U.S. rattles preemptive cyberattack saber

It is not as though warnings of a "digital Pearl Harbor" are new. The concept goes back at least to 1991, when author and cyber terrorism expert Winn Schwartau called it "electronic Pearl Harbor." Former counter-terrorism czar Richard A. Clarke mentioned it a dozen years ago.

Since then, the image has been invoked hundreds of times by political leaders, government officials and security experts. It even made its way into the Republican Party platform this year.

But, it tends to get a bit more mainstream notice when the U.S. Secretary of Defense says it, as Leon Panetta did last week in a speech in New York to the Business Executives for National Security (BENS).

The results of cyberattacks by a hostile nation-state on critical infrastructure like transportation, water supply or the electric grid "could be a cyber Pearl Harbor -- an attack that would cause physical destruction and the loss of life," Panetta said. "In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability."

Panetta also invoked the image of a cyberattack on the level of 9/11. "Before September 11, 2001, the warning signs were there. We weren't organized. We weren't ready and we suffered terribly for that lack of attention. We cannot let that happen again. This is a pre-9/11 moment," he said.

Joel Harding, a retired military intelligence officer and information operations expert, welcomed the speech, but said, "The problem is both government and industry have been saying exactly the same thing for years and it took the Secretary of Defense to speak on the matter for many to notice."

Panetta has used that image before. What was new this time was that, while he urged both the private and public sector to cooperate in blocking and defending against such attacks, he went beyond that.

He used some of the most aggressive language yet in the four years of the Obama administration to declare that if threatened by a catastrophic cyberattack, the U.S. would not only strike back hard, but might strike first, both for protection and deterrence.

"We won't succeed in preventing a cyberattack through improved defenses alone," he said. "If we detect an imminent threat of attack that will cause significant, physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us to defend this nation when directed by the president."

For an administration generally critical of saber rattling, this was some serious cyber rattling. Jack Goldsmith, writing at the Lawfare blog, said, "[Panetta] makes plain that the [Department of Defense] has the capabilities and desire to engage in a preemptive attacks against imminent cyber threats."

The Secretary said that is partially because Defense now believes it can do so accurately. One of the greatest dangers of retaliation after a cyberattack is that it has been so easy for the perpetrators to cover their tracks. They can make it look like it came from a country or organization that had nothing to do with it.

Panetta said, however: "The department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of that attack. Over the last two years, [Defense] has made significant investments in forensics to address this problem of attribution and we're seeing the returns on that investment."

The threats are increasingly serious, Panetta said. He noted the Shamoon virus attack in August against the Saudi Arabian oil company Aramco that essentially destroyed 30,000 computers, and then a similar attack on RasGas, a liquefied natural gas producer in Qatar.

Panetta called the Shamoon attack "probably the most destructive attack that the private sector has seen to date," and added that U.S. intelligence knows that "foreign cyber actors are probing America's critical infrastructure networks."

"They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country," he warned. "We also know that they are seeking to create advanced tools to attack these systems and cause panic and destruction and even the loss of life."

The security community's response to Panetta's warnings is mostly positive. Goldsmith noted that Panetta did not say how good or fast the Defense Department is at attribution -- only that it has improved, writing, "and he may to some unknown degree be puffing. Nonetheless, this is a potentially big deal for cyber deterrence."

C. Robert Kline, founder and president of Kline Technical Consulting, welcomed the comments. "Our work has been focused on cyber offense -- studying and tracking the large attackers, working with others to define, design, build, and field better 'sentries' on the one hand and better counterattack forces to destroy the attack," he wrote in a blog post.

A cyber Pearl Harbor "is a real threat," Kline wrote. "Even small groups, backed by a government bent on destruction or disruption (economic, property, spirit) of an enemy can do extraordinary damage."

Harding said that "ascertaining attribution has improved significantly in the classified world."

And Harding believes forensics abilities should be put to use. "The US needs to take offensive actions in cyberspace to stop pending cyber attacks, but more importantly, to send a statement," he said. "Attack the U.S. economy and we will defend ourselves."

"If we have good indications before the attack that you are about to attack our economy, steal our intellectual property, attack our military, attack any part of our nation, we will not only stop you but we will also make you pay a price," Harding said. "The days of the United States of America enduring withering attacks without striking back is over."

There is general agreement that Panetta may have been sending a veiled warning to Iran, seen as eager to attack the U.S., since it blames both the U.S. and Israel for the Stuxnet worm that destroyed an estimated 1,000 centrifuges in Iran's nuclear program.

But another perceived problem with confronting and even preempting an Iranian attack is public perception. "Even if our attribution skills are fast and accurate (which they won't always be), any responsive cyberattack that has public effects must be accompanied by public evidence that the attack was warranted -- something very hard to do when attribution is based on sophisticated and fragile intelligence tools," Jack Goldsmith wrote. "To the extent [the U.S. government] cannot prove attribution publicly, its threats of a cyberattack are diminished."

Harding has fewer reservations. "Every now and then we need to say 'we just attacked you in cyberspace because you did this or are about to do that'. It's using the carrot and stick, every now and then we need to use the stick and let them know we will use it when necessary," he said.
