Defense Secretary Leon Panetta late Thursday said outsiders are known to have breached the computers that control U.S. chemical, electricity or water utilities. And he announced the Pentagon is finalizing the most comprehensive changes to its offensive rules of engagement in cyberspace to protect civilian networks, for the first time in seven years.
The comments marked a rare occasion in which government officials have confirmed that adversaries are not just probing critical infrastructure systems but penetrating those machines’ safeguards. Panetta, who was addressing business executives in New York City, also disclosed that the severity of recent disruptions to U.S financial services websites and a Saudi oil company is unparalleled.
“We know that foreign cyber actors are probing America’s critical infrastructure networks. They are targeting the computer control systems that operate chemical, electricity and water plants, and those that guide transportation throughout the country. We know of specific instances where intruders have successfully gained access to these control systems,” Panetta said.
U.S. cybersecurity is the responsibility of the Homeland Security Department, with the Pentagon and the FBI playing supporting roles to protect civilian systems. To further that support, “the department has developed the capability to conduct effective operations to counter threats to our national interests in cyberspace,” Panetta said. “Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests.”
He added that the new rules of engagement “will make clear that the department has a responsibility not only to defend DoD’s networks, but also to be prepared to defend the nation and our national interests against an attack in or through cyberspace.”
Panetta sits on the more provocative side of a debate over the ability of aggressors to wage network attacks that could cripple American society. While most experts agree that terrorist groups and enemy states may be trying to buy or build such capabilities, they are divided over the imminent risk of a cyber assault “that could be the equivalent of Pearl Harbor,” to quote Panetta’s oft-used axiom.
Panetta on Thursday again depicted images of simultaneous cyberattacks that derail trains loaded with lethal chemicals, contaminate the water supply in major cities, and degrade critical military systems -- combined with a physical attack -- that could culminate in a “cyber Pearl Harbor.”
It is clear that bad actors currently are able to engineer malicious software that steals substantial monetary funds, intellectual property and national security secrets. Disruptive malware that destroys electronics and software already is emerging.
Panetta pointed to an August strike on internal network services at Saudi Aramco, the Saudi Arabian state oil company, that corrupted 30,000 employee workstations.
The so-called Shamoon virus “replaced crucial system files with an image of a burning U.S. flag. It also put additional garbage data that overwrote all the real data on the machine,” Panetta said. “The Shamoon virus was probably the most destructive attack that the private sector has seen to date.”
Aramco’s computers have since been cleaned of the malware and restored to service, the firm stated in late August. None of the company’s oil and gas operations were affected by the infection, according to Aramco officials.
More recently, a string of computer incidents temporarily disabled customer sites at major U.S. banks, including Capital One and SunTrust Banks. An activist group calling itself “Cyber fighters of Izz ad-din Al qassam” took credit for planning floods of network traffic to paralyze the sites’ servers, known as denial of service attacks.
On Thursday, Panetta said, “While this kind of tactic isn’t new, the scale and speed was unprecedented,” adding that the online bank disturbances and the Saudi Arabia hit “mark a significant escalation of the cyber threat.”
The Pentagon -- with a $3 billion purse -- is continuing to increase key investments in cybersecurity even in times of fiscal constraint. “Our most important investment is in the skilled cyber warriors needed to conduct operations in cyberspace,” Panetta said.