The borderless nature of cyberwar puts businesses, municipal governments, utilities, infrastructure, and people on the front lines of potential conflicts in ways that simply were not possible a decade or so ago.
Cyberspace easily crosses national boundaries, creating a post-geographical world in which it becomes trivially easy for small nation states to inflict asymmetric damage on larger nation states by directly attacking their populations and commerce. The more connected a country is, the more vulnerable it is.
As we have written, the diffuse and complex nature of modern software development and software supply chains “precludes proper security and defense in the traditional sense.” Furthermore, these complex systems are most often attacked through their weakest link: people. Phishing emails and malicious email attachments remain the leading methods by which bad actors gain an initial foothold in systems and networks. There are real questions to be asked about whether such highly complex networked systems can ever be truly secure.
The upside of data collection now comes with serious downside risks. The first, of course, is cost, which includes loss of data, downtime and delay of operations, damage to reputation, and more recently international fines, such as those imposed under the E.U.’s GDPR regulatory framework. The U.K.’s Information Commissioner’s Office (ICO) has recently announced its intention to fine Marriott International $123 million over a data breach disclosed in 2018. (See WILTW December 6, 2018.) This was a long-running breach that Marriott inherited when it acquired the Starwood properties in 2016. The ICO is also proposing a $230 million fine against British Airways for its own data breach.
Also, cyberwarfare and cybercrime are not separate and distinct activities. They often overlap and are interconnected. This is not only because state-sponsored intellectual property theft and data theft for espionage can be hard to identify and classify as either one category or the other, but because many malign state actors have ongoing relationships with cyber criminals. These proxy relationships are similar to those between maritime empires and pirates several hundred years ago. Support and safe harbor for cybercriminals means that they can continue to operate and improve their capabilities, so they can be called upon by malign state actors when needed. Use of such proxies also deflects blame and creates plausible deniability.
All of this is particularly troubling for businesses operating in highly connected open democracies, as they can easily find themselves collateral damage in an escalating cyber conflict between the U.S. and Iran, the U.S. and China, the U.S. and Russia, or other nations and the U.S.
While other adversaries are more dangerous, Iran has become a focal point recently, and its example is highly illustrative of the evolving complexity and growing inevitability of international cyber conflict.
In a statement last month, Christopher Krebs, the director of the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), warned of “a recent rise in malicious cyber activity” by Iranian actors against American companies and government agencies. Krebs specifically warned about the possible use of “wiper” attacks, in which malware overwrites or erases the data on computers (often including the boot records needed to start them), rendering them useless rather than merely holding them for ransom.
These concerns are echoed by private cybersecurity firms, including CrowdStrike, Dragos, and FireEye, which have all reported a significant increase in malicious cyber activities from Iran and its proxy actors in recent months. These activities include phishing emails meant to steal credentials in order to penetrate networks for intelligence gathering and battlefield preparation.
As tensions mount between the U.S. and Iran, and as tit-for-tat cyberattacks are traded, this poses a real risk to the IT assets of businesses and, more importantly, to their data and operations.
Writing for The Cipher Brief, recently-retired Deputy Commander of U.S. Cyber Command, Lieutenant General Vincent Stewart, outlined the scenario: Iran will seek to avoid direct conventional force conflict and instead “attempt to impose cost on a global scale, striking at U.S. interests through cyber-operations and targeted terrorism with the intent of expanding the conflict.” Tehran’s hope would be that such cyber pressure causes the international community and the American population to call for restraint on the part of the U.S.
General Stewart concludes, “Private sector leaders should be asking the key questions and dusting off the crisis-management plan. They should assume compromise and ask themselves what actions they will take in the first minute, the first ten minutes, the first sixty minutes.”
Iran began aggressively developing its offensive cyber capabilities after the 2010 Stuxnet attack on its uranium enrichment facility in Natanz. Several high-profile attacks attributed to Iran followed within the next few years:
- From 2011 to 2013, hackers working for Iran targeted dozens of U.S. banks, including Bank of America, JPMorgan, and Citigroup, with distributed-denial-of-service (DDoS) attacks. Although not destructive, these disruptive attacks cost the banks millions of dollars in lost business and remediation, according to a 2016 indictment from a federal grand jury in New York City.
- In 2012, Iran launched destructive “wiper” attacks against Saudi Aramco and Qatar’s RasGas. These attacks used the Shamoon malware to destroy the data on tens of thousands of computers, resulting in significant costs from both the damage itself and the loss of operations.
- In 2014, Iran launched a destructive cyber attack on the Las Vegas Sands Corporation. The attack may have been prompted by Sheldon Adelson’s past statements that the U.S. should use nuclear weapons against Iran. In 2015, CNN noted that such attacks represented a “frightening trend” of governments attacking businesses.
While Iran’s hostile cyber activity against the U.S. appeared to diminish while the Iran nuclear agreement (JCPOA) was in place, its non-destructive surveillance and battlefield-preparation cyber operations most likely continued. Iranian cyber operations have become an ongoing and integrated part of Iran’s multi-domain battlefield operations, alongside proxy groups, terrorist organizations, sleeper cells, sabotage, and maritime harassment.
In addition to increased phishing activity by Iran against a range of businesses and government entities, there are other troubling signs. On July 2, U.S. Cyber Command warned of “active malicious use” of a known, already-patched vulnerability in Microsoft Outlook (CVE-2017-11774, fixed in 2017; the obvious defensive check is to confirm that patch has actually been applied). The cybersecurity firm FireEye notes a history of Iranian threat actors exploiting that vulnerability, specifically the Iranian advanced persistent threat group tracked by FireEye as APT33 and known to others as “Refined Kitten.”
Enter China. In Beijing, on July 5, the information and technology ministers of China and Iran agreed to establish a joint workgroup to address cyber threats and spoke of facing “similar challenges” including U.S. hegemony in cyberspace. Such cooperation can be seen as a continuation of China’s expanding interests throughout the Middle East, including the strategic port city of Gwadar, Pakistan, just 100 km east of the Iranian border. (See section 4.)
In early May, Israel responded to a Hamas cyber attack with an air strike on a building in the Gaza Strip. In late June the U.S. responded to the downing of one of its sophisticated $220 million Global Hawk drones with a cyber attack against Iran. The boundary between cyber and kinetic is becoming increasingly porous, and this increases the chances for miscalculation and escalation. In the new reality of cyberwarfare, businesses now find themselves very much on the front lines. Will this new reality, combined with trade wars and other pressures to deglobalize, further diminish global confidence and trust? It is hard to imagine otherwise.