WASHINGTON – Homeland Security and Governmental Affairs Committee Chairman Joe Lieberman, ID-Conn., and Ranking Member Susan Collins, R-Me., Wednesday – as well as all four witnesses at a Committee hearing on a new cyber security threat – said the public and private sectors must work together to deter the very real possibility of cyber attacks on the operating systems of the nation’s critical infrastructure – not just by a recently discovered worm, known as Stuxnet, but also by far less powerful threats.
At a hearing on the implications of the recently discovered malware known as Stuxnet, the Senators heard testimony describing the malware as potentially far more destructive than any previously known cyber threat.
Lieberman said that the discovery makes passage of cyber security legislation that he, Collins, and Senator Tom Carper, D-Del., drafted and passed out of Committee all the more important. He promised it would be a top Committee priority in the 112th Congress since the White House and other key members of Congress did not engage sufficiently to pass the bill in the lame duck session.
“Stuxnet really takes the reality of the cyber threat to a new level and should awaken the skeptics,” Lieberman said. “It is really chilling, in terms of its effect. I would compare it to a guided missile in conventional warfare… But the reality is that the current, porous state of our nation’s infrastructure means that it wouldn’t take malware as robust and sophisticated as Stuxnet to cripple many of our critical systems. We want to make sure we put proper security in place before a major attack.”
Collins said: “Much attention has been paid to cyber crimes such as identity theft and to cyber attacks intended to steal proprietary information or government secrets. But lurking beyond those serious threats are potentially devastating attacks that could disrupt, damage, or even destroy some of our nation’s critical infrastructure, such as the electric power grid, oil and gas pipelines, dams, or communication networks. The newest weapon in the cyber toolkit was introduced to the world in June, when cybersecurity experts detected a cyber worm called Stuxnet.
“I believe that this problem is urgent,” Collins continued. “We have introduced bipartisan, comprehensive legislation to deal with this threat. Unless this legislation becomes law, my fear is that we’ll wait until we have a successful ‘cyber 9/11’ before acting. So I’d like to see us be proactive on this issue and I believe our bill points the way.”
Stuxnet specifically targets computer systems that control electricity, water treatment, nuclear and chemical plants, pipelines, communications networks, transportation systems and other critical infrastructure, and it is unique in its complexity, flexibility, and resilience. Neither its creator nor its target is known.
HSGAC has held numerous hearings over the years on denial of service attacks that shut down commercial websites and phishing schemes that trick people into giving away crucial information that could then be used to empty corporate bank accounts or steal industrial or national secrets. But Stuxnet is called a “game changer” by those who have studied it.
Here’s how it works: Stuxnet initially infects computers through tainted USB thumb drives, and exploits four different Microsoft Windows security vulnerabilities that had been unknown until Stuxnet was set loose.
Stuxnet has some 4,000 functions; by comparison, the software that runs the average e-mail server has about 2,000 functions. Stuxnet can even update itself automatically.
The “Protecting Cyberspace as a National Asset Act of 2010” (S.3480) would give the federal government modern tools to secure and defend the nation’s most critical cyber networks and establish public/private partnerships that will help set those kinds of national cyber security priorities. Specifically, the bill would establish a National Center for Cybersecurity and Communications within the Department of Homeland Security and empower that Center to help secure critical infrastructure networks. This would raise the security bar for all systems, making attacks more difficult, and putting in place processes that will help remediation after a successful attack.
Witnesses were: Sean McGurk, Acting Director, National Cybersecurity and Communications Integration Center, Department of Homeland Security; Michael J. Assante, President and Chief Executive Officer, National Board of Information Security Examiners; Dean Turner, Director of Global Intelligence Network, Symantec Corporation; and Mark W. Gandy, Global Manager, Information Technology Security and Information Asset Manager at Dow Corning Corporation, and representing the American Chemical Association.