He is director of Information Assurance Strategic Initiatives for Computer Sciences Corporation's Homeland Security program and the former director of the FBI's National Infrastructure Protection Center. In his interview he talks about some of the events which defined for the government the national security threat of cyberspace, and the scenario which keeps him awake at night. He also discusses key issues the U.S. must address to secure cyberspace and the importance of new government provisions allowing more information sharing between the private sector and government. This interview was conducted on March 18, 2003.
How is the U.S. working, at this point, to protect the governmental and private infrastructure from the threat that we face when it comes to a cyber attack?
It's working on multiple levels. For example, back in 1998 under then-President Clinton, there was Presidential Decision Directive 63, which is a composite of an analysis that was done of our critical infrastructure. A presidential commission recommended the creation of a number of things that would look at better protecting our critical infrastructures, and in particular the cyber environment.
One of the things that the federal government did, and continues to do, is to work very closely with the private sector, particularly with the information technology industry, to identify what vulnerabilities are out there -- how to best protect not only U.S. government systems, but private sector systems. There was a realization even then that because of the interconnectivity and the almost 100 percent dependence on computer technology and cyber technology to conduct business, to provide national security and economic well-being in the United States, the United States government had to become a leader in bringing these people, these various sectors together that are protected.
The infrastructures are 90 percent owned by private sector. How does that complicate issues when it comes to security?
It is a challenge. But it's one of the great things about living in the United States, that most of the critical infrastructures are, as you correctly pointed out, owned by the private sector. So that brings into play the building of this public/private sector partnership to identify, not only the cyber vulnerabilities, but also the physical vulnerabilities, and build a risk management model. [The risk model allows you to] identify what are the threats, which is generally known by the various law enforcement as well as intelligence agencies within the federal government, state and local governments, and the vulnerabilities that are generally known by the private sector, so that you can discern what is your risk, whether it's a physical or a cyber attack.
Once you've discerned what your risks are, then it's up to federal government to secure its system, whether they're physical or cyber, but also to make a business case for the private sector to invest in those kinds of security measures. It's a huge challenge, [in] which the entities, like Dick Clarke's role in the White House to the national cyber security, the role of the FBI and the agency that I headed for a while, the National Infrastructure Protection Center, to work together very cooperatively with the private sector to resolve those issues.
Define the threat for us.
First of all, the threat is real, in my opinion. Having been the director of the National Infrastructure Protection Center for over two and a half years and involved in the center for four years, I've seen numerous cases that support that the threat is real, and it's real on a number of levels. The number one priority for us in law enforcement and in the political community is those foreign nations, foreign states that would use cyberspace to prepare the battle space, if you will, if in the event [of] war, people would look at cyberspace. In particular, since the United States is 100 percent dependent upon information systems and computer systems to run our nation -- from an economic standpoint, as well as national security standpoint -- it's a huge, huge issue for us.
The second priority is the use of cyberspace for foreign intelligence operation or espionage, so as to intrude into whether they're government contractors or U.S. government systems to try and secrete confidential or even classified information out of these systems for which they are maintained.
The third priority from a threat standpoint is criminal activity. We've seen examples of this on numerous occasions in the newspaper, where systems are intruded into, hundreds of thousands of credit card numbers are stolen. There's even a market now on the Internet for the sale and distribution of these stolen credit card numbers.
The fourth priority would be the viruses. Recently we saw with the Slammer virus, which infected I think over 75,000 machines, caused estimates of $950 million to $1.2 billion in damage. The real threat there is the impact on how it slowed the Internet down to almost a crawl, and that was the real concern if it got to the extent where we couldn't communicate. Then you obviously had the national security and economic well-being issues associated with that in the United States.
Last priority, obviously, are those that commit criminal acts, the hacking of young people, if you will, but it's still a criminal act that disrupts communications.
Can you tell us any case dealing with national security issues that, to you, was an important case or event that helps define what the threat is?
