It was billed as the first major address by an American Secretary of
Defense on cybersecurity — complete with newly declassified information
about the nature of the network threat.
In the end, it was another helping of heated rhetoric on
cybersecurity from a Pentagon that regularly produces panicky
pronouncements. And the classified information? Stuff you could’ve read
on our sister blog Threat Level or other cybersecurity sites back in August.
Appearing in New York City before the tuxedo-clad Business Executives for National Security,
Defense Secretary Leon Panetta issued a familiar warning, that “a cyber
attack perpetrated by nation states or violent extremist groups could
be as destructive as the terrorist attack of 9/11. Such a destructive
cyber terrorist attack could paralyze the nation.”
It’s an alarm he’s sounded before. But in the following sentences of Thursday’s address aboard the retired aircraft carrier U.S.S. Intrepid,
Panetta presented what he called new examples “of the kinds of attacks
that we have already experienced” — harbingers, if not perfect examples,
of a coming catastrophe.
“In recent weeks, as many of you know, some large U.S. financial institutions were hit
by so-called ‘Distributed Denial of Service’ attacks. These attacks
delayed or disrupted services on customer websites,” Panetta said.
“While this kind of tactic isn’t new, the scale and speed was
unprecedented.”
He’s right: DDoS attacks aren’t new at all (even if this particular
attack did cause some financial institutions’ online banking operations
to flutter). But Panetta is off about these strikes’ unprecedented nature.
“These are big, but we’ve seen this big before,” said Neal Quinn,
chief operating officer of Prolexic, a firm that specializes in
mitigating DDoS attacks. “We’ve seen events this big in the past.”
Panetta then proceeded to describe what was, in his words, “probably
the most destructive attack that the private sector has seen to date.”
This was a disclosure that senior defense officials billed as a major
public unveiling of previously classified information.
Panetta described the Shamoon malware, which infected tens of
thousands of computers at the Saudi Arabian state oil company Aramco and
at Qatar’s RasGas company. “This routine replaced crucial system files
with an image of a burning U.S. flag. It also put additional ‘garbage’
data that overwrote all the real data on the machine,” he said.
30,000 machines eventually had to be disinfected before they could be brought back
online, making this an extremely serious attack. And the websites for
the two energy companies went down for days. But it’s unclear exactly
how destructive the infection really was. Aramco and RasGas both said
their “core business[es] of oil and gas exploration, production and distribution” were unaffected by the malware. If that’s the case, then Shamoon may not have been quite the apocalyptic moment Panetta described.
None of this is news, if you’ve been paying attention to the steady stream of public pronouncements from security researchers and from the companies themselves — not to mention the coverage
of the attacks by reporters on the cybersecurity beat. But senior
defense officials said Panetta’s words on Shamoon were, in fact, secret
information — until the Pentagon chief took the step of declassifying
them.
“To my knowledge, there’s been no one who’s officially acknowledged
these attacks. And we have deemed them to this point classified and our
knowledge of them to be classified,” a senior defense official, who
spoke under condition of anonymity, told reporters before the speech.
As Foreign Policy recently noted, it’s not easy
for Pentagon officials to talk about network defense, much of which the
military deems classified. But what often undercuts these officials’
message is that it’s the U.S. — and not some outside adversary — that
launched the most damaging cyber attack publicly acknowledged to date. Stuxnet,
which helped destroy a thousand Iranian centrifuges, was the work of
American and Israeli forces. It’s the fear that a similar sort of strike
could be turned on us that keeps many within the Pentagon and
intelligence community tossing in their beds.
Panetta can keep calling our current state of network security
“pre-9/11.” But if you follow the analogy, we’re the ones who are flying
planes into buildings.
Recently, the military and the White House have cracked open the
once-deadbolted door of secrecy on U.S. offensive cyber operations. In
August, the U.S. Air Force announced its interest in finding new methods
to “destroy,
deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries
[sic] ability to use the cyberspace domain for his advantage.” The
week before, a former top American commander in Afghanistan bragged to a
technology conference about his troops’ ability to hack militant
communications. The day before that, the Pentagon’s leading research
division announced a new, $110 million program to help warplanners assemble and launch online strikes in a hurry and make cyber attacks a more routine part of U.S. military operations.
Yet these offensive activities were largely left out of Panetta’s
talk Thursday night. Instead, the Defense Secretary mentioned simply
that “if a crippling cyber attack were launched against our nation,
the American people must be protected. And if the Commander-in-Chief
orders a response, the Defense Department must be ready to act.”
Compared to his description of the network threat, it was a rather understated assertion.