14 January 2020

Should the U.S. Expect an Iranian Cyberattack?

By Sue Halpern

A day after Donald Trump authorized a drone strike that killed Qassem Suleimani, the leader of Iran’s élite Quds Force, the Department of Homeland Security issued a bulletin from its National Terrorism Advisory System. “Iran maintains a robust cyber program and can execute cyber attacks against the United States,” the alert said. “Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.” Another bullet point noted that “an attack in the homeland may come with little or no warning.” Shortly after, hackers claiming to be affiliated with Iran took over the Web site of the Federal Depository Library Program, an American government agency that distributes government publications, and inserted a picture of Trump being punched in the face, with blood dripping from his mouth. “Martyrdom,” the accompanying message read, was Suleimani’s “reward for years of implacable efforts. With his departure and with God’s power, his work and path will not cease and severe revenge awaits those criminals who have tainted their filthy hands with his blood and the blood of the other martyrs of last night’s incident.” The hackers signed off with an additional threat: “This is only [a] small part of Iran’s cyber ability! We’re always ready.” It was a sophomoric defacement of an obscure federal agency’s site, but those last two sentences are unassailable.

In 2010, the United States and Israel covertly inserted malware into the automated control system at Iran’s Natanz nuclear facility, causing nearly a thousand centrifuges to self-destruct. The centrifuges were necessary to enrich uranium for nuclear weapons, and the Stuxnet attack, as it came to be known, was credited with slowing down Iran’s nuclear program and driving the Iranians to the negotiating table. Neither Israel nor the United States has claimed credit for the attack, but the ensuing nuclear deal, signed in 2015, was seen as a triumph for the Obama Administration. (Trump unilaterally walked away from the deal in 2018.) But an unintended consequence of Stuxnet, along with the inadvertent spread of the worm beyond Natanz into the “wild,” where its code and exploits have since been studied and reused by other state and criminal hackers, was that it inspired the Iranian government to accelerate the development of its own cyber army within the Islamic Revolutionary Guard Corps. The government also recruited thousands of volunteer “patriotic” hackers, among them criminal gangs and ideologically aligned terrorist groups such as Hezbollah, who work independently but with the regime’s implicit blessing. (In its most recent bulletin, the D.H.S. noted that “Homegrown Violent Extremists could capitalize on the heightened tensions to launch individual attacks.”) As Ed Parsons and George Michael, who research cyber threats in the private sector, have pointed out, “The Iranian regime has demonstrated greater appetite towards destructive or disruptive cyber-attacks in peacetime than any other nation.”

Cyber weapons also level the battlefield. P. W. Singer, a senior fellow and strategist at New America, told me that, though a nation can’t create an air force in a matter of years, it can gain a great deal of cyber capability in that time. Cyber weapons do not have to be cutting edge to lacerate a community, a company, or a country, either. In 2011, for example, Iranian hackers breached the Dutch certificate authority DigiNotar and used its signing keys to issue fraudulent certificates for major Web sites, Google’s among them; because browsers trusted DigiNotar, the forged certificates let the attackers sit between tens of thousands of Iranian citizens and their supposedly encrypted mail and chat sessions. Beginning in late 2011 and continuing into 2013, Iranian hackers also launched a relentless denial-of-service campaign against some forty-six American companies, including A. T. & T. and JPMorgan Chase, knocking them offline on a hundred and seventy-six separate days. Though using a blunt instrument, the attackers still managed to pierce the defenses of some of the biggest businesses in the United States, inflict millions of dollars of damage, and, at times, prevent banking customers from accessing their accounts. A member of the same group also breached the control system of a dam not far from New York City.
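The DigiNotar episode reduces to one property of the Web’s trust model: an ordinary TLS client accepts any certificate that chains to any root in its trust store, so a single compromised certificate authority can mint a perfectly valid certificate for any site, and only an out-of-band expectation about the site’s key, such as pinning, catches the substitution. The Go program below is an added example written for this page, not code from DigiNotar, the attackers, or any source the article cites. The two roots, the host name mail.example.com, and the pin set are all constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"time"
)

// template builds a minimal root CA (isCA) or server certificate for name; all constructed here.
func template(name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage |= x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name}
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// makeCert generates a key for tmpl and has parent sign it; a nil parent means self-signed.
func makeCert(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// spkiPin is the base64 SHA-256 of the SubjectPublicKeyInfo, the pin format HPKP used.
func spkiPin(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// chainValid is what an ordinary TLS client checks: a chain to any trusted root plus a matching host name.
func chainValid(leaf *x509.Certificate, roots []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// pinnedValid adds the check a rogue CA cannot satisfy: the leaf's public key
// must be one the client already expects for this host.
func pinnedValid(leaf *x509.Certificate, roots []*x509.Certificate, host string, pins map[string]bool) bool {
	return chainValid(leaf, roots, host) && pins[spkiPin(leaf)]
}

// Scenario models the DigiNotar situation: the client trusts two roots, one of them
// compromised, and the attacker mints a certificate for a site the victim uses. It reports
// plain-chain and pinned results for the rogue certificate, and the pinned result for the genuine one.
func Scenario() (rogueChainOK, roguePinOK, genuinePinOK bool) {
	const host = "mail.example.com" // hypothetical site, not a real target
	genuineCA, genuineKey := makeCert(template("Genuine Root CA", true), nil, nil)
	rogueCA, rogueKey := makeCert(template("Compromised Root CA", true), nil, nil)
	roots := []*x509.Certificate{genuineCA, rogueCA} // both sit in the client's trust store
	genuineLeaf, _ := makeCert(template(host, false), genuineCA, genuineKey)
	rogueLeaf, _ := makeCert(template(host, false), rogueCA, rogueKey)
	pins := map[string]bool{spkiPin(genuineLeaf): true} // the key the client has seen before
	return chainValid(rogueLeaf, roots, host),
		pinnedValid(rogueLeaf, roots, host, pins),
		pinnedValid(genuineLeaf, roots, host, pins)
}

func main() {
	rogueChain, roguePin, genuinePin := Scenario()
	fmt.Println("rogue cert passes plain chain validation:", rogueChain) // true
	fmt.Println("rogue cert passes pinned validation:", roguePin)        // false
	fmt.Println("genuine cert passes pinned validation:", genuinePin)    // true
}
```

The first line prints true because the rogue certificate is, cryptographically, a perfectly good certificate; nothing in the chain says which root is honest. The pin check is the same idea Chrome had hard-coded for Google’s own domains in 2011, which is how the forged DigiNotar certificate was noticed by a user in Iran in the first place. Certificate Transparency, which requires public logging of every issued certificate, is the Web-wide successor to that check.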

Water systems, electrical grids, and other infrastructure are especially vulnerable to cyberattacks, not only because they are high-value targets, essential to sustaining life as we know it, but because they are largely unguarded. In October, a cybersecurity researcher in the Netherlands identified twenty-six thousand industrial control systems across the United States whose undefended presence on the Internet makes them easy targets for malicious actors. What would such an attack look like? In December, 2015, Russian hackers briefly shut down parts of the electrical grid in western Ukraine, and the lights went out for up to two hundred and twenty-five thousand customers. Over the next six hours, the trains stopped running, cash machines and gas pumps did not work, credit cards were worthless, and communications with the wider world were essentially cut off. “It is hard to set a limit on the potential damage hacking industrial control systems can lead to,” the cybersecurity researcher Ofer Maor told The Independent, in 2018. “Imagining an attack that causes a blackout is simple, but imagine a case where a vulnerability in a power plant’s control system can be used to bypass load limitations, driving the power plant to work overtime, leading to an explosion, or reversing a sewer pump to overflow sewers across an entire city.”

A study by researchers at the University of Cambridge Centre for Risk Studies and Lloyd’s of London that was released in 2015 found that, if hackers disabled sections of the power supply to fifteen states and the District of Columbia, significant numbers of people would die as health and safety systems failed. They estimated the economic cost to be as much as a trillion dollars. In 2018, U.S. officials acknowledged that Iran had been probing the American power grid and other critical infrastructure for the past few years, potentially laying the groundwork for a cyberattack. James Lewis, the Technology Policy Program director of the Center for Strategic and International Studies, told me that cyber weapons enable Iranians to “do things in the domestic United States that they can’t do with their other weapons, like cruise missiles, because they can reach out and touch.” (At the same time, he questioned whether a cyberattack “is violent enough to be justified as an attack.”)

Even if there were a cyberattack, we might not know its provenance. Not long ago, Russian hackers were observed impersonating Iranian hackers, and they disguised their attack on the 2018 Winter Olympics to look like it had come from North Korea. Three years ago, the cybersecurity firm Dragos identified a group of hackers it dubbed Xenotime, which it considered to be “the world’s most dangerous cyber threat.” The group was thought to be Iranian. It was later traced to Moscow. “In cybersecurity, attribution is a big deal—who has hit you and how do you know,” Singer said. If the Iranians do launch a cyberattack on the United States, he said, they may want to toss plausible deniability aside, take credit for it, and let the world know they were the perpetrators. But, he cautioned, “Iran may want to be loud and proud of an attack, but in turn you could have some nefarious third party that wants to look like Iran being loud and proud.” There were many reasons to be concerned about a potential cyberattack before last Friday, Singer told me. There are even more now.
