Defense Secretary Leon Panetta detailed the ultimate national i-nightmare in New York on Thursday, explaining how “foreign cyber actors” have probed critical national infrastructure networks with the intent of unleashing an electronic Pearl Harbor or 9/11.
“They are targeting the computer control systems that operate chemical, electricity and water plants, and those that guide transportation throughout the country,” he said. “We know of specific instances where intruders have successfully gained access to these control systems. We also know they are seeking to create advanced tools to attack these systems and cause panic, destruction, and even the loss of life.”
Panetta’s policy speech on cyberwarfare was the first by a defense secretary, according to two senior Pentagon officials who briefed reporters on it in advance. Panetta believes that cyberspace must be considered an important battlefield now and in the future, the officials explained.
He likened the current situation to the days leading up to 9/11, when warnings existed but weaknesses in the system left the country vulnerable. Hackers launch thousands of probes each day to gain entry to military computer systems.
The Pentagon chief used the forum to officially acknowledge several recent and significant cyber attacks. These included so-called “distributed denial of service” assaults on American financial institutions that disrupted services to online customers, and the insertion of a virus into the computer systems of the Saudi Arabian state oil company, ARAMCO, in August.
Panetta said the cyber attack on the banks was significant for its speed and scope -- much larger than previous attacks. The virus infection of ARAMCO’s computers included a so-called “wiper” routine that replaced critical system files with an image of a burning American flag, and over-wrote real data with “garbage” data. The result was 30,000 computers rendered useless, he said.
A foreign military or an extremist group with the right skills and tools could potentially wreak havoc on U.S. passenger- and cargo-rail systems, contaminate water supplies in major cities and shut down power grids. A worst-case scenario would be several attacks simultaneously, including some attempting to cripple military and communications systems, Panetta said.
“The collective result of these kinds of attacks could be ‘cyber Pearl Harbor,’ an attack that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation, and create a profound new sense of vulnerability,” he said.
Missing from Panetta’s speech was any description of how the U.S. would respond to a cyber attack of the scope he laid out, and what it would respond with. He noted that “the good news is that we are aware of this potential [for attacks], our eyes are wide open to these threats, and we are a nation, thank God, that is on the cutting edge of this new technology.”
However, he did declare that the U.S. has the ability to trace an attack on a computer network back to its source and mount pre-emptive operations when an impending assault is detected.
Pentagon officials speaking with reporters before the speech declined to get into a discussion of U.S. offensive capabilities and how the Defense Department would respond to attacks on the nation’s infrastructure or major computer systems.
“It does no good to talk about hypotheticals,” one official said.
Though Panetta’s forum was New York City, and his audience a group of business executives, the target of his policy speech was Congress, as he made clear in a call for the executives to push lawmakers into passing legislation strengthening U.S. cyber security.
The legislation, sponsored by Sens. Joe Lieberman, I-Conn., and Susan Collins, R-Maine, had bipartisan support but fell victim, Panetta said, “to legislative and political gridlock.”
“That is unacceptable to me, and it should be unacceptable to anyone concerned with safeguarding our national security,” he said.
Panetta said President Obama has considered enhancing existing cyber security measures via executive order. He wants the government to work better with the private sector to promote cyber security best practices and increase information sharing.
He said the Defense Department is focused on three areas: developing new capabilities; getting policies and organizations in place to carry out the mission; and building more effective cooperation with industry and international partners.
The Pentagon is spending $3 billion on new capabilities -- newer sensors and software for detecting possible threats -- and training the “skilled cyber warriors” needed for cyberspace combat.
It is also finalizing comprehensive changes to rules on cyber engagement. He said the rules will make clear that the Defense Department has a responsibility to defend not only its own networks, but also other systems critical to the national interests.
The U.S. military has formed information-sharing partnership agreements with the FBI and the Department of Homeland Security, among other agencies.
Panetta said there is a need for cooperation with the private sector and allies.
“The private sector, government, military, and our allies all share the same global infrastructure, and we all share the responsibility to protect it,” he said. “Therefore, we are deepening cooperation with our closest allies with a goal of sharing threat information, maximizing shared capabilities, and deterring malicious activities.”
Panetta said he, Vice President Joe Biden and Secretary of State Hillary Clinton have discussed cyber security issues in talks with foreign leaders and militaries, including China’s. Panetta said he underscored to China the need to improve communications and transparency between the two countries to avoid misunderstandings and miscalculations in cyberspace.
The Defense Department has been doing its part, he told the executives, and exhorted them to become involved.
“Help us innovate. Help us increase the nation’s cyber security by securing your own networks. Help us remain ahead of the threats that we confront,” he said. “By doing so, you will help ensure that cyberspace continues to bring prosperity to your companies and to people across the world.”