Why the Military Can’t Go After Iran for Hacking Your Dam


Seven Iranians have been charged with cyber crimes in a case that reveals the limits of U.S. power.

On Thursday, the Justice Department unsealed an indictment against Hamid Firoozi, a man affiliated with an Iranian company with ties to the Iranian government, for infrastructure hacking and other cybercrimes. Firoozi is accused of breaching the control system of a dam in Rye, New York. On multiple occasions, he obtained access to the dam’s supervisory control and data acquisition, or SCADA, system, which would have allowed him to open the sluice gate had the gate not been manually disconnected from the network for maintenance. The indictment does not say whether the Justice Department believes the intrusion was simple reconnaissance or, more darkly, part of a cyber-physical attack that did not go off as planned.

That ambiguity is common in cases involving hacks by groups connected to states like Iran. Figuring out who ordered the probe, and what the attack’s actual objective was, would be key to any military response. Here’s why not to expect one.

First, some background: Iran has experience on the receiving end of infrastructure hacking. In 2010, it became the victim of the first publicly known cyber-physical attack: the infamous Stuxnet worm, which caused a series of centrifuge malfunctions at Iran’s uranium enrichment site at Natanz. A good amount of evidence points to the United States and Israel as the culprits.

Iran responded in 2012 with a similarly unprecedented attack on the networks of Saudi oil giant Aramco, wiping the data from some 35,000 computers and causing enormous disruption across the oil sector. Still, the attackers did not manipulate dangerous physical equipment directly via remote access.

The ability to penetrate a SCADA system represents not so much a leap in capability as a willingness to exploit known vulnerabilities.

“An entity can purchase all the security products in the world and acquire the best staff available, but if the network has gaping holes in the perimeter, or DMZ machines have unfettered access to the secure side of the network, it is only a matter of time before an attack succeeds. A network needs to first be a defendable position with clearly defined borders on which layers of security are built. It is imperative that companies examine their networks from the outside to see what is exposed and what ‘windows’ are left open,” said Lamar Bailey, Senior Director of Security R&D for Tripwire, in an email to Defense One.

“Utility infrastructure entities have become prime targets for hacktivists and terrorists, so administrators must be even more diligent in securing these locations. They are softer targets due to the antiquated, insecure nature of how internal systems communicate, so once the outer shell is broken it can be trivial to cause havoc within the network,” he said.

For utility companies, there is at least one simple lesson from the attempt on the dam at Rye: the operator was lucky, because the gate happened to be offline for maintenance during the intrusions. If you cannot take a few steps to better secure your SCADA systems, at the very least do not hook your sluice gate up to your outside network.
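To make the two failure modes above concrete (a control device reachable from the outside network, and a DMZ with unfettered access to the secure side), here is an added example, not code from the article or from Tripwire: a small Python audit of a zone-based firewall policy. The zone names (EXTERNAL, DMZ, CONTROL), the rules, the “weak” and “hardened” policies and the DMZ allowlist are all constructed assumptions; the port numbers are the real registered ports for the named ICS protocols. It evaluates rules first-match with an implicit final deny and reports which probe ports are reachable across each border, which is the same question an outside scan of the perimeter answers.

```python
"""Zone-based firewall policy audit for an ICS/SCADA network.

Constructed example: zones, rules and the allowlist are assumptions, not any
real plant's configuration. Rules are evaluated first-match with an implicit
final deny, the way most stateful firewalls behave.
"""
from dataclasses import dataclass

# Well-known ICS protocol ports used as probe targets. The numbers are real
# registered ports; which ones matter at a given site is site-specific.
ICS_PORTS = {
    102: "S7comm (ISO-TSAP)",
    502: "Modbus/TCP",
    4840: "OPC UA",
    20000: "DNP3",
    44818: "EtherNet/IP",
}
# Non-ICS remote-access ports worth probing as well (SSH, HTTPS, RDP).
PROBE_PORTS = sorted(set(ICS_PORTS) | {22, 443, 3389})


@dataclass(frozen=True)
class Rule:
    """One zone-to-zone rule. An empty port set means 'any port'."""
    src_zone: str
    dst_zone: str
    action: str                        # "allow" or "deny"
    ports: frozenset = frozenset()


def permitted(rules, src_zone, dst_zone, port):
    """First-match evaluation; no matching rule means deny."""
    for r in rules:
        if r.src_zone == src_zone and r.dst_zone == dst_zone:
            if not r.ports or port in r.ports:
                return r.action == "allow"
    return False


def exposed_ports(rules, src_zone, dst_zone):
    """Probe ports on which dst_zone is reachable from src_zone: what an
    outside scan of that border would see."""
    return [p for p in PROBE_PORTS if permitted(rules, src_zone, dst_zone, p)]


def describe(port):
    return f"{port}/{ICS_PORTS.get(port, 'non-ICS')}"


def audit(rules, allowed_dmz_to_control=frozenset()):
    """Return (severity, path, ports) findings for paths into or out of CONTROL."""
    findings = []
    ext = exposed_ports(rules, "EXTERNAL", "CONTROL")
    if ext:
        findings.append(("CRITICAL", "EXTERNAL->CONTROL", ext))
    dmz = [p for p in exposed_ports(rules, "DMZ", "CONTROL")
           if p not in allowed_dmz_to_control]
    if dmz:
        findings.append(("HIGH", "DMZ->CONTROL beyond allowlist", dmz))
    out = exposed_ports(rules, "CONTROL", "EXTERNAL")
    if out:
        findings.append(("MEDIUM", "CONTROL->EXTERNAL outbound", out))
    return findings


# Constructed policies. WEAK mirrors the two failure modes in the text: the
# gate's controller reachable from the outside network, and a DMZ with
# unfettered access to the secure side.
WEAK_POLICY = [
    Rule("EXTERNAL", "DMZ", "allow", frozenset({443})),
    Rule("EXTERNAL", "CONTROL", "allow"),   # sluice-gate controller on the outside network
    Rule("DMZ", "CONTROL", "allow"),        # DMZ -> control on any port
]

# HARDENED: nothing from outside reaches CONTROL; the DMZ historian may poll
# OPC UA only; everything else is explicitly denied ahead of the implicit deny.
HARDENED_POLICY = [
    Rule("EXTERNAL", "DMZ", "allow", frozenset({443})),
    Rule("EXTERNAL", "CONTROL", "deny"),
    Rule("DMZ", "CONTROL", "allow", frozenset({4840})),
    Rule("DMZ", "CONTROL", "deny"),
]
DMZ_ALLOWLIST = frozenset({4840})  # assumed: only OPC UA from the DMZ historian


def report(name, rules):
    findings = audit(rules, DMZ_ALLOWLIST)
    print(f"== {name}: {len(findings)} finding(s)")
    for sev, path, ports in findings:
        print(f"  {sev:8} {path}: " + ", ".join(describe(p) for p in ports))


if __name__ == "__main__":
    report("weak", WEAK_POLICY)
    report("hardened", HARDENED_POLICY)
```

Against the weak policy the audit reports a CRITICAL path from EXTERNAL into CONTROL on every probe port and a HIGH finding for the DMZ on everything but the allowlisted OPC UA port; against the hardened policy it reports nothing. Only the allowlisted port is tested as reachable from the DMZ, and nothing outbound from CONTROL is permitted, which is the property Bailey’s “defendable position with clearly defined borders” describes.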

In all, seven Iranians were named in the indictment, most of which concerns not-particularly-threatening distributed-denial-of-service attacks against financial firms; essentially, temporarily knocking public-facing bank websites offline.

But the indictment also shows that U.S. cyber security and deterrence policy must catch up to the sorts of threats the country actually faces. A criminal charge against individuals seems an insufficient deterrent against hostile, possibly deadly, information-based attacks from adversarial nation-states. Where are the big guns?

Adm. Michael Rogers, the head of U.S. Cyber Command, has said that any U.S. government retaliation against a nation-state or other entity for a major information-based attack would comport with the laws of armed conflict and be “proportional.” So, in principle, the United States is prepared to retaliate for dam hacking. But it is not that simple. The difference between a possible act of war and a simple hack lies in how much evidence there is linking Firoozi not just to Iranian leadership but to a specific order.

Firoozi and his co-defendants worked for two Iran-based companies, ITSecTeam (ITSEC) and the Mersad Company (MERSAD). The Justice Department alleges that those companies performed work on behalf of Iran’s Islamic Revolutionary Guard Corps. That is a somewhat stronger link than exists between many pro-Russian hacker groups and the Kremlin, but, on its face, it is not yet enough to call the hack a state-sponsored act of terror, or even state-directed reconnaissance, at least not by the standards the Pentagon currently uses.

The Justice Department’s evidence tying the hack to the Iranian state is thin, at least as spelled out in the indictment, which says only: “Mersad was founded in or about early 2011 by members of Iran-based computer hacking groups Sun Army and Ashiyane Digital Security Team (‘ADST’) … Sun Army and ADST have publicly claimed responsibility for performing network attacks on computer servers of the United States Government, and ADST has publicly claimed to perform computer hacking work on behalf of Iran.”

At a Senate Armed Services Committee hearing in September, committee chairman Sen. John McCain, R-Ariz., wondered what sort of repercussions await state actors who perpetrate big cyber attacks. The specific context was China’s (somehow, still) alleged involvement in the OPM hack.

Deputy Defense Secretary Robert Work discussed the attribution problem from the perspective of the military. “First, you have to identify the geographic location of where the attack [originated]. Then you have to identify the actor. Then you have to identify whether the government of that geographic space was in control” of that action.

The response could not have been more frustrating for McCain, who responded, “We have identified the PLA [People’s Liberation Army], the building in which they operate.”

Many in Washington simply accept that China was behind the OPM hack. But in terms of justifying a military response, the evidence remains too circumstantial. The threshold of proof is higher for the military to launch an information-based retaliation than for the Justice Department to issue an indictment.

Even in instances where a hacker who is aligned with a glorified Iranian defense contractor is caught red-handed doing reconnaissance on an American dam, the United States has few options other than an indictment.

The first Justice Department indictment of foreign state employees for information-based crimes came in 2014, when five Chinese army officers were charged with data theft.

The indictments went nowhere.
