By Sandra I. Erwin
The Pentagon is mobilizing its cyberwarfare arsenal in preparation for a massive assault on U.S. networks that could “paralyze the nation,” said Defense Secretary Leon E. Panetta.
“A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” Panetta said Oct. 11 in a speech to corporate leaders of Business Executives for National Security, a nonpartisan group.
Panetta, along with Frank J. Bisignano, chief operating officer of JP Morgan Chase & Co., received the BENS Eisenhower Award, following a black-tie dinner at the Intrepid Sea, Air and Space Museum, in New York City.
Hostile network penetrations are nothing new at the Department of Defense, whose 15,000 computer systems are routinely targeted by hackers and industrial spies. But Panetta is now warning that even more destructive cyber weapons are being aimed at the United States. He is directing the Pentagon to begin ramping up network-security efforts, and he is calling on the private sector to help by sharing intelligence about suspected or actual attacks.
A string of breaches over the past several months marks a “significant escalation of the cyber threat,” said Panetta. “And they have renewed concerns about still more destructive scenarios that could unfold.”
Foreign hackers, he noted, are “probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants, and those that guide transportation throughout the country.”
The nation today faces the cyber equivalent of a “pre-9/11 moment,” he said somberly.
Without citing specific evidence of what might be coming, Panetta said he fears that, in the not too distant future, more severe cyber attacks will cause “physical destruction and loss of life, paralyze and shock the nation, and create a profound new sense of vulnerability.”
The stakes are high for the Defense Department, Panetta said, as “attackers could also seek to disable or degrade critical military systems and communications networks.”
The Pentagon requested $3.4 billion in fiscal year 2013 for cybersecurity technologies and contractor services.
Panetta noted that in recent weeks, some large U.S. financial institutions were hit by so-called “distributed denial of service” attacks. The tactic is not new, but the scale and speed was unprecedented, Panetta said.
Two months ago, a sophisticated virus called “Shamoon” infected computers at the Saudi Arabian state oil company, ARAMCO. More than 30,000 computers were infected were rendered useless. Days after this incident, there was a similar attack on Ras Gas of Qatar — a major energy company, Panetta said. “The Shamoon virus was probably the most destructive attack that the private sector has seen to date.”
A Pentagon spokesman told reporters Oct. 11 during a conference call that Panetta decided to focus his BENS speech on cybersecurity because he wants Americans to better understand the Defense Department’s role in protecting U.S. networks. Panetta wants to dispel misunderstandings about what the Pentagon is able or legally allowed to do in the cybersecurity arena.
The Defense Department, Panetta insisted, is not in the business of bugging citizens’ computers or intercepting their email. “We are doing this as part of a broad ‘whole of government’ effort to confront cyber threats,” Panetta said. The Department of Homeland Security is the lead agency for domestic cybersecurity. The FBI is involved in criminal investigations. The State Department is working with allied governments to help forge international protocols for activities in cyberspace.
The Pentagon’s U.S. Cyber Command and the National Security Agency are in charge of monitoring and defending military networks.
But Panetta acknowledged that even seasoned cyber warriors often have difficulties identifying the perpetrators of an attack. Over the last two years, he said, the Pentagon has sought to improve its forensic capabilities.
The Pentagon also is drafting new policies for conducting cyberwarfare, said Panetta. He described these measures as the “most comprehensive change to our rules of engagement in cyberspace in seven years.”
The new rules would expand the Defense Department’s authority to respond to attacks to civilian networks such as intrusions that would compromise the nation’s critical infrastructure, he said.
“The private sector, government, military and our allies all share the same global infrastructure — and we all share the responsibility to protect it,” Panetta said.
He also asked Congress to assist the executive branch by passing legislation to increase public-private cooperation in cybersecurity. “Companies should be able to share specific threat information with the government without the prospect of lawsuits hanging over their head,” said Panetta. Businesses should help the government develop “baseline standards for our most critical private-sector infrastructure, including power plants, water treatment facilities and gas pipelines,” he said. “The reality is that too few companies have invested in even basic cybersecurity.”
Comprehensive cyber legislation has been stalled on Capitol Hill. Until Congress takes action, the Obama administration is contemplating issuing an executive order that would provide guidance to the private sector on “best practices and increase information sharing,” Panetta said. “We have no choice because the threat we face is already here.”
Defense officials worry that attacks on private networks could have significant ripple effects on military operations. More than 99 percent of the electricity and 90 percent of the voice and other communication services that the military uses come from civilian suppliers.
Photo Credit: Defense Department