"Stopping terrorists is the number one priority," said FBI director Robert Mueller. "But down the road, the cyber threat will be the number one threat to the country. I do not think today it is necessarily [the] number one threat, but it will be tomorrow."
The rare open hearing of the Senate's intelligence committee, an annual one that surveys the threats to the United States from around the globe, included testimony by Mueller, director of national intelligence James Clapper, and CIA director David Petraeus. Tuesday's hearing looked at the broad spectrum of threats to the nation, but numerous administration officials will brief Congress in a classified hearing today that will focus more pointedly on cybersecurity.
Congress' interest in cybersecurity remains high. Both the House and Senate continue to work toward comprehensive legislation on the issue. The House Committee on Homeland Security is marking up cybersecurity legislation Wednesday, and the Senate will move to consider a comprehensive cybersecurity bill later this month, though industry has raised concerns about cost over the Senate bill. The Senate homeland security and governmental affairs committee has indicated that it may hold a hearing on that bill within the next two weeks.
Clapper said that cybersecurity is already at the forefront of national security concerns, right there with terrorism, proliferation of weapons, and espionage. "In the last year, we observed increased breadth and sophistication of computer network operations by both state and non-state actors," he said in prepared testimony.
[ Read about the Obama Administration's efforts to update current cybersecurity legislation: White House Presses For New Cybersecurity Laws. ]
The greatest challenges to protecting against cyber threats, Clapper said, are the difficulty of providing timely and actionable warning of attacks--he cautioned that "many intrusions into U.S. networks are not being detected"--and the complex vulnerabilities within the IT supply chain. Attribution remains a difficult technical challenge, but the government is increasingly sharing threat information among government agencies and with the private sector. Vulnerabilities in the IT supply chain have been a concern for the Department of Defense for several years, but the issue has not been raised to the same level of public discourse as information sharing and the range of cybersecurity technologies that agencies are implementing to thwart attacks.
Clapper singled out attacks from China and Russia as the biggest threats from state actors and said that those two countries have been responsible for "extensive illicit intrusions" into U.S. networks, but also said that Iran's cyber capabilities have "increased in depth and complexity" in recent years. China and Russia have been high on cyber-watchers' lists of concerns for several years now, but Iran is a relatively new addition. Iran's military recently claimed that it brought down an American drone by hacking into its guidance systems.
The intelligence community isn't concerned only with threats from other countries, however. Clapper said that non-state actors are increasingly gaining in prominence, and in fact already have "easy access to potentially disruptive and even lethal technology." For example, he noted that hacker groups like Anonymous and LulzSec have been carrying out a consistent campaign of distributed denial of service attacks and website defacements, and that intrusions into NASDAQ and the International Monetary Fund "underscore the vulnerability of key sectors of the economy."
Targets against security technologies themselves, such as last year's attack against security company RSA, which led to several other attacks, are also of particular concern, Clapper said. He also lashed out against "wholesale plundering" of American intellectual property.
At the hearing, senators also sparred with witnesses about which agencies would take charge in the event of a major cyber-attack, and what the role of the president would be. For example, Sen. Barbara Mikulski, D-Md., raised concerns about what would happen in the event of an attack on the electrical grid of a city hosting a political convention. While representatives from the DHS and FBI both said the initial response would fall to DHS, FBI director Mueller said that the FBI or NSA would be the ones to determine attribution.
InformationWeek's 2012 Government IT Innovators program will feature the most innovative government IT organizations in the 2012 InformationWeek 500 issue and on InformationWeek.com. Does your organization have what it takes? The nomination period for 2012 Government IT Innovators closes April 27.