WASHINGTON (AP) -- The CIA cannot predict computer attacks on U.S. systems before they happen, as the agency is expected to do with political and military events, a top CIA official told Congress on Thursday.
Despite a major increase in intelligence efforts dedicated to computer security, attackers still develop new tools and techniques faster than the CIA can keep up, Lawrence K. Gershwin said.
Often, "we end up detecting it after it's happened," said Gershwin, the CIA's top adviser on science and technology issues. "I don't feel very good about our ability to anticipate."
Gershwin told the Joint Economic Committee that foreign governments are the most potent threat to U.S. computers for the next five to 10 years, rather than terrorists or lone troublemakers.
So far, he said, individual hackers don't have the skills or the motive to make a major attack against U.S. infrastructure like the telephone system or financial networks. And since terrorists want immediate and predictable results, they will stick with their current attacks for the foreseeable future.
"Terrorists really like to make sure that what they do works," Gershwin said. "They do very nicely with explosions, so we think largely they're working on that."
Still, Gershwin warned that a terrorist organization could surprise intelligence officers and mount a cyber attack within the next six months.
The committee focused on the vulnerabilities faced because of the separation of the public and private sector. Even though the government uses commercial networks, and vice versa, there still is little information shared and attackers could exploit that split.
"When a commander at the Pentagon tries to call a commander in the field," Sen. Robert Bennett, R-Utah, said, "he's connecting with Verizon."
Gershwin said that this reliance on private networks can mean that a foreign power could install a backdoor into government systems.
"While we may be working with American companies on issues at some point, there are contracts and subcontracts," Gershwin said. "It gets hard to tell who's doing the work for you."
Gershwin and other legislators said they would like to see more cooperation between businesses and government, similar to the programs designed to beat the Y2K bug.
There are some public-private collaborations, such as the FBI's InfraGard program to get closer to tech companies and the federal Information Sharing Analysis Centers. But there is still much distrust, as companies don't want to share their vulnerabilities with other firms or see them reported publicly, and the government holds back its secrets.
"I'd like to think we can work on that collaboration now," said Rep. Adam Putnam, R-Fla., "rather than when there's a crisis."
