President Trump’s decision Tuesday to pull the United States out of the nuclear deal with Iran may escalate the risk of confrontation of another kind: in cyberspace.
Withdrawing from the Obama-era pact designed to curb Iran’s nuclear program and reinstating sanctions on the country could lead Tehran-backed hackers to retaliate against the West after several years of relative quiet, former government officials and security experts say.
Michael Daniel, who was President Barack Obama’s White House cybersecurity coordinator, said Iran may have fewer qualms about using its cyber capabilities without the diplomatic agreement in place.
“Now that the level of enmity between the United States and Iran is going to only increase, that does free them to carry out cyber operations against the United States,” Daniel said.
Trump on Tuesday called the Iran deal “an embarrassment” that did little to stop the country’s nuclear ambitions.
But the pact, experts said, seemed to have had a cooling effect on the cyberattacks Iran launched against the United States before the agreement was signed.
The past decade of digital relations between the two countries has been bleak. The Stuxnet worm, discovered by outside analysts in 2010, had been wreaking havoc on centrifuges at Iran’s Natanz uranium enrichment facility for years. The cyberweapon was the work of Israeli and U.S. experts, developed in the George W. Bush administration to quietly delay Iran’s nuclear capability.
In the following years, as the United States and European countries imposed sanctions on Iran to further thwart its nuclear weapons ambitions, Iranian hackers responded with waves of distributed denial-of-service (DDoS) attacks on U.S. financial institutions that crashed bank computer networks and caused millions of dollars in lost business between 2011 and 2013. Iran-linked hackers have also been blamed for hacks on NASA servers and for breaking into the control system of a small dam in New York, among other attacks.
But the tension subsided around the time that the Iran deal, formally known as the Joint Comprehensive Plan of Action, was finalized in July 2015. The Carnegie Endowment for International Peace, a nonpartisan foreign policy think tank, noted in a report earlier this year that Iran’s disruptive attacks on the United States declined, and Iran turned its focus to Saudi Arabia and other regional adversaries in the Middle East.
Daniel said that Trump’s announcement raised the specter of a return to operations such as the DDoS attacks, which are designed to disrupt systems by overloading them with illegitimate digital traffic.
“They very much saw those as a direct and proportional response to the U.S.-imposed sanctions,” he told me. “You could imagine them wanting to do something similar. It raises the probability that we will see additional malicious cyberactivities aimed at the United States from Iran.”
Rob Knake, a senior fellow for cyber policy at the Council on Foreign Relations, rued the fallout on banks, especially now that Trump has scrapped the deal:
Remember when we made the banks suck up the costs of the Iranian DDOS attacks so we wouldn't upset the nuclear negotiations? Sorry about that...— Rob Knake (@robknake) May 8, 2018
Yet recent research shows that Iran didn’t lose any time: It has been honing its cyber tradecraft elsewhere by focusing on targets of opportunity in the Middle East.
The cybersecurity firm Symantec reported in February that an Iran-based hacking group launched attacks on airlines, telecom services and other organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia and Turkey between 2015 and 2017.
Bill Wright, Symantec’s director of government affairs, said it was an especially well-resourced effort that used sophisticated hacking tools to surveil targets. In recent years, Iran has also been blamed for cyberattacks on Saudi Arabia, including assaults on Saudi oil infrastructure.
Efforts such as those allow Iran to project influence in the digital sphere where it can't through traditional military might, Wright said.
“Cyber is the ultimate asymmetric threat,” he said. “While a country like Iran wouldn’t directly take on the U.S. and our allies, cyber levels out that playing field.”
Even though Iran may have the capability for disruption, experts agreed that a major attack on critical infrastructure in the United States was highly unlikely.
What’s more probable: A warning shot.
“We are more likely to see Iran engage in cyberactivities designed to highlight its potential threat, as a signal that this is an arena in which it could escalate or retaliate,” said Matthew Waxman, a cybersecurity expert at Columbia University and former senior national security official in the George W. Bush administration.
“It's unclear whether Iran will react to a U.S. withdrawal by escalating tensions or playing the victim, but the U.S. and some partners should certainly be preparing for the possibility of more malicious cyberactivity from Iran,” he said. “And regardless of which strategy Iran plays, I wouldn't be surprised to see it flex this muscle and at least send threatening signals.”
