A panel of experts warned lawmakers on Thursday about the looming threat of a cyber attack emanating from Iran, an increasingly isolated nation that has been linked to numerous attacks against the United States in recent years including a plot last year to assassinate the Saudi Arabian ambassador to the United States in Washington, D.C.
Appearing before a joint House subcommittee hearing, the witnesses noted that Iran has been rapidly accelerating its cyber capabilities, which the nation has been deploying both directly and through proxy groups, such as Hezbollah.
They suggested that Iran, which has been resisting mounting international pressure to submit to inspections of its nuclear program, is turning toward cyber attacks as a channel to attack corporate and government entities in the United States, noting the relative ease with which those attacks can be launched against much larger adversaries.
“Cyber basically levels the playing field. It provides asymmetry that can give small groups disproportionate impact and consequence,” said Frank Cilluffo, associate vice president and director of the Homeland Security Policy Institute at George Washington University. “And whereas they may not have the capability they can rent or buy that capability. There’s a cyber arms bazaar on the Internet. Intent and cash can take you a long way, and that is what I think we need to be thinking about.”
Cyberecurity vs. Privacy
The hearing comes as the House of Representatives is in the midst of a debate on a controversial cybersecurity bill that would create a framework for sharing information about threats to critical digital infrastructure. Several privacy and civil liberties groups have raised concerns that the bill would provide for a nearly unlimited flow of personal information to secretive military agencies with minimal oversight. The bill’s authors have offered a series of changes to narrow the scope of the information-sharing system the legislation would establish, though some groups maintain their opposition.
Many of the threats that the Cyber Intelligence Sharing and Protection Act, or CISPA, is meant to address concern cyber intrusions that expropriate U.S. firms’ intellectual property. But supporters of the bill also note the mounting volume and severity of cyber attacks sponsored by unfriendly foreign governments.
“The threat of cyber warfare may be relatively new, but it is not small,” said Rep. Patrick Meehan (R-Penn.), the chairman of the Homeland Security Committee’s Subcommittee on Cybersecurity, Infrastructure Protection and Security Technologies. “Iran has reportedly invested over $1 billion in developing its cyber capabilities.”
Iranian officials have publicly blamed the West for orchestrating the attack in 2010 that saw the Stuxnet worm infiltrate one of the country’s nuclear reactors. While Iran was on the receiving end of that attack, the witnesses at Thursday’s hearing warned that the country’s cyber experts could reverse engineer Stuxnet or other cyber weapons to deploy against critical infrastructure in the United States.
“I would make the argument that Iranian action against the United States through asymmetrical action is more rather than less likely,” said Ilan Berman, a vice president at the American Foreign Policy Council. “Iran appears to be moving increasingly from defense to offense in terms of how it thinks about cyber space.”
Lawmakers raised the concern that Stuxnet marked a fundamental shift in the threat landscape, that with that weapon, cyber warriors had “crossed the Rubicon” to achieve the capability to disrupt critical infrastructure systems such as the electrical grid or databases of electronic medical records. Stuxnet, the fear goes, provided a real demonstration of what had previously been an abstract concern.
“I don’t think it’s a news flash to underscore that we as a country have a lot of work to do on the cyber front,” Cilluffo said, noting Iran’s support for cyber warriors both within the government and through its proxies. “These developments aside, the good news is that if you were to rack and stack the greatest cyber threats … Iran is not at the top.”
Nevertheless, cyber experts continue to press for more concerted efforts on the part of civilian and military agencies to address the threats, urging a higher level of awareness, funding for research and development, and the advancement of cyber weapons that could be used as a deterrent, much as the demonstrations of nuclear weapons during the Cold War illustrated the principle of mutually assured destruction.
“We can’t firewall our way out of this problem,” Cilluffo said. “We need to start thinking about offensive capabilities.”
Kenneth Corbin is a Washington, D.C.-based writer who covers government and regulatory issues for CIO.com.