ASPEN, Colo.—Al Qaeda, nation states, and criminals are preparing for major cyber attacks against U.S. infrastructure that could be comparable to the devastating September 11 attacks on New York and Washington, a senior Justice Department official said on Thursday.
“We’re in a pre-9/11 moment, in some respects, with cyber,” said John Carlin, assistant attorney general for national security in the Justice Department.
Carlin also said during remarks at a security conference that China’s government dared the Obama administration to provide court-level evidence of Chinese military hacking against the United States.
The dare resulted in the May 1 indictment of five members of the People’s Liberation Army (PLA) hacking group known as Unit 63198, he said.
On cyber terrorist attacks, Carlin said: “It’s clear that the terrorists want to use cyber-enabled means to cause the maximum amount of destruction to our infrastructure.”
“It’s clear because they have said it,” he told the Aspen Security Forum, an annual gathering at the mountain resort town of senior, current, and former national security and military officials.
Carlin said al Qaeda leader Ayman al Zawahiri recently issued a videotape statement indicating the group is planning cyber attacks against U.S. infrastructure—such as the electrical grids or financial networks.
Terrorists, nation states Carlin did not specify, and sophisticated criminal groups “have the capability now to cause significant damage” through cyber attacks.
One example of the kind of damaging infrastructure attack that can be expected in the future was the recent cyber attack against Saudi Arabia’s state-run oil company Aramco that destroyed some 30,000 computers used to control key elements of that country’s energy infrastructure.
The recent Justice Department takedown of a cyber crime group code-named Game Over Zeus is another example of the kind of cyber attacks that terrorists could conduct in the future.
In Game Over Zeus, cybercriminals used a botnet—a network of hundreds of thousands of hijacked computers—to steal U.S. corporate data and encrypt the information and then extort payments from the companies that owned the data to release it.
“And I think many of the people and the industries that are in in this room would pay because of the important information we keep and sometimes life-saving information if we think of medical records,” Carlin said, noting that the operation was conducted for profit.
“If a terrorist group gets that same type of access or capability, they’re not going to ask for money and they are not going to wait till they try to destroy the data,” Carlin said.
“So there’s a real urgency I think now and it is going to require private and public sector cooperation given how much of the infrastructure is in private hands.”
Carlin said it would be “a shame” if current debates over national security prevent dealing with the cyber threat to infrastructure “before we’re looking backward at what happened and how we got there.”
On Chinese military hacking, Carlin said the case of the five PLA hackers grew out of Chinese government appeals to prove U.S. charges of military hacking into American companies and other organizations.
Carlin said the Justice Department has begun to approach cyber attacks using methods similar to its efforts to counter terrorism and since the early 2000s the government has learned more about intrusive cyber penetrations in the United States.
“We’ve become much much better at observing what is currently going on in terms of the information that as we speak is being taken from hard working Americans who are looking to create and innovate, and it’s being stolen, day in and day out, and used by their competitors to the disadvantage of the American companies,” he said.
“From our perspective we have to apply the same type of approach that we did to terrorism to the national security cyber threat.”
That approach ultimately led to the indictment of the PLA hackers. China’s government denied its military was involved in the hacking and responded by accusing the United States of hacking Chinese companies.
“We heard directly from the Chinese who said, ‘If you have evidence, hard evidence that we’re committing this type of activity that you can prove in court, show us.’ So we did,” Carlin said.
The indictment revealed that PLA Unit 61398 hacking activity was “cutting across the span of different American businesses—nuclear to solar, to steel to labor,” Carlin said.
The indictment, however, is only a first step in what Carlin called a multi-pronged strategic approach that set up a “red line” for the Chinese that was designed to dissuade future attacks.
“We will continue to increase the cost of committing this type of activity on American soil where it is occurring, where they are taking the information, until it stops,” Carlin said. “And we need to maintain that commitment.”