U.S. rattles preemptive cyberattack saber

It is not as though warnings of a “digital Pearl Harbor” are new. The concept goes back at least to 1991, when author and cyber terrorism expert Winn Schwartau called it “electronic Pearl Harbor.” Former counter-terrorism czar Richard A. Clarke mentioned it a dozen years ago.

Since then, the image has been invoked hundreds of times by political leaders, government officials and security experts. It even made its way into the Republican Party platform this year.

But, it tends to get a bit more mainstream notice when the U.S. Secretary of Defense says it, as Leon Panetta did last week in a speech in New York to the Business Executives for National Security (BENS).

The results of cyberttacks by a hostile nation-state on critical infrastructure like transportation, water supply or the electric grid “could be a cyber Pearl Harbor — an attack that would cause physical destruction and the loss of life,” Panetta said. “In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.”

Panetta also invoked the image of a cyberattack on the level of 9/11. “Before September 11, 2001, the warning signs were there. We weren’t organized. We weren’t ready and we suffered terribly for that lack of attention. We cannot let that happen again. This is a pre-9/11 moment,” he said.

[Bill Brenner in Salted Hash: Who better for cybersecurity – Obama or Romney?]

Joel Harding, a retired military intelligence officer and information operations expert, welcomed the speech, but said, “The problem is both government and industry have been saying exactly the same thing for years and it took the Secretary of Defense to speak on the matter for many to notice.”

Panetta has used that image before. What was new this time was that, while he urged both the private and public sector to cooperate in blocking and defending against such attacks, he went beyond that.

He used some of the most aggressive language yet in the four years of the Obama administration to declare that if threatened by a catastrophic cyberattack, the U.S. would not only strike back hard, but might strike first, both for protection and deterrence.

“We won’t succeed in preventing a cyberattack through improved defenses alone,” he said. “If we detect an imminent threat of attack that will cause significant, physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us to defend this nation when directed by the president.”

For an administration generally critical of saber rattling, this was some serious cyber rattling. Jack Goldsmith, writing at the Lawfare blog, “[Panetta] makes plain that the [Department of Defense] has the capabilities and desire to engage in a preemptive attacks against imminent cyber threats.”

The Secretary said that is partially because Defense now believes it can do so accurately. One of the greatest dangers of retaliation after a cyberattack is that it has been so easy for the perpetrators to cover their tracks. They can make it look like it came from a country or organization that had nothing to do with it.

Panetta said, however: “The department has made significant advances in solving a problem that makes deterring cyber adversaries more complex: the difficulty of identifying the origins of that attack. Over the last two years, [Defense] has made significant investments in forensics to address this problem of attribution and we’re seeing the returns on that investment.”

The threats are increasingly serious, Panetta said. He noted the Shamoon virus attack in August against the Saudi Arabian oil company Aramco that essentially destroyed 30,000 computers, and then a similar attack on RasGas, a liquefied natural gas producer in Qatar.

Panetta called the Shamoon attack “probably the most destructive attack that the private sector has seen to date,” and added that U.S. intelligence knows that “foreign cyber actors are probing America’s critical infrastructure networks.”

“They are targeting the computer control systems that operate chemical, electricity and water plants and those that guide transportation throughout this country,” he warned. “We also know that they are seeking to create advanced tools to attack these systems and cause panic and destruction and even the loss of life.”

The security community’s response to Panetta’s warnings are mostly positive. Goldsmith noted that Panetta did not say how good or fast the the Defense Department is at attribution — only that it has improved, writing, “and he may to some unknown degree be puffing. Nonetheless, this is a potentially big deal for cyber deterrence.”

C. Robert Kline, founder and president of Kline Technical Consulting, welcomed the comments. “Our work has been focused on cyber offense — studying and tracking the large attackers, working with others to define, design, build, and field better ‘sentries’ on the one hand and better counterattack forces to destroy the attack,” he wrote in blog post.

A cyber Pearl Harbor “is a real threat,” Kline wrote. “Even small groups, backed by a government bent on destruction or disruption (economic, property, spirit) of an enemy can do extraordinary damage.”

Harding said that “ascertaining attribution has improved significantly in the classified world.”

And Harding believes forensics abilities should be put to use. “The US needs to take offensive actions in cyberspace to stop pending cyber attacks, but more importantly, to send a statement,” he said. “Attack the U.S. economy and we will defend ourselves.”

“If we have good indications before the attack that you are about to attack our economy, steal our intellectual property, attack our military, attack any part of our nation, we will not only stop you but we will also make you pay a price,” Harding said. “The days of the United States of America enduring withering attacks without striking back is over.”

There is general agreement that Panetta may have been sending a veiled warning to Iran, seen as eager to attack the U.S., since it blames both the U.S. and Israel for the Stuxnet worm that destroyed an estimated 1,000 centrifuges in Iran’s nuclear program.

But another perceived problem with confronting and even preempting an Iranian attack is public perception. “Even if our attribution skills are fast and accurate (which they won’t always be), any responsive cyberattack that has public effects must be accompanied by public evidence that the attack was warranted — something very hard to do when attribution is based on sophisticated and fragile intelligence tools,” Jack Goldsmith wrote. “To the extent [the U.S. government) cannot prove attribution publicly, its threats of a cyberattack are diminished.”

Harding has fewer reservations. “Every now and then we need to say ‘we just attacked you in cyberspace because you did this or are about to do that’. It’s using the carrot and stick, every now and then we need to use the stick and let them know we will use it when necessary,” he said.