Iran a more dangerous cyber threat than China or Russia, experts tell Congress
Iran has demonstrated a willingness to attack the United States and the intent to develop a cyber war capability, eclipsing Russia and China as a threat to the nation, a panel of policy and technical experts told House lawmakers.
“Iran appears to be moving from defensive to offensive in the way it thinks about cyberspace,” said Ilan Berman, vice president of the American Foreign Policy Council, in an April 26 hearing before joint subcommittees of the House Homeland Security Committee.
Berman called an Iranian plot to assassinate the Saudi ambassador to the United States, uncovered in October, credible and said it is an example of the country’s willingness to carry out attacks on U.S. soil. He said it would be unreasonable to expect Iran could balk at a cyberattack against U.S. critical infrastructure.
Major cyberattack on US 'inevitable,' experts tell Congress
Iran building a private, isolated Internet, but can it shut out the world?
“Iran is not at the top of the list” of cyber adversaries, said Frank Cilluffo, director of the Homeland Security Policy Institute at George Washington University. Those spots usually are given to Russia and China. “But what it lacks in capability, it makes up for in intent.”
Iran also is investing heavily in developing a cyber war capability, having established an Iranian Cyber Army that has taken credit for attacking the online services of the U.S. Voice of America last year. “Intent and cash will take you a long way,” Cilluffo said.
The joint hearing of the Cybersecurity, Infrastructure Protection, and Security Technologies, and Counterterrorism and Intelligence subcommittees, was called to assess the threat posed by Iran in cyberspace.
In an April 24 hearing before the Homeland Security Committee's Oversight, Investigations and Management Subcommittee, James Lewis, a senior fellow at the Center for Strategic and International Studies, said he was not worried about cyber war with Russia and China, with whom the United States has stable diplomatic relationships. “They aren’t going to start a war just for fun. I don’t know if we can say that for Iran and North Korea,” Lewis said.
Recent digital attacks against Iran, including the Stuxnet worm that damaged equipment in a nuclear development facility and more recent malware attacks to oil pipelines, have demonstrated to the Iranians the West’s willingness to carry out attacks against them. This could motivate the country to respond in kind, said Rep. Dan Lungren (R-Calif.), chairman of the Cybersecurity, Infrastructure Protection, and Security Technologies Subcommittee.
Responsibility for the attacks against Iran has not been established.
“I’m happy the Stuxnet virus was used by somebody who was friendly” to the United States, Lungren said.
But Stuxnet could prove to be a double-edged sword, said New York Democratic Rep. Yvette Clarke. Iranians have the opportunity to reverse-engineer the sophisticated worm and use it as a weapon themselves.
The ability to reverse-engineer malware for their own use is not a given, said cyber consultant Roger Caslow of Suss Consulting. But the ability to collaborate internationally could magnify threats, and Iran should be taken seriously, he said.
The witnesses said the U.S. cybersecurity posture has been long on talk and short on action. Caslow called for explicit cybersecurity policies and requirements for both government and the private sector that leave no room for interpretation, and he warned against letting the quest for absolute security interfere with the job of establishing adequate security.
“We must first secure the basics,” he said. Most breaches of IT systems and networks exploit known vulnerabilities that can be corrected or defended against, he said. Cleaning those up would deny our enemies access to the weakest links and significantly raise the bar for a serious attack against this country, he said.
Cilluffo agreed with the need for better defense but said the United States must also improve its offensive capabilities, demonstrating the ability to respond in kind to cyberattacks to create a deterrent.
“We need to demonstrate capabilities; we need to be visible,” he said.