The U.S. attack on Iran's top general has the cybersecurity community bracing for possible retaliation in cyberspace. It is also drawing attention to the defensive tools already in place and to the policy gaps exposed by the latest -- and perhaps most serious -- clash with a known international cyber aggressor.
If the cyber dimensions of the current crisis escalate, said attorney Robert Metzger, a co-author of the influential 2018 MITRE “Deliver Uncompromised” report addressing vulnerabilities in the Defense Department's supply chain, the imposition of mandatory cyber controls on critical infrastructure operators could follow quickly.
“Very soon, we may find that the past scenarios of analysts have become brutal realities in today’s headlines. Should that occur, a 'national reckoning' may follow,” Metzger told Inside Cybersecurity.
“Measures to defend and recover from cyber attacks could move from 'recommended' to 'essential.' The federal government could require rather than just encourage improved cyber security upon a wide range of public sector functions, industries and services -- not just the 'defense industrial base' where most regulatory attention has focused to date,” said Metzger, a partner at law firm Rogers Joseph O'Donnell, who stressed the comments reflect his personal opinions.
Next moves -- from the United States and Iran -- remain to be seen. Asked whether lawmakers would be briefed on strategy going forward, presidential advisor Kellyanne Conway said at the White House this morning, "I know that they’ll be briefed in due course, and probably expeditiously. And they know that, too."
Over the weekend, the Department of Homeland Security issued a National Terrorism Advisory System bulletin that said there was no “specific, credible threat” to the homeland at this point, but that “Iran maintains a robust cyber program and can execute cyberattacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States."
Moves, counter-moves and policy needs
Cybersecurity policymakers say cyberspace must be considered a prime battlefield in the confrontation between the two nations and are noting the kinds of attacks to expect and the response mechanisms that are being activated. They are also pointing to potential shortfalls in cybersecurity policy development.
Melissa Hathaway, a top cyber advisor to Presidents Obama and George W. Bush, said critical infrastructure operators should expect distributed denial of service (DDoS) and ransomware attacks.
“Last time we escalated with Iran, we had DDoS against the top five banks in New York. We know that they are behind the ransomware attacks. I would expect more of the same: critical infrastructure disruption, DDoS and possibly some debilitating ransomware against an already mapped target,” said Hathaway.
“I think any time of geo-political unrest is when industry 'girds one's loins' and goes into a state of heightened cyber (and physical) vigilance,” said Kathryn Condello of CenturyLink, who serves as vice chair of the U.S. Communications Sector Coordinating Council.
“I think DHS (and other USG partners) have been keeping us as informed as possible in this incredibly dynamic and amorphous situation,” Condello said in an email. “Our USG partners are providing information they believe is valuable, and we, in turn, are requesting the information that we perceive might be valuable. As a result, the Comm Sector (and other Sector partners) are on alert, we are prepared to mitigate if necessary, and we are adding to the portfolio of best practices for information-sharing and situational awareness needs as the situation evolves.”
Ari Schwartz, a former National Security Council cyber director and now executive coordinator of the Cybersecurity Coalition, noted, “We know that the Iranians have retaliated against private sector interests in the past. The intelligence community has publicly reported that the Iranians have focused on oil and gas companies, financial institutions, and companies whose leadership has made negative comments about Iran, but it is not necessarily limited, so all companies should be on the lookout and should contact DHS or the FBI if they have questions.”
Schwartz emphasized, “In particular, companies should make sure that they are utilizing advanced DDoS protection and advanced authentication techniques."
Kiersten Todt, who led President Obama's Commission on Enhancing National Cybersecurity, noted that most immediately, “I do think businesses need to be paying attention to the basics of cyber hygiene and ensuring the cyber education and training of their employees is current.”
But more broadly, she said, “Killing [Iranian Gen.] Soleimani crossed a significant threshold in the US/Iran conflict. Iranians will certainly try to retaliate -- definitely in the region and they will also look at options on our homeland. Of the options available to Iran, cyber is most compelling. Iran has been building cyber capabilities since 2007, after Stuxnet.”
She said, “We should certainly expect an Iranian attempt against our infrastructure; our Industrial Control Systems are particularly vulnerable.”
The national security community “is completely aware of Iranian capabilities and is most certainly preparing for a wide range of responses,” Todt said. “One could assume that U.S. Cyber Command is executing a defending forward plan in preparation for Iran’s response. Cyber Command is likely working in close cooperation with U.S. Central Command, which is focused on physical attacks in the region.”
'Unfortunately, the target array is vast'
Metzger, in his comments to Inside Cybersecurity, noted that the “Deliver Uncompromised” report “warned that adversaries could engage in asymmetric warfare using 'blended operations' that exploit multiple attack vectors, such as networks, industrial systems and infrastructure, supply chain, and social media.”
“In just this kind of scenario, the MITRE Report anticipates that a hostile power, such as Iran, will resort to cyber-enabled attacks against the U.S. or allies. In the worst case, a 'cyber-physical' attack upon control systems can destroy physical assets producing costly damage. Iran has learned this itself -- in the Stuxnet attack in 2010 which savaged uranium enrichment centrifuges at Iran’s Natanz nuclear facility. It is widely reported that the U.S. was an author of the Stuxnet virus.”
He said, “If Iran chooses not to fight in the areas where the U.S. enjoys clear military dominance, and determines to carry the attack outside of its region to the homeland of the United States, it likely will attack using cyber-physical means. It will not go after the well-defended U.S. military systems. It may not go after those civil and commercial systems which are well-protected. Unfortunately, the target array is vast as many systems of both government and industry remain relatively undefended and non-resilient."
Metzger added, “One may wonder whether the national command authority fully considered these risks in ordering the lethal attack upon General Soleimani. Regardless, that attack is fact. Now, a pressing question for U.S. military leaders and policymakers is how to protect our homeland as well as overseas assets should Iran resort to cyber as its means to retaliate.” -- Charlie Mitchell