The Complex

U.S. energy companies victims of potentially destructive cyber intrusions

Foreign actors are probing the networks of key American companies in an attempt to gain control of industrial facilities and transportation systems, Defense Secretary Leon Panetta revealed tonight.

"We know that foreign cyber actors are probing America's critical infrastructure networks," said Panetta, disclosing previously classified information during a speech in New York laying out the Pentagon's role in protecting the U.S. from cyber attacks. "They are targeting the computer control systems that operate chemical, electricity and water plants, and those that guide transportation throughout the country."

He went on to say that the U.S. government knows of "specific instances where intruders have gained access" to these systems -- frequently known as Supervisory Control and Data Acquisition (or SCADA) systems -- and that "they are seeking to create advanced tools to attack these systems and cause panic, destruction and even the loss of life," according to an advance copy of his prepared remarks.

The secretary said that a coordinated attack on enough critical infrastructure could be a "cyber Pearl Harbor" that would "cause physical destruction and loss of life, paralyze and shock the nation, and create a profound new sense of vulnerability."

While there have been reports of criminals using 'spear phishing' email attacks aimed at stealing information about American utilities, Panetta's remarks seemed to suggest more sophisticated, nation-state backed attempts to actually gain control of and damage power-generating equipment.

Panetta's comments regarding the penetration of American utilities echo those of a private sector cyber security expert Killer Apps spoke with last week who said that the networks of American electric companies were penetrated, perhaps in preparation for a Stuxnet-style attack.

Stuxnet is the famous cyber weapon that infected Iran's uranium-enrichment centrifuges in 2009 and 2010. Stuxnet is believed to have caused some of the machines to spin erratically, thereby destroying them.

"There is hard evidence that there has been penetration of our power companies, and given Stuxnet, that is a staging step before destruction" of electricity-generating equipment, the expert told Killer Apps. Because uranium centrifuges and power turbines are both spinning machines, "the attack is identical -- the one to take out the centrifuges and the one to take out our power systems is the same attack."

"If a centrifuge running at the wrong speed can blow apart" so can a power generator, said the expert. "If you do, in fact, spin them at the wrong speeds, you can blow up any rotating device."

Cyber security expert Eugene Kaspersky said two weeks ago that one of his greatest fears is someone reverse-engineering a sophisticated cyber weapon like Stuxnet -- a relatively easy task -- and he noted that Stuxnet itself passed through power plants on its way to Iran. "Stuxnet infected thousands of computer systems all around the globe, I know there were power plants infected by Stuxnet very far away from Iran," Kaspersky said.

While the utilities have been penetrated, Panetta said that the Defense Department, largely via the National Security Agency, is "acting aggressively to get ahead of this problem -- putting in place measures to stop cyber attacks dead in their tracks" under a whole-of-government effort.

The Department of Homeland Security, working with the Department of Energy, has the lead in responding to the attacks that Panetta disclosed tonight, senior defense officials told reporters during a background briefing about Panetta's speech. The Pentagon officials believe they know who was behind the attack but would not reveal who that may be. They did note, however, that Russia, China, and increasingly, Iran have developed worrisome cyber capabilities. DHS officials were not available for comment.

Panetta added that the Pentagon stands ready to "counter" cyber threats to U.S. national interests. He did not, however, use the word "offensive" to describe any of DoD's operations in cyberspace.

"If we detect an imminent threat of attack that will cause significant physical destruction or kill American citizens, we need to have the option to take action to defend the nation when directed by the President," said Panetta. "For these kinds of scenarios, the [Defense Department] has developed that capability to conduct effective operations to counter threats to our national interests in cyberspace."

He went on to insist, though, that the Pentagon has only a supporting role to civil agencies in defending U.S. civilian infrastructure from cyber attack and that DoD will not monitor citizens' personal computers.

"That is not our mission," said Panetta.

