ASPEN, Colo. — The top American military official responsible for defending the United States against cyberattacks said Thursday that there had been a 17-fold increase in computer attacks on American infrastructure between 2009 and 2011, initiated by criminal gangs, hackers and other nations.
The assessment by Gen. Keith B. Alexander, who heads the National Security Agency
and also the newly created United States Cyber Command, appears to be the government’s first official acknowledgment of the pace at which America’s electricity grids, water supplies, computer and cellphone networks and other infrastructure are coming under attack. Those attacks are considered potentially far more serious than computer espionage or financial crimes.
General Alexander, who rarely speaks publicly, did not say how many attacks had occurred in that period. But he said that he thought the increase was unrelated to the release two years ago of a computer worm known asStuxnet, which was aimed at taking down Iran’s uranium enrichment plant at Natanz.
When the worm inadvertently became public, many United States officials and outside experts expressed concern that it could be reverse-engineered and used against American targets. General Alexander said he saw no evidence of that.
General Alexander, as head of the N.S.A., was a crucial player in a covert American program called Olympic Games that targeted the Iranian program. But under questioning from Pete Williams of NBC News at a security conference here, he declined to say whether Stuxnet was American in origin; the Obama administration has never acknowledged using cyberweapons.
General Alexander said that what concerned him about the increase in foreign cyberattacks on the United States was that a growing number were aimed at “critical infrastructure,” and that the United States remained unprepared to ward off a major attack. On a scale of 1 to 10, he said, American preparedness for a large-scale cyberattack is “around a 3.” He urged passage of legislation, which may come to a vote in the next week, that would give the government new powers to defend private computer networks in the United States. The legislation has prompted a struggle as American companies try to avoid costly regulation on their networks, and some civil liberties groups express concern about the effect on privacy.
General Alexander said that the administration was still working out rules of engagement for responding to cyberattacks. Because an attack can take place in milliseconds, he said that some automatic defenses were necessary, as was the president’s involvement in any decisions about broader retaliation.
He confirmed that under existing authorities, only the president had the power to authorize an American-directed cyberattack. The first such attacks occurred under President George W. Bush.
The Pentagon has said previously that if the United States retaliated for an attack on its soil, the response could come in the form of a countercyberattack, or a traditional military response.
General Alexander spoke in a 75-minute interview at the Aspen Security Forum at the Aspen Institute here. The New York Times is a media sponsor of the four-day conference. Another conference speaker, Matthew Olsen, the director of the National Counterterrorism Center, addressed the escalating “hot war” between Israel and Iran and Iranian-backed groups like Hezbollah.
Iran has blamed Israel for assassinations of several of its nuclear scientists. Israel has accused Hezbollah operatives backed by Iran of carrying out the suicide bombing last week that killed five Israeli tourists and a local bus driver in Bulgaria.
The United States has said Iran was behind a thwarted plot last fall to kill Saudi Arabia’s ambassador to the United States.
“Both with respect to Iran and Hezbollah, we’re seeing a general uptick in the level of activity around the world in a number of places,” Mr. Olsen said.
Mr. Olsen did not address the Bulgaria attack, but he said the plot to kill the Saudi envoy in Washington “demonstrated that Iran absolutely had the intent to carry out a terrorist attack inside the United States.