By responding with a digital attack, the Trump administration signaled it won’t tolerate Iran’s aggressiveness but avoided escalating the conflict as much as a conventional military counterattack would have, according to 59 percent of respondents to The Network — an ongoing, informal survey of more than 100 cybersecurity experts from government, academia and the private sector. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.)
“Using targeted offensive cyber operations was the right move to stop the Iranian activity and let them know we mean business,” said Tony Cole, chief technology officer at Attivo Networks. “This allowed for a show of force, yet still short of retaliating in the physical realm — and hopefully just short enough to not escalate things into a physical conflict.”
One main benefit of responding to Iran with a cyberattack rather than a physical one is that it “avoided loss of life and expansion into potentially deadly … exchanges” with conventional military weapons, said Charles Brooks, a former Department of Homeland Security cybersecurity official who’s now a cybersecurity executive with General Dynamics.
“A cyberattack that produces a similar effect [to a conventional strike] by disabling comparable systems, but that causes no harm to humans [also] helps ensure that the response stays within international law limits,” said Ashley Deeks, a University of Virginia Law School professor and former State Department official.
In addition, the cyberattack sends a potent warning to other digital adversaries, such as Russia and China, that the United States is willing to use digital weapons to defend its interests, cyber pros said.
“Demonstrating both the will and capability to use [digital weapons] can get us closer to establishing an international deterrence regime,” David Weinstein, vice president of threat research at the cybersecurity firm Claroty, said.
Kiersten Todt, president of Liberty Group Ventures who led an Obama-era cybersecurity commission, called the attack “a strategic demonstration of using cyber capabilities as an element of deterrence.”
Some cyber pros who said the attack was the wrong call, however, argued the Trump administration was effectively goading Iran into a tit-for-tat digital battle that would end up doing more harm to U.S. industry than to Iran.
“The U.S. economy...is currently more dependent and therefore more vulnerable to cyberattacks than most other nations,” Luta Security founder Katie Moussouris said. “We lack the ability to defend it all. Escalation...on this front should only happen if we have confidence in our cyber defense, and we simply don't.”
Tom Cross, chief technology officer at OPAQ Networks and a former top IBM cyber executive, said he hopes the conflict “will not escalate to the point of having widespread impacts on U.S. industry." But "that sort of scenario does not seem to be entirely out of the question,” he said.
Another concern is that malicious software the United States and Iran deploy against each other could leak beyond their intended targets and cause damage in other nations, said Tor Ekeland, an attorney who specializes in defending hackers.
“I don't trust this administration to be thinking at the high level of precision necessary to execute a cyberwarfare strategy effectively — one that recognizes and understands the risk of this contagion,” Ekeland said.
Other critics of the attack worried that the Trump administration had signaled to other nations that cyberattacks are within the bounds of good behavior — and created a global norm that will ultimately do more harm than good to the United States.
“Whether we intended it or not, we have imparted legitimacy on the use of cyberattacks and invited others to do the same,” said Vikram Phatak, CEO of the cybersecurity company NSS Labs. “With our own infrastructure being increasingly vulnerable and our cyber defenses being demonstrably inadequate, this is a recipe for disaster.”
Even some supporters of the administration's strategy worried it could prompt Iran to launch dangerous retaliatory cyberstrikes against U.S. businesses that aren’t prepared to defend themselves.
Jamil Jaffer, vice president at IronNet Cybersecurity, supported the strike but warned that the United States must “take appropriate steps at home to protect our critical infrastructure systems run primarily by the private sector.” He also fretted that “the government needs to do significantly more, including sharing much more detailed classified and unclassified information on potential threats.”
And Mark Weatherford, a former top DHS cybersecurity official who’s now a global information security strategist at Booking Holdings, criticized the administration for crowing publicly about the cyberattacks, which he said would make Iran significantly more likely to hack back against U.S. companies.
“I know it makes people feel good to publicly poke an opponent in the eye,” he said. “But behind-the-scenes acknowledgment that we did it — and will do it again if you continue down a path of escalation — might be more productive.”
But even if the attacks prompt blowback from Iran, they may have been the best of bad options, said Steve Weber, director of the Center for Long Term Cybersecurity at the University of California at Berkeley.