From a national security standpoint, for which the FBI has worked a number of cases, obviously they're still classified, and I can't go into any details associated with those ongoing investigations or even prior investigations of a classified nature. However, if you look at what has been written by other nation-states, such as China and Russia, where they openly talk about using cyberspace, cyber technology, so as to prepare the battle space. Two Chinese generals not long ago wrote a book about how cyberspace would be an integral part of their nation's planning, as far as conducting a war in the future and today.
Recently, there was in the newspaper here in Washington, D.C. discussion about getting presidential findings as to whether the United States government could, or how the United States government could and should use cyber weapons in the event of any kind of a war.
There are people out there who say that in a world of bioweapons threat, dirty bombs, worries about war with North Korea, this is really low down on the totem pole.
I disagree with "We don't need to deal with that." Now, do I put cyber warfare, cyber espionage, cyber terrorism -- which is a term of art lately -- on the same level as the events that happened on Sept. 11? No, I don't. However, the thing that we have not seen yet, and the thing that keeps me awake at night, is the physical attack on a U.S. infrastructure, combined with a cyber attack which disrupts the ability of first responders to access 911 systems, that disrupts our power grids such that, again, first responders can't respond to an incident. Those are the things that keep me awake, and those are very real possibilities.
The significance of the sophisticated probing that we've all seen and that is talked about a lot, very sophisticated probing into control systems, electrical power companies, gas companies, water companies -- what's the significance of these probes?
One of the things that makes cyberspace so unique, particularly from a preparing battlespace standpoint, espionage or even criminal activity, is that you don't know who's doing these particular acts until you actually trace back to find the person that's behind that keyboard.
Until you were able to discern who is behind that keyboard, you didn't really know what the motive was for that kind of probing. Could it be a foreign power that was looking for opportunities to prepare the battlespace? Was it a nation-state that was looking to conduct espionage? Was it a criminal organization that was looking to use those various systems that they found vulnerable to conduct other criminal activities?
Is there a problem, at least with the technology as it is today, that it's almost impossible to trace back to the actual person who is involved with this attack?
Is it a challenge? It absolutely is. And because of the technology and the ability to remain anonymous on the Internet, it is a huge challenge for law enforcement and the military, as well as other nations. However, it is not impossible. There are a number of examples where the FBI and other law enforcement agencies, we have been able to discern who is doing this. ...
How do you folks at the FBI view the fact that our system is being probed in this manner? Some people have said we're already at war.
I think it is absolutely one of the things that we have to address, both from a public/private partnership standpoint. Technology, as we all know, is increasing at an exponential rate. As technology increases, there are vulnerabilities that are built into it.
The thing that has to happen is that we have to make information security a part of our daily lives, just like we've made having seatbelts and airbags in our automobiles -- demanded by the public and consumers of those products. We have to get to the point with our computer systems and software that's provided with those computer systems that security is first in mind, or one of the things that's first in mind, when it begins to be developed.
It's not just a U.S. issue. As I said, the United States is almost 100 percent dependent upon computer systems. But the rest of the world is also dependent on those computer systems, and the reality is we're only as secure as our weakest link. That's kind of a cliche, but it is absolutely true. Unless we can get international cooperation because of the interconnectivity [of] all the systems across the world, we're never going to really solve this problem.
The ability to probe systems, as we saw with the Slammer worm not long ago, and used automated tools to do it -- it proliferated across the world at probably 250 times faster than the Code Red virus proliferated. These are huge, huge vulnerabilities and risk, not only to the private sector, but government agencies.
The Mountain View case. Your opinion?
When I was the director of the National Infrastructure Protection Center, there was an incident that occurred in Mountain View, California. In that incident, there was probing going on regarding certain cities' public utilities out there. The importance of that investigation and the importance of that kind of probing is that it was right after, fairly shortly after Sept. 11.
We issued from the National Infrastructure Protection Center a warning that people needed to look at what they had on their Web sites. The reason that they needed to look at what they had on their Web sites is that we were conveying information to terrorist organizations as to how they could attack -- not only from a cyber standpoint, but from a physical infrastructure standpoint.
