DNI Clapper’s threat assessment: Something sensible, something exaggerated

I read DNI Clappert’s assessment of the cyber threat, as briefed to the Senate Armed Services Committee.


I was pleased to see this statement (on page 1):

Overall, the unclassified informs istion and communication technology (ICT) networks that support US Government, military, commercial, and social activities remain vulnerable to espionage and/or disruption. However, the likelihood of a catastrophic attack from any particular actor is remote at this time. Rather than a “Cyber Armageddon” scenario that debilitates the entire US infrastructure, we envision something different. We foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on US economic competitiveness and national security.


Wow, I thought a U.S. military leader would never learn to temper the cyber alarmism.

But then I read this (on page 7):

Computer security studies assert that unspecified Russian cyber actors are developing means to access industrial control systems (ICS) remotely. These systems manage critical infrastructures such as electric power grids, urban mass-transit systems, air-traffic control, and oil and gas distribution networks. These unspecified Russian actors have successfully compromised the product supply chains of three ICS vendors so that customers download exploitative malware directly from the vendors’ websites along with routine software updates, according to private sector cyber security experts.


That sounds like a direct reference to the Havex/Crouching Yeti/ Dragonfly malware. Several phrases in there seem overblown:

  • “These systems manage critical infrastructure…”

Yes, ICS manages critical infrastructure, but the placement of the statement makes it seem like actual “electric power grids, urban mass-transit systems, air-traffic control and oil and gas distribution networks” were infiltrated in this case.

Now there is some open source evidence that an electric utility and an ONG firm in Norway had Havex on their networks. But it is not clear that it was on their ICS networks. There are probably HAVEX infections in the USA, but were those infections on ICS for all those sectors?

  • “have successfully compromised the product supply chains of three ICS vendors…”

Yes, ICS provider supply chains have been compromised in the past. But in the case of Havex/Crouching/Dragonfly, the “supply chain” happened to be “Web pages” — not nearly as exciting as it sounds, but clever move by the attackers none-the-less.

The attackers wrapped the original installers with their own installers. If you 1) are downloading files from the public Interwebs to use in “critical infrastructure”, 2) aren’t verifying file integrity, and 3) and aren’t forcing “run only signed code”, then who knows what could happen to your ICS networks, even from run-of-the-mill malware.

Moreover, the ICS vendors whose Web sites were compromised were relatively small players. Joel Langill said the attacks could be targeted at the pharmaceutical sector, I wondered about manufacturing that relied on robots, Reid Wightman thought maybe data centers. None of which are an obvious fit for “critical infrastructure”.

So, good job on the early self-restraint, but let’s use more precision on the examples!