U.S. government pronouncements about the danger of a major cyberattack can be confusing. The director of national intelligence, James Clapper, and the head of the U.S. military's Cyber Command, Army Gen. Keith Alexander, delivered mixed messages this week while testifying on Capitol Hill.
Clapper told the Senate Intelligence Committee that the prospect of a computer attack on the nation's critical infrastructure is now the top security threat facing the country, surpassing terrorism.
"It's hard to overestimate its significance," Clapper said.
In a separate appearance before the Senate Armed Services Committee, Alexander issued a similar warning.
"All our systems today — our power systems, our water systems, our governments, our industry — depend on computers, depend on computerized switches, depend on these networks," Alexander said. "All are at risk. If an adversary were to get in, they could essentially destroy those components."
Asked by Republican Sen. Lindsey Graham whether such an intrusion would cause as much or more damage than the attacks of Sept. 11, 2001, Alexander answered, "That's correct. I think it would."
The Clapper and Alexander testimonies, however, were worded carefully. Clapper, in an assessment representing the views of the entire U.S. intelligence community, characterized the chance of a major cyberattack against U.S. infrastructure in the next two years as "remote."
"The level of technical expertise and operational sophistication required for such an attack will be out of reach for most actors during this time frame," the assessment stated. "Advanced cyber actors — such as Russia and China — are unlikely to launch such a devastating attack against the United States outside of a military conflict or crisis that they believe threatens their vital interests."
Alexander was similarly reassuring in his written testimony.
"We feel confident that foreign leaders believe that a devastating attack on the critical infrastructure and population of the United States by cyber means would be correctly traced back to its source and elicit a prompt and proportionate response," Alexander said. "We [therefore] have some confidence in our ability to deter major state-on-state attacks in cyberspace."
So what about a cyber-9/11, or a "cyber-Pearl Harbor," the scenario envisioned in an October 2012 speech by then-U.S. Defense Secretary Leon Panetta? Is the scare talk just hype?
Cyber expert James Lewis of the Center for Strategic and International Studies says he put that question recently to what he calls "one of the leading hypers" of the cyberthreat.
"I said, 'Oh, come on, you know it's not going to be Pearl Harbor,' " Lewis says. "And he said, 'Yeah.' But he wants people to pay attention. And nobody is doing anything."
Cybersecurity experts in both industry and government say the country is unprepared to deal with computer threats.
"So there are some folks out there who have believed we needed to hype the threat to get the country to move, on the theory that democracies don't do anything until they've had a disaster," Lewis notes. "He's probably right, but I think it has been overhyped."
The immediate security problem is cybercrime and cyberespionage, not cyberwar. President Obama's national security adviser, Tom Donilon, this week accused computer hackers from China of stealing confidential business information and technology.
"Increasingly, U.S. businesses are speaking out about their serious concerns about sophisticated, targeted theft through cyber-intrusions emanating from China on a very large scale," Donilon said.
Industry and government leaders say the everyday theft of trade secrets is undermining the U.S. economy. Beyond that is the danger that some country, in the future, might be tempted to launch a major cyberattack that could knock out portions of the U.S. power grid or paralyze the financial system. It is unlikely now, but some up-and-coming cyber powers are a cause for concern. Among them is Iran, suspected of carrying out a recent attack against the state oil company in Saudi Arabia.
"One thing most of us didn't expect was the Iranians [going] from zero to 60 in about eight months," Lewis notes. "China, Russia, these are responsible countries. They're not going to start a war. How comfortable do you feel saying that about the Iranian Revolutionary Guard?"
At this point, even the leaders of Iran may see little reason to spark a major cyber-confrontation with the United States. Their calculation, however, could change at some point, considering the current hostility between the two countries.