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: The Senate Intelligence Committee's interim report on Russian election interference in 2016, released Tuesday night, blasts the Department of Homeland Security for mounting an "inadequate" response to the Russian government-affiliated campaign to undermine confidence in the American voting process, my colleague Karoun Demirjian reports.
"While the report chastises the DHS of both the Trump administration and the Obama administration for a slow response — pointing out it took committee pressure and until September 2017 for the department to reach out to chief elections officials in each state that had been targeted — it also congratulates the agency for making 'tremendous progress' over the past six months," Karoun writes.
The report identified at least 18, and potentially as many as 21, states whose election systems were targeted. Hackers could have altered or deleted voter registration data in “a smaller number of states," the report found. But the committee said it saw no evidence that vote totals were manipulated, nor voter registration information changed.
But we still don't know everything about Moscow's motivations. As Karoun notes: "The committee also warned in the report that while Russia was clearly planning on undermining confidence in voting systems, they could not determine whether cyber actors stopped short of exploiting certain vulnerabilities because they 'decided against taking action, or whether they were merely gathering information and testing capabilities for a future attack.' "
Committee Chairman Sen. Richard Burr (R-N.C.) took a jab at the House Intelligence Committee majority's final Russia report, which came out late last month:
Burr on HPSCI's Russia report, when asked if SSCI would also find fault with the intel comm's assessment of Russian intent: "I'm not sure that the House was required to substantiate every conclusion with facts." (Promised SSCI would "have the facts to show for" its conclusions.)— Karoun Demirjian (@karoun) May 8, 2018
A BuzzFeed reporter put it this way:
Sen. Richard Burr, chairman of Senate Intel Committee, with some fairly devastating shade for House Intel Committee Republicans as it relates to their final Russia report: “I’m not sure that the House was required to substantiate every conclusion with facts."— Emma Loop (@LoopEmma) May 8, 2018
PATCHED: Voters in West Virginia, Indiana, North Carolina and Ohio headed to the polls yesterday for those states' primaries amid mounting concerns over election hacking. And while some states have been slow to shore up their defenses ahead of the midterms, West Virginia's embrace of cybersecurity to protect its voting system stands out, according to the New York Times's Michael Wines.
West Virginia's voter database is "air gapped" — that is, cut off from public access — and online voter registrations are hosted on a different computer, Wines writes. At the county level, clerks receive phone briefings on best practices about passwords. And state law requires hand-countable paper ballots in all elections.
“It gave me a comfort level as a new secretary of state that, yes, we’re going to be attacked, and when it happens, don’t freak,” West Virginia Secretary of State Mac Warner told Wines. “You have to have your detection capabilities up to know when it happens. And when it does, close it down.”
PWNED: Georgia Gov. Nathan Deal (R) vetoed a controversial cybercrime bill Tuesday following backlash from Google, Microsoft and a chorus of cybersecurity researchers, the Atlanta Journal Constitution reports. Opponents objected to the vague language of the two-page bill, which would have made it a crime to access a computer network “without authority.”
Dozens of cybersecurity researchers wrote to the governor urging a veto, saying the bill would have chilled good-faith efforts to identify vulnerabilities in networks. So did Google and Microsoft, which argued that the bill's exemption for “active defense” -- which can refer to a range of activities for monitoring and preventing cyberattacks -- was also too vague and could have allowed companies to hack each other.
Deal seemed to take their complaints seriously. “While intending to protect against online breaches and hacks, SB 315 may inadvertently hinder the ability of government and private industries to do so,” he said.
— Representatives from Amazon, Facebook and other major companies will head to the White House tomorrow for a summit aiming to explore ways to boost the development of artificial intelligence, The Post’s Tony Romm and Drew Harwell write.
“The Trump administration intends to ask academics, government officials and AI developers about ways to adapt regulations to advance AI in such fields as agriculture, health care and transportation, according to a draft schedule of the event. And they’re set to discuss the U.S. government’s power to fund cutting-edge research into such technologies as machine learning.”
It's a change of tone for the administration. Last year, Treasury Secretary Steven Mnuchin said AI was “not even on my radar screen.”
