Defense Secretary Leon E. Panetta spelled out in detail the Defense Department’s responsibility in cybersecurity during a speech to the Business Executives for National Security meeting in New York, today.
Panetta has stressed the importance of cybersecurity since taking office last year. In addition, the secretary has warned about a “cyber Pearl Harbor” many times, including during testimony before Congress.
The speech before BENS aboard the USS Intrepid Museum is the secretary’s clearest discussion to date of DOD’s responsibility in the cyber domain.
“A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” he said in prepared remarks. “Such a destructive cyber terrorist attack could paralyze the nation.”
The secretary pointed to denial of service attacks that many large U.S. corporations have suffered in recent weeks, but also cited a more serious attack in Saudi Arabia. In that attack a sophisticated virus called “Shamoon” infected computers at the Saudi Arabian state oil company, ARAMCO.
“Shamoon included a routine called a ‘wiper,’ coded to self-execute,” he said. “This routine replaced crucial system files with an image of a burning U.S. flag. It also put additional ‘garbage’ data that overwrote all the real data on the machine. The more than 30,000 computers it infected were rendered useless, and had to be replaced.”
There was a similar attack later in Qatar. “All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date,” Panetta said.
Enemies target computer control systems that operate chemical, electricity and water plants, and guide transportation networks.
“We also know they are seeking to create advanced tools to attack these systems and cause panic, destruction and even the loss of life,” he said.
“An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals,” he said. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
Cyber attacks could be part of a major attack against the United States, and this could mean the cyber Pearl Harbor the secretary fears. This is “an attack that would cause physical destruction and loss of life, paralyze and shock the nation and create a profound new sense of vulnerability,” he said.
DOD has a supporting role in cyber defense, he said. The Department of Homeland Security is the lead federal agency, with the FBI having lead on law enforcement. Still the overall DOD mission is to defend the United States.
“We defend. We deter. And if called upon, we take decisive action,” the secretary said. “In the past, we have done so through operations on land and at sea, in the skies and in space. In this new century, the United States military must help defend the nation in cyberspace as well.”
DOD has responsibility for defending its own networks, and can also help deter attacks. “Our cyber adversaries will be far less likely to hit us if they know we will be able to link them to the attack, or that their effort will fail against our strong defenses,” he said. “The Department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of an attack.”
DOD has improved its capability of tracking attacks to point of origin. “Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests,” he said.
But improved defenses will not stop all cyber attacks. “If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President,” Panetta said. “For these kinds of scenarios, the Department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace.
“Let me be clear that we will only do so to defend our nation, our interests, or our allies,” he continued. “And we will only do so in a manner consistent with the policy principles and legal frameworks that the Department follows for other domains, including the law of armed conflict.”
DOD is finalizing a comprehensive change to rules of engagement in cyberspace. “The new rules will make clear that the Department has a responsibility not only to defend DOD’s networks, but also to be prepared to defend the nation and our national interests against an attack in or through cyberspace,” he said. “These new rules will make the Department more agile and provide us with the ability to confront major threats quickly.”
The private sector, government, military and international partners operate in cyberspace. “We all share the responsibility to protect it,” he said. “Therefore, we are deepening cooperation with our closest allies with a goal of sharing threat information, maximizing shared capabilities, and deterring malicious activities.”
All U.S. leaders have discussed cyber security with foreign leaders. Panetta raised the issue with Chinese leaders during his recent trip to Beijing. “I underscored the need to increase communication and transparency so that we can avoid misunderstanding or miscalculation in cyberspace,” he said. “That is in the interest of the United States, and it is in the interest of China.”
But businesses have the greatest interest in cybersecurity. Businesses depend on a safe, secure, and resilient global digital infrastructure, and businesses own and run many of the critical networks the nation depends on. “To defend those networks more effectively, we must share information between the government and the private sector about threats in cyberspace,” the secretary said.
While there has been progress in sharing public-private cyber information, “we need Congress to act to ensure this sharing is timely and comprehensive,” he said. “Companies should be able to share specific threat information with the government without the prospect of lawsuits hanging over their head. And a key principle must be to protect the fundamental liberties and privacy in cyberspace that we are all duty-bound to uphold.”
Baseline standards must be set for cyber security and that means Congress must act, Panetta said. He said the bipartisan Cybersecurity Act of 2012 “has fallen victim to legislative and political gridlock. That is unacceptable to me, and it should be unacceptable to anyone concerned with safeguarding our national security.”
One option under consideration, Panetta said, is an executive order to enhance cybersecurity measures. “There is no substitute for comprehensive legislation, but we need to move as far as we can in the meantime,” he said. “We have no choice because the threat we face is already here. Congress has a responsibility to act. The President has a Constitutional responsibility to defend the country.”