So one of the things that we wanted to highlight in our warnings was [to] look at what's out there -- while the public has a right to know certain things, they don't necessarily have a right to know where your vulnerabilities are or how you can be attacked -- that you needed to look at those things on your Web sites, [and] to only put out there what is necessary for the public to do business with [local governments and the] federal government.
That kind of probing is the kinds of things that nation-states and terrorist organizations are looking for in an open society like the United States.
Was the fact significant that they were looking at electrical and water systems?
Sure. Under Presidential Decision Directive 63, one of the infrastructures or critical infrastructures that were identified was electrical power systems and water supply systems. Obviously, if you can disrupt the flow of electricity or water to the general public in an area or nationally, that's going to have a dramatic impact on their ability to do business in that area, as well as the national security.
What was the conclusion of the Mountain View case?
The conclusion of the Mountain View case is that it's still pending, at least when I left the NIPC, or the National Infrastructure Protection Center. We never were necessarily able to tie it back into any terrorist organizations. However, again, until you are able to find out who is behind the keyboard and what the motive is for that kind of program, you're never really clear as to what the intent was.
People say it was the first time that we got it, I suppose, that this was a vulnerable area, and so therefore the story is important, because it was a red flag that taught us something. So define, from your point of view, the importance of this case. Was it the first? Was it something that sort of raised the flag?
The Mountain View case and the concern by the federal government and the National Infrastructure Protection Center about what information was on certain Web sites is not a particularly new issue. We had a number of discussions prior to Sept. 11, for example, regarding the Environmental Protection Agency putting out certain information about chemical plants and so forth. We were discussing with them, from a Department of Justice and FBI standpoint, how much information do you really need to put out there now.
After the events of Sept. 11, that kind of information took on a whole new significance. The Mountain View case was one of the first examples after Sept. 11 where we, as a community -- meaning the federal government, state and local government and the private sector -- realized, "Wait a minute. Perhaps we have too much information out there, so that we're playing into the hands of the terrorist organizations. We need to take a look at that."
We also needed to look at what other probing is going on and what are they looking for. ...
With a war in Iraq, your cohorts or people that are still in government, what would they be looking for? Are there warning signs? What might we be sort of very wary of at this point?
Within the Department of Defense, which is one of the systems that is talked about quite often, about attempted intrusions into it -- but if you look at the number of intrusions or attempted intrusions and their actual success rate, it's relatively low. ... One of the things that they are most concerned with is monitoring their network to see when and if they come under attack, so that they can then respond appropriately. ...
Now, the biggest thing that we have done in the last four years is to build a very responsive public/private partnership, because frankly, if there is an attack or cyber attack, we are more likely to learn about it from the private sector than we are from U.S. government agencies. ...
There are a number of things that we have done together, and I think quite successfully. One is the creation of information sharing and analysis centers for electrical power, oil and gas, water supply systems. When I left the NIPC, the National Infrastructure Protection Center, I think they had about 14, 15 information sharing agreements with these various information sharing and analysis centers.
A great example is the recent Slammer virus that occurred. The Information Technology Information Sharing and Analysis Center was one of the first ones that picked up on the Slammer virus, shared the information with the federal government through the Department of Homeland Security, for which advisories and alerts were put out. That's a great example from this public/private partnership.
Code Red was a precursor to that one, where we identified what the vulnerability was in a particular vendor software. We worked cooperatively with that vendor as well as the router manufacturers for it. We went out publicly to gather and tell the public what the vulnerability was and what the solutions were for it.
So that's the kind of things that are going to occur. If there's a cyber attack during any war, the first notifications are going to come from the private sector.
Are we prepared at this point to stop a real attack, a malicious attack, that had more of a payload than just sort of irritating control of systems or shutting down a few systems here and there?
