Hackers also have demonstrated that they could take over computer control systems that operate chemical, electrical and water and sewage treatment plants. They also can hack into transportation networks.
“An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals,” Leon E. Panetta, then CIA director, warned in a speech in New York last year.
“They could contaminate the water supply in major cities or shut down the power grid across large parts of the country.”
Specialists doubt that the Syrian Electronic Army has that kind of advanced capability, but it is always hard to tell, said Timothy Sample, who is a vice president at technology contractor Battelle Inc., which does cybersecurity work for U.S. intelligence and defense agencies and civilian clients.
“The barriers to entry for these kinds of capabilities are very low,” he said, adding that it is easy to buy cyberattack tools and hire hackers on the black market.
“It would be dangerous to rely on the proposition that any given attacker lacks a particular skill,” Mr. Sample added.
Cyberforensic specialists have documented the Syrian Electronic Army’s historic links to a computer society founded years ago by Syrian President Bashar Assad. The British Guardian newspaper has reported that the group is funded by Rami Makhlouf, a cousin of Mr. Assad’s and the owner of SyriaTel, a telecommunications and Internet service provider.
“Even if it is evident that Syria is behind an attack, they can deny it. We saw that in Estonia,” he said.
In 2007, in the midst of a bitter diplomatic dispute between Estonia and Russia, the small Baltic nation suffered a series of huge cyberattacks that knocked banks, government websites and other vital infrastructure offline. The attacks came from Internet addresses in Russia and were coordinated on public bulletin boards run by hackers and nationalist groups, but the Russian government denied any involvement.
Mr. Chertoff said U.S. policymakers were used to such dilemmas.
“There are often times we know [who has attacked us], but we can’t publicly prove it without revealing intelligence sources and methods. You have to decide whether to act on the basis of evidence you cannot reveal,” he said.
Any U.S. response to a Syrian attack might well not be visible, said Adam M. Segal, a cybersecurity scholar with the Council on Foreign Relations.
U.S. Cyber Command has said it has the ability to reach back into attackers’ networks and “prevent these [kinds of] attacks from their source,” said Mr. Segal, “essentially doing defense through offense.”
Cyberattacks are now “an integral part of modern warfare,” said Mr. Langevin, who has led efforts in Congress to pass legislation designed to shore up the nation’s cyberdefenses.