Confronting Iran as a Cyber-Adversary
Is Stuxnet-Type Reaction Too Harsh for DDoS Attacks?
If Iran is behind distributed-denial-of-service attacks targeting American banks, should the United States retaliate aggressively with a Stuxnet-like response? (See "Who's Really Behind DDoS?")
Jason Healey, director of the Cyber Statecraft Initiative at the think tank Atlantic Council, appreciates why some people believe such a forceful response would be justified. "Iran is so dangerous that covert steps like Stuxnet are completely worth it to delay one of the worst regimes in the world from getting the more awful weapons," Healey says in an interview with Information Security Media Group (see transcript below).
But Healey expresses concern that overreacting to Iranian DDoS attacks with Stuxnet-like assaults could unnecessarily escalate a cyberconflict.
"Glass infrastructure shouldn't throw stones," Healey says. "Cyberspace is still relatively new. It might turn out that cyberspace is far more sensitive to nation-state conflicts than we know today."
If the United States makes Stuxnet-type attacks the acceptable norm, he says, "we could see a tremendous increase in these kinds of attacks."
The United States and Israel in 2010 implanted the computer worm called Stuxnet, which disabled centrifuges used to enrich uranium intended for Iran's nuclear weapons program.
In the interview, Healey:
- Discusses whether Iran's moderate new president could curb the more radical Islamic Revolutionary Guard in regards to cyber-attacks;
- Analyzes the justification for nations to use malware such as Stuxnet against their adversaries; and
- Explains the differences between first, second and third-tier cyberpowers.
Healey edited the first-ever history of cyberconflict, "A Fierce Domain: Cyber Conflict, 1986 to 2012," and co-authored the book "Cybersecurity Policy Guidebook." As director for cyber-infrastructure protection at the White House from 2003 to 2005, he coordinated efforts to secure American cyberspace and critical infrastructure.
Assessing Cyberpowers
ERIC CHABROW: You characterized Iran as a third-tier cyberpower. What's the difference between a first-tier, second-tier and third-tier cyberpower?
JASON HEALEY: It's an interesting distinction because we're stuck with this myth that any two kids in their basement can take down the Internet. A lot of people even resist thinking about first-tier, second-tier and third-tier. When we were talking to other experts about this, the U.S., China and Russia were in the first-tier, meaning that they could gain access to just about any system they need, not just using the Internet but industrial control systems, having spies go in and do a black bag job to gain access to it and to help gain electric access to it later. We don't see that Iran can do much of that.
Moreover, [most] countries could not just take something down, but keep it down over time, like the United States appears to have done with Stuxnet. But compare that with ... Shamoon, the attack against Saudi Aramco that seemed to have taken down 30,000 computers. Yes, Iran was able to take them down, but they weren't able to keep them down, and the Saudis were able to bring their computers back up with no loss to oil production. If that was the Iranians' goal, they failed in that goal. We don't think a third-tier power would have necessarily failed.
CHABROW: Are the Iranians the equivalent of a neighborhood thug?
HEALEY: Iran certainly seems to be a regional cyberpower, but we don't see them to be a world cyberpower in this. To me, Iran and North Korea ... [are] probably not irrational, but they're going to be doing unexpected things that are outside of the norm of normal national security conflicts between nations. Usually, you can predict when China is going to strike out, or Russia is going to strike out, or the United States is going to strike out, because it fits in part of an existing conflict. North Korea and Iran, because they're always at conflict with their neighbor, it's much more difficult to predict when they're going to do something.
Iran as a Cyberthreat
CHABROW: How worried should American businesses or the American government be about cyberthreats originating in Iran?
HEALEY: U.S. companies and government should be appropriately cautious. Iran is a third-tier power. We haven't seen that they have the capability to really bring down the American infrastructure. Even DDoS against the banks - yes, they're a hassle and they might affect us around the margins; but let's face it, the banks' profits have been in the billions these last few quarters, so obviously the [DDoS attacks are] not that bad.
Where we really worry about Iran is in a couple of different things. One, they might just get lucky ... they might just actually be able to strike out and do some damage. Second is things are so politicized, our relationships with Iran right now, that if they were to build up another large campaign, the U.S. and Israel are so tightly wound on Iran right now it might be considered much more escalatory than the actual damage they caused, and you might see a very strong reaction from Israel or from the United States, but it's actually out of scale with what the Iranians actually did to us.
CHABROW: Was Stuxnet out of scale?
HEALEY: It's a great question. Stuxnet was against these Iranian control systems that were controlling the Iranians' centrifuges. It was centrifuge subterfuge, I guess. In the U.S. and Israel, there's a sense that it was not out of scale. If there are other programs out there that seemed to have been killing Iranian nuclear scientists, to the covert operations community, Stuxnet would seem a small step for covert actions. I think for cyberconflict, Stuxnet was a giant leap because it was the first attack that was really going against industrial control systems. In one sense, I don't think Stuxnet was that big, because it was in line with the tit-for-tat that has been going back and forth covertly between Iran and Israel and the U.S. It certainly was a big step for cyberconflict.
Iran's Growing Power
CHABROW: You don't see any evidence yet that Iran's going to be a greater threat - that they're going to be able to move up to that first-tier anytime soon?
HEALEY: Some of the people that we had talked with ... particularly Dmitri Alperovitch of CrowdStrike, who first put them in the third-tier category, are starting to see them work up. There's starting to be more of a concern, especially in the way that Iran uses proxies both for groups like the non-states that have been going after the banks. ... There's a lot more concern that they might be able to get more physical access to groups so that they could get more non-states involved into their cause. Dmitri and others feel the times when we could consider them third-tier are starting to be in the rear-view mirror.
CHABROW: Who's behind the cyberthreats emanating from Iran? Is it the government, which now has a supposedly more moderate new president? Is it the Islamic Revolutionary Guard or others?
HEALEY: We're certainly hopeful that with the new president of Iran we will start seeing a migration of the conflict away from cyber. There are reasons to be hopeful for that, because at the end of the day we do believe it's the Revolutionary Guards in particular that have their finger on the trigger and, of course, the new president doesn't have direct access to the Revolutionary Guards. There are reasons to be hopeful and we're going to be continuing to watch for those signs.
Avoiding Tit-for-Tat Responses
CHABROW: Should Israel and the United States avoid Stuxnet-type attacks against Iran in the near future? If I heard what you said earlier, it sounds like it would be maybe counter-productive? It would just be the tit-for-tat response?
HEALEY: Yes. I completely understand the point of view in Washington D.C., Jerusalem and other places that says, "Iran is so dangerous that covert steps like Stuxnet are completely worth it to delay one of the worst regimes in the world from getting the more awful weapons." That certainly has logic to it.
For two reasons, I believe actions like Stuxnet are not in the long-term United States interest. The very direct one is countries with glass infrastructure shouldn't throw stones. We have now made it OK. We have now taught the world that this is both acceptable and possible, and neither side of that is in the direct U.S. interest. Cyberspace is still relatively new and its future is a jump ball. It might turn out that cyberspace is far more sensitive to nation-state conflicts than we know today. And if the U.S. has made this an acceptable norm to go out and attack other countries' infrastructures, we could see a tremendous increase in these kinds of attacks.
Most of the people that listen to your podcast know that it's always been easier to attack than to defend in cyberspace, but it doesn't have to be that way. If nations are going out and attacking each other like Stuxnet, it might be that attack isn't just easier, it becomes way easier. The job for us defenders is going to be significantly worse than it is today. It's just possible that we could make defense better than offense and that the defenders are on the high ground. I think actions like Stuxnet that are so against America's stated strategy in cyberspace make that much less likely.