What Iran Can – And Won’t – Do In A Cyberwar

A crippling cyberwar with Iran looms, but maybe not. In an interview with Karen Webster, Samuel S. Visner, director of the National Cybersecurity Federally Funded Research and Development Center (FFRDC), separates fact from fiction as to what Iran can — and won’t — do when it comes to a tech-based response to the killing of a top general. Planes won’t fall out of the sky, and the lights won’t go dark.  However, one thing’s crystal clear: It’s time for U.S. firms to examine where they’re most likely to get hit.

In the coming cyberwar with Iran, the U.S. may get hit hard. Planes may fall out of the sky, the financial system may be crippled, the energy grid may go dark — actually, it’s likely that none of this will come to pass.

Amid the headlines speculating how, when and why Iran may respond to the killing last week of a top general, Qassem Soleimani, Director Samuel S. Visner of the National Cybersecurity Federally Funded Research and Development Center (FFRDC) — managed by nonprofit MITRE — said it’s important to put the cyberthreats, and Iran’s willingness to deploy them, in context.

“As a spoiler alert, as they say online, I do not think we are facing a catastrophic situation,” he told Karen Webster in a PYMNTS interview.

There is no need, then, to go out and stock up on canned goods at the local market. However, examining Iran’s intentions and cyber capabilities, as well as the U.S.’ vulnerabilities, offers a bit of roadmap across some familiar terrain.

What Iran Wants

Iran’s options and goals on the geopolitical stage (without taking a deep dive into specific policy issues) should be examined against the backdrop that Iran — like, any number of countries, said Visner — is seeking greater regional influence, and greater international respect and leverage. It’s also important to realize that, inside the country itself, the people making decisions — i.e., the people at the very top — are highly rational.

As Visner said, “They believe they know what they are doing, and they believe they know what capabilities they have. … In any response to the United States, or anyone else, they will certainly want to be highly calibrated,” even as they seek the element of surprise.

If the Iranians do opt to conduct operations (cyber or otherwise), he added, it will partly be to show that the nation is not powerless, and that they are in control of their capabilities and proxies. All this will help to avoid sparking what Visner termed an unfortunate escalation of events, especially with the U.S.

In a match-up with the U.S., after all, Iran is less powerful on all fronts, but will seek to display at least some asymmetrical capabilities. Taking down planes through remote means (likely beyond Iran’s technological capabilities, as estimated by Visner), or causing significant loss of life, along with crippling infrastructure, would be tantamount to acts of war, he said.

“Whatever Iran does,” said Visner, “they don’t want this to be out of control. They are careful. Even if they appear provocative, they are not idiots.”

What Iran Might Do

Iran may not be a cyber-superpower, but it’s fairly well-equipped to do at least some damage in a cyberwar, according to Visner.

Consider one example of asymmetrical ability, evident in the so-called Shamoon attack of 2012. At the time, Iran deployed a cyberattack that wiped data from tens of thousands of Saudi Aramco computers — reportedly replicating some techniques of the Stuxnet attack, uncovered in 2010, which had targeted Iran’s nuclear program.

The Iranians, said Visner, are adept at social engineering, phishing and exploits that seek to take advantage of known vulnerabilities. All this points to the fact that as Iran considers calibrated, significant, cyber-based responses to the Soleimani killing, we in the U.S. are not completely in the dark when it comes to cyber risk.

Visner noted that the U.S. has done a better job in recent years of identifying vulnerabilities, and creating mitigations to those same vulnerabilities, but it has simply been less effective at embracing those defenses on a wide scale.

Addressing The Vulnerabilities

As a result, there’s an overall lack of preparedness in the U.S. for a cyberwar, said Visner, as Iran might mull attempts to take down part of a payment system, attack infrastructure or wipe data off computers. Simply put, many western firms do not yet have the cybersecurity controls in place that they should ordinarily have.

Some familiar cyberthreats still loom as surprisingly effective weapons, even going into 2020.

“Phishing and spear phishing continue to be problems,” he told Webster, adding that “organizations continue to demonstrate [that] they are vulnerable. The targeting and messaging associated with phishing is incredibly sophisticated.”

Another vulnerability comes through third-party providers, noted Visner, particularly for state and county government agencies — where such providers are integral components of everyday IT operations, due to the pursuit of cost efficiencies. Those providers may not have adequate cybersecurity controls in place, he said.

Poor patching has always been a problem, too, Visner explained, who added that some firms just don’t have processes set up to make sure that IT updates occur regularly, or that dual-factor authentication is in use.

There’s also the potential for “false flag” operations, he said. In this case, other nations can test their own cyberattacks on the U.S., cloaked well enough so that the U.S. blames it all on the Iranians — with perhaps disastrous consequences for the U.S. and Iran (there’s that threat of escalation, again).

In the end, there is a silver lining amid all the dire cyberwar warnings and geopolitical saber-rattling. As Visner advised executives, “Use this as an opportunity to stimulate your organization to get its act together, and not allow itself to be vulnerable to organizations with sophisticated, and even unsophisticated, cyber exploits.”