A report tying the Chinese military to computer attacks against American interests has sent a chill through cyber-security experts, who worry that the very lifelines of the United States — its energy pipelines, its water supply, its banks — are increasingly at risk.
The experts say that a successful hacker attack taking out just a part of the nation’s electrical grid, or crippling financial institutions for several days, could sow panic or even lead to loss of life.
“I call it cyberterrorism that makes 9/11 pale in comparison,” Rep. Mike Rogers, a Michigan Republican and chair of the House Intelligence Committee, told NBC News on Tuesday.
An American computer security company, Mandiant, reported with near certainty that members of a sophisticated Chinese hacking group work out of the headquarters of a unit of the Chinese army outside Shanghai.
The report was first detailed in The New York Times, which said that the hacking group’s focus was increasingly on companies that work with American infrastructure, including the power grid, gas lines and waterworks.
The Chinese embassy in Washington told The Times that its government does not engage in computer hacking.
As reported, the Chinese attacks constitute a sort of asymmetrical cyberwarfare, analysts said, because they bring the force of the Chinese government and military against private companies.
“To us that’s crossing a line into a class of victim that’s not prepared to withstand that type of attack,” Grady Summers, a Mandiant vice president, said on the MSNBC program “Andrea Mitchell Reports.”
The report comes as government officials and outside security experts alike are sounding ever-louder alarms about the vulnerability of the systems that make everyday life in the United States possible.
Outgoing Defense Secretary Leon Panetta warned in October that the United States was facing a threat that amounted to “cyber Pearl Harbor” and raised the specter of intentionally derailed trains, contaminated water and widespread blackouts.
“This is a pre-9/11 moment,” Panetta told business executives in New York. “The attackers are plotting.”
The Times report described an attack on Telvent, a company that keeps blueprints on more than half the oil and gas pipelines in North and South America and has access to their systems.
A Canadian arm of the company told customers last fall that hackers had broken in, but it immediately cut off the access so that the hackers could not take control of the pipelines themselves, The Times reported.
Dale Peterson, founder and CEO of Digital Bond, a security company that specializes in infrastructure, told NBC News that these attacks, carried out through vendor remote access, are particularly worrisome.
“If you are a bad guy and you want to attack a lot of different control systems, you want to be able to take out a lot,” he said. “The dirty little secret in these control systems is once you get through the perimeter, they have no security at all. They don’t even have a four-digit PIN like your ATM card.”
The 34-minute blackout at the Super Bowl earlier this month highlighted weak spots in the nation’s power system. A National Research Council report declassified by the government last fall warned that a coordinated strike on the grid could devastate the country.
That report considered blackouts lasting weeks or even months across large parts of the country, and suggested they could lead to public fear, social turmoil and a body blow to the economy.
Vital systems do not have to be taken down for very long or across a particularly widespread area, the experts noted, to cause social disorder and to spread fear and anxiety among the population.
Last fall, after Hurricane Sandy battered the Northeast, it took barely two days for reports of gasoline shortages to cause hours-long lines at the pumps and violent fights among drivers.
Peterson described being in Phoenix, Ariz., during a three-day gas pipeline disruption “when people were waiting in line six hours and not going to work. You can imagine someone does these things maliciously, with a little more smarts, something that takes three months to replace.”
Similarly, hacking attacks last fall against major American banks — believed by some security experts and government officials to be the work of Iran — amounted to mostly limited frustration for customers, but foreshadowed much bigger trouble if future attacks are more sophisticated.
What worries Dmitri Alperovitch, co-founder of the computer security company CrowdStrike, is a coordinated attack against banks that modifies, rather than destroys, financial data, making it impossible to reconcile transactions.
“You could wreak absolute havoc on the world’s financial system for years,” he said. “It would be impossible to roll that back.”
While the report Tuesday focused on China, the experts also highlighted Iran as a concern. That is because China, as a “rational actor” state, knows that a major cyberattack against the United States could be construed as an act of war and would damage critical economic cooperation between the U.S. and China.
“With the Iranians in the game,” Rogers said, “what’s worrisome is they don’t care. They have no economic lost opportunity.”
Security experts have for years expressed concern, if not outrage, that the nation’s critical infrastructure remains so vulnerable so long after Sept. 11, 2001.
But the escalating threats from hackers in China and Iran, in addition to Russia and North Korea, appear to be lending new urgency to efforts to make sure companies and government agencies are better prepared.
President Barack Obama announced in his State of the Union message last week that he had signed an executive order directing federal agencies to share certain unclassified reports of cyber threats with American companies.
The next day, Rogers and Rep. Dutch Ruppersberger, a Maryland Democrat, reintroduced legislation designed in part to help companies share information. The bill passed the House last year but stalled in the Senate.
State Department spokeswoman Victoria Nuland said Tuesday that the United States has “substantial and growing” concerns about threats to the U.S. economy and national security posed by cyberattacks.
“I think as recent public reports make clear, we’re obviously going to have to keep working on this,” she said. “It’s a serious concern.”
Peterson said that oil, gas and electric companies had led the way in developing security perimeters, with water companies “kind of in the middle” and transportation and mining companies lagging.
But even the protections enacted by companies so far leave too many holes, he said.
“They’re all in the same situation,” Peterson said. “If you get through the perimeter, you can do whatever you want.”