The United States should expect serious cyberattacks from Iran in the next few months, according to an overwhelming majority of experts surveyed by The Cybersecurity 202.
Those digital attacks are likely to hit oil refineries, financial institutions and other U.S. targets as retaliation for the U.S. killing of a top Iranian general, a whopping 85 percent of respondents to our Network survey said.
“Iran is dangerous because they have the intent, motivation and capabilities. While their cyber capabilities are not on par with Russia and China, they are innovative and can cause both physical and psychological disruption,” warned Kiersten Todt, president of Liberty Group Ventures, who led an Obama-era cybersecurity commission.
“We should expect attacks of all stripes from Iran over the next few months,” said Betsy Cooper, director of the Aspen Institute’s Tech Policy Hub and a former Department of Homeland Security cybersecurity official.
The Network is a panel of more than 100 leaders from government, academia and the private sector who vote in our ongoing, informal survey on cybersecurity issues. (You can see the full list of experts here. Some were granted anonymity in exchange for their participation.)
One big reason Iran is likely to ramp up cyberattacks is that, compared with conventional military or terrorist attacks, it’s easier to keep them at a low enough level that they don’t prompt U.S. retaliation, many experts said. The United States and Iran backed away from further military hostilities after the killing of Maj. Gen. Qasem Soleimani prompted an Iranian missile strike on two U.S. bases in Iraq.
“Iran will be looking for ways to cause pain in the United States without provoking a severe counterattack,” Stewart Baker, a Steptoe and Johnson attorney and former NSA general counsel, said.
Dmitri Alperovitch, co-founder of the cybersecurity company CrowdStrike, described Iranian leadership as “quite risk averse” and noted that “cyber … provides Iran with response options that are below the thresholds likely to trigger a U.S. retaliation.”
Cyberattacks “seem to be the most likely route where the Iranians can cause damage without casualties and hopefully stay under the thin red line for a major U.S. response,” said Tony Cole, chief technology officer at Attivo Networks.
Iran has a long track record of hacking U.S. targets, including pummeling U.S. banks with overwhelming network traffic to force them offline in 2012 and hacking control systems at a New York dam in 2013. The nation also destroyed sensitive data during a hack at the Sands Casino in 2014 after anti-Iran comments by owner Sheldon Adelson.
“Past performance is not always a perfect predictor of future results, but it is often the best that we have, [and] Iran has a long track record of using cyber means of retaliation,” said Peter Singer, a cyberwar expert and senior fellow at the New America think tank.
“They’ve demonstrated capability and intent for destructive cyberattacks inside the U.S. and I would expect to see that,” said Suzanne Spaulding, who led DHS cybersecurity efforts during the Obama administration.
“Iran is not new to this rodeo … What I expect is simply an escalation of what they've already been doing,” said Mark Weatherford, a former Department of Homeland Security cybersecurity official who’s now a global information security strategist at Booking Holdings.
Cyberattacks are also attractive because the United States is far more reliant on information technology than Iran, which makes it far more vulnerable.
“I remain concerned that the Administration did not fully anticipate the range of possible Iranian responses prior to carrying out the strike [Soleimani], particularly given the United States’ significant reliance on information and communications technology,” said Rep. Jim Langevin (D-R.I.), co-founder of the Congressional Cybersecurity Caucus and chair of the House Armed Services Committee’s main cybersecurity panel.
Iranian cyberattacks could target “industrial control systems essential to the operation of power grids, water systems, and other critical infrastructures,” warned Melanie Teplinsky, a former White House and NSA official who’s now an adjunct professor at American University’s Washington College of Law.
“The reality is that Iran is likely in a position to cause grave damage across our energy grid, water plants, and other utilities,” said Jay Kaplan, co-founder of the cybersecurity company Synack, but he added that “I don’t believe they will play this card unless things escalate further.”
Iran could also look beyond those targets.
Lance Hoffman, director of the Cyber Security Policy and Research Institute at George Washington University, warned of “manipulation of social media to … sow distrust in U.S. government agencies.”