Are we prepared to the extent that we need to be as a nation or as a world? No. There are tremendous amounts of vulnerabilities that are still out there. The company I work for now, Computer Sciences Corporation, has a team of people that do what we call red teaming, where we actually go out and have a look at what are the vulnerabilities in the systems, attack those vulnerabilities and see if we can intrude. Even though these companies that have hired us know that we're coming, we have always been successful. ...
Is the private sector secure enough? No. Can we respond in a fashion that minimizes the impact of that? Yes, I believe we can. We've had a number of incidents, in Code Red and Slammer and a number of these, where the Internet was slowed and the response times were dramatically reduced, but we've never had it shut down. Was that a concern for Dick Clarke and myself and other people in the department? It absolutely was. But the technology is such and robust enough that, so far, the Internet has been able to sustain this kind of attack. Does that mean it will always happen? I don't know. Hasn't happened yet. But it's one of the things we're very concerned about.
Why hasn't it happened?
Some of the technology is very hard to use and utilize. If you look from a nation-state standpoint, if you're conducting warfare, obviously you're going to use those kind of tools. However, we have not been in a war or been in a war with an adversary that has those kinds of capabilities, in the United States or anyone else. So is it particularly surprising that we haven't seen it used in a war? Probably not. ...
Is law enforcement, the FBI, the CIA involvement in this ready for this threat?
I think we're as ready as we can be for this kind of threat. The FBI, the Secret Service, the investigative agencies for the Department of Defense have spent a lot of time and energy to train and bring investigators up to speed as to what the current technologies are, and how to be able to use that technology and to discern who is behind the keyboard.
We've also been able to develop a really good partnership with the private sector insofar as sharing information with law enforcement and the intelligence community as to what the vulnerabilities are, and who they believe may lead us to who is behind that keyboard.
One of the things that has happened with the recent Homeland Security Act is the ability for the private sector now to share information with the government, so that they won't be used for any detrimental purposes for that private sector company. That's a huge step. It was a big issue when I was the director of the NIPC for sharing of information. The key to this is two things: one, the private sector and the government agencies taking information security seriously, and two, being able to share those vulnerabilities and threats amongst each other to better protect ourselves.
Al Qaeda's expertise in using the Net for communication -- which seemed to be pretty sophisticated, when one breaks apart what they report that they were doing -- does that translate into an expertise to use cyber as a weapon?
It certainly translates into a knowledge of the capability. I mean, there had to be some research done on the part of various terrorist organizations that use a command and control communications purposes as to how they use it. I don't know that I'd call this sophisticated techniques, but obviously techniques that were more than just what the home user would normally know. In doing that kind of research or having that kind of knowledge, you also would be able to discern that you can use it for malicious purposes.
Why haven't terrorist organizations used it in that fashion? I don't know. I mean, that's the $64 million question. The response, though, is that we have to be as prepared as we can be for any kind of eventuality, which is what President Bush has talked about after the events of Sept. 11 and in the waging of a war against terrorism. We have known for some time that terrorist organizations have been looking at those things and trying to acquire the skills to utilize those kinds of tools or weapons.
My opinion is that it doesn't have the impact that they're looking for. Most terrorist organizations want to have visuals, if you will, for the media, of loss of life and destruction of various buildings and so forth. If you have an attack in cyberspace, you're not going to have those kind of visuals that terrorist organizations are looking for.
That's why what keeps me awake at night -- that if they use visuals in conjunction with a cyber attack, it can dramatically compound the impact of that.
We've been told by hackers and SCADA experts and scientists that sophisticated hackers could bring down the electrical grid and that they'd all get different scenarios. Some people say, "Give me six guys, a couple million dollars and a couple months, and we can bring down the entire system and we can keep it down." We had an engineer say that it's not only that you can keep it down for a minute; you can actually keep it down for months. Is this a reality?
We've worked very closely with the North American Electric Reliability Council, which is the information sharing and analysis center for the electrical power industry. Is it possible from a cyber standpoint to attack electrical power systems and their Supervisory Control and Data Acquisition systems? Yes, it's possible. Is it possible to bring them down for substantial periods of time? I don't think anybody knows the answer to that.
