The United States is facing a catastrophic cyber attack by nations or non-state groups that could cripple the country’s economy, a former high-ranking U.S. intelligence official said on Thursday.
Retired Vice Adm. Mike McConnell, who headed both the National Security Agency (NSA) and served as director of national intelligence, said in a speech that one example of a devastating cyber attack would be the crippling of the U.S. economy through cyber attacks on banks and financial institutions.
"We have a national problem and it is significant. The next big issue will be a cyber 9/11," McConnell said during a luncheon speech to a meeting of the American Bar Association standing committee on law and national security.
"I’ve been sounding the alarm, and I’ve been doing this now for 20 years," he said. "We are going to have a cyber event that is catastrophic."
McConnell, a 46-year veteran of the military and intelligence community who still consults for the NSA, also said Chinese and other cyber espionage pose strategic threats to U.S. security. He headed the NSA from 1992 to 1996 and was DNI from 2007 to 2009.
McConnell said both the 1941 Japanese attack on Pearl Harbor and the Sept. 11, 2001, terrorist attacks were major failures and both could have been prevented.
Pearl Harbor could have been stopped with better communications and intelligence, and the 9/11 terror attacks also were preventable through better information sharing.
Similarly, more focus is needed by both government and private industry to head off a major cyber attack.
The coming cyber attack could be either an immediate and devastating cyber strike or a more insidious and longer-term cyber threat like China’s pervasive cyber economic espionage, McConnell said.
An immediate threat is the vulnerability of the United States’ annual $14 trillion economy in which $13 trillion moves through the banking system daily. That data is not backed by gold or physical dollar bills, but only by the banking reconciliation system.
"I am personally acquainted with people who have the physical capability to break into that system and contaminate the data," McConnell said. "If it were contaminated, banks would fail and you would have a cascading effect."
McConnell said he has investigated the problem and spoken to bankers, and the effect of attacking the banking data would be huge for both the country and the world.
Using the military formula that a threat is a combination of both intent and capability, McConnell said, "There are nation states with the capability" to attack the bank network, but doing so would be contrary to their interests.
Then there are terrorists or radical groups that have the interest in such attack but not the capability to carry it out. "How long before those two come together?" he asked.
Financial data is not the only cyber vulnerability. Additional sectors that face catastrophic attack include the electrical power grid, the telecommunication networks, and other so-called critical infrastructure.
A longer-term cyber threat is cyber espionage, an activity carried out very successfully by China, McConnell said.
"We have looked at major computer systems in every industry and every segment of government and we have never not found an advanced persistent threat embedded in a computer under the command and control of someone else, whose purpose is to extract information at a point in time and place and choosing of whoever put the malware in the system," he said.
The dangers thus can be an immediate catastrophic attack or cyber economic espionage that takes place over 10 or 15 years, involving theft of "competitive advantage, source code, business plans, research and development [that] is being taken for free by someone who can turn it into products and services at our competitive disadvantage," he said.
McConnell said what is needed is comprehensive legislation that deals with the new, boundary-less environment of cyber security threats.
Legislation introduced last year failed to pass amid concerns over privacy rights.
McConnell said a group was formed at NSA to try to draft "perfect legislation" that would address needed security enhancements while respecting privacy rights. However, the effort was ordered abandoned by officials McConnell did not identify.
Also, he added, government needs to find a way to provide threat information on cyber attacks and malicious software to private companies.
McConnell said the government is currently hamstrung over divisions and authorities between intelligence-gathering laws, law-enforcement authorities, and military operations.
"Currently, the Department of Homeland Security has primacy, but things very quickly overlap with Title 18 authority of the Department of Justice," he said.
Other legal authority under Title 10 brings the Defense Department into the picture.
"It gets very complex," McConnell said.
The NSA-based U.S. Cyber Command is currently the military’s central point for conducting offensive cyber warfare, which is defined as attacking and degrading or destroying enemy information systems.
"The United States is going to have an offensive capability," McConnell said. "We’ve had one for a long time, but now it is a little more organized and focused and now we’re getting very serious about making it part of our war plan."