Cyber-attacks on US grow, experts say

A panel of government experts Tuesday once again warned lawmakers that cyber-attacks against the nation’s computer networks are growing more frequent and increasingly sophisticated, while the U.S. has lagged behind on implementing the necessary protections.

The House Energy and Commerce subcommittee on Oversight and Investigations held the first in a series of hearings on cybersecurity and securing the nation’s critical infrastructure featuring two representatives from the Department of Homeland Security’s cyberdivision.

In their opening statements, full committee Chairman Fred Upton (R-Mich.) and subcommittee chairman Cliff Stearns (R-Fla.) both argued that the committee should play a significant role in the upcoming debate over comprehensive cybersecurity legislation.

“In the face of cyberthreats that are both more frequent and more sophisticated, this committee is well-positioned to play an important role in any comprehensive cybersecurity legislation that moves through the House,” Upton said.

A turf battle between two Senate committees — Commerce, Science and Transportation and Homeland Security and Governmental Affairs — delayed comprehensive cybersecurity legislation in the upper chamber for the better part of a year. Both committees sought jurisdiction over federal cybersecurity standards for private networks deemed critical infrastructure.

Senate Majority Leader Harry Reid (D-Nev.) indicated a compromise had been reached around the time the White House released its own comprehensive cybersecurity legislation in May, which would give the Department of Homeland Security the task of protecting the nation’s non-military networks.

Stearns said he plans to call additional hearings to examine how such individual sectors as communications and energy are protected. The
House Homeland Security Committee held a hearing last month on the
administration’s proposal; the House Oversight and Government Reform Committee held its own
earlier this month.

Gregory Wilshusen, director of information technology for the Government Accountability Office, told lawmakers the administration has implemented only two of 24 recommendations generated by the president’s cyberspace policy review to improve security.

Officials told the GAO that progress has been slower than expected because agencies lack cybersecurity officials with defined roles and responsibilities, Wilshusen said in his opening statement. He added that the DHS team in charge of responding to attacks must improve its analysis and warning capabilities.

“In summary, the threats to information systems are evolving and growing, and systems supporting our nation’s critical infrastructure are not sufficiently protected to consistently thwart the threats.” Wilshusen said.

When asked by Stearns specifically about the Stuxnet virus, which affected Siemens industrial systems used by the Iranian nuclear program, Wilshusen said Stuxnet had exploited an unknown vulnerability, performed advanced reconaissance and left behind malicious code that resulted in physical damage to Iran’s nuclear ambitions.

Sean McGurk, director of the National Cybersecurity and Communications Integration Center at DHS’s cyberdivision, told Stearns he couldn’t be sure if the 300 companies using the same Siemens systems in the U.S. had implemented the recommended security precautions to guard against the worm. If implemented, he said, those precautions would fend off an attack.

McGurk and Acting Assistant Secretary of the DHS Office of Cyber Security Bobbie Stempfley agreed with Wilshusen that attacks on U.S. government networks are growing more frequent and increasingly sophisticated.

When asked, Stempfley said the Monday resignation of Randy Vickers as head of DHS’s Computer Emergency Readiness Team had been a personal decision.