We've worked really closely with them. The power grids are very redundant across the United States, to include Canada, such that the ability to do that nationally or even regionally is really hard to do, based upon the work that we've done in the industry. Does it mean that it's impossible? No. Does it mean that if you give it enough money, millions of dollars, and the right kind of people, it can't be accomplished? No. But is it something that is easy? No.
Moonlight Maze. Define the FBI's involvement in Moonlight Maze. How involved is the FBI?
I can't comment on that.
What did this event teach us?
Dr. Hamre, who was formerly with the Department of Defense, commented several years ago regarding a series of events that was known as Moonlight Maze. What he characterized is that there were a series of intrusions into various DOD systems, wherein the intruders were looking for certain classified information or information that, if you took it in its whole, would be very sensitive and absolutely classified.
That investigation and that series of events is a great example of how espionage can be conducted through the use of cyber technology against the United States. The dependency of doing research and collecting the kind of information that you need from a military standpoint are most of the time on a computer system; such that the FBI did work very closely with the other departments of the Department of Defense, or agencies of the Department of Defense, to try and resolve it.
Operation Eligible Receiver. The NSA said that they were able, along with taking over or completely messing up communications or command and control, they also were able to take down the electrical grid. Can one believe organizations like NSA when they say they could have taken down the electrical grid? Is that real?
The vulnerabilities are so numerous out there in various systems that if you had the right talent, the right amount of money, the right access to various systems, then I can't exclude anything from the realm of possibility. I mean, [it's] one of the biggest concerns for the private sector, as well as the public sector is the insider.
The insider knows the system as well as you do, because he works for you. The insider knows where those vulnerabilities are and how to attack them. The insider can place certain back doors or tools on your systems, such that if they want to come back into it later on, that they can.
A great example of that I saw recently happened in Australia. A disgruntled employee for the sewage company in Australia left a back door in there when he left the company, came back in, and was able to spew sewage onto the streets of Sydney, I believe it was. That's an example of where we, as an industry with these supervisory SCADA systems, need to be concerned about who has access to them -- not only from the standpoint from the outsider, which has been a lot written about it, but who has access to it from the insider standpoint, who can later on come back in.
When you hire someone, background checks need to be done on who these people are. There has been a recent terrorist that was come into custody who had an engineering background, technical background, was looking at water systems, such that with that kind of knowledge from an insider standpoint, could place in the cyber realm tools by which to cause some [damage].
The Code Red hit. Where were you at that point?
When Code Red occurred, I was director of the National Infrastructure Protection Center. I was here in Washington, D.C. We began to get reports of that worm or virus from the private sector initially, saying that they were seeing huge spikes on the Internet, to the point that the concern was the Internet was beginning to rattle. There was great concern that it might fail.
To this day, we don't know who wrote that particular virus. However, what we did know is how to prepare for it. It is a great example where this was a known vulnerability for which the vendor had publicly provided a patch, for which many systems administrators and others in the industry had not applied the patch. Whoever the individual was that was taking advantage of this knew it, and would begin scanning the Internet to find out who was vulnerable.
With this system of patching, in the end, is it that it just doesn't do it? Do we have a fix here that is not being used because it's just too hard?
Is there a fix? Yes. Is it today too hard? In my opinion, it is. That's why we have so many vulnerabilities out there, even though there are known patches to various systems. It becomes, from a systems administrator standpoint, "How many of these have I got to apply? How much cost am I going to incur to do that?" It becomes a risk assessment, insofar as doing business is concerned.
What has to happen is that security has to become a part of our everyday life, wherein consumers demand that security is already built into the products that are delivered to them. I think Microsoft is changing its stance that it had a few years ago. They're putting a huge effort into building security into their systems, such that it makes it easier for the consumer to set the various switches, and prepare, or to apply the patches.
