Recent security breaches at Sony Pictures, Target and Home Depot have put a spotlight on the vulnerabilities of the nation’s cyber systems.
But an NBC Bay Area investigation reveals concerns from some of the country’s leading cyber security experts that threats have moved beyond movies, credit cards and bank accounts, to the ability to hack into computer systems that control vital infrastructure.
For nearly two decades, the United States government has known and warned about potential threats to critical infrastructure, including nuclear plants, electric substations, gas pipelines, transit systems, chemical facilities and drinking water supplies.
“It’s those systems, that if we lose them, it’s going to have a serious impact on our way of life,” said Perry Pederson, a Washington, D.C.-based expert on cyber security.
In 2007, when Pederson worked for the Department of Homeland Security (DHS), he helped design a government test now known as Project Aurora. The experiment involved hacking into a replica of an Idaho power plant’s control system and causing it to smoke, shake and self-destruct.
“It ultimately proved and demonstrated on video that you can destroy physical equipment with a cyber-attack,” Pederson said. “It’s a type of vulnerability we should be concerned about.”
But Pederson said the United States isn’t employing the lessons learned from the experiment.
“Aurora should have been a wakeup call, and we just hit the snooze button and go back to sleep,” Pederson said.
What has served as a wakeup call to some Americans is the government’s recent decision to divulge previously classified information about the Aurora experiment.
“It was an incredibly, incredibly bad thing to have done,” said Joe Weiss, a Bay Area-based control system security specialist. “What it did is put all of that information in the hands of the bad guys who never had it.”
DHS released 840 documents detailing the vulnerabilities Project Aurora revealed. It is information that implicates potential targets in the Bay Area and across California. NBC Bay Area’s investigation intentionally withholds specific details from the records.
In an email, DHS defended the decision to release the information. “The documents were thoroughly reviewed for sensitive or classified information prior to their release to ensure that critical infrastructure security would not be compromised,” it wrote.
“This is a roadmap for a bad guy, and this is what DHS put out,” Weiss said. “One of [the documents] even had a picture to show where you would go to the substation to destroy the equipment.”
Weiss characterized the country’s infrastructure as very “cyber fragile,” and has testified in front of Congress about his tracking of cyber events targeting critical infrastructure overseas and on U.S. soil.
He says he has documented almost 400 attacks on systems that control infrastructure. Weiss and others believe that terrorist networks like al Qaeda have been examining the fragility of America’s vital infrastructure.
Around the time that Sony’s computer systems were breached by hackers last December, two major security incidents involving critical infrastructure were unfolding abroad. Hackers successfully accessed computer systems at a nuclear power plant in South Korea and a steel mill in Germany.
“Some people worry about we’re on the brink of a cyber-arms race,” Pederson said. “I would say, no, we’re not on the brink of it; we’re in the thick of it. We’re in it.”
Weiss believes the government has not moved fast enough to address real threats. Pederson said the government’s inaction is a symptom of “waiting for something to happen” and getting “serious after.”
While the need to address cyber security breaches has resonated with federal lawmakers, significant change to the country’s cyber security landscape hit a government roadblock as Congress struggled to understand how much change private industry and the public are willing to accept.
A bill by California Sen. Dianne Feinstein recently stalled on Capitol Hill. The legislation called for information sharing between private companies and the U.S. government, and aimed to improve the detection of cyber-attacks and slow the progress of hackers.
“Cyber-attacks cost the economy hundreds of billions of dollars a year and this will only get worse,” said Feinstein in a statement in January. “Congress must take steps to minimize the damage.”
South Bay Rep. Zoe Lofgren shares that opinion, but she said it’s not clear if government is the right lead, noting that “technology moves faster than legislation.”
“There are a lot of things the private sector should do without the government,” Lofgren said, “but since they are not, we are going to have to put some requirements into law to move them along.”
But wanting change and producing change don’t always intersect in Washington, D.C.
Back in 1998, President Bill Clinton issued an 11-page directive warning of the dangers of potential cyber-attacks. “I intend that the United States will take all necessary measures to swiftly eliminate any significant vulnerability to both physical and cyber-attacks on our critical infrastructures, including especially our cyber systems,” that memo said.
Since then, federal agencies including the Environmental Protection Agency and the National Transportation Safety Board have warned about vulnerabilities in computer systems that control sources of drinking water and gas pipelines.
Just two years ago, in February 2013, President Barack Obama wrote in another presidential directive that “it is the policy of the United States to strengthen the security and resilience of its critical infrastructure against both physical and cyber threats.”
Now, in 2015, Washington has yet to develop a consensus on how to handle hackers. Pederson and others fear that it will take a significant disaster, a massive loss or major lawsuit before the American public and the private sector are willing to accept the cost that real cyber security upgrades require.
“Security is never going to be cheaper or more convenient,” Pederson said. “Until the public accepts this, recognizes that [a major attack] is what we’re going to have as a result, we are going to have continued breaches. Continued successful cyber-attacks.”