Cyber attacks on computers that run the nation’s energy grid, nuclear reactors and water-treatment plants are increasing with potentially lethal effects, the Department of Homeland Security’s top investigator said.
Successful infiltrations of computer networks have the potential to create large-scale power outages or cause “physical damage, loss of life and other cascading effects that could disrupt services,” Charles Edwards, the agency’s acting inspector general, said in prepared testimony for a congressional hearing today.
At the same time, the department doesn’t always share timely information about cyber threats with companies responsible for ensuring the security of those computers, and some data provided can be confusing, Edwards said in written testimony for a House Homeland Security Subcommittee on Cybersecurity.
“These attacks range from hackers looking for attention and notoriety to sophisticated nation-states intent on damaging equipment and facilities,” Edwards said.
Cybersecurity is a top policy priority for President Barack Obama’s administration, which is seeking to prevent electronic attacks that could disrupt the nation’s banks, utilities and telecommunications networks.
The Pentagon has accused the Chinese military of intruding into U.S. government and corporate computers, while the network security firm Mandiant Corp. believes a new hacking group based in Iran has started attacks inside the U.S.
The Homeland Security Department “needs to consolidate its information sharing and communication efforts” with companies and other agencies, Edwards said.
Company officials interviewed by the inspector general complained that searching the department’s Web portal for relevant, useful information about cyber threats can be difficult and time-consuming.
The concern from these companies is “that a great deal of time might elapse” before they are made aware of an incident that could affect their systems, Edwards said.
The House has passed legislation, H.R. 624, that would encourage governments and businesses to share information about cyber threats.
The U.S. Federal Energy Regulatory Commission on April 18 proposed revisions to cybersecurity standards for the nation’s electric grid, expanding the rules to more than 60 additional companies. The North American Electric Reliability Corp., an Atlanta-based organization that develops standards for utilities, submitted the revisions to the commission in January.
Roberta Stempfley, acting assistant secretary for Homeland’s Office of Cybersecurity and Communications, defended the agency’s efforts to share information and respond to cyber attacks.
“The department has repeatedly demonstrated its ability to expeditiously support private sector partners with cyber intrusion mitigation and incident response,” she said in prepared testimony for today’s hearing.
The U.S. Computer Emergency Readiness Team, housed within the agency, reacted to about 190,000 “cyber incidents” on government and company networks in 2012, a 68 percent increase from the previous year, she said.
The department has issued more than 26,000 cybersecurity alerts since 2009, including 7,455 last year that were used by companies and agencies to protect their computers, Stempfley said.
“We continue to believe that carefully crafted information sharing provisions, as part of a comprehensive suite of cybersecurity legislation, are essential to improve the nation’s cybersecurity to an acceptable level, and we will continue to work with Congress to achieve this,” she said.