Are We Waiting for Everyone to Get Hacked?

It’s been almost a decade since Leon Panetta, then the secretary of defense, warned of an impending “Cyber Pearl Harbor.” He didn’t want to be right.,

Credit…Cayce Clifford for The New York Times

News Analysis

Are We Waiting for Everyone to Get Hacked?

It’s been almost a decade since Leon Panetta, then the secretary of defense, warned of an impending “Cyber Pearl Harbor.” He didn’t want to be right.

Credit…Cayce Clifford for The New York Times

Supported by

Continue reading the main story

MONTEREY, Calif. — Leon Panetta is one of the few American government officials who can look around at the nation’s rolling cyberdisasters and justifiably say, “I told you so.”

The former secretary of defense was among the first senior leaders to warn us, in the most sober of terms, that this would happen in a 2012 speech that many derided as hyperbolic. He didn’t foretell every detail, and some of his graver predictions — a cyberattack that could derail passenger trains loaded with lethal chemicals — have yet to play out. But the stark vision he described, of hackers seizing our critical switches and contaminating our water supply, is veering dangerously close to the reality we are living with now.

In just the past few months, hackers — we still don’t know who — were caught messing with the chemical controls at a water treatment plant in Florida, in what appeared to be an attempt to contaminate the water supply just ahead of Super Bowl weekend in Tampa. Ransomware attacks are striking every eight minutes, crippling hospitals and American mainstays like gas, meat, television, police departments, NBA basketball and minor league baseball teams, even ferries to Martha’s Vineyard. This past week, the targets were one of the world’s largest meatpacking operators and the hospital that serves the Villages in Florida, America’s largest retirement community. The week before it was the pipeline operator that carries half the gas, jet fuel and diesel to the East Coast, in an attack that forced the pipeline to shut down, triggered panic buying and gas shortages and was just days from bringing mass transit and chemical refineries to their knees.

And those are just the attacks we see. Beneath the surface, American businesses are quietly paying off their digital extortionists and burying breaches in hopes that they never see the light of day. China continues to cart off America’s intellectual property, most recently in an aggressive cyberassault on the defense industrial base, and curiously, New York’s Metropolitan Transportation Authority. Russia’s government hackers have shut off the power in Ukraine twice. They’ve reached the control switches at American power plants, and breached nuclear plants too. And Russia’s elite intelligence agency, the S.V.R., slithered its way through hundreds of American companies and government agencies for nine months before it was caught. In the process, it wrecked confidence in the software supply chain. And, officials concede, its agents are quite likely still inside.

ImageTanker trucks stored near a Colonial Pipeline facility in Woodbridge, N.J. Colonial was the target last month of a huge ransomware attack.
Tanker trucks stored near a Colonial Pipeline facility in Woodbridge, N.J. Colonial was the target last month of a huge ransomware attack. Credit…Justin Lane/EPA, via Shutterstock

To anyone who had been paying the slightest bit of attention, none of this comes as a surprise. We are racing toward — in fact have already entered — an era of visceral cyberattacks that threaten Americans’ way of life. And yet, despite the vulnerabilities these attacks reveal, individuals, organizations and policymakers have yet to fundamentally change their behavior.

“If not this, then what?” Mr. Panetta still asks. “What will it take?”

He fears it really will take the “Cyber Pearl Harbor” he predicted nearly a decade ago, when he warned of what would come if Americans didn’t shape up: a coordinated cyberattack on critical infrastructure that “would cause physical destruction and the loss of life, an attack that would paralyze and shock the nation and create a profound new sense of vulnerability.”

In the decade that followed, cybersecurity experts quibbled with his word choice — “Cyber Pearl Harbor” — arguing alternately that it was overly alarmist or infantilizing, that the use of war lingo leaves everyday Americans and mainstream organizations with the impression they are helpless to combat illusive “cyberbombs.”

That, Mr. Panetta says, was never his intention. “I got some complaints about using the word ‘Pearl Harbor,'” Mr. Panetta conceded. “They said you should be very careful about using that word, and my response was, ‘Call it whatever the hell you want.’ It’s a national security threat. Don’t try to fool yourself that somehow, just because you don’t like the words, the threat is not real.”

These days, Mr. Panetta has swapped analogies. Like most Californians, he has fire on his mind. The former secretary of defense resides on his family’s old walnut farm turned vineyard in the parched Carmel Valley, where the surrounding hills are still singed from last year’s fires. The entire state is bracing for another inferno. And Mr. Panetta can’t help but see our digital woes through a ring of fire.

