The Associated Press
Published: July 7, 2013
Speaking to The Associated Press ahead of the Global Intelligence Forum starting Monday in Ireland, Freeh said hackers seeking to take control of, or take down, key pieces of U.S. infrastructure could do more damage than the attackers of 9/11. He said computer systems controlling power plants, the navigation of aircraft and ships, and even the switching of street lights could be hijacked to gridlock societies and kill large groups of people.
"People traditionally think of this threat as somebody stealing their identity or their credit card number, or making it inconvenient to go to the ATM (cash machine). That's a very benign view of the potential for what cyber terrorism really is," Freeh said.
"You could manipulate transportation systems, aviation guidance systems, highway safety systems, maritime operations systems. You could shut down an energy system in the northeast U.S. in the middle of winter. The potential for mass destruction in terms of life and property is really only limited by (the attackers') access and success in penetrating and hijacking these networks," he said.
Freeh said people shouldn't be lulled into complacency just because hackers' attacks on government and business targets to date hadn't directly killed anybody.
"There's a lot of technology and a lot of ability out there, particularly with state actors," he said, referring to other governments' cyber-spying operations including in China, which U.S. authorities previously have blamed for stealing American corporate trade secrets. "We went through the Cold War without anybody using a nuclear bomb, but that didn't mean the capability and threat weren't there."
Freeh, 63, directed the Federal Bureau of Investigation from 1993 to 2001, leaving just before the al-Qaida attacks on the World Trade Center and Pentagon. In the years since he's become a top private investigator, most recently publishing the report into the cover-up of child abuse in the Penn State University football program. Last week he was appointed to oversee a probe into alleged corruption and malpractice in the payouts of billions in compensation from BP's 2010 oil spill in the Gulf of Mexico.
He said his keynote speech Monday to an annual seminar organized by Mercyhurst University's Institute for Intelligence Studies would focus on how intelligence and law-enforcement agencies need to use the internet to identify threats - and keep their own secrets secure. The four-day conference brings together intelligence officials worldwide, with a focus this year on combating internet-based crime.
It takes place against the backdrop of continuing revelations from former U.S. National Security Agency analyst Edward Snowden, who is believed still to be holed up in Moscow's airport three weeks after the U.S. Justice Department charged him with espionage and theft of government property.
Freeh questioned Snowden's description as a whistleblower - and why the NSA ever gave Snowden such access to its secrets without effective supervision.
He said Snowden should "come to a forum or an arena where he can raise his whistleblower defense." He said the NSA, like other U.S. government agencies, has an internal reporting process for whistleblowers alleging wrongdoing but Snowden appears not to have used this.
"He's said publicly that he was witnessing and participating at least indirectly in what he thought was a mass violation of U.S. rights, constitutional rights, human rights, and so was forced to publicly disclose this. It's just not accurate. It's Hollywood-esque and may be romantic for somebody to think: My God, this guy had no choice. But the reality is he had plenty of options and choices," Freeh said.
He said the NSA gave Snowden system-wide access with "the ability to extract and copy top-secret documents detailing secured and elaborate programs." He noted that a recent PricewaterhouseCoopers survey found that employee insiders committed around a third of all breaches of sensitive data.
And that, he said, was the biggest issue for government agencies and corporations: What should be accessible on its own internal intranet connections, and who should be cleared to see it?
As things stand now, he said, "too many people have too much access" to sensitive documents in companies and government agencies. He suggested that a group's most confidential information might have to be left without an electronic fingerprint at all and be kept, old school, like the Coca-Cola company's recipe for its soft drinks once was under lock and key in a safe.
But he said, conversely, everyone in the 21st century should assume that every time we click our keyboard, or thumb our smart phone, it's being put blindly into multiple databases ranging from internet aggregators to NSA hard drives.
For law enforcement officials, he said, the challenge was whether this tsunami of information could be mined effectively before an attack. While he described U.S. collection of data as "very robust," its analysis and use in detecting crimes was not.
"In the internet world we live in, all of our data is collected. I'm going to walk around with my cell phone today and my carrier is going to know my location on a minute-by-minute basis," he said. "So it's not really the data. It's how you protect it, how you manage it, and what people's expectations are for its utilization."