Last night (10/11/12) Defense Secretary Leon Panetta addressed a group of business leaders in NYC on some recently de-classified cyber attacks on critical infrastructure in the Middle East. He described the attacks which placed the Shamoon virus on crucial system and replaced files at Aramco (Saudi Arabia's state-run largest oil company) with the image of a burning U.S. flag. It also overwrote all data on the machine, rendering more than 30,000 computers useless and forcing them to be replaced. Similar attacks occurred at Qatar's natural gas producer RasGas.
Panetta used the attacks on ICS (Industrial Control Systems) as a warning to the US business community that similar attacks are imminent. It is also a calling for US business to embrace stalled cyber security legislation that has been bouncing around the House and Senate over the past 2+ years. The current plan would require companies to meet certain cybersecurity standards. Companies have been reluctant, fearing legal repercussions for non-compliance and/or sharing sensitive information. Companies should be granted immunity for sharing information that may put American citizens and our infrastructure at risk. And for those companies who worry about not complying with what is a pretty low bar of cyber security best practices -- too bad! They should be doing that already. I've long supported this cyber security bill and continue to do so -- now more than ever.
In the absence of ratified legislation, President Barack Obama plans to use his executive powers to put some of those programs (including some cyber security standards) in place until Congress acts. Perhaps this will light a fire under the battling Democratic and Republican factions who want to take claim for a new cyber security bill (and want to prevent the other side from doing so).
Time for Congress to grow up and cooperate. This is serious stuff. I know there's a lot of fear mongering out there which is unfortunate as it then becomes difficult for people to separate the wheat from the chafe. I've been in the IT Security space for enough time to understand how fragile our corporate and government infrastructure is. Let's not remain in denial mode – everyone needs to rally behind this initiaitve and make it happen. Call, write, whatever to support this legislation. As security professionals, it's our duty!
