Lawmakers: Possible Iranian Cyberattack Highlights Need for Proactive Security

A leading congressional voice on cybersecurity said Jan. 7 the federal government is taking the right steps to prepare for a possible Iranian cyberattack in retaliation for Quds Force commander Gen. Qassem Soleimani’s death.

“I applaud the proactive posture of [the Cybersecurity and Infrastructure Security Agency] and the advisories that they’ve put out,” Rep. Mike Gallagher (R-Wis.) said at an event hosted by the Council on Foreign Relations. “I know that within the Pentagon, this is an issue that is being taken very seriously. Within the White House, this is an issue that’s being taken very seriously.”

CISA on Jan. 6 put out an alert instructing the organizations that control critical infrastructure—like electric and water utilities—and other information technology experts to keep an eye on their networks for unusual activity, monitor email traffic for phishing scams that people might unwittingly click on, ensure data is backed up on a separate network, and patch vulnerabilities that could let outsiders control equipment from afar or lock out their usual users.

“Iranian cyber threat actors … continue to engage in more ‘conventional’ activities ranging from website defacement, distributed denial of service attacks, and theft of personally identifiable information, but they have also demonstrated a willingness to push the boundaries of their activities, which include destructive wiper malware and, potentially, cyber-enabled kinetic attacks,” CISA wrote.

The Department of Homeland Security added in its own Jan. 4 bulletin that “Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States,” but noted it hasn’t discovered any credible, specific threats to the homeland.

US Cyber Command declined to comment Jan. 3.

Despite the public warnings, lawmakers stressed the US is still seriously vulnerable to a bad actor trying to cause chaos in the utility, financial, or other systems. Sen. Angus King (I-Maine) raised Iran as an example of why the Defense Department needs to reconsider its cyber force posture to reflect the growing dangers of cyberattacks.

“The folks in Tehran, I’m sure one of their options that they’re looking at right now is a cyberattack,” said King, who caucuses with the Democrats. “That’s a capacity that they have that they’ve developed over the years, and that may well be their choice for a response.”

Gallagher and King appeared at CFR to discuss their upcoming final report from the Cyberspace Solarium Commission, a bipartisan group of members of Congress and the executive branch who will unveil dozens of recommendations to make the public and private sectors more cybersecure. The two lawmakers co-chair the commission, which launched in May 2019, and serve on the armed services committees in their respective chambers.

One piece of that still-evolving strategy will require the Defense Department to take a hard look at how it organizes its cyber forces and manages that mission.

“Force posture today in cyber is probably not adequate,” Gallagher said. “You can expect the report to have a variety of recommendations concerning how we enhance our partnership with allied countries, particularly those that have expertise in cyber.”

The report will also address how well the military is equipped to operate in the cyber realm, how it can protect its supply chain from attacks, and how to pursue connectivity via new wireless networks.

Gallagher said the US can do more to bolster its defenses against other kinds of asymmetric warfare, or actions that can do significant damage with less-sophisticated tools like small drones. He argued it’s time to visit every American military base around the world to reassess their security.

He added it’s particularly important to check bases “where we are there at the tenuous invitation of a host government, and where, for a very small investment of resources in asymmetric capabilities, our adversaries can inflict enormous damage on exquisite weapons systems.”

That seemed to reference US military installations in Iraq, where the federal government is going through the steps of pushing out the Americans after almost two decades in response to the US drone strike that killed Soleimani. Asymmetric warfare has long plagued the Pentagon in its fight against al-Qaeda, the Islamic State group, and other terror organizations in the Middle East and Africa.

The lawmakers urged the private sector—which comprises the vast majority of US cyber targets—to proactively defend itself. Hiring hackers to help spot network holes, teaching employees not to click on suspicious links or open sketchy emails, and investing in secure technology can help.

Even though the Pentagon offers some help to the private sector through organizations like the National Guard, Gallagher said companies need to take responsibility for their own security.

“We are surely not trying to create a dynamic where the private sector has the expectation that the federal government is going to come on their networks and do everything for them,” Gallagher told Air Force Magazine. “We’re trying to promote private sector resilience that is also nested within broader resilience in the federal government.”