Cybersecurity front and center in Iran threat hearing

Cybersecurity was front and center during a House Homeland Security Committee hearing Jan. 15 exploring how Iran might react to the killing of Quds Force General Qassem Soleimani.

Committee Chairman Bennie Thompson (D-Miss.) said he was "particularly interested in understanding how Iran could use its relatively sophisticated cyber capabilities against state and local government and critical infrastructure." He also expressed concern about an observed "uptick" in Iranian influence operations on social media in recent weeks, speculating that such activity will only increase leading up to the 2020 presidential elections.

A number of other members used the hearing to express their concerns about cyber retaliation by Iran over the long term. Representative Xochitl Torres Small (D-N.M.) asked about the impact of Iranian cyberattacks on rural utilities, Rep. Lauren Underwood (D-Ill.) had queries about how hospitals might defend against wiper malware attacks, while Rep. Lou Correa (D-Calif.) pressed the witnesses on the potential for a team up between Iranian and Russian hacking groups.

"As I look at it, I do think [cyber] is one of the greatest threats to our country right now," said Rep. John Katko (R-N.Y.).

Thus far, the only confirmed Iranian response has been kinetic, with operatives launching rockets at U.S. military bases in Iraq days after Soleimani's killing. Still, analysts believe that attack represented the opening salvo in a longer campaign. Within the U.S., most experts believe physical attacks are possible, but unlikely. They say cyberattacks are the greater risk.

"The direct threat to the homeland is if the rhetoric continues and we decide to do something in cyberspace," said retired Lt. Gen. Vincent Stewart. "There are vulnerable areas within our cyber environment, both in the financial and electrical power sector, so if we're not doing everything to harden those positions…we could see activity in cyberspace."

Stewart said Iranian leaders perceive themselves as rational actors and victims of U.S. actions who are "protecting the region and themselves from undue foreign influence." Since it cannot match America's conventional military might, the government relies on a "three-legged stool" of asymmetric warfare: support to proxy groups, influence campaigns and offensive cyber operations.

While their toolkit is not as sophisticated as that of Russia or China, Tehran has slowly built up its offensive and defensive cyber capabilities over the past decade. The government draws from a pool of about 2,000 contractors and other individuals to carry out its cyber operations, as well as Advanced Persistent Threat groups that seek to achieve different strategic goals.

Threat intelligence firms have pointed to industries like the banking and financial sectors as top potential targets, while other critical infrastructure sectors like energy and oil could also see new attacks.

"It's important this committee asks if our bank and credit card companies are ready if Iran tries to hack credit card numbers of millions of Americans," said Tom Warrick, a senior fellow at the Atlantic Council.

While Iranian influence operations are newer are less understood, Stewart said they target a variety of audiences, both to shore up domestic support as well as militant groups, Russia, China and U.S. allies abroad. Tehran has also taken a page out of Russia's playbook, targeting different factions within the U.S. in the hopes of widening political divides.

"That includes building upon the divide between Democrats and Republicans and convincing the American people that we have no interest in the region, that the only thing we can expect from the region is enduring warfare and therefore we should withdraw," said Stewart.

Iranian hackers can target a broad set of users within an industry, relying on simple tactics like social engineering and phishing attacks to gain an initial foothold into networks without using or burning more valuable tools. Warrick said the problem speaks to a nationwide failure of cybersecurity literacy.

"They literally try computer system after computer system until they find somebody who has not updated their software, that does not have antivirus software, that has failed to use two-factor authentication, that has failed to do all of the basic things that really need to be something we start teaching in American schools," said Warrick.

Much of the work protecting U.S. federal and private sector networks falls on the Cybersecurity and Infrastructure Security Agency, and multiple witnesses said they were worried the agency lacks the funding and personnel to effectively respond to a sustained attack.

While a number of lawmakers expressed similar concerns last year and CISA Director Chris Krebs told the same committee that he could use more funding to protect critical infrastructure, the agency did receive a $334 million funding boost in 2020. Thompson said his committee planned to ask for even more next budget cycle "because we're still behind in terms of capacity" and Rep. Elissa Slotkin (D-N.Y.) also called for hearings involving CISA personnel "to tell us how to get to right, since they're not resourced the way they need to be."

Members of Congress are pressing other agencies for their plans as well. On Jan. 14 Sen. Mark Warner (D-Va.) wrote to Secretary of State Mike Pompeo to ask what the State Department was doing to defend information systems at U.S. embassies abroad from potential Iranian cyberattacks.

Referencing past blunders and a 2019 Inspector General report that found a hiring freeze at State has taken a toll on its cybersecurity efforts, Warner asked for details on how department was dispersing its staff, whether its CISO has a direct line of communication to Pompeo, anti-phishing trainings for employees, technical changes to protect against wiper and ransomware attacks and whether the department has corrected information security issues raised in past audits.

Separately, Rep. Frank Pallone (D-N.J.), the chairman of the House Energy & Commerce Committee, and Rep. Mike Doyle (D-Pa.), who heads the Communications and Technology Subcommittee, are seeking a briefing from DHS and the Federal Communications Commission on what steps are being taken to protect the nation's telecommunications infrastructure from Iranian reprisals in cyberspace.