U.S. Defense Secretary Leon Panetta said the Pentagon and American intelligence agencies are seeing an increase in cyber threats that could become as devastating as the Sept. 11, 2001, attacks if they aren’t stopped.
“A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” Panetta said last week. “Such a destructive cyber terrorist attack could paralyze the nation.”
The Defense Department is drafting new rules that will allow the military to defend U.S. “national interests” in addition to its own computer networks, Panetta said in prepared remarks delivered in New York on board the USS Intrepid, an aircraft carrier that’s now a museum.
Panetta offered the highest-level confirmation to date of recent cyber attacks on U.S. and international computer networks and faulted Congress for failing to pass comprehensive cybersecurity legislation this year. In the absence of such a law, President Barack Obama’s administration may issue an executive order, Panetta said.
Attackers “are targeting the computer control systems that operate chemical, electricity and water plants, and those that guide transportation throughout the country,” he told the annual awards dinner of Business Executives for National Security, a non-profit group that applies business practices to national security.
“We know of specific instances where intruders have successfully gained access to these control systems,” Panetta said. “We also know they are seeking to create advanced tools to attack these systems and cause panic, destruction, and even the loss of life.”
“An aggressor nation or extremist group could gain control of critical switches and derail passenger trains, or trains loaded with lethal chemicals,” Panetta said. “They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country.”
In recent weeks, he said, some large U.S. financial institutions were hit by attacks that delayed or disrupted services on customer websites. While this tactic, called a Distributed Denial of Service attack, isn’t new, the scale and speed of the bank assaults, which continued this week, were unprecedented, he said.
Even more alarming, Panetta said, was an attack two months ago in which a sophisticated virus called Shamoon infected computers at the Saudi Arabian Oil Co., known as Saudi Aramco, and then Ras Gas of Qatar. More than 30,000 Aramco computers were rendered useless, and had to be replaced, he said.
“Shamoon included a routine called a ‘wiper,’ coded to self-execute,” he said. “This routine replaced crucial system files with an image of a burning U.S. flag. It also put additional ‘garbage’ data that overwrote all the real data on the machine.”
Aramco said the attack had no significant impact on its administrative operations and that it had reinforced its network security systems, according to a statement posted on the company’s website last month.
Panetta discussed specific attacks whose details were declassified to allow public disclosure because cyber threats have become as serious as conventional and nuclear threats, a senior defense official said, speaking on the condition of anonymity to discuss internal deliberations.
The Defense Department is working on new rules that will clarify the Pentagon’s role in defending the country from cyber attacks without violating privacy laws and citizens’ rights, the official said.
“We won’t succeed in preventing a cyber attack through improved defense alone,” Panetta said. “If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation.”
In response, he said, the Pentagon is “finalizing the most comprehensive change to our rules of engagement in cyberspace in seven years.” The rules will clarify that the Pentagon “has a responsibility not only to defend the DoD’s networks, but also is prepared to defend the nation and our national interests.”
The rules, which are still being written, will specify what types of attacks are serious enough to be considered hostile action against the U.S. under international law, a Pentagon official said. The official, who briefed reporters prior to the speech, declined to say where the line will be drawn between routine cyber intrusions and attacks.
The Pentagon spends about $3 billion a year to retain “cutting edge capabilities” and is increasing “many key investments” despite budget constraints, Panetta said.
The Pentagon also has made “significant investments in forensics” to identify attackers, Panetta said. “Potential aggressors should be aware that the U.S. has the capacity to locate them and hold them accountable for actions that harm America or its interests.”
The Defense Department has identified thousands of low-level attacks and attributed them to criminal groups, nations, and individuals without taking any action, the defense official told reporters.
Panetta said Russia and China have advanced cyber capabilities, and Iran is undertaking a “concerted effort to use cyberspace to its advantage.”
He said top U.S. officials, including Obama, Vice President Joe Biden, Secretary of State Hillary Clinton, and himself routinely discuss cybersecurity with their foreign counterparts.
Nevertheless, he said, “securing cyberspace is not the responsibility of the U.S. military, or even the sole responsibility of the U.S. government. The private sector, government, military, and our allies all share the same global infrastructure -- and we all share the responsibility to protect it.”
The Pentagon has made progress in sharing information with private companies, Panetta said. Since May, the Defense Department has expanded a program to share unclassified cybersecurity information with defense contractors to 64 from 34 companies, he said.
The Department of Homeland Security is working on a project to share “highly sensitive” cybersecurity information with commercial Internet service providers, Panetta said.
“Information sharing alone, however, is not sufficient,” he said. “Working with the business community, we need to develop baseline standards for our most critical private-sector infrastructure -- including power plants, water treatment facilities, and gas pipelines.”
“Although awareness is growing, the reality is that too few companies have invested in even basic cybersecurity,” Panetta said.
To provide all the necessary protection, he said, Congress must pass comprehensive cybersecurity legislation, which it failed to do this year. In the meantime, he said, the administration will work to enhance security under existing authorities by working with the private sector and possibly by issuing an executive order.
“This is a pre-9/11 moment,” Panetta said. “The attackers are plotting. Our systems will never be impenetrable, just like our physical defenses are not perfect. But more can be done to improve them.”