Several nations around the globe are capable of launching catastrophic cyberattacks but have refrained from doing so because it would be perceived as an act of war, a veteran security expert said Wednesday.
“We’ve been incredibly lucky but I do believe that things may change,” Charles Carmakal, vice president of Mandiant, a cybersecurity firm owned by FireEye of Milpitas, California, said at a forum Wednesday.
Director of National Intelligence Dan Coats opened the 8th Annual Billington Cybersecurity Summit with a warning that digital threats to the United States are mounting.
“We have not experienced — yet — a catastrophic attack. But I think everyone in this room is aware of the ever-growing threat to our national security,” Coats said, adding that attacks on electrical grids and other utilities are a rising concern.
“It doesn’t take much effort to imagine the consequences of an attack that knocks out power in Boston in February or power in Phoenix in July,” Coats said.
Coats said he was about to head over to the White House to offer President Donald Trump his daily presidential brief on intelligence matters.
“Among the many issues that we discuss on an almost daily basis, cyber threats have risen to almost the top,” Coats said, noting that adversaries like China and Russia “are becoming more assertive, more capable and more adept at using cyberspace to threaten our interests.”
Carmakal identified Russia and China as nations with offensive cyber units capable of penetrating operating systems of major utilities. Russia demonstrated its digital heft in attacks on Ukraine’s power grid in December 2015, and again a year later, he said.
The 2015 attack knocked out power for up to six hours in parts of Ukraine.
It was the dead of winter. It was incredibly cold.
Charles Carmakal, Mandiant cybersecurity
“It was the dead of winter. It was incredibly cold,” Carmakal said, adding that the cyberattack on the power grid repeated in December 2016.
“This was yet another offensive operation which we believe to be orchestrated by the Russian government to inflict pain and harm on the Ukraine,” he said.
Cyber forensics specialists now concur that a global cyberattack that began June 27 in Ukraine, dubbed NotPetya, masqueraded as a ransomware attack designed to raise money but was actually a destructive operation, Carmakal said. The attack spread around the world, freezing the hard drives of tens of thousands of computers, disrupting operations of global companies like the U.S. pharmaceutical giant Merck, the British advertising giant WPP and the Danish shipping line AP Moller-Maersk
Carmakal said Chinese state-sponsored hackers had shown their ability to penetrate into sensitive U.S. energy companies.
“I have seen first-hand Chinese military actors and other state-sponsored entities gain access to the operations, technology and environments of oil and gas companies and nuclear power plants,” he said. “Essentially they had the ability to actually cause significant disruption to those organizations. They could shut down the distribution of electricity.”
Such shutdowns could “absolutely” affect regions of the country, though not the whole nation, he said.
Both Iran and North Korea are advancing rapidly in offensive cyber capabilities, he said.
We saw them do a lot of really silly, really sloppy things.
Charles Carmakal, Mandiant cybersecurity
As recently as 2013, Iranian state hackers seemed inept. “We saw them do a lot of really silly, really sloppy things,” Carmakal said. But they improved, and have sought to conduct economic espionage on the United States, he said.
“We saw them break into an organization and essentially taunt the executives and taunt the board members and steal data and release it on the open market just to embarrass the organization,” Carmakal said, without naming the victim.
Much of the crucial systems that keep water and electricity flowing in the United States, and help operate air traffic safely are vulnerable to attack, he said.
“A lot of times they are running very old technology that just can’t be patched,” he said.