‘Playing with fire’
These days, Mr. Panetta has swapped analogies. Like most Californians, he has fire on his mind. The former secretary of defense resides on his family’s old walnut farm turned vineyard in the parched Carmel Valley, where the surrounding hills are still singed from last year’s fires. The entire state is bracing for another inferno. And Mr. Panetta can’t help but see our digital woes through a ring of fire.
“You know cyber is a little bit like playing with fire,” he reflected on a recent afternoon. “You’re not quite sure just how something is going to play out. It could blow back on you from a dozen different directions.”
Before Mr. Panetta served as defense secretary, he was director of the Central Intelligence Agency, between 2009 and 2011. And it was during his tenure there that the United States, in partnership with Israel, accelerated the first major act of cyberdestruction against Iran.
That attack, which began under President George W. Bush but ramped up under the Obama administration, used a computer worm called Stuxnet to infiltrate the computers that controlled the rotors that spun Iran’s uranium centrifuges at Natanz nuclear facility. Intermittently, over a period of many months, Stuxnet sped the centrifuges up, while slowing others down, in a series of attacks designed to look like natural accidents.
Today in Business
June 3, 2021, 8:18 p.m. ET
By the time the worm escaped Natanz in 2010, and the ruse was up, Stuxnet had quietly destroyed roughly 1,000 centrifuges. Short term, it was a resounding success: It set Iran’s nuclear ambitions back years. Long term, it demonstrated the destructive power of code and lit a fire that, very quickly, started blowing back on the United States from a dozen different directions.
Less than two years later, Iran launched its own destructive attacks. The first targeted Saudi Aramco, the world’s largest oil company, where Iranian hackers used malware to destroy data on 30,000 Aramco computers and replace it with an image of a burning American flag.
“That was their way of saying, ‘Hello,’” Mr. Panetta said.
In a matter of months, Iran’s hackers came for the United States. As oil was to the Saudis, so was finance to the American economy, and in the fall of 2012 Iran’s hackers started pounding American banks with unprecedented waves of web traffic in what is known as a denial-of-service attack. One by one, websites belonging to Bank of America, the New York Stock Exchange, and dozens more banks sputtered or collapsed under the load.