In a recent speech to business leaders, U.S. Defense Secretary Leon Panetta revealed for the first time how a virus wiped data from more than 30,000 oil company computers in Saudi Arabia and Qatar.
Panetta said the “Shamoon” virus was probably the most destructive attack the business sector has experienced. All of the computers were rendered useless and had to be replaced. The virus replaced crucial system files with a burning American flag and rewrote all the data on the machines.
The attack is a warning that the United States could be next and signals the need for stronger cyber-security legislation, Panetta said.
Panetta made his remarks after President Obama began pushing Congress to pass a bill that he says would strengthen America’s infrastructure, including electric power grids and banks, against cyber attacks.
But legislation isn’t likely to pass any time soon, according to Howard Schmidt, who retired in May from his position as Obama’s cyber-security coordinator. Even after the addition of more than 200 amendments, the Senate failed to pass the cyber-security bill in August.
With the bill stuck in Congress, the White House is mulling an executive order to achieve the same goal as outlined in the original legislation, Schmidt said in an interview with the Los Angeles Times.
Schmidt, who was in Anaheim on Friday to give the keynote address at the Information Systems Security Assn. conference, believes the order will clarify three main bones of contention about the nation’s cyber-security policy.
He says it will clarify the relationship between the Department of Homeland Security and agencies that deal with technology, including those that contract with private companies. It will also spell out the level of DHS involvement with infrastructure companies, including banks and credit unions, Internet providers and gas, power and water vendors.
The executive order, Schmidt said, will also tell the government how much intelligence it can share with private companies to warn them of impending cyber attacks. He predicts Obama will tell the government to share intelligence information with private firms if the government believes the information will help prevent an attack or apprehend a suspect.
“Formerly, I was a policeman working undercover,” Schmidt said. “When a burglary ring said, ‘We’re going to break in and crawl through the roof after midnight,’ do you end up telling the credit union to secure their system and set their alarms? Of course.”
Similar comments have attracted criticism from Republicans, who decry too much government involvement and fear an erosion of individual privacy.
Still to be addressed, Schmidt said, is how the government will address security holes at companies that deal with infrastructure – including banking, telecommunications and utilities – without charging consumers more.
Much of that work can occur on a small scale, Schmidt said, with small- and medium-sized businesses, which are just as at risk as government agencies and large corporations.
“They don’t have the resources, but they need to,” Schmidt said. “They don’t realize that they’re likely to become a victim. They’re the ones developing the cool things.”
With better awareness and employee education, Schmidt said, smaller companies could prevent 80% of cyber attacks. Mostly, he said, those attacks are some kind of virus masquerading as a PDF file or a Word document that could be caught with anti-malware software.
That would leave cyber-security officials free to address the remaining 20%, Schmidt said – the threat of attacks from hostile nations and dedicated hacker groups.