"We know of specific instances where intruders have successfully gained access to these control systems," Panetta said in a speech to the Business Executives for National Security in New York City. "We also know that they are seeking to create advanced tools to attack these systems and cause panic and destruction and even the loss of life."
In his remarks, Panetta confirmed several recent cyber attacks against Saudi and Qatari energy companies that used the sophisticated Shamoon virus, calling the attacks "the most destructive that the private sector has seen to date." As Panetta noted, the Shamoon attacks "virtually destroyed" 30,000 computers owned by the Saudi oil company Aramco. "Imagine the impact an attack like that would have on your company or your business," he added.
Warning of more destructive attacks that could cause loss of life if successful, Panetta urged Congress to pass comprehensive legislation in the vein of the Cybersecurity Act of 2012, a bill co-sponsored by Sens. Joe Lieberman, I-Conn., Susan Collins, R-Maine, Jay Rockefeller, D-W.Va., and Dianne Feinstein, D-Calif., that failed in its first attempt earlier this year when it lost a cloture vote in the Senate.
"Congress must act and it must act now," he said. "This bill is victim to legislative and political gridlock like so much else in Washington. That frankly is unacceptable and it should be unacceptable not just to me, but to you and to anyone concerned with safeguarding our national security."
Specifically, Panetta called for legislation that would make it easier for companies to share "specific threat information without the prospect of lawsuits" while still respecting civil liberties. He also said that there must be "baseline standards" co-developed by the public and private sectors to ensure the cybersecurity of critical infrastructure IT systems. The Cybersecurity Act of 2012 contained provisions that would arguably fit the bill on both counts.
While Panetta said that "there is no substitute" for legislation, he noted that the Obama administration has been working on an executive order on cybersecurity as an end-around on Congress. "We need to move as far as we can" even in the face of Congressional inaction, he said. "We have no choice because the threat that we face is already here."
He added that the DOD has three priorities for improving its own ability to combat cyber attacks: investing more than $3 billion annually in cybersecurity to develop new capabilities, including recruiting and training new cyber warfare soldiers and developing new systems and techniques; pushing forward with new policy, including new cyber rules of engagement that are close to being finalized; and working ever closer with the private sector and other parts of government.
Although Panetta may have urged further action, he was also quick to point out that some gains have been made. For example, he said that the military had developed "the world's most sophisticated system to detect cyber intruders and attackers" and that other agencies had also stepped up to the plate.