Panetta's unusually strong comments Thursday came as former U.S. government officials and cybersecurity experts said the U.S. believes Iranian-based hackers were responsible for cyberattacks that devastated computer systems of Persian Gulf oil and gas companies.
Unencumbered by diplomatic or economic ties that restrain other nations from direct conflict with the U.S., Iran is an unpredictable foe that national security experts contend is not only capable but willing to use a sophisticated computer-based attack.
Panetta made it clear that the military is ready to retaliate—though he didn't say how—if it believes the nation is threatened by a cyberattack, and he made it evident that the U.S. would consider a preemptive strike.
"Iran is a country for whom terror has simply been another tool in their foreign policy toolbox, and they are a country that feels it has less and less to lose by breaking the norms of the rest of the world," said Stewart Baker, former assistant secretary at the Department of Homeland Security and now in private law practice. "If anybody is going to release irresponsible unlimited attacks, you'd expect it to be Iran."
National security experts have long complained that the administration needs to be much more open about what the military could and would do if the U.S. were to be the victim of cyberattacks. They argue that such deterrence worked in the Cold War with Russia and would help convince would-be attackers that an assault on America would have dire results.
Panetta took the first steps toward answering those critics in a speech analysts said was a thinly veiled warning to Iran, and the opening salvo in the campaign to convince Tehran that any cyberattack against America would trigger a swift and deadly response.
"Potential aggressors should be aware that the United States has the capacity to locate them and hold them accountable for actions that harm America or its interests," Panetta said in a speech in New York City to the Business Executives for National Security.
And while he did not directly connect Iran to the Gulf cyberattacks, he warned that Iran's abilities were growing.
Security analysts agree.
The presumed Iranian cyberattacks hit the Saudi Arabian state oil company Aramco and Qatari natural gas producer RasGas using a virus, known as Shamoon, which can spread through networked computers and ultimately wipes out files by overwriting them.
In his speech, Panetta said the Shamoon virus replaced crucial system files at Aramco with the image of a burning U.S. flag, and also overwrote all data, rendering more than 30,000 computers useless and forcing them to be replaced. He said the Qatar attack was similar.
"This one worries me," said Richard Bejtlich, chief security officer for the Virginia-based cybersecurity firm Mandiant. "I'm not an alarmist, but when I saw that 30,000 computers at Saudi Aramco got just deleted, that was a big deal. You don't see the Chinese government, you don't see the Russian government, or even their patriotic hackers go out and delete anything for the most part."
From the Iranians' point of view, however, attacks against the U.S. may be justified because American sanctions leveled on the country for refusing to cooperate with international norms on its nuclear program have hit Iran hard. Tehran also believes that the U.S. and Israel were behind the Stuxnet cyberattack that forced the temporary shutdown of thousands of centrifuges at a nuclear facility there in 2010.
As a result, said Bejtlich, Iran already believes it is at war with the U.S.
Frank Cilluffo, , a former special assistant for homeland security to President George W. Bush, said U.S. authorities have suspected Iran of trying to plot cyberattacks against American targets, including nuclear plants. And he said that Iran's Revolutionary Guard Corps appears to now be trying to bring some of the patriotic hacker groups under its control, so it can draw on their abilities.
"Iran has been doing a lot of cyber saber-rattling," said Cilluffo, now director of George Washington University's Homeland Security Policy Institute. "What they lack in capabilities, they more than make up for in intent."
Tehran has not made any public comment on Panetta's comments, but the Iranians routinely report the discovery of viruses and other malicious programs in government, nuclear, oil and industrial networks, blaming Israel and the United States.
While Panetta's warnings received high marks from security experts, those people also were quick to say that much more needs to be done.
The U.S., said former Homeland Security Secretary Michael Chertoff, must lay out the rules of the road and figure out what kind of proof authorities would need before taking action.
"We still have work to do," said Chertoff, who is now chairman of the Chertoff Group, a global security firm. "Will we take action to preempt something rather than simply retaliate, and how early and how much warning will we need before we take that action?"
He noted that most conflicts arise over misunderstandings, when one side doesn't realize what the other will do if provoked.
The administration has repeatedly warned of the cybersecurity threats, particularly against critical infrastructure such as financial networks, transportation systems and utility companies. More recently, the White House has been considering using the president's executive power to encourage critical industries to better protect their networks because legislation to do so stalled in Congress.
"While the message has been sent over and over again it doesn't seem to have acquired urgency across the board," said Chertoff. "We need to make it clear that this is not just background noise you have to deal with, but that it really strikes at the fundamentals of our national security."