In His Own Words: Panetta on CyberthreatsDefense Secretary Warns of Dangers Facing U.S. from Cyberspace
The following article is adapted from a speech U.S. Defense Secretary Leon Panetta delivered Oct. 11 to the Business Executives for National Security.
See Also: HIPAA Audits: A Revised Game Plan
By Leon Panetta
When people think of cybersecurity today, they worry about hackers and criminals who prowl the Internet, steal people's identities, steal sensitive business information, steal even national security secrets. Those threats are real and they exist today.
But the even greater danger - the greater danger facing us in cyberspace goes beyond crime and it goes beyond harassment. A cyberattack perpetrated by nation states or violent extremists' groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation.
In recent weeks, some large U.S. financial institutions were hit by so-called distributed denial of service attacks. These attacks delayed or disrupted services on customer websites. While this kind of tactic isn't new, the scale and speed with which it happened was unprecedented.
But even more alarming is an attack that happened two months ago when a very sophisticated virus called Shamoon infected computers in the Saudi Arabian state oil company Aramco. Shamoon included a routine called a "wiper" coded to self-execute. This routine replaced crucial systems files with an image of a burning U.S. flag. But it also put in additional garbage data that overwrote all the real data on the machine. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers.
Then just days after this incident, there was a similar attack on RasGas of Qatar, a major energy company in the region. All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date.
Escalation of the Cyberthreaet
Imagine the impact an attack like that would have on your company or your business. These attacks mark a significant escalation of the cyberthreat and they have renewed concerns about still more destructive scenarios that could unfold.
For example, we know that foreign cyber actors are probing America's critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country. We know of specific instances where intruders have successfully gained access to these control systems. We also know that they are seeking to create advanced tools to attack these systems and cause panic and destruction and even the loss of life.
An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches. They could, for example, derail passenger trains or even more dangerous, derail trains loaded with lethal chemicals. They could contaminate the water supply in major cities or shutdown the power grid across large parts of the country.
The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack on our country. Attackers could also seek to disable or degrade critical military systems and communication networks. The collective result of these kinds of attacks could be a "cyber Pearl Harbor," an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.
Eyes Wide Open
As director of the CIA and now secretary of defense, I have understood that cyberattacks are every bit as real as the more well-known threats like terrorism, nuclear weapons proliferation and the turmoil that we see in the Middle East. And the cyberthreats facing this country are growing. With dramatic advances, this is an area of dramatic developments in cyber technology. With that happening, potential aggressors are exploiting vulnerabilities in our security. But the good news is this: We are aware of this potential. Our eyes are wide open to these kinds of threats and we are a nation that, thank God, is on the cutting edge of this new technology. We are the best and we have to stay there.
The Department of Defense, in large part through the capabilities of the National Security Agency, NSA, has develop the world's most sophisticated system to detect cyber intruders and attackers. We are acting aggressively to get ahead of this problem, putting in place measures to stop cyberattacks dead in their tracks. We are doing this as part of a broad whole of government effort to confront cyberthreats.
The Department of Homeland Security has the lead for domestic cybersecurity, the FBI also has a key part to play and investigating and preventing cyberattacks. And our intelligence agencies, of course, are focused on this potential threat as well. The State Department is trying to forge international consensus on the roles and responsibilities of nations to help secure cyberspace.
The Department of Defense also has a role. It is a supporting role but it is an essential role. But first let me make clear what it does not mean. It does not mean that the Department of Defense will monitor citizens' personal computers. We're not interested in personal communication or in e-mails or in providing the day to day security of private and commercial networks. That is not our goal. That is not our job. That is not our mission.
Defend, Deter, Act
Our mission is to defend the nation. We defend. We deter, and if called upon, we take decisive action to protect our citizens. In the past, we have done so thorough operations on land and at sea, in the skies and in space. In this century, the United States military must help defend the nation in cyberspace as well. If a foreign adversary attacked U.S. soil, the American people have every right to expect their national defense forces to respond. If a crippling cyberattack were launched against our nation, the American people must be protected. And if the Commander in Chief orders a response, the Defense Department must be ready to obey that order and to act.
To ensure that we fulfill our role to defend the nation in cyberspace, the department is focusing on three main tracks.
- Developing new capabilities.
- Putting in place the policies and organizations we need to execute our mission.
- Building much more effective cooperation with industry and with our international partners.
First, developing new capabilities: DoD is investing more than $3 billion annually in cybersecurity because we have to retain that cutting-edge capability in the field. Following our new defense strategy, the department is continuing to increase key investments in cybersecurity even in an era of fiscal restraint.
Our most important investment is in skilled cyber warriors needed to conduct operations in cyberspace. Just as DoD developed the world's finest counterterrorism force over the past decade, we need to build and maintain the finest cyber force and operations. We're recruiting, we're training, we're retaining the best and the brightest in order to stay ahead of other nations.
It's no secret that Russia and China have advanced cyber capabilities. Iran has also undertaken a concerted effort to use cyberspace to its advantage. Moreover, DoD is already in an intense daily struggle against thousands of cyber actors who probe the Defense Department's networks, millions of time a day. Throughout the innovative efforts of our cyber operators, we've been trying to enhance the department's cyber-defense programs. These systems rely on sensors; they rely on software to hunt down the malicious code before it harms our systems. We actively share our own experience defending our systems with those running the nation's critical private sector networks.
In addition to defending the department's networks, we also help deter attacks. Our cyber adversaries will be far less likely to hit us if they know that we will be able to link to the attack or that their effort will fail against our strong defenses. The department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of that attack.
