It was billed as the first major address by an American Secretary of Defense on cybersecurity — complete with newly declassified information about the nature of the network threat.
In the end, it was another helping of heated rhetoric on cybersecurity from a Pentagon that regularly produces panicky pronouncements. And the classified information? Stuff you could’ve read on our sister blog Threat Level or other cybersecurity sites back in August.
Appearing in New York City before the tuxedo-clad Business Executives for National Security, Defense Secretary Leon Panetta issued a familiar warning, that “a cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11. Such a destructive cyber terrorist attack could paralyze the nation.”
It’s an alarm he’s sounded before. But in the following sentences of Thursday’s address aboard the retired aircraft carrier U.S.S. Intrepid , Panetta presented what he called new examples “of the kinds of attacks what we have already experienced” — harbingers, if not perfect examples, of a coming catastrophe.
“In recent weeks, as many of you know, some large U.S. financial institutions were hit by so-called ‘Distributed Denial of Service’ attacks. These attacks delayed or disrupted services on customer websites,” Panetta said. “While this kind of tactic isn’t new, the scale and speed was unprecedented.”
He’s right: DDoS attacks aren’t new at all (even if this particular attack did cause some financial institutions’ online banking operations to flutter). But Panetta is off about these strikes’ unprecedented nature.
“These are big, but we’ve seen this big before,” said Neal Quinn, chief operating officer of Prolexic, a firm that specializes in mitigating DDoS attacks. “We’ve seen events this big in the past.”
Panetta then proceeded to describe what was, in his words, “probably the most destructive attack that the private sector has seen to date.” This was a disclosure that senior defense officials billed as a major public unveiling of previously unclassified information.
Panetta described the Shamoon malware, which infected tens of thousands of computers at the Saudi Arabian state oil company Aramco and at Qatar’s RasGas company. “This routine replaced crucial system files with an image of a burning U.S. flag. It also put additional ‘garbage’ data that overwrote all the real data on the machine,” he said.
30,000 machines eventually had to be disinfected before they could be brought back online, making this an extremely serious attack. And the websites for the two energy companies went down for days. But it’s unclear exactly how destructive the infection really was. Aramco and RasGas both said their “core businesses[es] of oil and gas exploration, production and distribution” were unaffected by the malware. If that’s the case, then Shamoon may not have been quite such an apocalyptic moment Panetta described.
None of this is news, if you’ve been paying attention to the steady stream of public pronouncements from security researchers and from the companies themselves — not to mention the coverage of the attacks by reporters on the cybersecurity beat. But senior defense officials said Panetta’s words on Shamoon were, in fact, secret information — until the Pentagon chief took the step of declassifying them.
“To my knowledge, there’s been no one who’s officially acknowledged these attacks. And we have deemed them to this point classified and our knowledge of them to be classified,” a senior defense official, who spoke under condition of anonymity, told reporters before the speech.
As Foreign Policy recently noted, it’s not easy for Pentagon officials to talk about network defense, much of which the military deems classified. But what often undercuts these officials’ message is that it’s the U.S. — and not some outside adversary — that launched the most damaging cyber attack publicly acknowledged to date. Stuxnet, which helped destroy a thousand Iranian centrifuges, was the work of American and Israeli forces. It’s the fear that a similar sort of strike could be turned on us that keeps many within the Pentagon and intelligence community tossing in their beds. Panetta can keep calling our current state of network security “pre-9/11.” But if you follow the analogy, we’re the ones who are flying planes into buildings.
Recently, the military and the White House have cracked open the once-deadbolted door of secrecy on U.S. offensive cyber operations. In August, the U.S. Air Force announced its interest in finding new methods to “destroy, deny, degrade, disrupt, deceive, corrupt, or usurp the adversaries [sic] ability to use the cyberspace domain for his advantage.” The week before, a former top American commander in Afghanistan bragged to a technology conference about his troops’ ability to hack militant communications. The day before that, the Pentagon’s leading research division announced a new, $110 million program to help warplanners assemble and launch online strikes in a hurry and make cyber attacks a more routine part of U.S. military operations.
Yet these offensive activities were largely left out of Panetta’s talk Thursday night. Instead, the Defense Secretary mentioned simply that “if a crippling cyber attack were launched against our nation, the American people must be protected. And if the Commander-in-Chief orders a response, the Defense Department must be ready to act.”
Compared to his description of the network threat, it was a rather understated assertion.