Warning that “the next Pearl Harbor, the next 9/11 will be cyber,” U.S. Sen. Angus King urged government and private-sector officials to do more to be prepared.
The two-term Maine independent said Wednesday at a hearing in Washington that the nation faces “an extremely dangerous situation” because so much of its critical infrastructure can be targeted by hackers and intruders.
“We are facing a vulnerability in all of our systems, but water is one of the most critical and I think one of the most vulnerable,” King said at the start of a hearing before the Senate’s Environment and Public Works Committee focused on the cybersecurity of U.S. water systems.
The committee’s chairman, U.S. Sen. Tom Carper, a Delaware Democrat, said Wednesday that “we face threats from unscrupulous individuals, criminal enterprises, and antagonistic state actors 24 hours a day and seven days a week.”
“It’s clear that many of our nation’s vital transportation and water systems face especially serious challenges in dealing with cybersecurity vulnerabilities,” Carper said.
Water systems pose an especially tempting target for cyberattacks, officials said.
“We have seen a growing number of these systems fall victim to these attacks, which can have significant implications on public health and safety,” U.S. Sen. Shelley Moore Capito, a West Virginia Republican and vice chairwoman of the committee, said.
“These attacks are very scary for the public when they occur and can leave us questioning the safety of our water systems,” she said.
Carper pointed out that a 2019 report by the American Water Works Association called the cyber risk the top threat facing the U.S. water sector after hearing the year before from the Department of Homeland Security and the FBI warning operators “that the Russian government was specifically targeting the water sector and other critical infrastructure as part of a multi-stage intrusion campaign,” Carper said.
Carper warned that “a major breach in our water infrastructure system could jeopardize the safety of our drinking water and impair communities’ ability to safely dispose of harmful waste, threatening human health.”
King has been pushing for more attention to cybersecurity for years and remains unsatisfied with the nation’s progress toward beefing up its defenses.
Last month, during a Washington Post Live event, the state’s junior senator said that “for the past 15 years or so, we haven’t had much in the way of a deterrent” to keep bad actors from targeting systems that are crucial to the functioning of the country’s economy.
“We’ve been a cheap date in cyber where we’ve been attacked repeatedly in a variety of ways and no real serious response,” King said, merely “sanctions here and there” that haven’t done enough to make foes back off.
“Cyber is cheap,” King said, adding that Russian President Vladimir Putin “can hire 8,000 hackers for the cost of one jet fighter. Think of that for a second, and that means cost is not really any kind of deterrent or disincentive.”
“They’ve got to feel that they’re at risk,” King said. “I want somebody in the Kremlin, in the Politburo, to say, ‘Gee, boss, I’m not sure we ought to do this because we’re liable to get whacked in some way by those Americans if we follow through.’”
King said Wednesday that he appeared once before some middle school students alongside author Stephen King, whom he referred to as “the other King from Maine,” a girl asked them, “Do you ever have nightmares?
The writer told her, “No, I give them to you.”
“That’s my job today,” King told the committee Wednesday, “to give you a nightmare about the vulnerability of our water systems.”
“We have to re-imagine conflict. For a thousand years, we thought of conflict and wars as army against army, navy against navy battles out in some other place,” said King, a member of the Senate Armed Services and Intelligence committees who has access to highly classified information
Now, though, the conflict between nations “is almost entirely in the cyberspace area, focused on the private sector, on noncombatants, if you will,” the senator said. “And that’s why we’re in a different way of thinking about this kind of issue.”
“We have to think about a new relationship between the government, particularly the federal government and the private sector,” he said, because 85% of cyber-related targets in the U.S. are in the private sector.
“There is an incipient nightmare here and it involves all sectors of our critical infrastructure,” King said, “but water, I think, is probably the most vulnerable because of the dispersed nature of water systems in the country.”
King said the nation needs “to have our game at the level of our adversaries” if it is to remain safe.
“This is a potential nightmare, but it’s one that we can wake up from, if indeed we wake up,” King said.
In his talk with the Washington Post, King argued that “there should be a relationship where incident reporting is mandatory” for private sector entities along with the commitment “that the federal government will use its assets to assist the attacked entity, whether it’s transportation, pipeline, grid, telecommunications, whatever.”
In addition, he said, “there should be some liability protection if the critical infrastructure entity is following the rules, following the standards, and reports” incidents that occur.
“I think it’s a burden and benefit relationship that we have to establish because when the attack comes, it’s likely to be on critical infrastructure, not on the Department of Agriculture,” King said.