The Defense Department’s worst cyber fears are coming true.
The Pentagon revealed yesterday for the first time the recent attacks against oil and gas companies in the Middle East were more than just disruptive. They were destructive.
Defense Secretary Leon Panetta said America’s critical infrastructure is at risk from the same types of attacks.
“These attacks mark a significant escalation of the cyber threat. And they have renewed concerns about still more destructive scenarios that could unfold,” Panetta said. “For example, we know that foreign cyber actors are probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants, and those that guide transportation throughout the country.”
Panetta’s speech Thursday night in New York at a dinner hosted by Business Executives for National Security was the first major policy speech about cybersecurity by the Secretary of Defense, according to a senior Defense official, speaking to reporters earlier in the day and who requested anonymity so as not to get out in front of Panetta’s speech.
DoD has been worried about the new types of attacks for some time. Gen. Keith Alexander, commander of the U.S. Cyber Command and director of the National Security Agency, has been highlighting for the better part of the year the change in the nature of cyber attacks from disruptive, such as a denial of service attack, to destructive, where the attacks render a system permanently useless.
Alexander told the House Armed Services Committee in March that destructive attacks are quickly becoming the preferred type of cyber attack by nation states, extremist organizations, organized crime and others.
Examples of destructive attacks
About two months ago, those fears came full circle.
Panetta said a virus called “Shamoon” attacked the computers of the Saudi Arabian state oil company, ARAMCO, in August.
“Shamoon included a routine called a ‘wiper,’ coded to self-execute. This routine replaced crucial system files with an image of a burning U.S. flag. It also put additional garbage data that overwrote all the real data on the machine,” Panetta said. “The more than 30,000 computers it infected were rendered useless, and had to be replaced. Then just days after this incident, there was a similar attack on Ras Gas of Qatar, a major energy company in the region. All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date.”
He said U.S. companies are in no better shape and face a similar danger.
“We know of specific instances where intruders have successfully gained access to these control systems,” Panetta said. “We also know they are seeking to create advanced tools to attack these systems and cause panic, destruction and even the loss of life.”
Alexander and other senior cyber leaders have known these destructive attacks were more than just possible but inevitable. Panetta said that is why the Senate’s comprehensive cybersecurity bill sponsored by Sens. Joseph Lieberman (I-Conn.), Susan Collins (R-Maine) and Jay Rockefeller (D-W.Va.) is desperately needed.
“Working with the business community, we need to develop baseline standards for our most critical private-sector infrastructure, including power plants, water treatment facilities and gas pipelines,” he said. “This would help ensure that companies take proactive measures to secure themselves against sophisticated threats, but also take common sense steps against basic threats. Although awareness is growing, the reality is that too few companies have invested in even basic cybersecurity. The fact is that to fully provide the necessary protection, in our democracy, cybersecurity legislation must be passed by Congress. Without it, we are vulnerable.”
The Senate is at a stalemate over the bill and there is minimal hope it will pass a bill during the lame duck session in November.
Andy Ozment, a senior director in the White House’s cybersecurity coordinator’s office, said earlier in the day at the Information Security and Privacy Advisory Board meeting in Washington the administration hasn’t given up hope and he knows people are working hard to get an agreement.
“Whether this turns into action, I’m not sure,” he said. “Congress has a lot to do in November so finding the time will be a challenge.”
In the meantime, DoD is taking a variety of steps to counter this real attack vector. The military soon will finalize its rules of engagement detailing when and how it will respond to cyber attacks.
“The new rules will make clear that the department has a responsibility not only to defend DoD’s networks, but also to be prepared to defend the nation and our national interests against an attack in or through cyberspace,” he said. “These new rules will make the department more agile and provide us with the ability to confront major threats quickly.”
“We are recruiting, training, and retaining the best and brightest in order to stay ahead of other nations. It’s no secret that Russia and China have advanced cyber capabilities. Iran has also undertaken a concerted effort to use cyberspace to its advantage,” he said. “Moreover, DoD is already in an intense daily struggle against thousands of cyber actors who probe the Defense Department’s networks millions of times per day. Through the innovative efforts of our cyber operators, we are enhancing the Department’s cyber defense programs. These systems rely on sensors and software to hunt down malicious code before it harms our systems. We actively share our own experience defending our systems with those running the nation’s critical private sector networks.”
He said the Pentagon also has made significant progress in identifying the specific nation state or criminal organization that is attacking their networks.
“Over the last two years, the department has made significant investments in forensics to address this problem of attribution, and we are seeing returns on those investments,” Panetta said. “Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests.”
Countering threats to the nation
If DoD positively identifies the attackers or detects a possible destructive attack, Panetta said he would respond as directed by the President.
“[T]he department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace,” he said. “Let me be clear that we will only do so to defend our nation, our interests or our allies. And we will only do so in a manner consistent with the policy principles and legal frameworks that the department follows for other domains, including the law of armed conflict.”
A second Defense official said Panetta wanted to clarify DoD’s role in cyber defense, which is part of a whole of government approach and focused on defending the nation.