The Defense Department will only have the lead in responding to cyber attacks when deemed appropriate under the rule of armed conflict, said one of the Defense Department officials.

To protect the United States from crippling cyber attacks by "foreign adversaries," Panetta said the Pentagon will focus on the following:

  • Developing new cyber capabilities via the more than $3 billion spent on cyber issues annually;
  • Establishing policies and organizations that DoD needs to execute its mission in near real-time with other federal agencies, such as the Department of Homeland Security and the FBI;
  • Improving DoD's cooperation with private industry and international partners via better information-sharing about cyber threats and the establishment of basic cyber security standards for critical infrastructure providers.

Panetta also urged Congress to pass the Cyber Security Act of 2012, which would allow real-time information-sharing between businesses and the government, restrict the type of information government can collect on private citizens and how that information may be used, as well as set minimal cyber security standards that critical infrastructure providers should meet.

A copy of Panetta's speech is below.



SD BENS Cybersecurity Speech as PREPARED


The challenge of talking openly about cyber

Defense Secretary Leon Panetta is set to make a major speech on cyber security on Thursday night, but U.S. officials acknowledge that thus far they have fallen short in publicly explaining the nature of cyber threats and the government's efforts to respond to them.

"Protecting ourselves in cyberspace is an important issue we need to talk about, but it's exceptionally difficult to be forthcoming and reassuring when so much of our effort is classified or sensitive," a senior White House official told Killer Apps on Oct. 10.

"The truth is that we are actively working with all the tools at the government's disposal, day in and day out, to protect the American people from some very serious cyber threats. But the last thing we'd want to do is harm our ability to protect ourselves by putting all of our tactics, techniques, and procedures out in the open for our adversaries to see," the official said. "So, we end up speaking in broad strokes about the principles of our policies as a substitute for providing the details."

The result has been a lot of vague public discussion with little public action (and plenty of classified action, we're told).

Just this past month, there have been numerous Washington forums on cyber security with the intent of 'framing the debate' and to 'better inform the public about the grave risk posed by a "cyber Pearl Harbor."' And experts say that massive amounts of intellectual property -- equivalent to trillions of dollars or a Library of Congress worth of data -- are being stolen from American firms by hackers in far-off lands.

Still, government officials lament that the public -- especially banks, airlines, utilities, and Internet service providers -- isn't doing enough to protect its networks from cyber attack. Some of the same government officials also complain about Congress's failure to establish laws dealing with minimum cyber security standards, information-sharing practices about cyber threats, and a clear picture of who is responsible for defending the country against different types of cyber threats.

The high degree of classification surrounding the government's work is a big hindrance.

"Because the capabilities are so sophisticated, they're rapidly evolving, and they are on the edge of where our intelligence capabilities meet our military capabilities, there is a hesitancy to speak openly about what the American government is doing to protect the nation from cyber attack," a Pentagon official told Killer Apps on Oct. 10.

"But, the reality is, we need to do a better job at being more clear about the challenges that we're facing and to the best of our ability the capabilities we're bringing to bear to meet those challenges," the official said.

One of the most basic reasons that the government needs to improve its communications about cyber is the fact that "only the best" cyber operators are able to see when they are being attacked and then do something about it, added the official. "It takes a significant level of capability to be aware of an intrusion and an even higher level of capability to be aware of what's" been stolen.

As the government struggles to establish a cohesive national approach to cyber security, it is becoming better at sharing information.

While "we'll never be fully open" because of the heavy involvement of intelligence-related activities in cyberspace, the trend is slowly "but steadily [moving] towards being more open," added the official. "We must move that forward."

Panetta's speech is one attempt to move toward openness, and over the last year Pentagon officials have begun to reveal a trickle of information about the military's offensive operations in cyberspace -- something that was never discussed previously.

And the government, via something called the DIB CS/IA program, has even become better at sharing information about cyber threats collected by intelligence agencies with private companies in a way that doesn't compromise sources or methods.
