US defense chief says pre-emptive action possible over cyber threat


* Panetta says executive order being considered

* Says too few companies have invested in cybersecurity

By Phil Stewart

WASHINGTON, Oct 11 (Reuters) - The U.S. military could act pre-emptively if it detects an imminent threat of cyber attack, U.S. Defense Secretary Leon Panetta said on Thursday, urging stronger action to bolster America's defenses against such plots.

In what was described by U.S. officials as the first major policy speech on cybersecurity by a defense secretary, Panetta lamented under-investment by America's private sector and political gridlock in Washington that he said stymied cybersecurity legislation. He said a presidential executive order was being considered "while we wait for Congress to act."

Addressing a gathering of business leaders in New York, Panetta warned that unnamed foreign actors were targeting computer control systems that operate chemical, electricity and water plants and those that guide transportation.

"We know of specific instances where intruders have successfully gained access to these control systems. We also know that they are seeking to create advanced tools to attack these systems and cause panic, and destruction, and even the loss of life," Panetta said.

Aggressors could derail passenger trains, contaminate the water supply or shut down the power grid in much of the country, he said.

Still, he cautioned the gathering of the Business Executives for National Security that although awareness of the threat in America's private sector had grown, "the reality is that too few companies have invested in even basic cybersecurity."

To underscore the degree of concern, Panetta pointed to the August cyber attack on Saudi Arabian state oil company, ARAMCO, blamed on the "Shamoon" virus, and a similar one days later that struck Qatar's natural gas firm, Rasgas.

"All told, the Shamoon virus was probably the most destructive attack that the private sector has seen to date," he said.

Panetta called the "Shamoon" virus sophisticated and noted that in Saudi Arabia it replaced crucial system files with an image of a burning U.S. flag.

"More than 30,000 computers that it infected (at ARAMCO) were rendered useless, and had to be replaced," he said.

He also pointed to recent denial-of-service attacks on major U.S. banks, which delayed or disrupted services on customer websites.

One U.S. official, briefing reporters before the speech on condition of anonymity, said the United States knew who carried out the attacks cited in Panetta's speech, but declined to disclose that information.


The United States has long been concerned about cyber warfare capabilities in China, Russia and increasingly from Iran. But one problem has been the difficulty in knowing with certainty where a cyber attack hails from - making potential retaliation difficult.

Panetta said the United States had made significant investments in cyber forensics to address that problem "and we are seeing returns on those investments."

"Potential aggressors should be aware that the United States has the capacity to locate them and to hold them accountable for actions that may try to harm America," Panetta said, adding the Pentagon was finalizing the most comprehensive change to the rules of engagement in cyberspace in seven years.

He said that the Department of Defense had a mission to defend the country and would be ready to respond to attacks - or even the emergence of a concrete threat. Such pre-emptive action would occur only under certain, dire scenarios, he said.

"If we detect an imminent threat of attack that will cause significant physical destruction in the United States or kill American citizens, we need to have the option to take action against those who would attack us," he said.

(Additional reporting by Andrea Shalal-Esa; Editing by Peter Cooney)

