, a grid and computer security expert and the author of The Naked Future, said he fear politicians will take action on the threat only after it’s too late.
“Today, cities around the world use supervisory control and data acquisition (SCADA) systems to manage water, sewage, electricity, and even traffic lights,” he told Pew. “Independent analysis has found that these systems suffer from 25 different security vulnerabilities. That’s bad enough, but then consider how human error and incompetence makes these common systems even less secure.
He added, “Many of the IT managers that use these systems haven’t changed the manufacturer-installed security codes. As writers Indu B. Singh and Joseph N. Pelton have pointed out in The Futurist magazine, that failure to take even the most basic security precautions leaves these systems open to remote hacking.”
Former Department of Homeland Security Secretary Janet Napolitano once said that a power grid cyber attack is a matter of “when,” not “if.”
“Our country will, at some point, face a major cyber event that will have a serious effect on our lives, our economy and the everyday functioning of our society,” Napolitano said. “While we have built systems, protections and a framework to identify attacks and intrusions, share information with the private sector and across government, and develop plans and capabilities to mitigate the damage, more must be done, and quickly.”
Do you believe America is vulnerable to a cyber attack? Share your thoughts in the section below: