As Hacking Against U.S. Rises, Experts Try to Pin Down Motive

By Nicole Perlroth, David E. Sanger and Michael S. Schmidt

San Francisco—When Telvent [Telvent is now Schneider Electric], a company that monitors more than half the oil and gas pipelines in North America, discovered last September that the Chinese had hacked into its computer systems, it immediately shut down remote access to its clients' systems.

Company officials and American intelligence agencies then grappled with a fundamental question: Why had the Chinese done it?

Was the People's Liberation Army, which is suspected of being behind the hacking group, trying to plant bugs into the system so they could cut off energy supplies and shut down the power grid if the United States and China ever confronted each other in the Pacific? Or were the Chinese hackers just trolling for industrial secrets, trying to rip off the technology and pass it along to China's own energy companies?

"We are still trying to figure it out," a senior American intelligence official said last week. "They could have been doing both."

Telvent, which also watches utilities and water treatment plants, ultimately managed to keep the hackers from breaking into its clients' computers.

At a moment when corporate America is caught between what it sees as two different nightmares—preventing a crippling attack that brings down America's most critical systems, and preventing Congress from mandating that the private sector spend billions of dollars protecting against that risk—the Telvent experience resonates as a study in ambiguity.

To some it is prime evidence of the threat that President Obama highlighted in his State of the Union address, when he warned that "our enemies are also seeking the ability to sabotage our power grid, our financial institutions, our air traffic control systems," perhaps causing mass casualties. Mr. Obama called anew for legislation to protect critical infrastructure, which was killed last year by a Republican filibuster after intensive lobbying by the Chamber of Commerce and other business groups.

But the security breach of Telvent, which the Chinese government has denied, also raises questions of whether those fears—the subject of weekly research group reports, testimony and Congressional studies—may be somewhat overblown, or whether the precise nature of the threat has been misunderstood.

American intelligence officials believe that the greater danger to the nation's infrastructure may not even be China, but Iran, because of its avowal to retaliate for the Stuxnet worm created by the United States and Israel and unleashed on one of its nuclear sites. But for now, these officials say, that threat is limited by gaps in Iranian technical skills.

There is no doubt that attacks of all kinds are on the rise. The Department of Homeland Security has been responding to intrusions on oil pipelines and electric power organizations at "an alarming rate," according to an agency report last December. Some 198 attacks on the nation's critical infrastructure systems were reported to the agency last year, a 52 percent increase from the number of attacks in 2011.

Researchers at McAfee, a security firm, discovered in 2011 that five multinational oil and gas companies had been attacked by Chinese hackers. The researchers suspected that the Chinese hacking campaign, which they called Night Dragon, had affected more than a dozen companies in the energy industry. More recently, the Department of Energy confirmed in January that its network had been infiltrated, though it has said little about what damage, if any, was done.

But security researchers say that the majority of those attacks were as ambiguous as the Telvent case. They appeared to be more about cyberespionage, intended to bolster the Chinese economy. If the goal was to blow up a pipeline or take down the United States power grid, the attacks would likely have been of a different nature.

In a recent report, Critical Intelligence, an Idaho Falls security company, said that several cyberattacks by "Chinese adversaries" against North American energy firms seemed intended to steal fracking technologies, reflecting fears by the Chinese government that the shale energy revolution will tip the global energy balance back in America's favor. "These facts are likely a significant motivation behind the wave of sophisticated attacks affecting firms that operate in natural gas, as well as industries that rely on natural gas as an input, including petrochemicals and steelmaking," the Critical Intelligence report said, adding that the attack on Telvent, and "numerous" North American pipeline operators may be related.

American intelligence experts believe that the primary reason China is deterred from conducting an attack on infrastructure in the United States is the simple economic fact that anything that hurts America's financial markets or transportation systems would also have consequences for its own economy. It could interrupt exports to Walmart and threaten the value of China's investments in the United States—which now include a new, big investment in oil and gas.

Iran, however, may be a different threat. While acknowledging that "China is stealing our intellectual property at a rate that qualifies as an epidemic," Representative Mike Rogers, the Michigan Republican who chairs the House Intelligence Committee, added a caveat in an interview on Friday. "China is a rational actor," he said. "Iran is not a rational actor."

A new National Intelligence Estimate—a classified document that has not yet been published within the government, but copies of which are circulating for final comments—identifies Iran as one of the other actors besides China who would benefit from the ability to shut down parts of the American economy. Unlike the Chinese, the Iranians have no investments in the United States. As a senior American military official put it, "There's nothing but upside for them to go after American infrastructure."

While the skills of Iran's newly created "cybercorps" are in doubt, Iranian hackers gained some respect in the technology community when they brought down 30,000 computers belonging to Saudi Aramco, the world's largest oil producer, last August, replacing their contents with an image of a burning American flag.

The attack did not affect production facilities or refineries, but it made its point.

"The main target in this attack was to stop the flow of oil and gas to local and international markets and thank God they were not able to achieve their goals," Abdullah al-Saadan, Aramco's vice president for corporate planning, told Al Ekhbariya television.

President Obama has been vague about how the United States would respond to such an attack. No one in the administration argues that the United States should respond with cyber- or physical retaliation for the theft of secrets. Attorney General Eric H. Holder Jr. has made clear that would be dealt with in criminal courts, though the prosecutions of cybertheft by foreign sources have been few.

But the question of whether the president could, or should, order military retaliation for major attacks that threaten the American public is a roiling debate.

"Some have called for authorizing the military to defend private corporate networks and critical infrastructure sectors, like gas pipelines and water systems," Candace Yu, who studies the issue for the Truman National Security Project, wrote recently. "This is unrealistic. The military has neither the specialized expertise nor the capacity to do this; it needs to address only the most urgent threats."

But the administration has failed to convince Congress that the first line of defense against a catastrophic cyberattack is to require private industry, which controls the cellphone networks and the financial and power systems that are the primary targets of infrastructure attacks, to build robust defenses.

A bill containing such requirements was defeated last year amid intense lobbying from the United States Chamber of Commerce and others, which argued that the costs would be prohibitive. Leading members of Congress say they expect the issue will come up again in the next few months.

"We are in a race against time," Michael Chertoff, the former secretary of homeland security, said last week. "Most of the infrastructure is in private hands. The government is not going to be able to manage this like the air traffic control system. We're going to have to enlist a large number of independent actors."

The administration's cybersecurity legislation last year failed despite closed-door simulations for lawmakers about what a catastrophic attack would look like.

During one such simulation that the Department of Homeland Security allowed a New York Times reporter to view at a department facility in Virginia, a woman played the role of an "evil hacker" who successfully broke into a power plant's network. To get in, the hacker used a method called "spearphishing," in which she sent a message to a power plant employee that induced the employee to click on a link to see pictures of "cute puppies."

When the employee clicked on the link, it surreptitiously allowed the hacker to gain access to the employee's computer, enabling her to easily turn the switches to the plant's breakers on and off.

Although the officials providing the briefing acknowledged that the simulation was a bit simplistic, their message was clear: with so many vulnerable critical infrastructure systems across the country, such an attack could easily occur, with huge consequences. No one rules out that scenario—whatever the current motivations and abilities of countries like China and Iran.

"There are 12 countries developing offensive cyberweapons; Iran is one of them," James Lewis, a former government official and cybersecurity expert at the Center for Strategic and International Studies in Washington, said at a security conference in San Francisco. Those countries have a long way to go, he said, but added: "Like nuclear weapons, eventually they'll get there."

Nicole Perlroth and Michael S. Schmidt reported from San Francisco, and David E. Sanger from Washington.