Over the last two years, DoD has made significant investments in forensics to address this problem of attribution, and we're seeing the returns on that investment. Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America.
But we won't succeed in preventing a cyberattack through improved defenses alone. If we detect an imminent threat of attack that will cause significant, physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us to defend this nation when directed by the president. For these kinds of scenarios, the department has developed that capability to conduct effective operations to counter threats to our national interests in cyberspace.
Let me clear that we will only do so to defend our nation, to defend our interests, to defend our allies and we will only do so in a manner that is consistent with the policy principles and legal frameworks that the department follows for other domains including the law of armed conflict.
Which brings me to the second area of focus, policies and organization: Responding to the cyberthreat requires the right policies and organizations across the federal government.
Establishing Responsibilities for Cyber Defense
For the past year, the Department of Defense has been working very closely with other agencies to understand where are the lines of responsibility when it comes to cyber defense. Where do we draw those lines? And how do those responsibilities get executed?
As part of that effort, the department is finalizing the most comprehensive change to our rules of engagement in cyberspace in seven years. The new rules will make clear that the department has a responsibility, not only to defend DoD's networks, but also to be prepared to defend the nation and our national interests against an attack in or through cyberspace. These new rules make the department more agile and provide us with the ability to confront major threats quickly.
To execute these responsibilities, we must have strong organization structures in place. Three years ago, the department took a major step forward by establishing the United States Cyber Command. Under the leadership of Gen. Keith Alexander, a four-star officer who also serves as the director of the National Security Agency. Cyber Command has matured into what I believe is a world-class organization. It has the capacity to conduct a full range of missions inside cyberspace. And it's also working to develop a common, real-time understanding of the threats in cyberspace. The threat picture could be quickly shared with DoD's geographic and functional combatant commanders, with DHS, with FBI and with other agencies in government. After all, we need to see an attack coming in order to defend against that attack.
And we're looking at ways to strengthen Cyber Command as well. We must ensure that hit has the resources, that it has the authorities, that it has the capabilities required to perform this growing mission. And it must also be able to react quickly to events unfolding in cyberspace and help fully integrate cyber into all of the department's plans and activities.
And finally, the third area is to build stronger partnerships. Securing cyberspace is not the sole responsibility of the United States military or even the sole responsibility of the United States government. The private sector, government, military, our allies - all share the same global infrastructure and we all share the responsibility to protect it. Therefore, we are deepening cooperation with our closest allies with the goal of sharing threat information, maximizing shared capabilities and determining malicious activities. The president, the vice president, secretary of state and I have made cyber a major topic of discussion in nearly all of our bilateral meetings with foreign counterparts.
I recently met with our Chinese military counterparts just a few weeks ago. In my visit to Beijing, I underscored the need to increase communication and transparency with each other so that we could avoid a misunderstanding or a miscalculation in cyberspace. This is in the interest of the United States, but it's also in the interest of China.
Ultimately, no one has a greater interest in cybersecurity than the businesses that depend on a safe, secure and resilient global, digital infrastructure. Particularly those who operate the critical networks that we must help defend. To defend those networks more effectively, we must share information between the government and the private sector about threats in cyberspace.
We've made real progress in sharing information with the private sector. But very frankly, we need Congress to act to ensure that this sharing is timely and comprehensive. Companies should be able to share specific threat information with the government, without the prospect of lawsuits hanging over their head. And a key principle must be to protect the fundamental liberties and privacy in cyberspace that we are all duty bound to uphold.
Information sharing alone is not sufficient. We've got to work with the business community to develop baseline standards for our most critical private-sector infrastructure, our power plants, our water treatment facilities, our gas pipelines. This would help ensure that companies take proactive measures to secure themselves against sophisticated threats, but also take common sense steps against basic threats. Although awareness is growing, the reality is that too few companies have invested in even basic cybersecurity.
Seeking Congressional Cooperation
The fact is that to fully provide the necessary protection in our democracy, cybersecurity legislation must be passed by the Congress. Without it, we are and we will be vulnerable. Congress must act and it must act now on a comprehensive bill such as the bipartisan Cybersecurity Act of 2012 co-sponsored by Sens. Lieberman, Collins, Rockefeller and Feinstein. This legislation has bipartisan support, but is victim to legislative and political gridlock like so much else in Washington [see Senate Votes to Block Cybersecurity Act Action]. That frankly is unacceptable and it should be unacceptable not just to me, but to anyone concerned with safeguarding our national security.
While we wait for Congress to act, the administration is looking to enhance cybersecurity measures under existing authorities, by working with the private sector to promote best practices, increase information sharing. They are considering issuing an executive order as one option to try to deal with the situation, but very frankly there is no substitute for comprehensive legislation and we need to move as far as we can in the meantime [see White House: No Rush on Executive Order]. We have no choice because the threat that we face, as I've said, is already here. Congress has a responsibility to act and the president of the United States has constitutional responsibility to defend our country.
Before Sept. 11, 2001, the warning signs were there. We weren't organized. We weren't ready and we suffered terribly for that lack of attention. We cannot let that happen again. This is a pre-9/11 moment. The attackers are plotting. Our systems will never be impenetrable just like our physical defenses are not perfect, but more can be done to improve them. We need Congress and we need all of you to help in that effort.
The Department of Defense is doing our part. And I'm asking you to do yours as citizens and as business leaders. Help us innovate. Help us increase the nation's cybersecurity by securing your own networks. Help us remain ahead of the threats that we confront. By doing so, you will help ensure that cyberspace continues to bring prosperity to your companies and to people across the world.