This much is clear: More nations are seeking to acquire cyber attack capabilities as a standard feature in their military planning. But what will that mean to United States' security interests here and abroad? With Congress to consider cyber legislation this week, a House subcommittee investigating that question used the occasion to make a headline.
"There are no shells exploding or foreign militaries on our shores. But make no mistake: America is under attack by digital bombs," said Rep. Michael McCaul (R-TX), during a Tuesday hearing of the House subcommittee on Oversight, Investigations, and Management.
McCaul, who also is the subcommittee chairman, raised the specter of competing nations' Internet capabilities gaining in sophistication to pursue industrial espionage against U.S. targets.
"China's cyber warfare capabilities and the espionage campaigns they have undertaken are the most prevalent of any nation state actor," said McCaul. He said that citizen hacker groups directed by China has engaged in "cyber espionage, established cyber war military units and laced the U.S. infrastructure with logic bombs." He added that Russia now has the intent and the technological prowess to launch cyber attacks around the world.
"We have been fortunate that up until this point, cyber attacks in our country have not caused a cataclysmic event that could bring physical harm to Americans. But that is not for a lack of effort on the part of those who mean to destroy our way of life," he said. "Every day nations and 'hacktivist' groups penetrate our public and private computer networks. The degradation of our national security and intellectual property from cyber theft threatens to weaken us where we have been historically strong: in our ingenuity and creativity."
He found a receptive sounding board in the person of Shawn Henry, the former executive assistant director of the FBI, who said it testimony that it would be "difficult to say with confidence that our critical infrastructure--the backbone of our country's economic prosperity, national security, and public health--will remain unscathed and always be available when needed."
Henry, now the President of security startup CrowdStrike Services, said that most major companies either have already been breached or will be penetrated, "resulting in substantial losses of information, economic competitiveness, and national security."
But gauging the exact magnitude of these cyber probes still remains much of a guessing game dominated by anecdotal evidence. In part, the picture remains incomplete because companies are not required to announce breaches involving intellectual property or critical infrastructure, according to Jamie Lewis, from the Center for Strategic and International Affairs. In fact, he told the panel, "it is in their interest to conceal them. Perhaps the new Security and Exchange Commission ruling that asks companies to report cyber incidents that damage shareholder value will change this, but it is too early to tell."
One other worry that hasn't received as much attention is the prospect of collaboration between nations and non-state actors as attack tools become more widespread within the cybercrime black market. As their capabilites "become "commoditized," the temptation for these politically motivated groups to use them against vulnerable U.S. targets will increase," according to Lewis.