US-Iran clash enters cyber realm and tests a Trump strategy
Seattle
Iran is stepping up cyberattacks targeting the United States amid heightened tension between the two countries, leading U.S. officials to warn businesses and government agencies to shore up their defenses.
The top cybersecurity official at the Department of Homeland Security, Christopher C. Krebs, said Iranian “regime actors and proxies” are increasingly targeting U.S. government agencies and industries with destructive “wiper” attacks that can rapidly eliminate entire networks.
The threat of more widespread and damaging Iranian cyberattacks on the U.S. homeland may be amplified following a strike by U.S. Cyber Command against an Iranian intelligence group tied to the military late last month, according to experts on Iran and cybersecurity.
Why We Wrote This
New powers, new vulnerabilities. As the U.S.-Iran confrontation creates a precedent by moving into the cyber realm, in addition to the physical, it also helps make an argument for restraint, even among the most powerful.
“We opened that up as an avenue, and I would be surprised if they didn’t respond,” says Michael Connell, an Iran analyst at CNA, a research institute in Arlington, Virginia. “I would certainly expect them to conduct attacks on low-hanging fruit economic targets, and also government targets as well,” he says.
The brewing conflict in the cyber realm has potentially far-reaching implications, cybersecurity experts say.
It marks the first time the United States has teetered on the brink of military conflict with another nation that has significant cyber capabilities. “We are seeing two cyber capable powers actually trading attacks,” says Sergio Caltagirone, vice president of Threat Intelligence at the Maryland-based cybersecurity firm Dragos. “There is another line that has been crossed here that has not been crossed before,” he says.
Already, the conflict has become a test case for the U.S. military’s employment of cyber tools in lieu of conventional weapons. For example, the U.S. military’s reported cyberattack in response to Iranian military actions in the Strait of Hormuz “may be unique for the U.S. in terms of a tit for tat in exchange for a physical event,” says Christopher Painter, a top cyber official in the Obama administration. Cyberattacks offer a clear advantage in avoiding the loss of life, Mr. Painter says.
The conflict also signals a more proactive approach to the use of cyberattacks by the U.S. military. A 10-month-old Trump administration order eased restrictions on the U.S. Cyber Command’s employment of cyber weapons. The new policy aims to speed and streamline responses to national-security cyberthreats by lifting requirements for extensive inter-agency consultation, a change that experts say has both benefits and drawbacks.
Cyber Command runs the Pentagon’s online military operations, both offensive and defensive. Its commander, Gen. Paul M. Nakasone, is advancing a U.S. strategy to “defend forward” by penetrating adversary networks – whether in Russia, Iran, or elsewhere – to show American resolve, experts say.
The policy change reflected a frustration that the U.S. wasn’t doing enough.
“We need to be more aggressive,” says Mr. Painter, a Perry Fellow at Stanford’s Center for International Security and Cooperation. “If we don’t take action against the bad actors, like Russia for instance, it just emboldens them,” he says. “But we also have to think through the larger implications.”
One major ramification is that how the U.S. decides to use cyberattacks will set a precedent for other countries in the “gray zone” field of cyberwarfare, where international law often remains unclear. The “gray zone” between diplomacy and conventional war includes other covert and clandestine tactics such as sabotage, disinformation, and fomenting political unrest.
A more assertive and intrusive U.S. military approach to going after cyberthreats overseas – wherever malicious code exists – could lead other countries to respond in kind, causing unwanted escalation. While the U.S. is considered the world’s most capable cyber power, it is also one of the most vulnerable because of its advanced digital economy.
“Companies in the U.S. would not be very happy about other countries doing things willy-nilly here,” says Mr. Painter.
Iran’s program
Iran is considered a tier-two cyber power, lacking the capabilities of the United States, Russia, or China, but on a par with or ahead of North Korea, experts say.
Iran has long developed its cyber capabilities as part of an asymmetric warfare strategy that involves targeting the weaknesses of a stronger opponent instead of trying to match its conventional military force.
“They have done a good job finding the weak points in entity security” and exploiting them, says Ben Read, senior manager for Cyber Espionage Analysis at FireEye, a cybersecurity company based in Milpitas, California.
Over the past decade, Iran has successfully used cyberattacks to hit targets from the United States to Europe to the Gulf Arab states and Israel. Major attacks have included widespread denial-of-service attacks on the U.S. financial sector and a massive attack on Saudi Arabia’s oil and gas industry in 2012 and 2013.
Cybersecurity experts say Iran is constantly attempting intrusions, but the motive behind them – whether for intelligence collection or for destructive operations – is often hard to discern until the damage begins. Iran’s cyber espionage is often aimed at stealing information useful for the regime, such as financial data from banks that carry out U.S. sanctions. Iran’s destructive operations can take down communications, destroy systems and hardware, or carry out ransomware attacks.
Iranian cyber agents are particularly creative in using social networks, creating fake profiles and fake websites (the latter known as “watering hole” attacks), as well as fabricating convincing emails to lure victims into providing sensitive information.
In terms of timing, Iran’s pattern is to conduct such attacks “during periods of heightened tension against specific countries,” Mr. Connell says.
Indeed, in mid-June, Iran launched a broad attack on U.S. government and private entities, including the U.S. financial network, says Mr. Read. The scale of the attack was not unusual, but it was different in that it was focused specifically on the United States.
“Right now, we have confirmed that there are groups associated with Iranian state interests that are targeting several elements of the U.S. government” and industries, says Mr. Caltagirone, of Dragos. “It is absolutely energy related, but more importantly it's affecting oil and gas entities” across the United States, he says.
Iran’s motives for the latest attempted intrusions were not immediately clear. It may have been gathering intelligence on U.S. plans for Iran, including sanctions and ways to evade them. “They have typically gone after stuff that would help the Iranian government make decisions,” says Mr. Read. “Sanctions are implemented by the U.S. financial sector, so knowing how that’s going to be implemented could help them evade the sanctions.”
Incentive for restraint
The vulnerability of U.S. digital systems makes cyberwarfare a two-edged sword for the United States.
“Strategically, the U.S. has much more to lose than almost any other country in the world when it comes to the escalation of cyber weapons and their ability to harm national economies because of our reliance on the digital economy,” says Mr. Caltagirone.
While most large U.S. companies have robust cybersecurity defenses, thousands of smaller firms do not. For example, if Iran gained control of an industrial system and launched a wiper attack, it could shut down companies, oil refineries, and possibly electric utilities – at least temporarily, he says.
The U.S. has an incentive, therefore, to show restraint to prevent cyberspace from becoming overly militarized, experts say. It needs to weigh carefully its operations against Iran and other countries with an eye to minimizing harmful retaliation. One way to do this is by narrowly focusing attacks on military targets for military objectives, while preventing harm or disruption to civilian infrastructure and lives.
“The U.S. is in a very precarious situation where it needs to project some amount of power, to show other countries that you can’t just walk in and do what you want, but also respond in a very restrained manner,” says Mr. Caltagirone.
“What the U.S. does now is going to set the tone for the next five years.”