When modern life halted for millions in the Northeast last month, people throughout the country asked if a blackout could strike them. Members of Congress have a more frightening question: Could someone cause such havoc on purpose?
The blackout combined with unrelated but crippling computer viruses and worms has lawmakers connecting the dot-coms. They say the blackout provided a vivid example of the chaos that cyber-terrorism could inflict.
There is no evidence that hackers had anything to do with the blackout, or that a bona fide act of cyber-terrorism has ever occurred.
“It is clear, however, that worms of this type or even worse — viruses with a malicious payload to destroy or corrupt data files — could contribute to a domino effect for a crisis such as the blackout in New York City,” Rep. Mac Thornberry, R-Texas, chairman of the House cyber-security subcommittee said at a hearing on the subject last week.
Critics say the government has been slow to prepare for a computer attack that could shut down power, open floodgates or delete financial data. Rep. Adam Putnam, R-Fla., chairman of a House technology subcommittee, said the Department of Homeland Security hasn’t given cyberthreats their due.
“They have overemphasized physical targets to the detriment of the potential for cyber-attacks that can cause a whole lot more havoc than the blackout caused,” said Putnam, who will hold a hearing this week on cyber-security.
A spokesman for the Department of Homeland Security said the proposed budget for a new Cyber Security Division is about $55 million for 2004. By comparison, a division charged with protecting physical infrastructure would get $383 million.
The heightened concern is likely to revive debate about how the federal government should encourage — or force — private companies and states to invest in cyber-security.
These worries are not new. They peaked in the late 1990s as the Internet boom captured imaginations. Some experts, however, said they doubt terrorist groups would turn from methods that produce the death and destruction they want.
Still, federal authorities say the threat is growing, given the proliferation of viruses, worms and hacker attacks and the intelligence that suggests terrorist groups are interested in those tools.
“They see attacking the very bonds that hold us together as one more way to drive us apart,” Cofer Black, the State Department’s counterterrorism coordinator, told a House panel last week.
Companies and state and local governments own much of the nation’s critical infrastructure. This includes dams, nuclear power plants and financial databases that are highly automated and connected to each other by the Internet, power lines and other strings.
Putnam suggested that the federal Securities and Exchange Commission could require publicly owned companies to report on computer security the same way it required them to report progress on fixing the Y2K computer glitch before Jan. 1, 2000.
Rep. Cliff Stearns, a Florida Republican who is chairman of the House Commerce, Trade and Consumer Protection Subcommittee, said he wants to know “what can the market provide in response to these attacks instead of the government legislating it.”
Several experts said the private sector is moving to protect systems. Some are spurred by increasing demands from insurance companies and business partners.
But even e-mail has become dangerous.
Kevin O’Brien, senior policy analyst for RAND, a think tank, said the explosion of unwanted e-mail known as spam is a security threat. E-mail spreads many viruses and worms that can damage systems, spy on users and spread to other computers. Sobig.F, Nachi and Blaster struck in August with worldwide effect, crippling many systems.
“It’s really been in quite recent weeks that people have become more aware that this could potentially be used more than it is right now,” O’Brien said.
Congress is considering legislation designed to reduce spam by making it illegal to put deceptive subject lines on advertisements and by giving recipients an option to refuse future mail. Whether these approaches would help in the war against viruses is unclear, but the new attention could add pressure for Congress to act on spam.
Stearns, co-sponsor of a spam bill that’s considered more pro-business than a rival measure in the House, said he doesn’t think the recent viruses will become a factor. But Sen. Bill Nelson, a Florida Democrat, said e-mail is a security issue that must be addressed. He wrote legislation that would allow prosecutors to apply racketeering laws to spam.
Teenage hackers spreading viruses are one thing. Terrorist groups are another. Federal officials say the most dangerous groups, such as al-Qaida, probably aren’t capable of a serious act of cyber-terrorism — yet.
“It is a concern for us because at some point we are going to have to address that,” said Larry Mefford, executive assistant director of the FBI.
Matthew Devost, president of the private Terrorism Research Center, agreed.
“We think it is definitely on the radar screen and a capability that is being developed by these terrorist organizations,” he said.
Critics say the government isn’t prepared. A new Cyber Security Division in the Department of Homeland Security pulled together previous units from the FBI, the White House and other sources. But President Bush still hasn’t appointed a chief. Critics say that division and other cyber-security projects are under funded.
David Ray, spokesman for the division, said the administration takes cyber-security seriously.
“Our view and our action is based on the understanding that cyber-security and physical infrastructure protection are interwoven,” Ray said. “They cannot be separated.”
By Cory Reiss
Ledger Washington Bureau
reissc@nytimes.com
WASHINGTON —