‘This Is a Pre-9/11 Moment’
U.S. Defense Chief Warns of Digital 9/11
Panetta: Cyber intruders have already infiltrated US systems
Cyber terrorists are ‘plotting attack on US infrastructure’
By Sandra I. Erwin
The Pentagon is mobilizing its cyberwarfare arsenal in preparation for a massive assault on U.S. networks that could “paralyze the nation,” said Defense Secretary Leon E. Panetta.
“A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” Panetta said Oct. 11 in a speech to corporate leaders of Business Executives for National Security, a nonpartisan group.
Panetta, along with Frank J. Bisignano, chief operating officer of JP Morgan Chase & Co., received the BENS Eisenhower Award, following a black-tie dinner at the Intrepid Sea, Air and Space Museum, in New York City.
Hostile network penetrations are nothing new at the Department of Defense, whose 15,000 computer systems are routinely targeted by hackers and industrial spies. But Panetta is now warning that even more destructive cyber weapons are being aimed at the United States. He is directing the Pentagon to begin ramping up network-security efforts, and he is calling on the private sector to help by sharing intelligence about suspected or actual attacks.
A string of breaches over the past several months marks a “significant escalation of the cyber threat,” said Panetta. “And they have renewed concerns about still more destructive scenarios that could unfold.”
Foreign hackers, he noted, are “probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants, and those that guide transportation throughout the country.”
The nation today faces the cyber equivalent of a “pre-9/11 moment,” he said somberly.
Without citing specific evidence of what might be coming, Panetta said he fears that, in the not too distant future, more severe cyber attacks will cause “physical destruction and loss of life, paralyze and shock the nation, and create a profound new sense of vulnerability.”
The stakes are high for the Defense Department, Panetta said, as “attackers could also seek to disable or degrade critical military systems and communications networks.”
The Pentagon requested $3.4 billion in fiscal year 2013 for cybersecurity technologies and contractor services.
Panetta noted that in recent weeks, some large U.S. financial institutions were hit by so-called “distributed denial of service” attacks. The tactic is not new, but the scale and speed was unprecedented, Panetta said.
Two months ago, a sophisticated virus called “Shamoon” infected computers at the Saudi Arabian state oil company, ARAMCO. More than 30,000 computers were infected were rendered useless. Days after this incident, there was a similar attack on Ras Gas of Qatar — a major energy company, Panetta said. “The Shamoon virus was probably the most destructive attack that the private sector has seen to date.”
A Pentagon spokesman told reporters Oct. 11 during a conference call that Panetta decided to focus his BENS speech on cybersecurity because he wants Americans to better understand the Defense Department’s role in protecting U.S. networks. Panetta wants to dispel misunderstandings about what the Pentagon is able or legally allowed to do in the cybersecurity arena.
The Defense Department, Panetta insisted, is not in the business of bugging citizens’ computers or intercepting their email. “We are doing this as part of a broad ‘whole of government’ effort to confront cyber threats,” Panetta said. The Department of Homeland Security is the lead agency for domestic cybersecurity. The FBI is involved in criminal investigations. The State Department is working with allied governments to help forge international protocols for activities in cyberspace.
The Pentagon’s U.S. Cyber Command and the National Security Agency are in charge of monitoring and defending military networks.
But Panetta acknowledged that even seasoned cyber warriors often have difficulties identifying the perpetrators of an attack. Over the last two years, he said, the Pentagon has sought to improve its forensic capabilities.
The Pentagon also is drafting new policies for conducting cyberwarfare, said Panetta. He described these measures as the “most comprehensive change to our rules of engagement in cyberspace in seven years.”
The new rules would expand the Defense Department’s authority to respond to attacks to civilian networks such as intrusions that would compromise the nation’s critical infrastructure, he said.
“The private sector, government, military and our allies all share the same global infrastructure — and we all share the responsibility to protect it,” Panetta said.
He also asked Congress to assist the executive branch by passing legislation to increase public-private cooperation in cybersecurity. “Companies should be able to share specific threat information with the government without the prospect of lawsuits hanging over their head,” said Panetta. Businesses should help the government develop “baseline standards for our most critical private-sector infrastructure, including power plants, water treatment facilities and gas pipelines,” he said. “The reality is that too few companies have invested in even basic cybersecurity.”
Comprehensive cyber legislation has been stalled on Capitol Hill. Until Congress takes action, the Obama administration is contemplating issuing an executive order that would provide guidance to the private sector on “best practices and increase information sharing,” Panetta said. “We have no choice because the threat we face is already here.”
Defense officials worry that attacks on private networks could have significant ripple effects on military operations. More than 99 percent of the electricity and 90 percent of the voice and other communication services that the military uses come from civilian suppliers.