“Critics of this move need to answer the question, 'What would have been a better call?' ” Weber said. “A [physical] attack? A verbal threat? Doing nothing? The range of options isn't infinite, and in this case … a digital shot across the bow may be the best choice.”
|You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.|
|Not a regular subscriber?|
— More responses to The Network survey question on the Trump administration cyberattack against Iran:
- YES: “Those are legitimate military targets. Degrading them using cyber means sends an important signal that we can hold their strategic capabilities at risk. Attacking civilian critical infrastructure systems, however, would be a mistake as U.S. critical infrastructure is significantly more exposed.” — Chris Finan, CEO of Manifold Technology and an Obama-era National Security Council cybersecurity official
- NO: “Cyberweapons should be treated with the same cautions as chemical, radiological, and biological weaponry — thus far, the United States continues to show a wanton disregard for the inevitable blowbacks stemming from their use and normalization — which is a myopic long-term strategy.” — Sascha Meinrath, a Penn State professor and founding director of X-Lab, a think tank focusing on the intersection of technologies and public policy
- YES: “It may not be sufficient, but it was worth doing, especially in the absence of more immediate kinetic action.” — Stewart Baker, a Steptoe and Johnson attorney and former general counsel at the National Security Agency
- NO: “The trick is whether we can develop global norms to enable this sort of graduated response while setting limits on indiscriminate cyber-infiltration and attacks.” — Peter Swire, professor of law and ethics at the Georgia Institute of Technology
- YES: “If the alternative was a kinetic strike, a targeted cyber one would spare collateral civilian casualties. Of course, escalation still needs to be accounted for and controlled, and communication and signaling paths are essential.” — Chris Painter, former State Department cybersecurity coordinator
- NO: “Trump and his national security adviser are simply upping the ante for attacks from a country that [DHS top cybersecurity official] Christopher Krebs described as ‘the guys that come in and they burn the house down.’” — Jeffrey Carr, cybersecurity researcher and author
- YES: “Better to strike with a nonlethal capability at this point in the conflict than to use a kinetic weapon.” — Richard Bejtlich, principal security strategist at Corelight and previously chief security strategist at FireEye
PINGED: Sen. Elizabeth Warren (D-Mass.) wants answers from the Federal Communications Commission about potentially improper corporate influence on an agency advisory panel tasked with shaping cybersecurity standards for the telecommunications industry. Former agency employees raised concerns over the “heavy sway” held by industry executives on the panel to Andrea Peterson at the Project for Government Oversight last month.
“Having the FCC’s policymaking process rely on input from individuals employed by, or affiliated with, the corporations that it is tasked with overseeing is the very definition of regulatory capture,” Warren and Rep. Pramila Jayapal (D-Wash.) wrote, citing the POGO report, in a letter to the FCC released Monday.
The FCC may be in violation of a federal rule that requires advisory committees to "be fairly balanced in terms of the points of view represented and the functions to be performed by the advisory committee," Peterson noted.
PATCHED: The Georgia court system took down several websites after hackers locked them up with malicious software and demanded a ransom, Mark Niesse at the Atlanta Journal-Constitution reported Monday. The hack is the latest in a string of ransomware attacks against local and state governments that have drawn concern from both legislators and DHS officials.
Georgia state officials did not disclose how much the hackers were demanding in exchange for releasing the websites, but did say that no personal information was compromised. The attack comes less than a month after three Florida cities were also hit with malware that hackers used to hold the cities’ communications infrastructure hostage. Two of the cities have already paid out more than $1 million combined in ransom to attackers. Baltimore and Atlanta face multimillion-dollar IT repair bills after refusing to pay up to recover their communications systems from hackers.
The United Kingdom's cybersecurity agency has noticed an uptick in attacks using Ryuk ransomware, the malware potentially behind the Georgia court attack, according to ZDNet's Catalin Cimpanu.
PWNED: One of the most common software programs that doctors use for genetic mapping of patient data contained flaws hackers could use to spy on or manipulate genetic results, researchers at Sandia National Labs found.
“The bug in the open-source Burrows-Wheeler Aligner (BWA) [program] allowed genetic data to be sent over insecure channels, potentially exposing it to interception and manipulation,” CyberScoop’s Sean Lyngaas reported. “In practice, a doctor receiving erroneous data from the software could have prescribed the wrong medication to a patient.”
BWA fixed the flaw after Sandia researchers alerted them and there’s no evidence hackers actually used it to manipulate data. However, the flaw points out “the challenges of securing code in an industry that is crunching ever-larger sets of data,” Sean noted.
— Cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
— Cybersecurity news from abroad: