Future cyber attacks could rival 9-11, cripple US, warns Panetta

The Secretary of Defense laid out why the military should be involved in defending critical infrastructure

The US is facing a dramatically increasing threat from cyber attacks and a future attack on the country's critical infrastructure could have an effect similar to the September11 terrorist attacks of 2001, the US Secretary of Defense said Thursday evening.

Speaking at a meeting of the Business Executives for National Security (BENS) in New York, Leon Panetta called the Internet "the battlefield of the future" and spelled out what he believes the Department of Defense's role should be in cyberspace.

The military's role in securing the domestic Internet and working against attacks on commercial institutions has been controversial, although Panetta sought to get the assembled business leaders on his side by warning them of the danger a large-scale attack could have on their companies.

"A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack on 9/11," he said in the televised speech. "Such a destructive cyber terrorist attack could virtually paralyze the nation." (See video of Panetta warning against future cyber attacks.)

Panetta acknowledged recent distributed denial of service (DDOS) attacks on U.S. financial institutions that disrupted their websites and expressed concern with the speed at which they hit, but said he was even more alarmed by a recent attack by malware dubbed "Shamoon" that hit oil company Saudi Aramco.

"Shamoon included a routine called a 'wiper,' coded to self-execute," Panetta said. "This routine replaced crucial system files with an image of a burning U.S. flag. It also put additional 'garbage' data that overwrote all the real data on the machine. More than 30,000 computers it infected were rendered useless, and had to be replaced. It virtually destroyed 30,000 computers."

"All told, the Shamoon virus was probably the most destructive attack the private sector has seen to date," he said. "Imagine the impact an attack like that would have on your company."

Panetta told his audience the Department of Defense knows of specific instances where attackers have gained access to critical infrastructure systems and said such attacks could do great harm.

"An aggressor nation or extremist group could use these kinds of cyber tools to gain control of critical switches," he said. "They could for example derail passenger trains, or even more dangerous trains loaded with lethal chemicals," he said. "They could contaminate the water supply in major cities, or shut down the power grid across large parts of the country. The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time in combination with a physical attack on our country."

Such a scenario, said Panetta, would "paralyze and shock the nation" and be equivalent to a "cyber Pearl Harbor." (See video of Panetta setting out the scenario.)

The Department of Defense has an interest in stirring up fear of online attacks -- it wants to remain involved in cyber defense.

Over the last few years, the U.S. has developed the world's most sophisticated system to detect and prevent cyber attacks, Panetta said. He then set out why he believes the Department should be involved in national cyber security.

Panetta first addressed one of the biggest issues surrounding increased military involvement with the Internet: the possibility that the Department of Defense would monitor personal e-mail and communications between U.S. citizens.

"That it not our goal, that is not our job, that is not our mission," he said. "Our mission is to defend the nation. We defend. We defer. And if called upon, we take decisive action to protect our citizens. In the past we have done so through operations on land and at sea, in the sky and in space. In this century, the United States military must help defend the nation in cyberspace as well." (See video of Panetta pledging not to monitor the communications of U.S. citizens.)

To do this, Panetta said the Department of Defense in investing more than US$3 billion per year in developing new capabilities to fight cyber attacks and said the U.S. has the capability to go on the offensive when required.

"If we detect an incoming attack that will cause significant physical destruction in the United States, or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president" Panetta said. "For these kinds of scenarios, the department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace."

"Let me be clear, that we will only do so to defend our nation, to defend our interests, to defend our allies. And we will only do so in a manner that is consistent with the policy principles and legal frameworks that the department follows for other domains, including the law of armed conflict," he said. (See video of Panetta's remarks on when the military would get step in to defend the national Internet.)

As a result of the increased focus on cyber security by several government agencies, Panetta said the Department of Defense is in the final stages of revising its rules of engagement in cyberspace. The change is the largest in seven years and will spell out the duty of the military to defend its networks and also the nation should the U.S. come under major cyber attack.

Panetta closed with a call to his audience to share the responsibility to protect cyberspace.

"Ultimately, no one has a greater interest in cyber security than the business that depend on a safe, secure, and resilient global digital infrastructure," he said. "To defend those networks more effectively, we must share information between the government and private sector."

"We've made real progress in sharing information with the private sector, but very frankly, we need Congress to act to ensure that this sharing is timely and comprehensive. Companies should be able to share specific threat information with the government without the prospect of lawsuits hanging over their head. And a key principle must be to protect the fundamental liberties and privacy in cyberspace that we are all duty bound to uphold."

Martyn Williams covers mobile telecoms, Silicon Valley and general technology breaking news for The IDG News Service. Follow Martyn on Twitter at @martyn_williams. Martyn's e-mail address is martyn_williams@idg.com

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Martyn Williams

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts