The US attack on Iran that caused the death of Iranian general Qasem Soleimani has led to mounting discussions of war, but for many, it is a battle that looks set to be fought as much on digital lines as physical ones, through cyberattacks on US companies and critical infrastructure.
This is a perception that Tom Kellermann, head cybersecurity strategist at VMware Carbon Black and former cybersecurity commissioner for President Obama, agrees with, and he anticipates significant and at times very serious cyber warfare activity from Iran over the next few weeks.
“Geopolitical tension is manifesting in cyberspace now,” he says.
“For the past three years cyber has been the go-to form of immediate, soft power response to failures in international diplomacy. And what’s concerning to me is that the Iranian cyber capabilities have evolved dramatically over the past two years thanks to technological transfer and assistance from their ally, Russia.”
But this is not simply a matter of attacks that only impact the digital space. Kellermann warns that we are likely to see a rise in cyberattacks that also cause physical, real-world damage, known as kinetic impact.
“We should be very wary of hybrid attacks – attacks that leverage cyber and physical events – or cyberattacks that render kinetic impact that would actually destroy critical infrastructure and/or kill military personnel or civilians, because of the nature of the system that has been corrupted,” he says.
“Whether that’s in transportation, whether that’s energy, whether that’s aviation, it doesn’t matter.”
So what actions can we expect Iran to take against the US over the next few weeks when it comes to cyberattacks? Verdict spoke to Kellermann to find out.
Lucy Ingham: In your opinion, how likely is it that cyberattacks will dominate Iran’s response to the US’ actions?
Tom Kellermann: I think it’s very likely in terms of the impact on US civilians and US critical infrastructure. I don’t think it will be limited to a cyber response.
That being said, the future of warfare, and if there were to be a natural war between Iran and the US, will be dominated by the use of missiles, drones and aviation, all of which can be successfully attacked and manipulated by cyber means. So I think cyber will be the underwriting, underpinning current of conflict.
I do think that this will be prolonged, that the cyberattacks against the US will be prolonged. And they will mimic more of an insurgency than one-off massive attacks due to the nature of which Iranians have successfully burrowed into numerous US critical infrastructures over the past couple of years, specifically in energy, and that backdoor and that footprint on those systems has yet to be fully eliminated.
How would you characterise Iran’s current level of cyber capabilities?
In the grand scheme of things outside of Western powers, the greatest cyber adversary is Russia, followed by China, followed by Iran, followed by North Korea. But Iran and North Korea have directly benefited from their allies, vis-à-vis tech transfer, and they have modelled their kill chains, they have begun to emulate the stratagems used by their allies in their attacks and in the way in which they maintain persistence.
That being said, I also want to pay particular attention to the nature in which Iran was one of the first countries to leverage a destructive cyberattack years ago against Saudi Arabia. And I do think, with the prevalence of destructive malware out there, and the nature in which VMware and Carbon Black data has shown an 11% increase of the use of destructive attacks against corporations in 2019, that we’re going to see an explosion of attacks on the integrity of data and attacks that would manipulate artificial intelligence against its primary mission. Attacks wherein we will see physical manifestations of cyberattacks.
And so, like I said, I don’t think it’s going to be one giant attack. It’s not going to be some massive DDoS. It’s going to be something that is more akin to guerrilla warfare within US critical infrastructures.
How well equipped is the US to respond to these types of attacks?
The US as a whole is not well prepared to deal with this type of attack because of the nature in which the private sector does not allow, typically, US government agencies to come in and help them solve their cyber problems. Because of the lack of an industrial policy in the US, the Department of Homeland Security can’t proactively help harden or protect corporations in the US unless they are invited to do so. This is compounded by the fact that in the US, we’ve taken a very reactive approach to cybersecurity and critical infrastructures with more of a focus on things like resiliency, which have exacerbated the cyberattack surface. And in addition to that, more of a focus on vulnerability assessment than active cyber threat hunting.
I think that hopefully, the silver lining here of this very ominous dark cloud will be that we will see a shift in the culture of cybersecurity in the US to make it a functionality of conducting business, and to really go to a proactive stance where people are actively looking for compromised systems and backdoors and systems on a regular basis through cyber threat hunting.
But I do think, tragically, there will be a handful of events in American cyberspace over the next fortnight that will become historical precedent setters for this changing culture.
What do you think those events are most likely to be?
I do think that the energy sector, financial sector and the Department of Defence will get hammered with attacks. I think they will be able to afford 99% of those attacks, but as in all conflicts, the adversary only has to be right once.
I do think then the US will leverage a proportionate cyber response, but it’s a downward spiral. You’ll see a dramatic escalation of conflict and frankly, you have a martyr situation here. So I think that you’re going to have Shiite loyalists to the regime who live around the world, who have technical capability, leveraging a protracted cyber insurgency against the US.
To what extent do businesses in the US and their allies in other countries need to be worried about preparing for this?
Every CEO of either a Fortune 1000 US business or a business who has partnerships and/or customers in the Pentagon and/or in the energy sector should be extremely concerned, and there should be an immediate meeting convened between the CEO and the chief information security officer, where they should ask the following questions:
One, do we have a cyber threat hunting team and have we conducted a cyber threat hunt across our infrastructure to see if any back doors exist?
Two, do we have visibility on all of our endpoints? All of our machines? All of our devices right now? Do you have visibility? Can you tell me what’s going on on that device right now? My device, my secretary’s device, my general counsel’s device right now?
Three, have we even integrated all of our security controls? Don’t tell me that this is human-dependent still, that we have to have various security controls that are not talking to one another? Because I don’t want to miss anything.
And then four, do we have an incident response firm or a managed security service provider on 24/7 call right now, in case something happens that we can bring them in?
Those are the fundamentals that need to be enacted immediately by all CEOs. And if you feel that you’re not a Fortune 1000 corporation and that you wouldn’t be targeted by Iran because you have security through obscurity, well, just look at your most recent press release on your website where you highlighted the fact that you got a great big defence contract. Or you have this big old partner and customer that has those as well.
You mentioned hybrid attacks. How much do you see that type of attack becoming prevalent over the next few weeks or the next year?
I do think that that’s going to become the theme of 2020. And not just in a military construct in the region. But I do think that groups like Hezbollah, and Hamas who have individuals who are willing to martyr themselves for this martyr, who was next in line to become the leader of Iran, frankly, that they will be willing to leverage cyberattacks before they leverage terrorist attacks or sabotage critical infrastructure.
And the challenge here will always be that, like they’ve done in the past, they’ve done a very effective job of nurturing and organising these militia groups and proxies around the world. And now, as the daughter recently stated, the daughter of the victim, of the martyr, she’s called upon Hezbollah to bring the attacks home to the US. And I don’t think that those will be limited to physical events.
Do you think we are going to see a shift in the way people see cyberattacks, where they see them more in line with terrorist attacks?
I do and I do think that, tragically, what we will experience over the next few weeks will highlight the nature in which cyberattacks can have physical real-world consequences and can leverage kinetic events that could very much result in a loss of life of human beings.
I think we finally reached that point where everyone has to take the red pill – that’s a Matrix reference – in that the physical world and cyber worlds have converged. And in 2020 Pandora’s box will be opened. So here we sit.