Utilities on at least three continents have been "penetrated or shut down" by hackers and insiders, according to a formerly classified 2008 presidential directive on cybersecurity that was obtained through the Freedom of Information Act and released today by privacy advocates.
The Electronic Privacy Information Center disclosed a redacted 16-page copy of National Security Presidential Directive 54, which former President George W. Bush used to set U.S. "policy, strategy, guidelines, and implementation actions to secure cyberspace" and to launch the Comprehensive National Cybersecurity Initiative.
A clear statement on successful major attacks against critical infrastructure worldwide – contained in a paragraph that had been classified secret and not releasable to foreign nationals – is striking and among the few interesting elements of the directive, Jason Healey of the Atlantic Council told Inside Cybersecurity.
"Hackers and insiders have penetrated or shut down utilities in countries on at least three continents," the directive states. "Some terrorist groups have established sophisticated online presences and may be developing cyber attacks against the United States."
Healey said the initial decision to classify much of the information in the document – including a definition of computer network exploitation – now appears inane. It also makes no sense, he said, that officials classified that definition while using the less restrictive label "for official use only" on a paragraph about developing offensive cyber capabilities.
Federal officials have in recent years repeatedly underscored the risk that cyber attacks pose to critical infrastructure. Gen. Martin Dempsey, chairman of the Joint Chiefs of Staff, recently voiced concerns at the Atlantic Council about the nation's lack of preparedness for a cyber attack, cited strategic shortcomings and assigned blame to Congress.
"There are some big issues involved with achieving that kind of coherence – issues related to privacy and cost, information sharing and all of the liabilities that come in the absence of legislation to incentivize information sharing," Dempsey said.
A White House spokeswoman said that current U.S. cyber strategy is coherent. "Given that cyberspace permeates every aspect of the economy and national security, no single document can meaningfully capture our strategic direction. Instead, our efforts are informed by specific strategy and policy documents," she said. Earlier this year, the administration released a federal framework of cybersecurity standards as directed in President Obama's cybersecurity executive order.
The Obama administration is "working to close out the 2008 Comprehensive National Cybersecurity Initiative and transition ongoing programs to steady state management," the White House spokeswoman said, noting officials are "continuing to review existing policy and develop new policy as warranted."