Increased tensions between the U.S. and Iran last month kept agencies on high alert over the threat of an Iranian cyber-attack. But even as those tensions cool, cybersecurity officials have warned agencies to remain vigilant.
David Springer, a former counterterrorism planner and intelligence officer at the Defense Intelligence Agency, now an associate at the law firm Bracewell, said agencies will remain in a heightened state of cyber awareness for the weeks and months to come.
“Iran is a persistent threat and will continue to be a persistent threat in this space. There are obviously other high-end threats out there, and a lot of the same steps agencies can take against those other threats also are helpful in defending against malicious Iranian activity,” Springer said in an interview last month. “I don’t think this is, by any means, going away from the front of people’s minds.”
As far as the “very real and enduring threat” that Iran poses, Springer said agencies and the private sector should remain vigilant against mid-to-low level attacks that would deny access to systems for a limited period of time, steal valuable data or deface public-facing websites.
Iran also remains capable of standalone disinformation campaigns that can promote misleading information online, or “hybrid” attacks that combine disinformation with a cyber-attack to create increased confusion.
“When you talk about hybrid use of cyber, there certainly is a concern that you can have a mixed cyber and physical real-world attack, where a threat actor can use cyber to either amplify the effect of some real-world terrorist or military action or create conditions that allow that real-world physical attack to take place,” Springer said. “I think those are both issues that agencies have been aware of for a while and will continue to be very vigilant about.”
Making 2020 the ‘year of vulnerability management’
The looming threat of a cyber-attack from Iran prompted the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency to issue a memo last month warning that Iran and its proxies “have a history of leveraging cyber and physical tactics to pursue national interests, both regionally and here in the United States.”
While that memo brought agencies to a heightened sense of vigilance, Springer said agencies will likely remain on-guard for the foreseeable future.
“I think this is a new normal, or potentially just a reinforcement of the normal that’s been the case for a few years. A malicious cyber activity, whether it’s from Iran or another sophisticated nation-state, is just a perpetual problem,” he said. “And I think heightened vigilance is certainly warranted when there’s a particular geopolitical event that makes a more imminent action more likely.”
The agency on Jan. 14 put out an emergency order to address known vulnerabilities in Microsoft’s Windows operating system. The directive gave agencies mere days to assess the scope of the vulnerability to their systems, and 10 days to patch or remedy all their affected endpoints.
The patch released by Microsoft addresses vulnerabilities discovered by the National Security Agency that affect Windows’ cryptographic functionality.
Springer said that coordinated response demonstrated growth in the federal government’s ability to share cyber threat intelligence with the private sector in real time to mitigate vulnerabilities. More importantly, he said it showed that the federal government is “more willing to work with the private sector and reveal certain vulnerabilities rather than just keep them secret and use them.”
“The federal government has really made strides in information-sharing with the private sector, [but] there’s still more work to be done,” he said. “It’s not perfect, there are still concerns on both sides of exactly how much to share and when, but I think there’s no question that it has been improving over time.”
Meanwhile, Congress has taken steps to improve the legal framework for sharing cyber threat intelligence. The House Homeland Security Committee in January approved the Cybersecurity Vulnerability Identification and Notification Act, which would give CISA administrative subpoena power.
That authority would require internet service providers to turn over contact information for entities that CISA has identified as having critical cyber vulnerabilities.
However, Springer said there’s still a “delicate balancing act on both sides” between government and the private sector when it comes to sharing this information. Agencies, for example, try to share critical information with the private sector without giving away their methods of obtaining that information.
Meanwhile, agencies recovering from cyber threats just want to “get back to business [and] focus on the mission of their company,” Springer said.
“I think there’s a concern sometimes that a lot of government involvement in that, particularly when it’s not necessary to prevent any further damage, is just a business risk that is not worth taking — either from having the government slow down the business’s ability to do what it’s trying to do, or just publicity,” he said. “A lot of cyber incidents are taken care of quietly … and so there is a fear that once you get the government involved, that just brings up the profile of everything and increases the likelihood of a lot of media attention or other attention to what is, in reality, a small problem that has already been remedied, and everybody can move on.”