Is it hard right now? Yes, it is hard for systems administrators to manage that. Do we need to make it easier? Yes, we do. ...
The Nimda attack. How did you hear about it, what was it about? What is the significance?
Nimda was actually more significant, but Nimda frankly didn't get media attention, mainly because Nimda occurred right after Sept. 11. It was another example of the public/private sector cooperation. I was the director of the National Infrastructure Protection Center. I was up to my neck in responding to the events of Sept. 11 through the command post there at the headquarters. Then right on top of that, the Nimda virus struck.
Fortunately, we had built the kind of communication with the private sector that we were sharing information, pushing information out to the NIPC as to what the corrective actions were. Even with all of that, it proliferated across the world at a far greater rate than Code Red did. It rattled the Internet. But again, demonstrated the flexibility of the Internet -- it didn't come down, but it rattled significantly. It caused billions of dollars of damage, and we still don't know who proliferated that virus.
How should we view Slammer, Code Red, Nimda? Are these attacks precursors to--
They are warnings. Someone can attack or scan the Internet for vulnerabilities, be able to identify systems that can be intruded into, tools placed on them such that they can then continue to scan the Internet for other vulnerabilities, and then turn those tools on a particular enterprise or a particular network, such that you can even begin to rattle the Internet and bring it down. We need to be significantly concerned about that, because our nation, as well as others, is so dependent on the Internet for our commerce and national security that we can't afford for it to come down.
They are warning signs. Even though no one has actually taken it to the point where they've used it necessarily for malicious activities, other than the millions and billions of dollars to clean it up, it does not mean that it can't be turned for substantial attacks on the United States or others.
There are two sort of schools of thought here. There are the Pearl Harbor scenarios, where we're going to be hit all at once with a big attack. Then there's the side that thinks the way we would be vulnerable is death by a thousand cuts. A sophisticated attacker comes at us and hits us in various ways. One day you take the electrical system out in the Southeast. Then, the next day, you cause another trouble with the financial situation and close down NASDAQ. You slowly erode confidence, hurt systems, and slowly psychologically do us harm.
Whether it's the scenario of the cyber Pearl Harbor or it's a death by a thousand cuts, when I was the director of the National Infrastructure Protection Center, I didn't really care, because the end result was the same. It was the degrading in confidence in the United States' ability to do business. It would dramatically impact our economy. It would dramatically impact our national security.
The reality is that the solution for the protection of our national interests is the same. It's the building of a partnership with the private sector, making security a requirement for the products that are produced, whether they're in the United States [or abroad], and deploying those security measures across the board. If you have a death by a thousand cuts or a Pearl Harbor attack, but your systems are secure, they're redundant enough that you can sustain it, it really doesn't matter, because you've been able to sustain whichever one it is, because the method is the same, the end result is the same.
Create for me, if you could, sort of the potential sophistication and abilities of the following to use this against us. China?
Where do you see the biggest threat coming from for this type of warfare to be waged against us?
The biggest threat, I mean, in the context of warfare would be nation-states. ...
Software. How big a problem is it that 80 percent of code is written offshore, and the fact that the trend is more and more systems are using the same software?
Most of the vulnerabilities that have been identified, attacked, are vulnerabilities in particular pieces of software. We went through a period of time of the Y2K wherein that was a very well-known vulnerability that we spent millions, if not billions of dollars to repair. One of the things I was always curious about is, a lot of the repairs done to these systems in the Y2K were done offshore.
One of the things I used to bring up to the private sector is, "Do you know who is doing those repairs, and do you know what they're putting into the systems? Is there a review process, quality control process, to ensure that what you specifically wanted done is being done, and nothing else is added to it?"
The same kind of thing needs to be done in any kind of software that's being developed, whether for Y2K or into the future. There has to be a quality control process. One of the things I think is probably not too far on the horizon, wherein federal government will want some sort of accreditation, if you will, of how particular pieces of software are developed and the security [of who] built them. ...
