Are we waiting for everyone to get hacked?
By Nicole Perlroth
Leon Panetta is one of the few U.S. government officials who can look around at the nation’s rolling cyber disasters and justifiably say, “I told you so.”
In a 2012 speech that many derided as hyperbolic, the former secretary of defense was among the first senior leaders to warn us, in the most sober of terms, that this would happen.
He didn’t foretell every detail, and some of his graver predictions have yet to play out. But the stark vision he described is veering dangerously close to the reality we are living with now.
In the past few months, hackers were caught messing with the chemical controls at a water treatment plant in Florida, in what appeared to be an attempt to contaminate the water supply just before Super Bowl weekend in Tampa. Ransomware attacks are striking every eight minutes, crippling hospitals, police departments, NBA basketball and minor league baseball teams, even ferries to Martha’s Vineyard. This past week, the targets were one of the world’s largest meatpacking operators and the hospital that serves The Villages in Florida, America’s largest retirement community. The week before that, it was the pipeline operator that carries half the gas, jet fuel and diesel to the East Coast, in an attack that forced the pipeline to shut down, triggered panic buying and gas shortages and was just days from bringing mass transit and chemical refineries to their knees.
And those are just the attacks we see. Beneath the surface, U.S. businesses are quietly paying off their digital extortionists and burying breaches in hopes that they never see the light of day. China continues to cart off America’s intellectual property, most recently in an aggressive cyber assault on the defense industrial base and, curiously, New York City’s Metropolitan Transportation Authority. Russia’s government hackers have shut off the power in Ukraine twice. They’ve reached the control switches at American power plants, and breached nuclear plants, too. And Russia’s elite intelligence agency, the SVR, slithered its way through hundreds of U.S. companies and government agencies for nine months before it was caught. In the process, it wrecked confidence in the software supply chain. And, officials concede, its agents are quite likely still inside.
To anyone who has been paying the slightest bit of attention, none of this comes as a surprise. We are racing toward — in fact have already entered — an era of visceral cyberattacks that threaten Americans’ way of life. And yet, despite the vulnerabilities these attacks reveal, individuals, organizations and policymakers have yet to fundamentally change their behavior.
“If not this, then what?” Panetta asked. “What will it take?”
He fears it really will take the “cyber Pearl Harbor” he predicted nearly a decade ago, when he warned of what would come if Americans didn’t shape up: a coordinated cyberattack on critical infrastructure that “would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”
In the decade that followed, cybersecurity experts quibbled with his word choice — “cyber Pearl Harbor” — arguing alternately that it was overly alarmist or infantilizing, that the use of war lingo leaves everyday Americans and mainstream organizations with the impression they are helpless to combat illusive “cyber bombs.”
These days, Panetta has swapped analogies. Like most Californians, he has fire on his mind.
The former secretary of defense resides on his family’s old walnut farm turned vineyard in the parched Carmel Valley, where the surrounding hills are still singed from last year’s fires. The entire state is bracing for another inferno. And Panetta can’t help seeing our digital woes through a ring of fire.
“You know cyber is a little bit like playing with fire,” he reflected on a recent afternoon. “You’re not quite sure just how something is going to play out. It could blow back on you from a dozen different directions.”
Before Panetta served as defense secretary, he was director of the CIA. During his tenure there, in 2009 and 2011, the United States, in partnership with Israel, set in motion the first major act of cyber destruction against Iran.
That attack, which began under President George W. Bush but accelerated under the Obama administration, used a computer worm called Stuxnet to infiltrate the computers that controlled the rotors that spun Iran’s uranium centrifuges at Natanz nuclear facility. Over a period of many months, Stuxnet sped the centrifuges up, while slowing others down, in a series of attacks designed to look like natural accidents.
By the time the worm escaped Natanz in 2010, and the ruse was up, Stuxnet had quietly destroyed roughly 1,000 centrifuges. Short term, it was a resounding success: It set Iran’s nuclear ambitions back years. Long term, it demonstrated the destructive power of code and lit a fire that, very quickly, started blowing back on the United States from a dozen different directions.
Less than two years later, Iran launched its own destructive attacks. The first targeted Saudi Aramco, the world’s largest oil company, where Iranian hackers used malware to destroy data on 30,000 Aramco computers and replace it with an image of a burning American flag.
“That was their way of saying, ‘Hello,’” Panetta said.
In a matter of months, Iran’s hackers came for the United States. As oil was to the Saudis, so was finance to the U.S. economy, and in the fall of 2012, Iran’s hackers started pounding U.S. banks with unprecedented waves of web traffic in what is known as a denial-of-service attack. One by one, websites belonging to Bank of America, the New York Stock Exchange and dozens more banks sputtered or collapsed under the load.
It was in the midst of those attacks that October that Panetta gave his “Pearl Harbor” speech.
“It was like looking behind you and seeing that what you created could very well come back to get you,” Panetta said. “Once those capabilities fell into the wrong hands, I was witnessing firsthand how they could be used to really hurt us, to damage our country, our national security, and was still frustrated by the failure to have a coordinated approach to dealing with the threat.”
A decade later, he’s still frustrated. “It’s like there’s a fire and you’re ringing a bell, but the fire department doesn’t show,” he said.