Cybersecurity front and center in Iran threat hearing

Members of the House Homeland Security Committee quizzed experts about the capabilities of Iran's cyber forces.

by Aleksandar Malivuk shutterstock ID 721814395
 

Cybersecurity was front and center during a House Homeland Security Committee hearing Jan. 15 exploring how Iran might react to the killing of Quds Force General Qassem Soleimani.

Committee Chairman Bennie Thompson (D-Miss.) said he was "particularly interested in understanding how Iran could use its relatively sophisticated cyber capabilities against state and local government and critical infrastructure." He also expressed concern about an observed "uptick" in Iranian influence operations on social media in recent weeks, speculating that such activity will only increase leading up to the 2020 presidential elections.

A number of other members used the hearing to express their concerns about cyber retaliation by Iran over the long term. Representative Xochitl Torres Small (D-N.M.) asked about the impact of Iranian cyberattacks on rural utilities, Rep. Lauren Underwood (D-Ill.) had queries about how hospitals might defend against wiper malware attacks, while Rep. Lou Correa (D-Calif.) pressed the witnesses on the potential for a team up between Iranian and Russian hacking groups.

"As I look at it, I do think [cyber] is one of the greatest threats to our country right now," said Rep. John Katko (R-N.Y.).

Thus far, the only confirmed Iranian response has been kinetic, with operatives launching rockets at U.S. military bases in Iraq days after Soleimani's killing. Still, analysts believe that attack represented the opening salvo in a longer campaign. Within the U.S., most experts believe physical attacks are possible, but unlikely. They say cyberattacks are the greater risk.

"The direct threat to the homeland is if the rhetoric continues and we decide to do something in cyberspace," said retired Lt. Gen. Vincent Stewart. "There are vulnerable areas within our cyber environment, both in the financial and electrical power sector, so if we're not doing everything to harden those positions…we could see activity in cyberspace."

Stewart said Iranian leaders perceive themselves as rational actors and victims of U.S. actions who are "protecting the region and themselves from undue foreign influence." Since it cannot match America's conventional military might, the government relies on a "three-legged stool" of asymmetric warfare: support to proxy groups, influence campaigns and offensive cyber operations.

While their toolkit is not as sophisticated as that of Russia or China, Tehran has slowly built up its offensive and defensive cyber capabilities over the past decade. The government draws from a pool of about 2,000 contractors and other individuals to carry out its cyber operations, as well as Advanced Persistent Threat groups that seek to achieve different strategic goals.

Threat intelligence firms have pointed to industries like the banking and financial sectors as top potential targets, while other critical infrastructure sectors like energy and oil could also see new attacks.

"It's important this committee asks if our bank and credit card companies are ready if Iran tries to hack credit card numbers of millions of Americans," said Tom Warrick, a senior fellow at the Atlantic Council.

While Iranian influence operations are newer are less understood, Stewart said they target a variety of audiences, both to shore up domestic support as well as militant groups, Russia, China and U.S. allies abroad. Tehran has also taken a page out of Russia's playbook, targeting different factions within the U.S. in the hopes of widening political divides.

"That includes building upon the divide between Democrats and Republicans and convincing the American people that we have no interest in the region, that the only thing we can expect from the region is enduring warfare and therefore we should withdraw," said Stewart.

Iranian hackers can target a broad set of users within an industry, relying on simple tactics like social engineering and phishing attacks to gain an initial foothold into networks without using or burning more valuable tools. Warrick said the problem speaks to a nationwide failure of cybersecurity literacy.

"They literally try computer system after computer system until they find somebody who has not updated their software, that does not have antivirus software, that has failed to use two-factor authentication, that has failed to do all of the basic things that really need to be something we start teaching in American schools," said Warrick.

Much of the work protecting U.S. federal and private sector networks falls on the Cybersecurity and Infrastructure Security Agency, and multiple witnesses said they were worried the agency lacks the funding and personnel to effectively respond to a sustained attack.

While a number of lawmakers expressed similar concerns last year and CISA Director Chris Krebs told the same committee that he could use more funding to protect critical infrastructure, the agency did receive a $334 million funding boost in 2020. Thompson said his committee planned to ask for even more next budget cycle "because we're still behind in terms of capacity" and Rep. Elissa Slotkin (D-N.Y.) also called for hearings involving CISA personnel "to tell us how to get to right, since they're not resourced the way they need to be."

Members of Congress are pressing other agencies for their plans as well. On Jan. 14 Sen. Mark Warner (D-Va.) wrote to Secretary of State Mike Pompeo to ask what the State Department was doing to defend information systems at U.S. embassies abroad from potential Iranian cyberattacks.

Referencing past blunders and a 2019 Inspector General report that found a hiring freeze at State has taken a toll on its cybersecurity efforts, Warner asked for details on how department was dispersing its staff, whether its CISO has a direct line of communication to Pompeo, anti-phishing trainings for employees, technical changes to protect against wiper and ransomware attacks and whether the department has corrected information security issues raised in past audits.

Separately, Rep. Frank Pallone (D-N.J.), the chairman of the House Energy & Commerce Committee, and Rep. Mike Doyle (D-Pa.), who heads the Communications and Technology Subcommittee, are seeking a briefing from DHS and the Federal Communications Commission on what steps are being taken to protect the nation's telecommunications infrastructure from Iranian reprisals in cyberspace.

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.