The Washington Post

The Cybersecurity 202: Iran’s the scariest cyber adversary, former NSA chief says


U.S. government officials are hyper-focused on the hacking threats from Russia and China right now, but it’s the threat from Iran that keeps former NSA director Keith Alexander up at night.

“Iran concerns me the most because they’re the ones that will act emotionally while Russia and China are going to be deliberate about what they can do, what they can get away with,” Alexander said during a panel discussion I moderated at the Global Cyber Innovation Summit in Baltimore on Thursday.

Iran’s got a major geopolitical beef with the United States right now because of the Trump administration’s withdrawal from the Iran nuclear deal and re-imposition of sanctions, Alexander noted. And the tensions are about to get worse as the administration seeks to restrict even more nations from purchasing Iranian oil, he said.

When the Obama administration tightened sanctions on Iran in 2012 — while Alexander was leading the NSA and Cyber Command — the Islamic Republic responded with a series of hacks aimed at shutting down the public-facing websites of U.S. financial institutions.

This time, Iran could respond to sanctions with far more destructive attacks, said Alexander, who now leads the firm IronNet Cybersecurity.

“That’s what worries me the most,” he said. “I think Iran is not a rational actor in this regard.”

Each U.S. adversary in cyberspace presents its own challenges. China is best known for stealing massive troves of information, especially the intellectual property of competitive industries. Russia, meanwhile, has been linked to both data theft -- such as the data that intelligence agencies say Russian hackers stole and leaked from the Democratic National Committee and Clinton campaign to upend the 2016 election -- and destructive attacks, including one that shut down portions of Ukraine’s energy grid in 2015 and one that hit a Saudi petrochemical plant last year.

Yet cybersecurity professionals draw a major distinction between hacking aimed at stealing or denying access to information and hacks that destroy data or machines. While data theft can be incredibly disruptive and have far-reaching consequences, they say it's not substantially different from the way nations have always spied on each other. Destructive attacks, on the other hand, blur the lines between digital sabotage and real-world violence -- and are more similar to traditional military attacks.

Iran is widely believed to be responsible for one of the most destructive cyberattacks, a 2012 attack against the Saudi oil company Saudi Aramco. More recently, the nation may be linked to attacks using the same destructive malware against targets across the Middle East, according to several cybersecurity firms.

Iran has consistently denied hacking adversaries. And most of the traditional deterrence tools at U.S. officials' disposal are ineffective, Alexander said.

“With Iran, what do they have to lose?” he asked. “We’re going to sanction them? We already did that.”

The United States has historically relied on sanctions and indictments as its chief public methods to punish foreign hackers, but most Iranian industries are already heavily sanctioned. And indictments have not historically done much good against hackers who are unlikely to ever end up in a U.S. courtroom.

The Justice Department indicted seven Iranians linked to the nation's Islamic Revolutionary Guard Corps for hacking U.S. banks in 2016 and charged two other Iranians with hacking American hospitals, universities and government agencies in 2018.

The Trump administration has also loosened the reins on U.S. Cyber Command to launch retaliatory hacking operations — a move that Alexander said he fully supports — but officials are still wary of getting into a tit-for-tat hacking exchange that could escalate out of control.

And as Alexander notes, that leaves the United States with few levers to deter an Iranian hacking operation. 

“We can go back and do something to Iran [after the fact], but I think it would be good to stop it before it impacts our industries like it did Saudi Arabia,” Alexander said.


PINGED: The Trump administration published an executive order Thursday making it easier for government cyber pros to jump between agencies. The order mirrors a bill that passed the Senate this week.

The program will be run by the Department of Homeland Security’s Cybersecurity and Information Security Agency, and most rotations will involve workers going into or out of CISA, according to the order.

The order also directs government agencies to use standard definitions for cybersecurity jobs so they can compare workers’ skills across government. And it directs agencies to create aptitude tests that will help non-cybersecurity workers transition into cybersecurity jobs.

The order won quick praise from lawmakers, including Sen. Gary Peters (D-Mich.) who sponsored the Senate bill with Sen. John Hoeven (R-N.D.). But some cybersecurity experts were skeptical.

Mark Weatherford, a former top Homeland Security Department cybersecurity official, told me he worried the rotation program would just result in agencies passing their poorer-performing cybersecurity workers to CISA and keeping the good ones.

Laura Bate, a cybersecurity workforce analyst with the New America think tank, said she’s optimistic the rotation program will be useful but hopes the government will do a rigorous analysis to determine whether it’s improving overall cybersecurity performance.

There’s also no money behind the program. During a media call announcing the executive order, senior administration officials said they view the program as a first step and will be working on ways to offer more pay flexibility for cybersecurity workers in coming months.

There’s also a “President’s Cup” cybersecurity competition. Here’s more from Nextgov’s Brandi Vincent.

PATCHED: WikiLeaks founder Julian Assange began his lengthy extradition process Thursday, declaring, “I do not want to surrender for extradition for doing journalism that has protected many people and won many awards,” my colleagues William Booth and Karla Adam reported.

U.S. officials have a lot to dislike Assange for — including publishing reams of classified military and diplomatic documents and publishing documents stolen by Russia that upended the 2016 presidential election. He’s charged, however, with only a single crime that carries a maximum five-year prison sentence — offering to help Chelsea Manning crack a password on a Defense Department computer.

“Representing the U.S. government in court, British lawyer Ben Brandon said Assange stands accused of abetting the ‘largest compromise of classified information in U.S. history,’ ” my colleagues reported.

Thursday’s hearing lasted only about 15 minutes. A more substantive hearing is set for June 12.

PWNED: Russian President Vladimir Putin has signed a controversial “Internet sovereignty” bill.

“Officially, the bill is designed to protect the Russian Internet against foreign threats, including the risk that Russia could be cut off from the rest of the Internet,” Ars Technica’s Timothy B. Lee reports.

“But of course, centralizing control over Internet routing in Russia also gives the Russian government stronger powers to monitor, control, and censor its own population's Internet use,” Lee added.

“Fears of such abuses inspired strong opposition to the legislation from civil libertarians, Russian opposition parties, and ordinary Russian citizens. But their opposition wasn't enough to stop the legislation from being approved by the Russian Duma (which is dominated by Putin's United Russia party) or from the Federation Council (the upper house of Russia's parliament),” Lee reported.

Here’s an analysis of the law from the New America think tank.


Cybersecurity news from the public sector:

Global security officials to hammer out united 5G security approach (Reuters)

Hacktivists Are on the Rise—but Less Effective Than Ever (Wired)


Cybersecurity news from the private sector:

Potential Facebook Settlement With FTC Likely to Include WhatsApp (Wall Street Journal)

No longer clicking: Online ad fraud has fallen in the past year (CyberScoop)


Cybersecurity news from abroad:

Germany shuts down 'Darknet' criminal trading platform, detains 3 (Reuters)

Austrian construction group Porr hit by cyber attack (Reuters)