Critical U.S. Infrastructure Vulnerable to Cyber Attack, Congress Fails to Act

Since the internet has become so critical to daily life, systems like the electrical grid and water supply have become vulnerable to cyber attacks. Margaret Warner looks at Congress failed attempt to pass legislation that would beef up cyber security and talks with Joel Brenner, former senior counsel at National Security Agency.

Read the Full Transcript


    Next, another look at some of the work Congress failed to finish before leaving for its August recess.

    Tonight, the subject is cybersecurity.

    Margaret Warner has the story.


    America is increasingly exposed to the threat of cyber-attacks, as hackers go after money, intellectual property and other data from individuals, the financial industry, corporations, government and the defense business.

    Last Thursday, the U.S. Senate took up a bill to address the vulnerability in one key sector: the country's critical infrastructure, including the electrical grid, nuclear power plants, oil and gas lines, water supply, and transit systems.

  • MAN:

    The motion is not agreed to.


    But Republicans filibustered the measure, and it fell well short of the 60 votes needed to cut off debate. With that, lawmakers left for the August recess, leaving the bill's co-sponsors, Joe Lieberman and Susan Collins, frustrated.

  • SEN. JOSEPH LIEBERMAN (I-Connecticut):

    Am I disappointed? You bet I am. Am I angry? Yes, I am, because once again the members of Congress have failed to come together to deal with a serious national problem.


    It just is incomprehensible to me that we would not proceed to this bill.


    In a statement, the White House also denounced the Senate's failure to act.

  • It read:

    "The politics of obstructionism, driven by special interest groups seeking to avoid accountability, prevented Congress from passing legislation to better protect our nation from potentially catastrophic cyber-attacks."

    Senate Minority Leader Mitch McConnell charged, Democrats had tried to ram the bill through without proper consideration.


    This bill was backed up right against a recess, never went through committee. No amendments were allowed. And we decided, appropriately, given the complexity and the number of members who have interest and expertise in this issue — on this issue to not finish it today. So the vote today is not the end of the discussion, but rather the beginning of the discussion.


    In its original form, the Cyber Security Act would have imposed mandatory minimum standards on companies that run the country's vital systems, including businesses involved in energy and electricity, water and transportation.

    Later, to gain more votes, the bill was watered down to make compliance with the standards voluntary. But business groups, led by the U.S. Chamber of Commerce, opposed both versions as regulatory overreach that would be too costly to implement.

    In the Senate, Republican John McCain of Arizona was a leading voice of the opposition.

  • SEN. JOHN MCCAIN (R-Ariz.):

    The people who are directly affected by this — and that is the business community of the United States of America — is unalterably opposed to the legislation in its present form.


    The Obama administration lobbied vigorously for it behind closed doors, and President Obama even wrote an op-ed column in The Wall Street Journal appealing for action.

    Today, at the Council on Foreign Relations in Washington, White House counterterrorism chief John Brennan said he found the Senate's move incomprehensible.

    JOHN BRENNAN, U.S. deputy national security adviser: Right now, I can tell you with great certainty that the vulnerabilities are there, that the capabilities on the threat side are there. And so it's a question of intent, whether or not certain actors are going to operationalize their capability to go against the vulnerabilities that exist in the system. Clearly, the market has not developed in a way that it has developed, on its own, the cybersecurity requirements.


    The Senate may take another look at the bill this fall. Brennan said the White House is looking at actions the president can take on his own under his executive authority.

    For a closer look at the cyber threats to the infrastructure, we turn now to Joel Brenner, former senior counsel at the National Security Agency. Before that, he was with the Office of the Director of National Intelligence, coordinating counterintelligence activities of 17 federal agencies. A lawyer and security consultant, he's the author of "America the Vulnerable: Inside the New Threat Matrix of Digital Espionage, Crime, and Warfare."

    And, Joel Brenner, welcome.

    So how serious are the threats to America's infrastructure? How easy would it be to take down one critical element, water supplies, electricity grid?

    JOEL BRENNER, author, "America the Vulnerable": We have seen a real spike in the attacks on the industrial control systems that run a lot of these — this infrastructure. When DHS began keeping…


    Department of Homeland Security.


    …Department of Homeland Security began keeping figures on this in 2009, there were four such attacks. Last year, there were 198. The numbers are pretty — they really tell the story.


    And how many have actually — how many times have elements been penetrated?


    I'm talking about attacks that really in many cases get in.

    And, you know, there are different levels of penetration, and I'm — but I'm not talking just about pings on — knocks on the door. I'm talking about more significant, concerted attempts to get into infrastructure. And we have seen it in water supply stuff, as well as in electricity.


    And who are the major — major perpetrators?


    We — I can say what has been publicly disclosed is that a number of people in the intelligence business have seen the Iranian, the Chinese and the Russians inside of some of our critical systems, and we know the Iranians are trying.

    There are also, you know, hackers at different levels. But the nation state stuff is what we really worry about.


    Now, the World Wide Web on the Internet was invented just — I think it's 21 years ago this week. How did we become — how did businesses become so dependent on that as really the backbone, and is that part of the way they do business and is that part of the problem?



    The Internet is a little older than that. Its origins go back to the '60s.


    Right, but the World Wide Web…


    Yes, the Web.

    But people would be shocked to know, Margaret, that until 1992 — that's 20 years ago — it was against the law to use the Internet for commercial purposes. And in that period, which is a twinkling of an eye in terms of the development of the country, we have taken what is fundamentally a porous and insecure system designed originally as a research tool and connected to it all of our financial infrastructure, much of our operational and manufacturing infrastructure.

    Everything we do, including the air conditioning in this building and the switches on the subway systems in every major city, are reachable through the Internet. It's very dangerous.


    We did get some emails, email questions from viewers.

    Kathryn Creedy of Melbourne, Florida, said, "Reports are that most companies are ignoring the significant threat of cyber-attacks or at least have it on the back burner, owing to costs." She said, "I find this shocking, since it's their fiduciary responsibility to protect the stakeholders of any organization, employees, customers and shareholders."

    What are companies doing now to protect against cyber-attacks?


    You know, again, it's hard to generalize, but I see in my practice, in my consulting and law practice, many, though not all, companies shockingly indifferent to the threats they face. After there's a breach, then they come and say, gee, what happened?

    Repeated studies show that many of the — most of the data breaches that companies are having to deal with could easily have been prevented with mid-level controls. This is — this is really quite astonishing. And it's not just small companies. It's companies small and large.

    So, yes, I would say that the question really does have a basis, but it's not true of every — every company out there.


    What's the solution?


    I would like to see the electricity sector, in particular, begin to develop and impose up and down the line on itself the kind of standards that it believes would raise its security a great deal.

    You know, you can't talk about a whole industry and paint it with one brush. There are some very sophisticated companies that work really hard on security, and there are others that really don't. And when the grid is all connected and you can get into it through some of the less secure companies, then we have got a problem that could affect large parts of the country at once.


    All right, Joel Brenner, thank you very much, and we will continue this conversation online.