DEFENSE SECRETARY Leon Panetta sounded a klaxon in his recent address on cybersecurity. Beyond hackers and criminals who prowl the Internet, Mr. Panetta declared, there is a “greater danger” that nations or violent extremists could cause a cyberattack “as destructive as the terrorist attack on 9/11” or Pearl Harbor, which could “paralyze and shock the nation and create a new, profound sense of vulnerability.”
Although it is not at all clear whether a cyberattack could kill thousands of people, the threat of physical destruction to electric grids and critical infrastructure is not to be taken lightly. Mr. Panetta noted that two months ago a sophisticated computer virus, known as Shamoon, infected computers in the Saudi Arabian state oil company, Aramco. The virus replaced key system files with an image of a burning U.S. flag and then overwrote all the data in each machine it infected. More than 30,000 computers were rendered useless. Separately, administration officials have blamed Iran for a series of recent cyberattacks, including a massive but relatively crude onslaught against U.S. banks that took down some consumer Web sites.
In an important disclosure, Mr. Panetta said that the military has made “significant advances” in tracking the perpetrators of cyberassaults and that they should know “the United States has the capacity to locate them and to hold them accountable.” This could mark a promising step forward in a difficult area of cybersecurity, but Mr. Panetta did not say whether an attack can be traced in real time, or fast enough to permit certain retaliation.
Most of Mr. Panetta’s speech was devoted to building defenses against cyberattack. He rightly urged Congress to pass cybersecurity legislation, now stalled, that would help the government share information with the private sector. But he also broached, opaquely, the need to go beyond defense. If there is an imminent threat of attack that will cause significant, physical destruction in the United States or kill American citizens, he said, the Pentagon “has developed that capability to conduct effective operations to counter threats to our national interests in cyberspace.”
What is this capability? Is it cyber, or does it rely on more traditional weapons? Mr. Panetta did not say, nor did he use the word “offense.” We know from news reports that the United States carried out a damaging cyberattack on Iran’s nuclear enrichment equipment with a computer worm called Stuxnet in a classified intelligence operation. But officially, the existence of a U.S. offensive cyberstrike capability remains shrouded in secrecy.
It shouldn’t be. If the American people are to be ready for a cataclysmic cyberattack of the kind Mr. Panetta describes and if the U.S. military is building offensive cyberweapons, we need more transparency about this emerging domain of conflict and the risks it entails. We need to engage in a policy discussion like the one we had about nuclear weapons for many years. It is encouraging that Mr. Panetta took up this important topic, but his remarks have just barely cracked open the door.