“You know cyber is a little bit like playing with fire,” he reflected on a recent afternoon. “You’re not quite sure just how something is going to play out. It could blow back on you from a dozen different directions.”

Before Mr. Panetta served as defense secretary, he was director of the Central Intelligence Agency, between 2009 and 2011. And it was during his tenure there that the United States, in partnership with Israel, accelerated the first major act of cyberdestruction against Iran.

That attack, which began under President George W. Bush but ramped up under the Obama administration, used a computer worm called Stuxnet to infiltrate the computers that controlled the rotors that spun Iran’s uranium centrifuges at Natanz nuclear facility. Intermittently, over a period of many months, Stuxnet sped the centrifuges up, while slowing others down, in a series of attacks designed to look like natural accidents.

By the time the worm escaped Natanz in 2010, and the ruse was up, Stuxnet had quietly destroyed roughly 1,000 centrifuges. Short term, it was a resounding success: It set Iran’s nuclear ambitions back years. Long term, it demonstrated the destructive power of code and lit a fire that, very quickly, started blowing back on the United States from a dozen different directions.

Less than two years later, Iran launched its own destructive attacks. The first targeted Saudi Aramco, the world’s largest oil company, where Iranian hackers used malware to destroy data on 30,000 Aramco computers and replace it with an image of a burning American flag.

“That was their way of saying, ‘Hello,'” Mr. Panetta said.

In a matter of months, Iran’s hackers came for the United States. As oil was to the Saudis, so was finance to the American economy, and in the fall of 2012 Iran’s hackers started pounding American banks with unprecedented waves of web traffic in what is known as a denial-of-service attack. One by one, websites belonging to Bank of America, the New York Stock Exchange, and dozens more banks sputtered or collapsed under the load.

It was in the midst of those attacks that October that Mr. Panetta gave his “Pearl Harbor” speech.

“It was like looking behind you and seeing that what you created could very well come back to get you,” Mr. Panetta said. “Once those capabilities fell into the wrong hands, I was witnessing firsthand how they could be used to really hurt us, to damage our country, our national security, and was still frustrated by the failure to have a coordinated approach to dealing with the threat.”

A decade later, he’s still frustrated. “It’s like there’s a fire and you’re ringing a bell, but the fire department doesn’t show,” he said.

With ransomware attacks ramping up, the Biden administration has been racing to establish long overdue cybersecurity measures. President Biden recently signed an executive order that raises the bar for the cybersecurity of federal agencies and contractors. If companies do not meet that bar, they will be blocked from doing business with the federal government, rendering many commercially unviable. And after the ransomware attack on Colonial Pipeline in May, Mr. Biden forced new cybersecurity requirements on the pipeline industry, using the Transportation Safety Administration’s oversight powers.

But with so much of the nation’s critical infrastructure — 85 percent — in private hands, government can only do so much.

Image

“It’s like there’s a fire and you’re ringing a bell, but the fire department doesn’t show,” said Mr. Panetta, at home in Carmel Valley, Calif.Credit…Cayce Clifford for The New York Times

So, what is it going to take to keep Americans safe? It’s a big question.

The answers, though, can be small. The kindling for these digital infernos is buggy and out-of-date software nobody bothers to patch. It’s companies that don’t back up their data or have a security plan for ransomware attacks, despite their ubiquity. It’s the failure to use different passwords and turn on two-factor authentication. The hackers who tried to contaminate Florida’s drinking water exploited the fact that employees shared the same password and ran a decade-old version of Windows software. At the pipeline, it came down to the lack of multi-factor authentication on an old employee account.

It’s “cyberhygiene,” the accumulation of day in, day out investments and inconveniences by government, businesses and individuals that make hackers’ jobs harder. And some are very low tech.

Among the few high-profile organizations that was not actually hacked last year was the Democratic National Committee. Going into 2020, Bob Lord, the D.N.C.’s first chief information security officer, employed a novel approach to help ensure that hackers stayed out of D.N.C. emails this time. He posted signs over the urinals in the men’s room and on the wall in the women’s room reminding everyone to run their phone updates, use the encrypted app Signal for sensitive communications and not click on links.

Mr. Panetta, watching from afar, has his own simple solution for staying safe — and specifically making sure his internet-connected Lexus isn’t hacked. A few years ago, he fixed up his dad’s old 1951 Chevy truck, and that is what he uses to get around.

When he does drive the Lexus, he has careful instructions for his passenger: “I tell my wife, ‘Now be careful what you say.'”

Leave a Reply