WASHINGTON – The National Security Agency (NSA) chief told a congressional panel last week several foreign countries have infiltrated the computers of critical industries of the United States to obtain information that could be used for a destructive attack.
NSA Director Adm. Michael Rogers, who took the helm of the agency in April, said that foreign criminal gangs have traditionally hacked into U.S. commercial systems to steal information that they could use or sell for a profit. But a new trend is emerging as these groups and foreign governments are increasingly cooperating with one another.
U.S. intelligence officials have seen these criminal groups acting “as a surrogate” for other groups and nations wanting to “obscure their fingerprints,” he said.
Rogers said some nations have developed the capabilities to infiltrate the networks of industrial-control systems used to operate critical infrastructure, such as the power grid, nuclear power plants, air traffic control, and subway systems.
“We see them attempting to steal information on how our systems are configured, the very schematics of most of our control systems, down to engineering level of detail so they can look at where are the vulnerabilities, how are they constructed, how could I get in and defeat them,” he testified before the House Intelligence Committee. “We’re seeing multiple nation-states invest in those kinds of capabilities.”
A recent report by Mandiant, a security company, found that Chinese government hackers have stolen information relating to intellectual property from several U.S. companies to support Chinese state-owned enterprises. The report also stated that Chinese government hackers have stolen data from a power-systems manufacturer.
Asked whether China was the only nation investing heavily in these capabilities, Rogers said there are “one or two others” that are attempting to do reconnaissance on U.S. industrial-control systems and learn more about the nation’s networks of critical infrastructure.
“There shouldn’t be any doubt in our minds that there are nation-states and groups out there that have the capability . . . to shut down, forestall our ability to operate our basic infrastructure, whether it’s generating power across this nation, whether it’s moving water and fuel,” he said. “Those tend to be the biggest focus areas that we have seen.”
The Department of Homeland Security issued an alert earlier this month that identified malicious software implanted in the software that runs some of the nation’s critical infrastructure. Sources told ABC News they have found evidence that Russian hackers believed to be sponsored by the Russian government inserted the malicious software.
Another “coming threat,” Rogers warned, is an increase of cyber attacks on mobile devices. He said the increase in popularity due to their appeal as “vehicles to enhance our productivity” makes them ideal targets for hackers.
“The flipside is those same things that make [them] attractive…the ability to use [them] in all sorts of environments almost universally in any place…also represents an increased potential for vulnerability,” he said.
Rogers said he expects a major cyber attack against the U.S. within the next decade.
“I fully expect that during my time as a commander, we are going to be tasked with defending critical infrastructure in the United States,” he said. “It’s only a matter of the when, not the if, that we’re going to see something traumatic. …I bet it happens before 2025.”
Rogers is also the head of U.S. Cyber Command, the military division responsible for U.S. offensive and defensive strategies in cyberspace. The command, which was established in 2009, is the central hub for the other U.S. military cyber commands.
Defense Secretary Chuck Hagel has called for Cyber Command to have more than 6,000 staff by 2016. Rogers noted that the command is “moving along in that journey,” meeting about 40 percent of the personnel target.
The NSA chief said two things are needed to address cyber threats: information-sharing legislation and international norms of behavior for cyberspace.
“We need to develop a set of norms and behaviors that we can fundamentally agree with as a starting point for how we’re going to behave and act within this environment,” Rogers said.
House Intelligence Committee Chairman Mike Rogers (R-Mich.) said the federal government has “an obligation to help the private sector by sharing this threat information about potential attacks before they happen.”
“Most of our critical infrastructure providers are doing their best to better secure their networks. But if they get attacked by an adversary with the resources and capabilities of a nation-state like China or Russia or Iran, it certainly isn’t a fair fight,” Rogers said.
Rogers, who is retiring from Congress after his current term, and Rep. Dutch Ruppersberger (D-Md.), the committee’s top Democrat, urged their Senate colleagues for passage in the lame-duck session of a bill that would permit sharing of cyber threat information between the private sector and the government. The House passed its version of the bill, sponsored by Rogers and Ruppersberger, in April 2013, but it drew a veto threat from the White House and generated widespread opposition due to privacy concerns.
Leaders from the intelligence committees in both chambers have been meeting regularly and “working closely” on the issue, Ruppersberger said.