As members of the intelligence, military and homeland security communities evaluate the emerging cyber threats emanating from hostile nation states, they must consider important distinctions in the capabilities and attack patterns of adversaries like China and Iran, cybersecurity experts told a House subcommittee on Wednesday.
Testifying before the House Committee on Homeland Security's cybersecurity subcommittee, witnesses drew a sharp distinction between the threats from comparatively mature actors like China and Russia, with which the United States has longstanding--if strained--diplomatic and economic ties, and nations like Iran and North Korea.
[Related: Did China's Army Hack U.S. Companies?]
The cyber threats from China and Russia are typically motivated by economic interests, according to the witnesses, who describe a pattern of intrusions in service of industrial espionage or gaining access to intellectual property. While of grave concern for U.S. businesses and the government, those activities are carried out with a far different intent than state-sponsored attacks seeking to disable critical infrastructure the witnesses warn could come from Iran--either directly or through a proxy.
Cyber Threats From Iran MOre Threatening
"Iran is a qualitatively different cyber actor," says Ilan Berman, vice president at the American Foreign Policy Council. "China and Russia are both focused primarily on cyber theft and cyber espionage. Iran is not. Iran boasts today little by way of cyber-espionage capability.
Rather, what Iran is building is a cyber capability that is retaliatory in nature, and it's built largely around Iranian perceptions of the unfolding conflict that is now ongoing between itself and the West over its acquisition of a nuclear capability."
As a result, Berman explains, the situation with Iran and its cyber posture is "particularly volatile" compared with relations between the United States and Russia and China.
"While these other countries are pursuing a degree of diplomatic normalcy with the United States, Iran is not," Berman says.
Wednesday's hearing comes amid renewed efforts by lawmakers in both houses of Congress and both parties to draft cybersecurity legislation to improve the defenses of the public and private sectors without imposing burdensome compliance mandates on businesses or weakening personal privacy protections.
Rep. Patrick Meehan (R-Penn.), chairman of the cybersecurity subcommittee, said that he hopes to advance a cybersecurity bill this congress, and Michael McCaul (R-Texas), chairman of the full Homeland Security Committee, said he is eager to work toward a markup once legislation is drafted.
In considering attacks emanating from foreign actors, where attribution and the involvement of a foreign government are often murky at best, the hearing focused on one of the more challenging aspects of the cybersecurity debate.
Wednesday's proceeding, the first hearing the cybersecurity subcommittee has held in the 113th Congress, also follows a recent flurry of high-level activity, and worrisome attacks, in the cyber realm.
The day began with word from South Korea that media outlets and banks in that country had seen their computer systems knocked offline in an outage that state officials suggested could have originated from their increasingly belligerent neighbor to the north.
In a speech earlier this month, U.S. National Security Advisor Tom Donilon spoke of "cyber intrusions emanating from China on an unprecedented scale," calling for talks between the two countries "to establish acceptable norms of behavior in cyberspace." China, for its part, said it was open to discussions about the countries' respective cyber activities.
Berman and other witnesses credit China, along with Russia, as operating as generally rational actors in the cyber arena, even if their governments are complicit in--or actively encouraging--widespread infiltration of sensitive and proprietary systems in the United States. The largely economic motivations of those countries' activities are in stark contrast to nations that stand more as outliers on the world scene.
"One of the saving graces of our China cyber problem and our Russia cyber problem is that, while we may not be comfortable with the scope, we in general understand the direction and that is missing in our calculation with regard to Iran and increasingly with regard to North Korea," Berman says.
"And the shared geopolitical driver here is that both regimes are under growing international stress as a result of their rogue behavior," Berman says." But it's also the type of international stress--economic, diplomatic, financial--that's forcing them to lash out in unpredictable ways."
Like Berman, Frank Cilluffo, director of Homeland Security Policy Institute at the George Washington University, emphasizes that Iran does not have the capacity for waging cyber attacks as sophisticated as what Russia and China could launch, but that only diminishes the threat so much.
"The bad news is what they lack in capability they more than make up for in intent," Cilluffo says. Moreover, even if Iran's capacity to launch an attack is a far cry from that of Russia or China, Cilluffo points out that the nation can fairly easily turn to proxies or rent out low-cost botnets. "The bar to entry when we talk about cyber is not very high," he says.
Cilluffo also told members of the subcommittee that many of the tools used in cyber attacks, while readily available and inexpensive, are also becoming more sophisticated. So the increasing ease with which an overseas adversary can launch of a distributed denial-of-service attack against a set of corporate targets, while not approaching the "cyber 9-11" that officials often warn about, is itself a cause for growing concern.
"You can rent a botnet for very little that can cause major disruption, Cilluffo says. "That's not the same as destruction but it can get to a point where companies that live and breathe on just-in-time inventories, that live and breathe on the ability to connect with their customers immediately--it has a huge impact."
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.