Or Iranian hackers may take a page from Russia and try to disrupt the 2020 election or Democratic primaries and caucuses, warned Maurice Turner, deputy director of the Internet Architecture Project at the Center for Democracy & Technology think tank.
“The 30-plus primary elections in March will be prime targets if ideological messaging becomes an attack objective,” he said.
Another danger is that Iranian hackers could miscalculate and end up damaging organizations they don’t intend to.
“Unfortunately, organizations that aren't typically targeted by the Iranian government may nevertheless experience collateral damage or be targeted by hacktivists during a conflict like this,” said Tom Cross, chief technology officer of network security provider OPAQ Networks.
Several experts also fretted that other nations might use escalating tensions between the United States and Iran to launch false flag cyberattacks against U.S. targets that look as if they’re launched by Iran but aren’t.
Michael Daly, chief technology officer for cybersecurity and special missions for Raytheon Intelligence, noted that “North Korea and Russia may choose to create distractions and difficulty for the U.S. under the guise of the Iranian conflict.”
Among the 15 percent of experts who didn’t predict serious Iranian cyberattacks, most still expected Iran would punch back in cyberspace — they just didn’t think it would do much harm.
Megan Stifel, executive director for the Americas at the Global Cyber Alliance nonprofit and a former National Security Council cybersecurity official, said she expected “small-scale interruptions and nuisance activities with limited impact.”
Sam Visner, director of the National Cybersecurity Federally Funded Research and Development Center, managed by the Mitre Corporation, predicted “cyberattacks that will cause some difficulty, akin to vandalism, but Iran will move with caution and exercise some control, avoiding significant escalation.”
John Pescatore, director of emerging security trends at the SANS Institute cybersecurity training organization, meanwhile, predicted Iran couldn’t do enough damage in cyberspace to send the message it wants to.
“Pictures and stories of blood and deaths is … the goal, not stories of delays in plane takeoffs or deliveries of bicycles,” he said.
This story has been updated to correct Camille Stewart’s title.
— More responses to The Network survey question about cyberattacks from Iran:
- YES: “Iranian-linked actors are already quite active against United States targets. Given the current tension, we should expect an increase in activity. The question is whether they will be strategic and state-directed or undertaken at the initiative of their numerous proxies.” — John Carlin, former assistant attorney general for the Justice Department’s National Security Division and a partner at the Morrison & Foerster law firm
- YES: “Although the intensity of the operations have waxed and waned and the focus of the operations has shifted between regional targets and Western targets, Iran has made steady use of this tool.” — Michael Daniel, former White House cybersecurity coordinator during the Obama administration who now leads the Cyber Threat Alliance
- YES: “It’s safe to assume that the gloves will come off and we can expect a more aggressive posture in cyberspace from Iran.” — Vikram Phatak, founder of the cybersecurity firm NSS Labs
- YES: “It's always better to expect serious cyberattacks and prepare accordingly than to assume they won't occur. We don't have a very clear sense of Iran's capabilities beyond espionage and sabotage, but that doesn't mean we shouldn't be preparing for and expecting more extreme attacks.” — Josephine Wolff, assistant professor of cybersecurity policy at the Fletcher School of Law and Diplomacy at Tufts University
- YES: “With kinetic attacks already underway, coming from Iran towards American troops still stationed in Iraqi bases, it stands to reason that cyberattacks will escalate as well.” — Katie Moussouris, founder and CEO of Luta Security
- YES: “The Iranian government and its agents have proven themselves to possess a small yet potent cadre of cyber operators … I anticipate that they will … use tactics, techniques and procedures such as obfuscation and redirection, outsourcing, and other methods to attack without solid attribution.” — Greg Touhill, president of Cyxtera Federal Group who served as the U.S. government’s first chief information security officer under President Barack Obama
- YES: “Although Iranian leadership has called for Iran’s responses to the Soleimani killing to be overt and direct, it is hard to imagine that Iran or its proxies will not resort to hostile cyber operations, whether against U.S. military or civilian targets.” — Ashley Deeks, a former State Department official and professor at the University of Virginia Law School
- NO: “The Iranians do not have escalation dominance in cyberspace, and they know it.” — Dave Aitel, a former NSA hacker who is president and CEO of the cybersecurity firm Immunity Inc.
