LAS VEGAS (CNNMoney) — In April, an obscure U.S. government agency slipped a hair-raising disclosure into its monthly newsletter: Hackers had successfully penetrated the networks of several natural gas pipeline operators.
Here was a rare public acknowledgement that hackers are currently laying the foundation for a critical-infrastructure attack — the nightmare scenario that keeps cybersecurity pros up at night.
The natural gas attackers got in through “convincingly crafted” emails that appeared to be internal and went to a “tightly focused” list of targets, according a Department of Homeland Security cybersecurity team. The campaign lasted three months before it was discovered.
In his opening keynote Wednesday at Black Hat — one of the largest annual gatherings of security researchers — Shawn Henry, the FBI’s longtime top cybercrime official, cited the natural gas intrusion as an example of the escalating stakes of cybersecurity.
“The adversary knows that if you want to harm civilized society — take their water away, do away with their electricity,” Henry said. “There are terrorist groups that are online now calling for the use of cyber as a weapon.”
The attacks that the public finds out about are “the tip of the iceberg,” said Henry, who recently retired after a 24-year career with the Federal Bureau of Investigation. “I’ve seen below that waterline. I’ve been circling below it for the last five years.”
What he’s seen there is a growing army of patient, sophisticated hackers who are siphoning off some of America’s key military and commercial intellectual property. Awareness is increasing, but companies are still in denial about the scale of the problem, he thinks.
The nightmare scenarios get the headlines, but cybercrime is a growing problem for businesses and consumers.
“I still hear from CEOs, ‘Why would I be a target?'” Henry said. “We worked with one company that lost $1 billion worth of IP in the course of a couple of days — a decade of research. That is not an isolated event. … Your data is being held hostage, and the life of your organization is at risk.”
For small businesses, the effects of a breach can be fatal. Henry recalled investigating one company — he wouldn’t name names — that went under after a break-in.
“They were a small company with $5 million in capital that made short-term loans,” he said. “They were hacked, lost their money, and were out of business Monday morning because they didn’t have any capital.”
So what can companies do? Echoing the words of many government officials — including FBI Director Robert Mueller, who predicts that cybercrime will soon eclipse terrorism as his agency’s top priority — Henry called for greater public-private collaboration and information sharing.
“This is probably the first time in history that civilians are on the front lines of the battle every day. That’s you,” Henry told the crowd. This year’s Black Hat, the largest in the event’s 15-year history, drew 6,500 registered attendees.
Federal lawmakers are considering a spate of new cybersecurity bills aimed at encouraging — or mandating — greater disclosure by companies when their systems are breached, and requiring stronger defenses from those who oversee high-risk infrastructure like the electric grid. President Obama recently penned an op-ed in support of the proposal, which he called a necessary response to “an urgent national-security challenge.”
Henry sees progress, but he’s not optimistic that it will happen quickly enough.
“I believe that people will not truly get this until they see the physical implications of a cyber attack,” he said to reporters after his speech.
He drew a parallel to the risk posed by Osama bin Laden — a threat that regional anti-terrorism specialists began flagging many years before top U.S. officials took their concerns seriously.
“We knew about Osama bin Laden in the early ’90s. After 9/11, it was a worldwide name,” Henry said. “I believe that type of thing can and will happen in the cyber environment. And I think that after it does, people will start to pay attention.”