Panetta's dishonest cyber speech
Who's spinning tales of cyber war and uttering the phrase "cyber Pearl Harbor"? Ah, it's Defense Secretary Leon Panetta, who in well-covered remarks made on Oct. 11 warned that aggressors could "contaminate the water supply in major cities or shutdown the power grid" or "derail passenger trains or even more dangerous, derail trains loaded with lethal chemicals."
In this, Panetta is actually late to the table--the American public has been warned about a "cyber Pearl Harbor" by people of Panetta's rank since at least 1996, when then-CIA Director John Deutch warned that hackers "could launch 'electronic Pearl Harbor' cyber attacks on vital U.S. information systems."
As I've argued before, it's difficult to remain in a state of petrified fear for more than a decade and a half of the same warning that our computer systems will be turned against us by a rotating case of nefarious foes--especially since it's apparently the United States that's had the most success in utilizing cyber weapons.
Panetta, in warning of a cyber Pearl Harbor, pulls off a time-honored rhetorical device of shifting from an incomplete representation of facts into wider supposition, the latter being, of course, the declaration that our utilities one day could spew poisonous water through the faucets installed in every American home (does he not know of fluoride?).
His story about the Shamoon virus, a hard-drive wiper that infected more than 30,000 Saudi Arabian State Oil Company Aramco computers earlier this year, is incomplete. The bit he left out is that Kaspersky determined that the virus was likely a Flame virus copycat--a bit of blowback against innocent computers instigated by our own attempts to turn Iranian computers against their owners. I have no sympathy for the Iranian government or their computers, I'll note--but the story of the Shamoon virus looks different when its inspiration is a domestic product.
The shift he makes is to leap from discussing a hard-drive wiper virus into the territory of "still more destructive scenarios" that encompass the standard-issue tales of derailed trains, etc. It's at this point that specificity abandons the defense secretary in favor of hypotheticals and the vague statement that "we know of specific instances where intruders have successfully gained access to these [industrial] control systems."
But after more than 15 years of these kind of speeches, that's not good enough. Is he referring to the reports of a Russian penetration of the Curran-Gardner Public Water District in Illinois? (That turned out to be a contractor who logged onto a system while on vacation…in Russia.) Is he invoking the Aurora Generator Test, which while scary enough, nonetheless was a controlled experiment? We can't know, and that lack of specificity is obviously meant to be filled in listeners' minds with worst-possible scenarios.
Panetta's speech ultimately is another addition to attempts to drive policy by fear, uncertainty and doubt. Unfortunately, good policy rarely develops as a result, just as good security isn't achieved through obscurity. He's correct to note the increasing importance of cyberspace in society and that it can be an attack vector as well as a wealth generator. What's needed is an honest public attempt to grapple with the dimensions of the threat, including our own role in perpetuating it, and the realistic countermeasures that we as a nation can undertake. We don't need another speech about cyber Pearl Harbor. - Dave