The big cybersecurity news of the week is Defense Secretary Leon Panetta's high-profile clarion call for the Congress to pass a cybersecurity bill because the U.S.otherwise faces a possible "cyber-Pearl Harbor." During his speech at an award dinner hosted by a group of security-focused business executives, Panetta also hinted that the government's interest isn't merely in defending against critical cyber threats but could extend to something more proactive. "If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us, to defend this nation when directed by the president," Panetta said.
The speech is notable for three things. First, it's the most comprehensive statement by the Defense Secretary on the issue. Secondly, it's clearly timed to either push the Congress into immediate action on passing a cybersecurity bill during the lame duck Congress or provide the President with enough rhetorical cover if he does issue an executive order on cybersecurity. Finally, although the spin by administration flacks was that Panetta was disclosing new previously classified threats in his speech, the examples he offered -- DDoS attacks on U.S. financial institutions and the Shamoon malware that plagued Aramco and RasGas late this summer -- are all old news in cybersecurity terms, as Wired's Noah Schachtman points out.
But why amp up the rhetoric regarding threats that are, by now, extensively known? And for that matter, why is the Administration turning up the heat on the issue in general? There is no question that cyberthreats are the 21st century version of nuclear warfare and should be much feared. But, Republicans and business lobbies oppose anything beyond simple information sharing, and the relatively arcane issue of cybersecurity won't interest or sway many voters, so the Obama Administration stands to gain very little politically by continuing to push the issue.
The clues to the puzzle of why Obama is pressing cybersecurity so hard are shrouded by the nature of the subject matter itself. If there were a new threat on the horizon that could derail trains or "contaminate the water supply in major cities, or shut down the power grid across large parts of the country," as Panetta said in his speech, only a handful of people are allowed to know that, just as only a handful of people are allowed to know the launch codes for nuclear weapons. Panetta isn't going to trot out the latest intelligence on a potentially catastrophic cyber weapon during a black tie dinner and we are likely never going to hear what's really going on, or at least not for years.
It's also possible that the Administration plans to ramp up its own military capabilities in the cyber realm and the strong language used by Panetta (and others) helps to provide cover for stepped-up military action. The U.S., after all, is the creator of the most potent cyber weapon the world has known so far (Stuxnet) and the Administration could be beefing up its military muscles not necessarily to defend against threats but to take the offense against enemies.
Whatever the case may be, the Administration is getting more serious every day about cybersecurity. And we may never know why.
Shamoon image via SecureList