There are hundreds of congressional hearings on cyber threats; I chose this one because Iran has powerful motivation to retaliate against the US (and Israel) for Stuxnet, the financial sanctions, the British and United States' ruthless exploitation of their oil resources, and many other reasons that go back for nearly a century.
Joint Hearing before the Subcommittee on Counterterrorism and Intelligence and the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies of the Committee on Homeland Security, House of Representatives, 112th Congress, 2nd Session, April 26, 2012
Some excerpts from this 52-page document:
The threat of cyber warfare may be relatively new, but it is not small. Iran has reportedly invested over $1 billion in developing their cyber capabilities, and it appears they may have already carried out attacks against organizations like the BBC, and Voice of America. There have been reports that Iran may have even attempted to breach the private networks of a major Israeli financial institution. Iran is very publicly testing its cyber capabilities in the region, and in time, will expand its reach.
Stuxnet may be proof of Iran’s vulnerability and the effectiveness of other nation’s state cyber arsenals. However, it would also be possible for Iran to gain some knowledge of creating a Stuxnet-like virus from analyzing its network effects. This leads to fear of reverse engineering leading to a capability of the types of cyber attacks on U.S. critical infrastructure that could rise to the level of a National security crisis. We must be prepared for such rogue actions and be prepared on the National defense level, as well as protecting our critical business operations, vital infrastructure functions, and frankly, our daily lives.
Law enforcement officials have also observed a striking convergence of crime and terrorism, a trend highlighted, I might note earlier this week by Defense Secretary Panetta, and further reinforced by SOUTHCOM Commander General Fraser. Hezbollah’s nexus with criminal activity is greater than that of any other known terrorist group. These links, including with gangs and cartels, generate new possibilities for outsourcing, and new networks that can facilitate terrorist travel, logistics, recruitment, and operations, and I might note, including cyber.
The good news is that if you were to rack and stack the greatest cyber threats in nations, Iran is not at the top of the list. Russia, PRC, and others are. The bad news is what they lack in capability, they make up for in intent, and are not as constrained as other countries may be from engaging in cyber attacks or computer network attacks. Given Iran’s history to employ proxies for terrorist purposes, there is little, if any, reason to think that Iran would hesitate to engage proxies to conduct cyber attacks against perceived adversaries.
Cyber basically levels the playing field. It provides asymmetry that can give small groups disproportionate impact and consequence. Whereas they may not have the capability, they can rent or buy that capability. There is a cyber arms bazaar on the internet. Intent and cash can take you a long way, and that is what I think we need to be thinking about.
Last summer a hard-liner Iranian newspaper affiliated with the Revolutionary Guard warned the United States that America no longer has the “exclusive capability in cyber space and it has underestimated the Islamic Republic,” and now needs to worry about “an unknown player somewhere in the world attacking a section of its critical infrastructure.”
Anonymity, who is behind that clickety-clack of the keyboard breaking into your system? Are you dealing with a pimply kid, or are you dealing with a foreign intelligence service, an organized crime, an economic competitor? You simply don’t know much of the time at the breach itself. So attribution, while we are making progress, smoking guns are hard to find in the counterterrorism environment; smoking keyboards are that much more difficult. I would also note that cyber space is made, I mean, it is made for plausible deniability. [This was in the context of how would we know it was Iran vs China vs Russia].
I am concerned about the Russias and the Chinas is we have seen a sophistication level that is very high. But they are in the business right now of computer network exploits to steal secrets. If their intent changes, they could just flip the switch and it becomes an attack tool. I might note that what we have seen that I think is most concerning is we have seen adversaries map critical infrastructures. I don’t see what that intent could be other than to potentially use in a time of crisis. It is just that they haven’t flipped the switch. Right now it is obtaining information, but they haven’t turned it in a proactive sense into delivering some kind of an attack.
Mr. LUNGREN. When we talk about asymmetric warfare it is interesting because one way of looking at it is that the small less powerful guy who has an opportunity to do harm to a stronger adversary for less capital investment and manpower, et cetera. It seems to me we ought to look at asymmetric warfare in the terms of the war on terror; that is, asymmetric warfare with the purpose of doing what? Not just destroying property but causing psychological damage to the adversary.
So when we talk about critical infrastructure, one of the things that comes to mind with me is our health system is a critical infrastructure. If I were to attack the United States one of the things that would be very effective in an asymmetric way would be to attack the health system. If you could invade the information systems of several health systems of the United States such that no one could depend on the accuracy of the information, such as someone lying on a surgical table and getting the wrong blood type, etc. If you did that in a series of attacks, you wouldn’t have to be successful with too many of them to cause a psychological damage to the United States.
CILLUFFO: One of the biggest missing elements of our strategy is we don’t have a cyber deterrent strategy. We need to clearly articulate one, we need to identify bright red lines in the sand or maybe in the silicon more apt and we need to identify what is unacceptable. Oh, by the way, we can’t firewall our way out of this problem.
CASLOW: If Iran were to target a hospital and take down the nearby electric grid and attack the water system, i.e. parts per million of chlorine goes up down but no one knows because the read-outs are fine — all of a sudden we have hundreds of thousands of people sick from an area where we have troops deployed overseas. The ultimate end-game here is not to make those people sick. The ultimate end-game is to terrorize our troops overseas so that our Marines who are deployed in combat zones can no longer do their mission because they are worried about their children, their wives, their grandmothers, whatever, who are now ill back on the home front because they are communicating with them and now they know they are sick.
CASLOW: The data flows, the internet can go everywhere. I can still go to a dark reading room on the internet and download any number of very bad, nasty little critters that are out there and then use those same critters to attack a network or system. I can buy those capabilities, I can download some of them for free.