National security experts aren't arguing against better security -- they are just noting that while the United States faces many cyberthreats, terrorism may not yet be one of them.
Terrorist groups' use of the Web has proliferated in the past decade and, former CIA Director Gen. Michael Hayden says, they are "cybersmart."
But Hayden said that, perhaps surprisingly, these organizations have shown no evidence of using cyberspace for anything beyond support activities.
"I don't know why. I really don't," he said last week in testimony before the U.S. House of Representatives Intelligence Committee.
Cybersecurity expert James Lewis, of the Center for Strategic and International Studies, said in a telephone interview that causing physical damage and devastation using the Web is far more complicated than the minor attacks terrorist groups may be able to launch.
"They are looking for a splashier event," Lewis said. "They want explosions and things that will play well on the nightly news. Making the traffic lights blink on and off might not do that for them."
A key example of physical destruction caused by a cyberattack is the June 2010 Stuxnet virus, which infected computers at a nuclear reactor in Iran, causing it to malfunction and ultimately break down. The undetected virus caused the closure of the plant and setbacks in Iran's uranium enrichment program.
Experts said that U.S. infrastructure is no better protected than the reactor in Iran was but that terrorist groups aren't likely to have the resources to gain the internal knowledge they would need to infiltrate U.S. systems.
"It's actually a lot harder not because of the technical component, but because of the amount of intelligence required to do it properly," said Allan Friedman of the Center for Technology Innovation at the Brookings Institution, a nonpartisan Washington think tank.
Liam O Murchu, of Symantec Corp., a California software security company, said Stuxnet "has shown us that you can write a piece of software that will be able to change how a factory works."
Replicating such an attack -- one focused on a particular target -- would require precise insider intelligence and millions of dollars.
Terrorist organizations could look at Stuxnet as a blueprint, Murchu said in a telephone interview, and they could also look at it to learn certain techniques. However, "the sophistication of the threats would depend on how skilled the attackers were and how much insider information they had," he said.
Lewis, whose research at CSIS focuses on Internet policy and cybersecurity, said the only organizations with the capability to do this -- at the moment -- are nation states.
The U.S. Department of Defense argues that the cyberdomain breaks down the traditional concept that large-scale attacks require equally large-scale operations, which might give attackers a way to exploit U.S. vulnerabilities.
Since much of U.S. critical infrastructure -- a likely target of cyberattacks -- is operated by the private sector, the private sector needs to be involved in security enhancements.
Lewis said he's spoken with companies that see defending against terrorism as a responsibility of the government, not the private sector.
"That's a perfectly reasonable line," he said. "(The Department of Defense) needs to do something. The U.S. government needs to do something."
The Obama administration is pushing Congress to strengthen private sector cybersecurity, which Lewis sees as a positive move. But he added that the Defense Department should also be protecting national security-related interests.
The Department of Defense said it is.
The Defense Department "seeks to mitigate the risks posed to U.S. and allied cyberspace capabilities," a department spokesman said via e-mail, "while protecting and respecting the principles of privacy and civil liberties, free expression and innovation that have made cyberspace an integral part of U.S. prosperity and security."
While Hayden dismissed concerns of cyberterrorism attacks at the moment, he was quick to acknowledge the potential problems, calling U.S. infrastructure vulnerable.
"Eventually they'll get this capability and then they'll use it," Lewis said.