Do you see that as happening? Is the private sector getting it? Does the private sector understand the need to be connected to organizations like the one you're in now?
Oh, absolutely. The private sector, particularly the major corporations that are involved in information technology, like Computer Sciences Corporation or IBM, pick any of them, they get it. That's why they're very much involved in working with the federal government insofar as determining what best practices are, working with the federal government and other nations as to what kind of security best practices should be out there.
They certainly do get it. I can't think of any major company here in the United States or abroad in the United States that is not involved in an information sharing and analysis center, because they understand the value of information sharing, not only for their individual companies, but for the United States as well. ...
Everybody understands the significance of this. What is in debate is how to solve it, or what's the best way, the most cost-effective way, to solve it. There's a threat, there's a vulnerability, there's a need to build security into our systems -- there's no debate over that. It's really [about] how.
California, even without the work of terrorists or hackers, can teeter near blackouts on its aging grid. (Mike Blake -- Reuters)
Hackers Target U.S. Power Grid
Government Quietly Warns Utilities To Beef Up Their Computer Security
By Justin Blum
Washington Post Staff Writer
Friday, March 11, 2005; Page E01
Hundreds of times a day, hackers try to slip past cyber-security into the computer network of Constellation Energy Group Inc., a Baltimore power company with customers around the country.
"We have no discernable way of knowing who is trying to hit our system," said John R. Collins, chief risk officer for Constellation, which operates Baltimore Gas and Electric. "We just know it's being hit."
Hackers have caused no serious damage to systems that feed the nation's power grid, but their untiring efforts have heightened concerns that electric companies have failed to adequately fortify defenses against a potential catastrophic strike. The fear: In a worst-case scenario, terrorists or others could engineer an attack that sets off a widespread blackout and damages power plants, prolonging an outage.
Patrick H. Wood III, the chairman of the Federal Energy Regulatory Commission, warned top electric company officials in a private meeting in January that they need to focus more heavily on cyber-security. Wood also has raised the issue at several public appearances. Officials will not say whether new intelligence points to a potential terrorist strike, but Wood stepped up his campaign after officials at the Energy Department's Idaho National Laboratory showed him how a skilled hacker could cause serious problems.
Wood declined to comment on specifics of what he saw. But an official at the lab, Ken Watts, said the simulation showed how someone could hack into a utility's Internet-based business management system, then into a system that controls utility operations. Once inside, lab workers simulated cutting off the supply of oil to a turbine generating electricity and destroying the equipment.
Describing his reaction to the demonstration, Wood said: "I wished I'd had a diaper on."
Many electric industry representatives have said they are concerned about cyber-security and have been taking steps to make sure their systems are protected. But Wood and others in the industry said the companies' computer security is uneven.
"A sophisticated hacker, which is probably a group of hackers . . . could probably get into each of the three U.S. North American power [networks] and could probably bring sections of it down if they knew how to do it," said Richard A. Clarke, a former counterterrorism chief in the Clinton and Bush administrations.
Clarke said government simulations show that electric companies have not done enough to prevent hacking. "Every time they test, they get in," Clarke said. "It's nice that the power companies think that they've done things, and some of them have. But as long as there's a way to get into the grid, the grid is as weak as its weakest company."
Some industry analysts play down the threat of a massive cyber-attack, saying it's more likely that terrorists would target the physical infrastructure such as power plants and transmission lines. James Andrew Lewis, director of technology policy at the Center for Strategic and International Studies in the District, said a coordinated attack on the grid would be technically difficult and would not provide as much "bang for the buck" as high-profile physical attacks. Lewis said the bigger vulnerability may be posed not by outside hackers but by insiders who are familiar with their company's computer networks.
But in recent years, terrorists have expressed interest in a range of computer targets. Al Qaeda documents from 2002 suggest cyber-attacks on various targets, including the electrical grid and financial institutions, according to a translation by the IntelCenter, an Alexandria firm that studies terrorist groups.
