Corporate Counsel
ALM Properties, Inc.
Page printed from: Corporate Counsel

Back to Article

Select 'Print' in your browser menu to print this document.

Panetta Aims to Get U.S. Businesses More Involved in Cybersecurity

Catherine Dunn

Corporate Counsel

10-15-2012


As Secretary of Defense Leon Panetta vividly described a potential “cyber Pearl Harbor” during a speech in New York, he included a direct appeal to the nation’s business community to cooperate with the U.S. government on cybersecurity measures.

“Ultimately, no one has a greater interest in cybersecurity than the businesses that depend on a safe, secure, and resilient global digital infrastructure,” Panetta said, according to a transcript of the remarks delivered Thursday evening at a gathering of Business Executives for National Security.

Panetta’s speech marked another high-profile effort by U.S. officials to engage business executives on the topic of cyber defense after contentious cybersecurity legislation failed in Congress over the summer. The Cybersecurity Act of 2012 called for greater information sharing between the government and the private sector about cyber attacks. But the bill’s opponents—including the U.S. Chamber of Commerce—argued that it would create too many burdens on business.

Last month, Democratic Senator Jay Rockefeller of West Virginia sent a letter to Fortune 500 CEOs, asking what concerned them about the bill. The letter also posed a series of additional questions about the cybersecurity practices that each CEO has in place. The senator set a deadline of October 19 to respond.

For his part, Panetta called on both the private sector and Congress to support a cybersecurity measure that would ensure “timely and comprehensive” information sharing.

“Companies should be able to share specific threat information with the government, without the prospects of lawsuits hanging over their head,” he said.

As Foreign Policy’s Killer Apps blog reported in a preview of the speech, one challenge facing U.S. officials has been how to illustrate the problem of cybersecurity when so much is classified. "So, we end up speaking in broad strokes about the principles of our policies as a substitute for providing the details," a White House official told reporter John Reed.

According to Reed, Panetta did end up revealing previously classified information in the speech when he addressed the audience at the Intrepid Sea, Air, and Space Museum, an old aircraft carrier moored in New York City. “We know that foreign cyber actors are probing America’s critical infrastructure,” Panetta said. “They are targeting the computer control systems that operate chemical, electricity, and water plants, and those that guide transportation through the country.” 

The defense secretary referred to cyber threats as being “at the very nexus of business and national security.”

He continued, “Let me give you some examples of the kinds of attacks that we have already experienced,” and went on to describe what was “probably the most destructive attack” on the private sector to date: the Shamoon virus that affected Saudi Arabia’s state oil company Aramco:

Shamoon included a routine called a “wiper,” coded to self-execute. This routine replaced crucial systems files with an image of a burning U.S. flag. But it also put additional garbage data that overwrote all the real data on the machine. More than 30,000 computers that it infected were rendered useless and had to be replaced. It virtually destroyed 30,000 computers.

“Imagine the impact an attack like that would have on your company or your business,” the defense secretary said.

Panetta also referred to the “so-called Distributed Denial of Service attacks” that targeted large U.S. financial institutions in recent weeks. “These attacks delayed or disrupted services on customers websites,” Panetta said. “While this kind of tactic isn’t new, the scale and speed with which it happened was unprecedented.”

Those attacks against the private sector represent a “significant escalation of the cyber threat,” he added.

Panetta said his department is “focusing on three main tracks” when it comes to defending the country. In addition to “developing new capabilities,” and creating the necessary policies and organizations, he said the department’s third area of focus is “building much more effective cooperation with industry and with our international partners.”

Despite Panetta’s emphasis on information sharing, he said that practice alone “is not sufficient.” He said the department also need to work with businesses “to develop baseline standards” to protect critical infrastructure that’s in private hands.

“Although awareness is growing, the reality is that too few companies have invested in even basic cybersecurity,” he said.

See also: "A Long, Hot Summer for Corporate Cybersecurity," CorpCounsel, August 2012.