In a wide-ranging speech on cybersecurity, U.S. Secretary of Defense Leon Panetta on Thursday warned about a cyber Pearl Harbor, indicated the Department of Defense would respond in such a situation, called for greater public-private cooperation in cybersecurity, and talked about the need for a presidential executive order on cybersecurity.
A cyberattack perpetrated by nation-states or violent extremist groups could be as destructive as the one launched on Sept. 11 and could paralyze the nation, Panetta warned.
The Defense Department has the responsibility to defend the U.S., including in cyberspace, he said, indicating that a military response against cyberattacks is an option.
Of Course, You Know, This Means War
Panetta has repeatedly spoken publicly about the possibility of a cyber Pearl Harbor. He indicated the U.S. might launch a military strike in response to a cyberattack. That possibility is provided for under the Defense Department’s strategy for operating in cyberspace.
“The idea is that there isn’t a loophole that can be exploited [by cyberterrorists or other attackers] without consequence,” Vik Phatak, CEO of NSS Labs, told the E-Commerce Times.
Cyberdefense “is important just like any defense,” Yasha Heidari, managing partner, Heidari Power Law Group, told the E-Commerce Times.
However, “I believe the U.S. will take military action whenever it deems [it] is in the U.S.’s best interest, irrespective of the veracity of any allegations of cyberattacks. Consider the Gulf of Tonkin incident,” he said.
“A number of us have been arguing the administration isn’t taking this threat seriously enough,” Rob Enderle, principal analyst at the Enderle Group, said. “The likelihood of a cyber 9/11, given how connected and poorly protected our infrastructure systems are, is almost certain this decade. It really isn’t even a question of if, just when and where.”
The threat of cyberattacks “make superior political fodder to rationales such as weapons of mass destruction and other alleged provocations that are far easier to disprove,” Randy Abrams, a research director at NSS Labs, told the E-Commerce Times.
Sharing and Caring
Panetta called for more information sharing between the private and public sectors, and urged Congress to act to ensure the sharing is timely and comprehensive.
“I think the effort here is to avoid a situation where we might be fooled into attacking the wrong people because the damage was extreme and the intelligence unreliable,” Enderle suggested. “If the government can better identify and mitigate threats, the need for military response is reduced, and the chance we would get that response wrong is reduced as well.”
Companies should be able to share specific threat information with the government without the prospect of lawsuits hanging over their head, Panetta said.
That doesn’t mean he’s offering companies breaking the law a free ride, but it “alludes to the fact that many businesses are reluctant to give information to the government for fear of being sued — especially if it turns out to be a false allegation,” Heidari suggested.
Hail to the Chief?
Panetta portrayed the death of the bipartisan Cybersecurity Act of 2012 as unacceptable. The legislation had evoked strong opposition among Republican legislators and a wide spectrum of the public, ranging from civil liberties groups like the Electronic Frontier Foundation to conservative groups.
The Obama administration’s response to that has been to work on an executive order, a move that’s been criticized as an end run around Congress and public opinion.
“Secretary Panetta is using hyperbolic scare tactics in order to promote dubious legislation,” Heidari said. “If infrastructure such as chemical, electricity and water plants are prone to foreign cyberattack and this could cause loss of life, then these plants have no business with online connectivity and should only be accessed locally.”
The Obama administration is between a rock and a hard place, Enderle pointed out. “[Defending the U.S.] does require a massive level of access to provide the early warning … needed to stop a threat before it shuts down the nation. On the other hand, the belief that agencies will use this access to breach privacy is also very real and is lawful under the Patriot Act.”