The United States must beef up its cyber defenses or suffer as it did on September 11, 2001 for failing to see the warning signs ahead of that devastating terrorist attack, the Secretary of Defense told a group of business leaders in New York Thursday night.
Calling it a "pre-9/11 moment," Leon Panetta said he is particularly worried about a significant escalation of attacks.
In a speech aboard a decommissioned aircraft carrier, Panetta reminded the Business Executives for National Security about recent distributed denial of service attacks that hit a number of large U.S. financial institutions with unprecedented speed, disrupting services to customers.
And he pointed to a cyber virus known as Shamoon which infected the computers of major energy firms in Saudi Arabia and Qatar this past summer. More than 30-thousand computers were rendered useless by the attack on the Saudi state oil company ARAMCO. A similar incident occurred with Ras Gas of Qatar. Panetta said the attacks were probably the most devastating to ever hit the private sector.
The secretary did not say who is believed responsible for those attacks, but senior defense officials who briefed reporters on the speech, said the United States knows, however they would not divulge the suspect.
And he warned America's critical infrastructure - its electrical power grid, water plants and transportation systems - are threatened by foreign actors.
"We know of specific instances where intruders have successfully gained access to these control systems," Panetta said. "We also know they are seeking to create advanced tools to attack those systems and cause panic, destruction and even loss of life."
For its part, Panetta said the Defense Department is "aggressively ... putting in place measures to stop cyber attacks dead in their tracks." The steps he outlined included both defensive and offensive responses.
He cited efforts to stop malicious code before it infects systems and investments in forensics to help track down who is responsible.
But defense isn't the only answer. "If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the president," Panetta said.
Panetta also said the Defense Department is in the process of finalizing rules of engagement in cyberspace. In a telephone briefing with reports, a senior defense official would not provide any details about the proposed rules but did stress they involve what the response would be to a cyber attack on the United States "that would rise under international law to the level of armed attack."
Panetta's comments never used the word "offensive" and the senior defense officials who briefed reports about the speech under the condition of anonymity, were also reluctant to use the word. One official said it was important "to keep the maximum number of options on the table." Another official stressed the United States was prepared to take action if threatened, but added the Pentagon has previously acknowledged it has offensive cyber capabilities.
Cyber security is ultimately a team effort, and Panetta said the Defense Department was working closely with the State Department, the Department of Homeland Security, the FBI and others to protect the nation. He called on Congress to pass comprehensive cyber-security legislation now.
Over the summer, the Senate came up short when opponents of the Lieberman-Collins cyber bill blocked it from coming up for a final vote. A group of mostly Republican senators and the Chamber of Commerce opposed the bill because they believed it required too much of the private sector.
Panetta urged the business leaders to work with government to support stronger cyber defenses.
"We must share information between the government and the private sector about threats to cyberspace," Panetta said, adding everything would be done to protect civil liberties and privacy.