SAN FRANCISCO — Over the last four years, foreign hackers have stolen source code and blueprints to the oil and water pipelines and power grid of the United States and have infiltrated the Department of Energy’s networks 150 times.
So what’s stopping them from shutting us down?
The phrase “cyber-Pearl Harbor” first appeared in the 1990s. For the last 20 years, policy makers have predicted catastrophic situations in which hackers blow up oil pipelines, contaminate the water supply, open the nation’s floodgates and send airplanes on collision courses by hacking air traffic control systems.
“They could, for example, derail passenger trains or, even more dangerous, derail trains loaded with lethal chemicals,” former Defense Secretary Leon E. Panetta warned in 2012. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
It is getting harder to write off such predictions as fearmongering. The number of attacks against industrial control systems more than doubled to 675,186 in January 2014 from 163,228 in January 2013, according to Dell Security — most of those in the United States, Britain and Finland.
And in many cases, outages at airports and financial exchanges — like an outage that took down computers at airports across the country late Wednesday, including Kennedy International Airport in New York and Logan Airport in Boston — are never tied to hacks.
But it’s clear hackers are trying.
The Department of Homeland Security last year announced that it was investigating an attack against 1,000 energy companies across Europe and North America. In 2012, 23 gas pipeline companies were hacked by online spies, according to a Homeland Security report. Private investigators later linked the attack to China.
Last year, in a disclosure overshadowed by the news of the attack on Sony, a German federal agency said that in an attack at an unnamed steel mill, hackers had managed to jump from the company’s corporate network to its production systems, causing significant damage to a blast furnace.
And in an extensive attack at Telvent, an information technology and industrial automation company now owned by Schneider Electric, Chinese hackers made off with its product source code and blueprints to facilities operated by its customers, which include 60 percent of the pipeline operators in North America.
For now, dire predictions of destructive online attacks on American targets ignore the fact that the actors with the ability to cause the gravest harm to America’s critical infrastructure — China and Russia and allies like Israel and Britain — are sufficiently deterred from doing so by fear of retaliation or because of longstanding trade and diplomatic relationships. And attacks by those aggressively trying to get such a capability — Iran, North Korea and Islamic militant groups — are still several years off.
“Despite all the talks of a cyber-Pearl Harbor, I am not really worried about a state competitor like China doing catastrophic damage to infrastructure,” said Michael V. Hayden, former head of the National Security Agency. “It’s the attack from renegade, lower-tier nation-states that have nothing to lose.”
Just how far off are they? That is the question troubling policy makers at the National Security Council and intelligence and law enforcement agencies. Federal officials have repeatedly warned that Islamic State militants have been exploiting social media for recruitment, and are developing tools to break into their enemies’ systems.
Those capabilities were sufficient to prompt the assassination of Junaid Hussain, the chief of the Islamic State’s cyberarmy, who was killed by an airstrike in Syria in August. But for now, federal officials say, the Islamic State does not have a significant ability to cause damage through online attacks.
“It’s not easy to pull off a spectacular attack,” said James A. Lewis, a security expert at the Center for Strategic and International Studies in Washington. “People are always saying in theory they can do something, but it’s not at the level of a Pearl Harbor or a 9/11.”
Mr. Lewis added: “Could someone acquire the ability to cause a blackout? That’s something to worry about, but the only people who could pull it off don’t have any interest in doing so.”
Most security experts point to the attacks last year at Sony — where hackers leaked internal documents and destroyed the company’s servers — as an example of the destruction that is possible now, and a harbinger of what may come.