U.S. Defense Secretary Leon E. Panetta speaks Oct. 11 during the Business Executives for National Security meeting in New York. (Erin A. Kirk-Cuomo / U.S. Defense Department)
NEW YORK — Delivering what Defense Department officials termed a major policy speech outlining an aggressive new agenda to prevent cyber attacks, Defense Secretary Leon Panetta described the U.S. as in a “pre-9/11 moment” in need of immediate action as he spoke to an audience of veterans and business executives here at the Intrepid Sea, Air and Space Museum.
The U.S. was sending a clear message to cyber attackers that it would not only find them, but respond with action as needed, Panetta said, outlining advances in cyber forensics and capabilities at an awards dinner hosted by Business Executives for National Security.
“Our cyber adversaries will be far less likely to hit us if they know that we will be able to link them to the attack,” he said.
Panetta described several recent attacks against energy companies in Qatar and Saudi Arabia, Ras Gas and Saudi Aramco, respectively. Both attacks were based on a variant of the “Shamoon” virus, and the attack on Saudi Aramco disabled 30,000 computers. Although the attacks have been reported in the media, the DoD had not formally acknowledged them. Senior defense officials said the agency has determined the source of the attacks but would not disclose the details.
“These attacks mark a significant escalation of the cyber threat, and they have renewed concerns about still more destructive scenarios that could unfold,” Panetta said. “For example, we know that foreign cyber actors are probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants, and those that guide transportation throughout this country.”
Panetta said DoD efforts in cyberspace do not include excessive snooping into U.S. citizen email and data, a concern that has been frequently raised in Congress. Instead, he said the DoD must focus on protecting the country and deterring potential enemies.
“Our mission is to defend the nation,” he said. “We defend. We deter. And if called upon, we take decisive action to defend our citizens. In the past, we have done so through operations on land and at sea, in the skies and in space. In this century, the United States military must help defend the nation in cyberspace as well.”
The notion of deterrence was a critical theme of the speech, as Panetta mentioned the concept repeatedly. He emphasized that two critical lapses had previously limited the U.S.’s ability to deter attackers: an inability to target attackers by attributing attacks, and the need to possess tools to respond aggressively.
Panetta said that DoD has largely addressed both problems.
“The department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of that attack,” he said. “Over the last two years, DoD has made significant investments in forensics to address this problem of attribution, and we’re seeing the returns on that investment. Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for their actions that may try to harm America.”
Once targets are identified, the U.S. must be able to respond, and will, he said. Panetta referenced both offensive capabilities as well as a willingness to act not only against attacks, but also against threats of attacks.
“We won’t succeed in preventing a cyber attack through improved defenses alone,” he said. “If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president. For these kinds of scenarios, the department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace.”
Panetta’s speech emphasized the need for cooperation and urged Congress to take up the work started in a bill requiring new levels of cyber protection in the private sector that was co-sponsored by Sens. Joseph Liberman, I-Conn., and Susan Collins, R-Maine. The bill, deemed by opponents as too costly for business interests, failed a key legislative hurdle in the Senate earlier this summer. The bill would have provided protection against lawsuits stemming from disclosure of information about cyber attacks in exchange for sharing details about the attacks.
Obama administration officials have said the administration would act through an executive order to do as much as possible to improve security efforts, a move that Panetta has supported and that has been fought by Republican opponents who have described it as an abuse of executive power.
Panetta also said that new standing rules of engagement, in the works for years and promised as “imminent” by administration officials several times during that span, are being finalized. The new rules, paired with policy adjustments and the investment of roughly $3 billion per year in cybersecurity, have resulted in real operational capability, he said.
“These new rules make the department more agile and provide us with the ability to confront major threats quickly,” he said.