A government advisory panel has concluded that a foreign intelligence service or a well-supported terrorist group "could conduct a structured attack on the electric power grid electronically, with a high degree of anonymity, and without having to set foot in the target nation," according to a report last year by the Government Accountability Office, the investigative arm of Congress.
Cyber-security specialists and government officials said that cyber-attacks are a concern across many industries but that the threat to the country's power supply is among their top fears.
Hackers have gained access to U.S. utilities' electronic control systems and in a few cases have "caused an impact," said Joseph M. Weiss, a Cupertino, Calif.-based computer security specialist with Kema Inc., a consulting firm focused on the energy industry. He said computer viruses and worms also have caused problems.
Weiss, a leading expert in control system security, said officials of the affected companies have described the instances at private conferences that he hosts and in confidential conversations but have not reported the intrusions publicly or to federal authorities. He said he agreed not to publicly disclose additional details and that the companies are fearful that releasing the information would hurt them financially and encourage more hacking.
Weiss said that "many utilities have not addressed control system cyber-security as comprehensively as physical security or cyber-security of business networks."
The vulnerability of the nation's electrical grid to computer attack has grown as power companies have transferred control of their electrical generation and distribution equipment from private, internal networks to supervisory control and data acquisition, or SCADA, systems that can be accessed through the Internet or by phone lines, according to consultants and government reports. That technology has led to greater efficiency because it allows workers to operate equipment remotely.
Other systems that feed information into SCADA or that operate utility equipment are vulnerable and have been largely overlooked by utilities, security consultants said.
Some utilities have made hacking into their SCADA systems relatively easy by continuing to use factory-set passwords that can be found in standard documentation available on the Internet, computer security consultants said.
The North American Electric Reliability Council, an industry-backed organization that sets voluntary standards for power companies, is drafting wide-ranging guidelines to replace more narrow, temporary precautions already on the books for guarding against a cyber-attack. But computer security specialists question whether those standards go far enough.
Officials at several power companies said they had invested heavily in new equipment and software to protect their computers. Many would speak only in general terms, saying divulging specifics could assist hackers.
"We're very concerned about it," said Margaret E. "Lyn" McDermid, senior vice president and chief information officer for Dominion Resources Inc., a Richmond-based company that operates Dominion Virginia Power and supplies electricity and natural gas in other states. "We spend a significant amount of time and effort in making sure we are doing what we ought to do."
Executives at Constellation Energy view the constant hacking attempts -- which have been unsuccessful -- as a threat and monitor their systems closely. They said they assume many of the hackers are the same type seen in other businesses: people who view penetrating corporate systems as fun or a challenge.
"We feel we are in pretty good shape when it comes to this," Collins said. "That doesn't mean we're bulletproof."
The biggest threat to the grid, analysts said, may come from power companies using older equipment that is more susceptible to attack. Those companies may not want to invest large amounts of money in new computer equipment when the machines they are using are adequately performing all their other functions.
Security consulting firms said that they have hacked into power company networks to highlight for their clients the weaknesses in their systems.
"We are able to penetrate real, running, live systems," said Lori Dustin, vice president of marketing for Verano Inc., a Mansfield, Mass., company that sells products to companies to secure SCADA systems. In some cases, Dustin said, power companies lack basic equipment that would even alert them to hacking attempts.
O. Sami Saydjari, chief executive of the Wisconsin Rapids, Wis.-based consulting firm Cyber Defense Agency LLC, said hackers could cause the type of blackout that knocked out electricity to about 50 million people in the Northeast, Midwest and Canada in 2003, an event attributed in part to trees interfering with power lines in Ohio. He said that if hackers destroyed generating equipment in the process, the amount of time to restore electricity could be prolonged.
"I am absolutely confident that by design, someone could do at least as [much damage], if not worse" than what was experienced in 2003, said Saydjari, who was one of 54 prominent scientists and others who warned the Bush administration of the risk of computer attacks following Sept. 11, 2001. "It's just a matter of time before we have a serious event."