Panetta Spells Out DOD Roles in Cyberdefense
By Jim Garamone
American Forces Press Service
Defense Secretary Leon E. Panetta spelled out in detail the Defense Department’s responsibility in cybersecurity during a speech to the Business Executives for National Security meeting in New York, today.
Panetta has stressed the importance of cybersecurity since taking office last year. In addition, the secretary has warned about a “cyber Pearl Harbor” many times, including during testimony before Congress.
The speech before BENS aboard the USS Intrepid Museum is the secretary’s clearest discussion to date of DOD’s responsibility in the cyber domain.
“A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” he said in prepared remarks. “Such a destructive cyber terrorist attack could paralyze the nation.”
The secretary pointed to denial of service attacks that many large U.S. corporations have suffered in recent weeks, but also cited a more serious attack in Saudi Arabia. In that attack a sophisticated virus called “Shamoon” infected computers at the Saudi Arabian state oil company, ARAMCO.
“Shamoon included a routine called a ‘wiper,’ coded to self-execute,” he said. “This routine replaced crucial system files with an image of a burning U.S. flag. It also put additional ‘garbage’ data that overwrote all the real data on the machine. The more than 30,000 computers it infected were rendered useless, and had to be replaced.”
There was a similar attack later in Qatar. “All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date,” Panetta said.
Enemies target computer control systems that operate chemical, electricity and water plants, and guide transportation networks.
“We also know they are seeking to create advanced tools to attack these systems and cause panic, destruction and even the loss of life,” he said.
“An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals,” he said. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
Cyber attacks could be part of a major attack against the United States, and this could mean the cyber Pearl Harbor the secretary fears. This is “an attack that would cause physical destruction and loss of life, paralyze and shock the nation and create a profound new sense of vulnerability,” he said.
DOD has a supporting role in cyber defense, he said. The Department of Homeland Security is the lead federal agency, with the FBI having lead on law enforcement. Still the overall DOD mission is to defend the United States.
“We defend. We deter. And if called upon, we take decisive action,” the secretary said. “In the past, we have done so through operations on land and at sea, in the skies and in space. In this new century, the United States military must help defend the nation in cyberspace as well.”
DOD has responsibility for defending its own networks, and can also help deter attacks. “Our cyber adversaries will be far less likely to hit us if they know we will be able to link them to the attack, or that their effort will fail against our strong defenses,” he said. “The Department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of an attack.”
DOD has improved its capability of tracking attacks to point of origin. “Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests,” he said.
But improved defenses will not stop all cyber attacks. “If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President,” Panetta said. “For these kinds of scenarios, the Department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace.
“Let me be clear that we will only do so to defend our nation, our interests, or our allies,” he continued. “And we will only do so in a manner consistent with the policy principles and legal frameworks that the Department follows for other domains, including the law of armed conflict.”
DOD is finalizing a comprehensive change to rules of engagement in cyberspace. “The new rules will make clear that the Department has a responsibility not only to defend DOD’s networks, but also to be prepared to defend the nation and our national interests against an attack in or through cyberspace,” he said. “These new rules will make the Department more agile and provide us with the ability to confront major threats quickly.”
The private sector, government, military and international partners operate in cyberspace. “We all share the responsibility to protect it,” he said. “Therefore, we are deepening cooperation with our closest allies with a goal of sharing threat information, maximizing shared capabilities, and deterring malicious activities.”
All U.S. leaders have discussed cyber security with foreign leaders. Panetta raised the issue with Chinese leaders during his recent trip to Beijing. “I underscored the need to increase communication and transparency so that we can avoid misunderstanding or miscalculation in cyberspace,” he said. “That is in the interest of the United States, and it is in the interest of China.”
But businesses have the greatest interest in cybersecurity. Businesses depend on a safe, secure, and resilient global digital infrastructure, and businesses own and run many of the critical networks the nation depends on. “To defend those networks more effectively, we must share information between the government and the private sector about threats in cyberspace,” the secretary said.
While there has been progress in sharing public-private cyber information, “we need Congress to act to ensure this sharing is timely and comprehensive,” he said. “Companies should be able to share specific threat information with the government without the prospect of lawsuits hanging over their head. And a key principle must be to protect the fundamental liberties and privacy in cyberspace that we are all duty-bound to uphold.”
Baseline standards must be set for cyber security and that means Congress must act, Panetta said. He said the bipartisan Cybersecurity Act of 2012 “has fallen victim to legislative and political gridlock. That is unacceptable to me, and it should be unacceptable to anyone concerned with safeguarding our national security.”
One option under consideration, Panetta said, is an executive order to enhance cybersecurity measures. “There is no substitute for comprehensive legislation, but we need to move as far as we can in the meantime,” he said. “We have no choice because the threat we face is already here. Congress has a responsibility to act. The President has a Constitutional responsibility to defend the country.”