Fears the United States could fall victim to a catastrophic cyberattack have reached a new high in the capitals of business and politics.
With just a few strikes on a keyboard, officials warn, hackers could knock out the electric grid of a major city, leaving millions without power or heat.
Cybersecurity has finally reached a “tipping point” according to Sen. John McCain, who said it has “become far more salient” than it used to be relative to other high-profile policy issues. The Arizona Republican suggests the recent report by information security firm Mandiant that more than 100 U.S. companies have been targeted by an elite Chinese hacking unit based in Shanghai has brought new intensity to fixing the problem.
“When they identified the building of the People’s Liberation Army — that’s a tipping point,” he said. “There’s always one of these and that’s it. I think prospects of legislation have been dramatically improved.”
“There are some folks around the world who are developing the capability to wipe out the electric grid,” said Sen. Tom Carper (D-Del.), chairman of the Senate Homeland Security and Governmental Affairs Committee.
Such an advanced attack could wipe out the power for “a couple days, a week, or more.”
“That’s something that gets my attention,” he said.
President Obama planned to address cybersecurity in all of his meetings with the four congressional caucuses last week, highlighting how the issue has leapt to the top of his list. The president also met with a group of 13 CEOs in the Situation Room to discuss the threats companies are observing and how the government and private sector can work together to thwart them.
The nation’s military and intelligence leaders have raised the volume on their alarms, with National Intelligence Director James Clapper on Wednesday saying a cyberattack was the number one threat to the country.
“You don’t hear a gun shoot, you don’t hear a plane fly, you just have this situation where [hackers] are gaining access to our most sensitive information,” said McCain, who added that people are beginning to realize the magnitude of the problem.
The capabilities of hackers are getting stronger and the threat is on the country’s doorstep, according to James Lewis, director of the technology and public policy program of the Center for Strategic and International Studies in Washington.
“It’s like being on the Titanic and seeing this big white thing getting closer and closer,” Lewis said. “We see the threat coming [but] we haven’t taken adequate action to prevent harm, and every week the threat gets a little closer.”
Congress has failed to move legislation in part because of disputes between the White House and congressional Republicans.
The Senate tried twice to pass a sweeping cybersecurity bill last year but GOP senators blocked the measure over concerns that it would saddle critical infrastructure firms with new regulations.
The House passed a set of cybersecurity-focused bills last spring, but the core measure went untouched in the Senate after the White House said it would infringe on Americans’ privacy rights and fail to protect critical infrastructure.
Those efforts are now being revived with reports of hacker attacks on The New York Times, Apple, Microsoft and other major U.S. companies. More than 140 cyberattacks against Wall Street have taken place in the past six months, Gen. Keith Alexander, the head of U.S. Cyber Command and director of the National Security Agency, told lawmakers this month.
Congress has held at least four hearings on cybersecurity just this month, and the leaders of the House Intelligence Committee re-introduced a bill last month aimed at improving information-sharing about cyber threats between government and industry.
Some question whether hackers really have the capability to carry out a “cyber 9-11” and believe the seriousness of the threat is often overstated, largely because a catastrophic cyberattack has not hit the United States yet.
So far the most public attacks have happened in the Middle East. More than 30,000 computers at the Saudi Arabian oil company Aramco were rendered useless after being hit by a deadly virus last August. The New York Times reported last year that the United States and Israel were behind an attack that disrupted Iran’s nuclear program.
Rep. Mike Rogers (R-Mich.), the chairman of the Intelligence Committee, said the rising cyber threat “keeps me up at night.”
“It has the ability to shut down electric grids, to stop manufacturing plants, to actually disrupt the ability for the bank to know how much money you have in your account and the ability to access your money. It is real and can be incredibly catastrophic,” Rogers said.
“This problem is upon us and most people are not really aware of how dangerous it is,” he added.
Amid the congressional gridlock, the president issued a cybersecurity executive order last month that’s aimed at addressing the security gaps in the computer networks of critical infrastructure. The order intends to improve information sharing about cyber threats between government and industry and establish a set of cybersecurity best practices for companies that operate critical infrastructure, such as water systems, power plants and telecommunications networks.
During his State of the Union address, Obama described how hackers are targeting the United States to steal companies’ trade secrets and also inflict harm on critical infrastructure. The president noted that he took executive action to address the threat but said it’s time for Congress to act and pass legislation.
The issue hit home for the president last week after a website claimed it hacked first lady Michelle Obama’s personal and financial information, as well as personal data from Vice President Biden and other prominent government and celebrity figures. The FBI and Secret Service have launched an investigation into the matter.
The president would not confirm whether the website’s claims were true in an interview with ABC News, but called hacker attacks “a big problem.”
Top White House officials have also sharpened their tone when talking about cyberspying campaigns stemming from China and called on the country to take “serious steps” to stop hackers from breaking into the computer networks of American companies.
Treasury Secretary Jack Lew plans to hammer home that message when he meets with Chinese leaders in Beijing this week.
The government cannot solely protect key American infrastructure from cyberattacks because more than half of that infrastructure is owned by private companies.
Administration officials have stressed the importance of collaboration between the public and private sectors during recent speeches and the significance of that relationship was illustrated during the president’s meeting with CEOs last week.
Carper is optimistic this is the year Congress will take action on a cybersecurity bill.
While past efforts were stopped at the 20 yard line, he said: “We can get it into the end zone and God knows we need to.”
Jeremy Herb contributed to this story