The Department of Defense is finalizing the most comprehensive changes to its offensive rules of engagement in cyberspace to better protect civilian networks, Secretary of Defense Leon Panetta said Thursday.
The rules of engagement being assembled by National Security Agency Director Gen. Keith Alexander and his staff will help DOD “understand where the lines of responsibility in cyber defense will be drawn and how those responsibilities will be executed,” Panetta said.
Panetta said that those changes could include increased capacity for the department to become the aggressor in cyberspace as U.S. military forces are able to carry out preemptive or retaliatory acts of cyber warfare.
“Our mission is to defend this nation. We defend. We deter. And if called upon, we take decisive action,” Panetta said during his keynote address to the Business Executives For National Security conference in New York City.
“If a crippling cyber attack were launched against our nation, the American people must be defended,” he said. “And if the commander in chief orders a response, the Defense Department must be ready to act.”
Panetta has stressed the importance of cybersecurity since taking office last year. In addition, the secretary has warned about a “cyber Pearl Harbor” many times, including during testimony before Congress.
“A cyber attack perpetrated by nation states or violent extremist groups could be as destructive as the terrorist attack of 9/11,” he said in prepared remarks. “Such a destructive cyber terrorist attack could paralyze the nation.”
The secretary pointed to denial of service attacks that many large U.S. corporations have suffered in recent weeks, but also cited a more serious attack in Saudi Arabia. In that attack a sophisticated virus called “Shamoon” infected computers at the Saudi Arabian state oil company, ARAMCO.
“Shamoon included a routine called a ‘wiper,’ coded to self-execute,” he said. “This routine replaced crucial system files with an image of a burning U.S. flag. It also put additional ‘garbage’ data that overwrote all the real data on the machine. The more than 30,000 computers it infected were rendered useless, and had to be replaced.”
There was a similar attack later in Qatar. “All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date,” Panetta said.
Cyber attacks could be part of a major attack against the United States, and this could mean the cyber Pearl Harbor the secretary fears. This is “an attack that would cause physical destruction and loss of life, paralyze and shock the nation and create a profound new sense of vulnerability,” he said.
DOD has a supporting role in cyber defense, he said. The Department of Homeland Security is the lead federal agency, with the FBI having lead on law enforcement. Still the overall DOD mission is to defend the United States.
“Let me be clear that we will only do so to defend our nation, our interests, or our allies,” he continued. “And we will only do so in a manner consistent with the policy principles and legal frameworks that the Department follows for other domains, including the law of armed conflict.”
Baseline standards must be set for cyber security and that means Congress must act, Panetta said. He said the bipartisan Cybersecurity Act of 2012 “has fallen victim to legislative and political gridlock. That is unacceptable to me, and it should be unacceptable to anyone concerned with safeguarding our national security.”
One option under consideration, Panetta said, is an executive order to enhance cybersecurity measures. “There is no substitute for comprehensive legislation, but we need to move as far as we can in the meantime,” he said. “We have no choice because the threat we face is already here. Congress has a responsibility to act. The President has a Constitutional responsibility to defend the country.”