PINGED, PATCHED, PWNED
PINGED: The United States was prepared to launch a cyberattack to disable Iran's gas and oil sector if Iran hit back too hard after a U.S. drone attack killed a top Iranian general, Peter Baker, Ronen Bergman, David D. Kirkpatrick, Julian E. Barnes and Alissa J. Rubin at the New York Times report. The revelation highlights a shift under the Trump administration to be more aggressive in cyberspace.
The planned response also included physical strikes against a command-and-control ship. But officials backed away from the plans after Iran signaled it would go no further than its missile attacks against U.S. targets in Iraq, which were designed to not cause casualties. U.S. officials also sent secret messages through Swiss intermediaries, urging Iran to not go further, the Times reports.
PATCHED: U.S. officials are arriving in Britain today to urge leaders there to exclude Huawei equipment from the nation’s next-generation 5G telecommunications networks, two sources told Jack Stubbs, William James and Alexandra Alper at Reuters. The delegation comes as British security officials close in on a decision about whether to use equipment from the controversial Chinese firm, which U.S. officials say can’t be trusted not to assist Beijing’s spying.
The U.S. delegation will include deputy national security adviser Matt Pottinger, Reuters reports. Huawei has steadfastly denied it helps China spy.
Last week Sen. Tom Cotton (R-Ark.) introduced a bill that would cut off Great Britain and other allies from U.S. intelligence sharing if they fail to ban Huawei from their 5G networks.
Andrew Parker, head of Britain’s MI5 domestic security agency, meanwhile, said he has “no reason to think” that the U.S. intelligence-sharing relationship would be damaged if Britain adopted Huawei technology, Lionel Barber, Helen Warrell and George Parker at the Financial Times report.
PWNED: Millions of medical images that include patients’ sensitive health information are being exposed online every day in ways that make it easy for hackers to scoop them up, Zack Whittaker at TechCrunch reports.
The culprit is insecure servers that hospitals are using to store X-rays, ultrasounds and CT scans and that hackers can crack into with easy-to-download software. The servers are now putting about 1 billion medical images across the world at risk, about half of which belong to patients in the United States, Zack reports.
In one case, it took a researcher “just a few minutes” to find tens of thousands of patients' scans from one of the largest hospitals in Los Angeles.
“The amount of data exposed is still rising, even considering the amount of data taken offline due to our disclosures,” said Dirk Schrader, lead researcher at a German security firm that unearthed more than 720 million exposed medical images in September.
The exposures, which can lead to greater risk of insurance fraud and identity theft for patients, have sparked concern from U.S. health officials and lawmakers.
“As Health and Human Services aggressively pushes to permit a wider range of parties to have access to the sensitive health information of American patients without traditional privacy protections attached to that information, HHS’s inattention to this particular incident becomes even more troubling,” Sen. Mark Warner (D-Va.) told Zack.
— Former House Intelligence Committee chairman Rep. Mike Rogers (R-Mich.) is announcing a new nonprofit group today aimed at highlighting the economic and national security importance of next-generation 5G telecommunications networks. The group will work with members of Congress “to win the 5G race against China,” according to a news release.
— More cybersecurity news from the public sector:
— Cybersecurity news from the private sector:
THE NEW WILD WEST
— Cybersecurity news from abroad:
— Coming up:
- The U.S. Election Assistance Commission (EAC) will host an all-day summit on Tuesday addressing preparations for the 2020 elections at the National Press Club.
- The House Armed Services Committee will host a hearing on “the Department of Defense’s Role in Competing with China” on Wednesday at 10 a.m.