Steve Mnuchin is not concerned one bit with AI and automation. pic.twitter.com/VvEooCoAbf— Axios (@axios) March 24, 2017
“Among those expected to be in the room for that private gathering Thursday will be representatives from tech giants like Microsoft, Nvidia and Oracle, as well as other businesses like Ford, Land O’Lakes, MasterCard, Pfizer and United Airlines, according to the White House,” Romm and Harwell write.
— The House yesterday passed legislation seeking to improve small businesses’ cyberdefenses. The Hill’s Morgan Chalfant writes that the measure would direct the Small Business Administration to create a mechanism for employees of small business development centers that receive federal grants to undergo cybersecurity training.
“The legislation would also mandate that the Small Business Administration reimburse development centers for costs associated with cyber training, though the price tag could not exceed $350,000 in any given year,” Chalfant writes. Sen. James E. Risch (R-Idaho) has introduced similar legislation in the Senate.
— Amid the fallout from Russia's interference in the 2016 election, Facebook will change the way it runs issue ads on the social network, Politico's Ashley Gold reports. Facebook will demand that those who want to run advertisements on topics such as race or immigration verify their identity and location, and indicate who is funding the ad, Gold writes.
“Viewers of the issue ads on Facebook will eventually see a label with the disclosures about the identity, location and funder of the ads, as well as a link to other ads from the same funder, according to the company,” Gold writes. “A Facebook spokesman said the labels aren't yet live so advertisers can get used to the new policy before the changes take effect by June.”
Sen. Mark R. Warner (D-Va.), the vice chairman of the Senate Intelligence Committee, said he was “glad to see Facebook introducing transparency requirements for issue ads.”
Glad to see Facebook introducing transparency requirements for issue ads, a measure I proposed last year along with @AmyKlobuchar & @SenJohnMcCain. We need to pass our #HonestAds Act so that other platforms play by the same rules, just like broadcast, cable & satellite providers. https://t.co/gZT3Zfj6aT— Mark Warner (@MarkWarner) May 8, 2018
— Sweeping regulations to strengthen data privacy across the European Union take effect in less than three weeks, but regulators say they don't have enough funding or powers to do the job, Reuters's Douglas Busvine, Julia Fioretti and Mathieu Rosemain write.
Isabelle Falque-Pierrotin, the head of France's data protection watchdog, told Reuters that her organization lacks the means to enforce the E.U.'s General Data Protection Regulation. “We’ve realized that our resources were insufficient to cope with the new missions given by the GDPR,” she said.
The regulations, which aim to give citizens greater control over their online data, will be enforced by national and regional bodies instead of a single central organization.
“Many watchdogs lack powers because their governments have yet to update their laws to include the Europe-wide rules, a process that could take several months after GDPR takes effect on May 25,” Busvine, Fioretti and Rosemain write.
New York Times columnist Bari Weiss wrote a piece exploring how polarizing figures such as Jordan Peterson, a University of Toronto clinical psychologist who argues that men need to man up, and conservative commentator Ben Shapiro have found a way to widely share controversial ideas on what she calls the “Intellectual Dark Web.”
But more than a few observers ribbed Weiss over her definition of these “dark” corners of the Internet:
i love going to the underground websites youtube and twitter to access the intellectual dark web— leon (@leyawn) May 8, 2018
Some wondered how tech-savvy Weiss needed to be to track down these subjects:
what nodes did Bari Weiss use to access this Intellectual Dark Web? Did it require a VPN, proxies, masking her presence, and exchanging cryptocurrency with someone (probably a cop) for, like, a Forbidden Take? If not, then it's just "the sites my peers mock me for visiting."— Kelsey D. Atherton (@AthertonKD) May 8, 2018
From the Intercept's Glenn Greenwald:
EXCLUSIVE: I got some hacker friends to help me find images from Bari Weiss' Dark Web. It's chilling, shocking, and appalling what these brave dissidents have had to resort to - the dangerous places they've been forced to go to - just to be heard. pic.twitter.com/lA6RiX8wAr— Glenn Greenwald (@ggreenwald) May 8, 2018
- Gina Haspel, Trump's nominee for CIA director, appears before the Senate Intelligence Committee for her confirmation hearing.
- The Senate Appropriations Defense Subcommittee holds a hearing on the Department of Defense's budget request for fiscal year 2019.
- Google’s I/O developer conference is happening this week.
- So is Microsoft's Build conference.
- Cal Poly San Luis Obispo hosts a Women in Cybersecurity Leadership Forum.