Admiral Mike Rogers was giving evidence on Thursday to a US House of Representatives Intelligence Committee hearing on cyber-threats.
He told his audience that attackers could force America's utilities, aviation networks and financial companies offline, and that hackers had already infiltrated such systems in "reconnaissance" missions to determine how the networks are put together.
In testimony reported by the Reuters news agency, Rogers said: "What concerns us is that access can be used by nation-states, groups or individuals to take down that capability."
He told the hearing that China was one of the countries with that power, as well as “probably one or two others” whom he declined to name.
Rogers also confirmed to the House Committee that the NSA is still getting metadata from phone companies, but argued that the rules have been tightened since whistleblower Edward Snowden's revelations.
He was testifying in the same week that a bill to curb the NSA's bulk collection of phone records, the USA Freedom Act, failed to get US Senate support – despite the lobbying of tech giants such as Apple, Google and Facebook to protect the privacy of their customers' data.
Rogers also highlighted China's cyber-threat in the same week as security firm CloudFlare said that the largest DDoS attack in history has been mounted against independent media sites in Hong Kong, covering the activity of pro-democracy protestors opposed to Beijing's policies in the territory.
Commenting on Rogers' claims, UK industry expert Andy Settle, chief cyber-security consultant and head of practice at Thales UK, welcomed his honesty about the nation-state threat, but said the US will still struggle to counter it.
Settle told SCMagazineUK.com via email: “We have seen a lot more openness this year around the threats that nation-states pose with regards to cyber-security, in a way that previously has been kept out of the public eye,” adding: “It would be negligent to underestimate the ability that countries have to cause massive disruption to another country's critical national infrastructure (CNI).
“The US power grid, like all CNI, is at threat. We must always remember that if it's connected then it's hackable. What the US and many countries need to consider is whether they are ready to respond to that threat, how they would respond, and if they are doing the most they can to reduce the possibility of this.”
Settle believes: “Where countries such as the US will struggle with attacks on the power grid is the mixture of equipment making up the legacy infrastructure. There is a range of legacy equipment, ranging from very old to brand-new technology. This not only increases the number of flaws, but means that they can't secure everything at once.
“Operational security and information security professionals need to work closely together, remembering that neither is more important and they only provide a secure network when their knowledge and forces are combined.
“A thorough contingency plan taking into account all of the above is key to ensuring that grids all over the world are protected if and when such an attack occurs: whether that's tomorrow, in 2015 or 2050.”
Likewise, UK cyber-expert John Walker, visiting professor at Nottingham-Trent University and director of cyber-security consultancy ISX, agreed the US – and other countries – are vulnerable to the sort of attacks Rogers outlined.
Walker told SCMagazineUK.com: “Do I feel the US have cause for concern? Yes – in fact we all do.
“President Obama has already expressed concern that such an exposure could exist. Consider, no longer does critical infrastructure reside on protected mainframe assets which enjoyed the element of natural firewalling, influenced by complex languages, or anti-pass-back devices – such criticality is now residing in high numbers of what may be considered the cheap-and-cheerful support provisioned by commercial-off-the-shelf (COTS) applications and operating systems.”
Walker pointed out that in September 2011 maintenance work on a single unit caused a power outage in California that hit five million residents and businesses, causing traffic chaos, flight cancellations and the closure of two nuclear reactors.
He explained: “It's not just about the software assets which are in play – consider the hardware components in any average computerised device. Is it possible to fully qualify that not one single component has been compromised, or Trojanised, or does code exist in the background waiting to do the bidding of its masters?
“And don't forget, just because SCADA environments are protected, there are simply no guarantees that some form of illicit action could cause a potential future state of adversity to be placed in waiting.”
A video of Rogers' testimony is available here.