Several foreign countries, including China, have infiltrated the computers of critical industries in the United States to steal information that could be used in the planning of a destructive attack, the director of the National Security Agency said Thursday.
That was one of the cyberthreats outlined at a congressional hearing by Adm. Michael S. Rogers, who also said he expects that criminal gangs may become proxies for nations carrying out attacks on other nations.
“There are multiple nation-states that have the capability and have been on the [industrial] systems,” he said before the House Intelligence Committee.
“We see them attempting to do reconnaissance on our systems” to steal “specific schematics of most of our control systems” down to the engineering details, said Rogers, who also heads U.S. Cyber Command, the Pentagon’s cyberoffensive unit.
In the past, U.S. intelligence officials warned that the Chinese had penetrated the electric grid. Now, Rogers has confirmed that “there’s probably one or two others” that have also wormed their way in.
“There shouldn’t be any doubt in our minds that there are nation-states and groups out there that have the capability . . . to shut down, forestall our ability to operate our basic infrastructure, whether it’s generating power across this nation, whether it’s moving water and fuel,” he said. “Those tend to be the biggest focus areas that we have seen.”
A recent report by Mandiant, a security company, stated that Chinese government hackers have stolen data relating to manufacturing processes from a maker of power systems. Other security researchers say they have found evidence of the Russian government targeting U.S. industrial control systems.
Rogers, who in April became the head of the NSA and of Cyber Command, said that foreign criminal gangs have traditionally hacked into U.S. commercial systems to steal information, such as credit card numbers, that they could sell to generate revenue. He forecast that, in the coming year, “you will start to see . . . in many instances some of those criminal gangs not engaging just in the theft of information . . . but also potentially as a surrogate for other groups, other nations” that want to “obscure their fingerprints.”
The gangs, most of which are Russian-speaking, have begun in some cases to use the tools developed by nation-states. “That’s a troubling development for us,” he said.
“Cyber hit men for hire,” quipped Rep. Mike Rogers (R-Mich.), the committee chairman.
The Cyber Command head said he agreed with a recent Pew Research Center report that found a majority of cyberexperts predicted a catastrophic attack within the United States by 2025. “I fully expect that during my time as a commander, we are going to be tasked with defending critical infrastructure in the United States,” he said. “It’s only a matter of the when, not the if, that we’re going to see something dramatic. . . . I bet it happens before 2025.”
Over the past year and a half, the NSA has been the focus of intense controversy over revelations that it has been collecting in bulk the phone-call data — not the content — of millions of Americans. Concerns about overreach in the surveillance area have bled into the cybersecurity realm.
Rogers said that in cybersecurity, the NSA wants technical data, such as malware signatures, and not personal identifying information. “I don’t want people’s personal data,” he said. “Names, addresses — that’s none of the kind of thing we’re talking about.”
Gathering such data, he said, “will slow us down” because of rules regarding the protection of U.S. citizens’ information.
Legislation to encourage the sharing of cyberthreat data between the private sector and the government has stalled in part because of concerns that the NSA will obtain Americans’ personal data.
Rogers also said the NSA is not monitoring private-sector networks. “You don’t want NSA in the private-sector network,” he said. “I’m not in the private-sector network.”
The NSA, however, does help companies that seek its assistance during a breach.
In the area of surveillance, Rep. Adam B. Schiff (D-Calif.) pressed Rogers as to why the NSA could not stop collecting the phone data in bulk and instead seek it on a case-by-case basis when it has identified a suspected terrorist’s number. On Tuesday, the Senate failed to advance a bill aimed at achieving that.
Rogers did not answer the question directly, instead referring to a January speech in which President Obama directed the government to continue the program while Congress enacts changes.
In response to a question from Schiff, Rogers said the NSA has not begun to work with the phone companies on a transition away from the NSA storing the data “in no small part because the corporate sector has indicated to us they’d rather wait for . . . the specific requirements.”