The U.S. Central Intelligence Agency, working with the Federal Bureau of Investigation, the Department of Homeland Security and the Pentagon, this week will publish the first-ever classified National Intelligence Estimate (NIE) on the threat of cyberterrorism against U.S. critical infrastructures. News about the estimate, which was first requested in March 2000 by a senior member of the House Armed Services Committee, came Tuesday during a Senate Judiciary subcommittee hearing on cyberterrorist threats and capabilities.
However, Sen. John Kyl (R-Ariz.), chairman of the Senate Subcommittee on Terrorism, Technology and Homeland Security, and ranking member Sen. Diane Feinstein (D-Calif.) expressed concern that the Department of Homeland Security has not focused enough high-level attention on the threat posed by terrorist-sponsored cyber disruptions or physical attacks against critical cyber infrastructures.
“I’m afraid that we’re not taking this threat seriously enough,” said Feinstein. In particular, she said she was troubled by the decision to move the position once held by former cybersecurity czar Richard Clarke from the White House to where it now sits, several layers down in the DHS bureaucracy. She questioned the extent to which Amit Yoran, the current director of the National Cyber Security Division at the DHS, can influence the overall national homeland security strategy.
Yoran, however, said the DHS does not view cybersecurity as a separate entity, but “one element” of a larger critical infrastructure protection strategy.
Kyl pressed Yoran to answer specific questions about the cyberthreats posed to the U.S. by both nation-states and terrorist organizations. Yoran was unable to provide any answers and relied instead on supporting testimony from John Malcolm, deputy assistant attorney general at the Justice Department, and Keith Lourdeau, deputy assistant director of the FBI’s Cyber Division.
According to Yoran, the DHS takes a “threat-independent” approach to cybersecurity and does not assess the capabilities or intent of any specific group or individual. “We’ll have to wait and see what the NIE says,” Yoran told Kyl.
Lourdeau said the FBI’s assessment indicates that the cyberterrorist threat to the U.S. is “rapidly expanding.” In addition, the FBI predicts that “terrorist groups will either develop or hire hackers, particularly for the purpose of complementing large physical attacks with cyberattacks,” he said.
Describing what could have become a cyberterrorist incident, Lourdeau explained how two hackers on May 3, 2003, sent an e-mail to the National Science Foundation’s Network Operations Center. In it, they claimed to have penetrated the NSF network that controls life-support systems for dozens of scientists at a South Pole research station at a time when weather conditions would not permit aircraft to deliver assistance.
The e-mail, which threatened to expose the vulnerability data unless the attacker was paid money, “contained data only found on the NSF’s computer systems, proving that this was no hoax,” said Lourdeau.
The FBI eventually determined that the intruders were using computers in a cybercafe in Romania and had first hacked into a system operated by a trucking company in Pittsburgh before breaking into the NSF network. The two hackers were arrested in June.
Malcolm urged the committee “not to allow the provisions (of the USA Patriot Act) to sunset.” According to him, key provisions of the law, including those that permit courts to issue nationwide search warrants for electronic communications, are “essential to any prosecution of cyberterrorism.”