Panetta Aims to Get U.S. Businesses More Involved in Cybersecurity
As Secretary of Defense Leon Panetta vividly described a potential cyber Pearl Harbor during a speech in New York, he included a direct appeal to the nation's business community to cooperate with the U.S. government on cybersecurity measures.
"Ultimately, no one has a greater interest in cybersecurity than the businesses that depend on a safe, secure, and resilient global digital infrastructure," Panetta said, according to a transcript of the remarks delivered Thursday evening at a gathering of Business Executives for National Security.
Panetta's speech marked another high-profile effort by U.S. officials to engage business executives on the topic of cyber defense after contentious cybersecurity legislation failed in Congress over the summer. The Cybersecurity Act of 2012 called for greater information sharing between the government and the private sector about cyber attacks. But the bill's opponents, including the U.S. Chamber of Commerce, argued that it would create too many burdens on business.
Last month, Democratic Senator Jay Rockefeller of West Virginia sent a letter to Fortune 500 CEOs, asking what concerned them about the bill. The letter also posed a series of additional questions about the cybersecurity practices that each CEO has in place. The senator set a deadline of October 19 to respond.
For his part, Panetta called on both the private sector and Congress to support a cybersecurity measure that would ensure timely and comprehensive information sharing.
"Companies should be able to share specific threat information with the government, without the prospects of lawsuits hanging over their head," he said.
As Foreign Policy's Killer Apps blog reported in a preview of the speech, one challenge facing U.S. officials has been how to illustrate the problem of cybersecurity when so much is classified. "So, we end up speaking in broad strokes about the principles of our policies as a substitute for providing the details," a White House official told reporter John Reed.
According to Reed, Panetta did end up revealing previously classified information in the speech when he addressed the audience at the Intrepid Sea, Air, and Space Museum, an old aircraft carrier moored in New York City. "We know that foreign cyber actors are probing America's critical infrastructure," Panetta said. "They are targeting the computer control systems that operate chemical, electricity, and water plants, and those that guide transportation through the country."
The defense secretary referred to cyber threats as being at the very nexus of business and national security.
He continued, "Let me give you some examples of the kinds of attacks that we have already experienced," and went on to describe what was probably the most destructive attack on the private sector to date: the Shamoon virus that affected Saudi Arabia's state oil company Aramco:
"Shamoon included a routine called a wiper, coded to self-execute. This routine replaced crucial systems files with an image of a burning U.S. flag. But it also put additional garbage data that overwrote all the real data on the machine. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers."
"Imagine the impact an attack like that would have on your company or your business," the defense secretary said.
Panetta also referred to the so-called Distributed Denial of Service attacks that targeted large U.S. financial institutions in recent weeks. "These attacks delayed or disrupted services on customers' websites," Panetta said. "While this kind of tactic isn't new, the scale and speed with which it happened was unprecedented."
Those attacks against the private sector represent a significant escalation of the cyber threat, he added.
Panetta said his department is focusing on three main tracks when it comes to defending the country. In addition to developing new capabilities, and creating the necessary policies and organizations, he said the department's third area of focus is building much more effective cooperation with industry and with our international partners.
Despite Panetta's emphasis on information sharing, he said that practice alone is not sufficient. He said the department also needs to work with businesses to develop baseline standards to protect critical infrastructure that's in private hands.
"Although awareness is growing, the reality is that too few companies have invested in even basic cybersecurity," he said.
See also: "A Long, Hot Summer for Corporate Cybersecurity," CorpCounsel, August 2012.