Eric Connor, The Greenville News

The language is sobering, the warnings eerily reminiscent.

In a recent speech, the person second only to the president in directing America's national defense invoked memories of the most-devastating attack on American soil to describe a modern-day form of warfare - the cyberattack.

It is a tactic the country is ill-prepared for, a "pre-9/11 moment," U.S. Secretary of Defense Leon Panetta told a group of businessmen recently in New York, following cyber assaults earlier this year that crippled online commerce and on Persian Gulf oil companies of a scale not seen before.

Power grids could be blacked out for weeks, he said. Public water contaminated. Trains derailed.

"The greater danger facing us in cyberspace goes beyond crime and it goes beyond harassment," Panetta said. "A cyber attack perpetrated by nation states or violent extremists groups could be as destructive as the terrorist attack on 9/11. Such a destructive cyber-terrorist attack could virtually paralyze the nation."

The comments come as Congress this year failed to pass new legislation empowering the government to oversee and require the sharing of information from databases of private enterprises that manage "critical infrastructure" such as power plants and hospitals.

Absent new regulations, the Obama administration is currently considering using its executive authority to enforce much of the bill that was proposed.

The opposition comes largely from members of a skeptical business community that worries the government will burden the private sector with costly, overreaching regulations and demands for sensitive information that could lead to frivolous lawsuits.

The pushback isn't a matter of whether cyber defense is necessary but rather to what extent the government's involvement should be, said the U.S. Chamber of Commerce, which represents the interests of 3 million small and large businesses nationwide.

"For the Chamber, it is not a question of whether Congress should pass legislation to address cyber security, but how Congress can best craft legislation to achieve this goal," Chamber lobbyist Bruce Josten wrote in a letter to the U.S. Senate.
Earlier this year, a bipartisan collection of senators advanced the Cybersecurity Act of 2012, but the bill was cast aside when it could not break through a Republican-led filibuster, with only a few crossing party lines on either side.

The Chamber of Commerce supported a bill that Josten said would involve less-active government involvement.

The filibustered bill originally spelled out mandatory minimum security standards to protect online networks at critical infrastructure companies. An attempt at compromise - labeling standards as "voluntary" - failed. The act offered protection from lawsuits that companies might face if a cyberattack compromised their customers' information.

In testimony to the Senate's Homeland Security Committee, former Department of Homeland Security Secretary Tom Ridge told members that the business community already complies with a host of cyber-information regulations, such as the Health Insurance Portability and Accountability Act.

The government should look to how industry and the public sector worked together to stem the outbreak of the H1N1 flu virus in 2009, Ridge said.

"Instead of adding to the regulatory burden, Congress should work to reduce the fragmented and often conflicting burdens that these different rules and bureaucracies place on industry," he said. "A regulatory program would likely become highly rigid in practice and thus counterproductive to effective cybersecurity - due in large part to a shift in businesses' focus from security to compliance."

However, Panetta warned that recent attacks have shown the businesses simply don't have the resources to face the global threat, which manifests in battles "against thousands of cyber actors who probe the Defense Department's networks, millions of times a day."

No cyber attack has been more damaging than that of the so-called Shamoon virus last August that infected 30,000 computers in the Saudi Arabian oil company Aramco, Panetta said.

Vital computer systems were wiped out and replaced with an image of a burning U.S. flag, he said, and days later a similar attack was launched against major Qatar energy company RasGas.

The greater danger, Panetta said, is "cyber Pearl Harbor" that would "cause physical destruction and the loss of life."

"We know of specific instances where intruders have successfully gained access to these control systems," he said. "They could contaminate the water supply in major cities or shutdown the power grid across large parts of the country. The most destructive scenarios involve cyber actors launching several attacks on our critical infrastructure at one time, in combination with a physical attack on our country."

Enacting legislation to govern how information is shared between the public and private sector is necessary, as are "baseline" standards, while "too few companies have invested in even basic cybersecurity," Panetta said. The government is investing $3 billion annually in cyber defenses, he said.

"The private sector, government, military, our allies," he said, "all share the same global infrastructure, and we all share the responsibility to protect it."