26 January 2020

Prepare For the Worst From Iran Cyber Attacks, As DHS Issues Warning: Experts

By THERESA HITCHENS

WASHINGTON: With the risk of Iranian cyber attacks high enough for the Department of Homeland Security and the FBI to issue a warning, experts say the US government and the private sector must accept their sites will go down and be prepared to hit restart.

“I’m going to tell you a painful truth. When you have actors like this that are well trained — in the thousands — by a nation-state, if they are targeting something they will probably succeed,” says Diana Volere, whose (wonderful) title is “Chief Security Evangelist” at Saviynt. Over the past few years “Iran has been successful” in attacking a number of defense and civil aviation firms. Saviynt, based in El Segundo, helps organizations authenticate that people, software and systems accessing their networks are who and what they say they are, and not malicious actors.

Further, experts warn, Iran almost certainly has the cyber tools to inflict physical damage on US critical infrastructure. For example, Volere said, hacking the smart electrical grid could shut down power on the West Coast, or they could target military drones to crash them.


(Readers may remember that in 2011, Iran announced the capture of a Lockheed Martin RQ-170 Sentinel unmanned aerial vehicle (UAV) near the city of Kashmar in northeastern Iran — with Tehran saying it was brought down by a military cyber warfare unit. And in 2012, Iran formally established a special high-level command for cyber war, led by the Revolutionary Guards and directly overseen by Supreme Leader Ali Khamenei.)

So, since systems will likely get taken down should Iran attack, experts say, network backups, fail safe measures, plans for rallying recovery resources and personnel, and other methods of rapidly getting back to business are key to ensuring the attacks do not severely disrupt American society.

Piyush Pandey, CEO of Dallas-based Appsian (a company that provides services similar to Saviynet’s), said that while cyber incidents happen all the time, announcements about imminent threats from a specific country or actor “don’t come out very often.”

DHS on Jan. 4 issued a public bulletin warning of the increased potential for Iranian-backed cyber terrorism, and CNN reported this afternoon that the FBI and DHS also had issued a “joint intelligence bulletin” that predicted attacks first on overseas facilities — such as the Iranian missile attacks yesterday at two US air bases in Iraq — followed in the “medium-term” by attacks on the US homeland.

Further, DHS’s Cybersecurity and Infrastructure Security Agency (CISA) on Jan. 6 issued a warning to cybersecurity experts to be on guard. As Pandey and Volere both noted, the CISA warning included specific guidance about the technical nature of possible Iranian attack attempts, based on previous hacking incidents traced back to Iranian sources.

A CISA spokesperson would not address whether the agency is seeing an increase in attempted cyber incursions in the United States. However, the governor of Texas, Governor Greg Abbott announced that state agencies under his control have seen an increase in attempted cyber attacks by Iran in the past 48 hours — as many as ten thousand per minute — and blamed Iran. None of those attempts had been successful, he added.

Pandey explained that the first step agencies and companies need to take is to increase monitoring of network activity, but he stressed that there is no way to really “rapidly gear up defense” — with the exception of simply giving up and “shutting yourself down,” which of course leads to a loss of business.

Instead, he said, US government and agencies must invest strategically in protecting networks and, importantly, the data inside those networks. “Think of it like a house,” he said. “You can put really good doors and locks outside, and nowadays people have monitoring outside, but you have to have those things inside too. No matter what you do with the periphery, people will still come inside.”

Cyber Command (CYBERCOM), responsible for defending DoD information networks world wide, would not comment on whether they’ve seen an increase in cyber incidents or on their activities to respond to the heightened Iranian threat.

Gen. Paul Nakasone briefs reporters on cybersecurity at the White House in February

“The Command is charged with providing mission assurance for the Department of Defense by directing the operation and defense of the Department’s information systems (what we call the DoDIN); deterring or defeating strategic threats to national interests and infrastructure; and helping the combatant commanders achieve their missions in and through cyberspace,” he told lawmakers.

Thus, it is fair to assume that CYBERCOM would be offering options, both defensive and offensive, for combatant commanders. Further, DoD’s cyberwar strategy is focused on “persistent engagement” that involves what officials call “defending forward” in cyberspace.

In an interview with Joint Force Quarterly in January 2019, Nakasone explained:

“Persistent engagement is the concept that states we are in constant contact with our adversaries in cyberspace, and success is determined by how we enable and act. In persistent engagement, we enable other interagency partners. Whether it’s the FBI or DHS, we enable them with information or intelligence to share with elements of the CIKR [critical infrastructure and key resources] or with select private-sector companies. …

“Enabling our partners is two-thirds of persistent engagement. The other third rests with our ability to act-that is, how we act against our adversaries in cyberspace. Acting includes defending forward. How do we warn, how do we influence our adversaries, how do we position ourselves in case we have to achieve outcomes in the future? Acting is the concept of operating outside our borders, being outside our networks, to ensure that we understand what our adversaries are doing. If we find ourselves defending inside our own networks, we have lost the initiative and the advantage.”

No comments: