WASHINGTON (AP) — China and "one or two" other countries are capable of mounting cyberattacks that would shut down the electric grid and other critical systems in parts of the United States, according to Adm. Michael Rogers, director of the National Security Agency and head of U.S. Cyber Command.
The possibility of such cyberattacks by U.S. adversaries has been widely known, but never confirmed publicly by the nation's top cyber official.
At a hearing of the House intelligence committee, Rogers said U.S. adversaries are performing electronic "reconnaissance" on a regular basis so that they can be in a position to disrupt the industrial control systems that run everything from chemical facilities to water treatment plants.
"All of that leads me to believe it is only a matter of when, not if, we are going to see something dramatic," he said.
Outside experts say the U.S. Cyber Command also has the capability to hack into and damage critical infrastructure, which in theory should amount to mutual deterrence. But Rogers, who did not address his offensive cyber tools, said the nuclear deterrence model did not necessarily apply to cyberattacks.
Only a handful of countries had nuclear capability during the Cold War, he said, and nuclear attacks could be detected and attributed in time to retaliate.
By contrast, the source of a cyberattack can easily be disguised, and the capability do significant damage is possessed not only by nation states but by criminal groups and individuals, Rogers noted.
In cyberspace, "You can literally do almost anything you want, and there is not a price to pay for it," the NSA director said.
Roger's remarks about critical infrastructure attacks came in response to questioning from Republican Mike Rogers of Michigan, who chairs the intelligence committee. He asked the NSA director about a private report detailing China-based intrusions into the power grid and other critical systems that appeared to be precursors to attack. What other countries, the chairman wanted to know, have the capability?
"One or two others," the NSA director said, but he declined to name them, saying the information is classified. "We're watching multiple nation states invest in this capability."
Rogers said the Obama administration is seeking to establish a set of international principles governing military cyber operations, such as banning attacks on hospitals.
"We need to define what would be offensive, what's an act of war," he said.
The NSA's Rogers also talked about the national security damage from the ongoing theft of intellectual property through cyberattacks.
Michigan's Rogers opened the hearing by saying that "China's economic cyber espionage ... has grown exponentially in terms of volume and damage done to our nation's economic future. The Chinese intelligence services that conduct these attacks have little to fear because we have no practical deterrents to that theft. This problem is not going away until that changes."
China formally denies stealing Western intellectual property through government sponsored hacking.
U.S. networks would be better protected, the NSA's Rogers said, if Congress would pass a long-pending bill to allow companies to share malware signatures and other threat information with one another and with the government and be protected from liability by doing so. But the disclosures of NSA spying by former agency contractor Edward Snowden have made passage of such a bill extremely difficult, lawmakers say.