Defense Secretary Warns of ‘Cyber 9/11,’ Urges Lawmakers to Pass S-3414
The U.S. is in a “pre-9/11 moment” where immediate action is required to secure its critical computer network infrastructure from a potentially devastating attack, Defense Secretary Leon Panetta told New York business leaders Thursday evening (http://xrl.us/bntuyw). The former director of the CIA said that while Congress dithers on cybersecurity legislation, the White House has “no choice” but to consider issuing an executive order to “move as far as we can in the meantime.”
Panetta endorsed the Cybersecurity Act (S-3414) and said Congress “must act now” to pass a comprehensive cybersecurity bill that includes baseline cybersecurity standards for businesses. “This legislation has bipartisan support, but is victim to legislative and political gridlock like so much else in Washington. That frankly is unacceptable.” This summer, lawmakers failed to compromise on the provisions of S-3414 primarily due to opposition from the U.S. Chamber of Commerce, which said the legislation would create new and costly mandates for businesses (CD Aug 3 p3).
Panetta said it’s crucial for Congress to pass legislation that provides U.S. businesses with liability exemptions that allow them to share cyberthreat information with the government “without the prospect of lawsuits hanging over their head.” Panetta said information sharing alone is “not sufficient” and Congress must also empower the government to develop “baseline” cybersecurity standards in partnership with the private sector to protect critical infrastructure systems from attack. “This would help ensure that companies take proactive measures to secure themselves against sophisticated threats, but also take common sense steps against basic threats,” he said.
Senate Commerce Committee Chairman Jay Rockefeller, D-W.Va., lauded Panetta’s speech and urged opponents of S-3414 to stop obstructing the bill’s passage. “In August, Senate Republicans and beltway lobbyists chose a filibuster over these ... urgent requests,” he said in a news release. “Now the Secretary of Defense is urging us again to do what we all know we must do to protect our country from cyber terrorists. This is a time for action, not more political obstruction.”
The U.S. Chamber of Commerce said it is not a question of whether Congress should pass legislation to address cybersecurity, but how Congress can best craft legislation to achieve this goal. “We will continue to support legislation that will spur the sharing of cyber threat information between government and the business community,” said Ann Beauchesne, the Chamber’s vice president of national security and emergency preparedness. “The optimal way forward will not be found in layering additional regulations on the business community,” she said.
Panetta’s comments did not sway Sen. John McCain, R-Ariz. The Ranking Member of the Senate Armed Services Committee remains “unchanged” in his opposition to S-3414, his spokesman told us Friday. This summer McCain passionately railed against the development of voluntary cybersecurity standards because he said they would harm the economy and expand the size and reach of the government (CD July 27 p9). McCain specifically slammed a provision in Section 103 of the bill that would permit federal regulatory agencies to adopt voluntary cybersecurity practices as mandatory requirements. He said such a provision reveals the “true regulatory intent” of the proponents of this bill.
A spokeswoman for Senate Energy Committee Ranking Member Lisa Murkowski, R-Alaska, continued to blame Majority Leader Harry Reid, D-Nev., for the failure of S-3414 to pass. “By filling the amendment tree and refusing to allow votes, the Majority Leader ensured that no cyber legislation would pass the Senate,” Murkowski’s spokeswoman said in an email. “Hopefully Senator Reid will rethink his position and allow a full and robust floor debate on cybersecurity, complete with votes on amendments and alternatives.” The spokeswoman added that Murkowski continues to support an alternative cybersecurity bill, the SECURE IT Act (S-2151), which would not create new cybersecurity standards for U.S. businesses. “Regarding the electricity sector, we do already have mandatory cyber standards for both the grid ... and nuclear plants,” the spokeswoman said.
A spokeswoman for Sen. Dan Coats, R-Ind., said the senator does not support S-3414, but there is “an appetite” on both sides of the aisle to continue bipartisan discussions and work to reach a consensus on cybersecurity legislation. Coats voted for a procedural measure “to keep alive the ongoing bipartisan negotiations in hopes of improving the bill,” his spokeswoman said in an email. Requests for comment went unanswered from the remaining sponsors of the SECURE IT Act, GOP Sens. Kay Bailey Hutchison of Texas, Chuck Grassley of Iowa, Saxby Chambliss of Georgia, and Richard Burr of North Carolina. A spokesman for Sen. Ron Johnson of Wisconsin declined to comment.
Because Congress has failed to pass cybersecurity legislation, the President has a constitutional responsibility to consider an order that will “enhance cybersecurity measures under existing authorities,” Panetta said. The order will be developed in partnership with the private sector in order to promote best practices and increase information sharing with the government, he said. Even so, “there is no substitute for comprehensive legislation,” said Panetta, and Congress has a responsibility to act. White House spokeswoman Caitlin Hayden said the draft order under consideration would only affect “a small subset of the companies in the U.S.,” and the administration is actively soliciting input from private sector stakeholders and lawmakers. Former Homeland Security Secretary Tom Ridge, who is now chairman of the U.S. Chamber of Commerce’s national security task force, recently said he plans to lobby Congress for legislative fixes if President Barack Obama introduces an order (CD Oct 5 p10).
Panetta said many private companies are vulnerable to cyberthreats and the business community must independently act to increase the security of their systems. The scale and speed of the recent distributed denial of service attacks on several U.S. banks were “unprecedented,” he said. Panetta also detailed how a recent attack infected and rendered useless 30,000 computer systems used by the Saudi Arabian State Oil company Aramco. The August cyberattack, called “Shamoon,” included a “wiper” that replaced critical computer files with an image of a burning U.S. flag and overwrote the remaining data on each of the computers, Panetta said. “All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date,” he said.
Panetta said U.S. enemies are seeking to create more powerful tools to attack the computer systems that control domestic chemical, electrical and water plants in order to cause panic, destruction and the loss of life. “The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack on our country,” he said. “Attackers could also seek to disable or degrade critical military systems and communication networks. The collective result of these kinds of attacks could be a cyber Pearl Harbor; an attack that would cause physical destruction and the loss of life. In fact, it would paralyze and shock the nation and create a new, profound sense of vulnerability.”
Panetta reassured audience members that Defense has the capability to counter cyberattacks that could cause significant, physical destruction to domestic assets or kill U.S. citizens. Though Panetta acknowledged that this capacity extends beyond defense networks, he said the department’s cyberoperations will not monitor citizens’ personal computers. “We're not interested in personal communication or in emails or in providing the day to day security of private and commercial networks,” he said.