[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]

IRANIAN CYBER THREAT TO THE U.S. HOMELAND

=======================================================================

JOINT HEARING

before the

SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE

and the

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES

of the

COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES

ONE HUNDRED TWELFTH CONGRESS

SECOND SESSION

__________

APRIL 26, 2012

__________

Serial No. 112-86

__________

Printed for the use of the Committee on Homeland Security

Available via the World Wide Web: http://www.gpo.gov/fdsys/

__________

U.S. GOVERNMENT PRINTING OFFICE
77-381
WASHINGTON : 2013

-----------------------------------------------------------------------

COMMITTEE ON HOMELAND SECURITY

Peter T. King, New York, Chairman

Lamar Smith, Texas                      Bennie G. Thompson, Mississippi
Daniel E. Lungren, California           Loretta Sanchez, California
Mike Rogers, Alabama                    Sheila Jackson Lee, Texas
Michael T. McCaul, Texas                Henry Cuellar, Texas
Gus M. Bilirakis, Florida               Yvette D. Clarke, New York
Paul C. Broun, Georgia                  Laura Richardson, California
Candice S. Miller, Michigan             Danny K. Davis, Illinois
Tim Walberg, Michigan                   Brian Higgins, New York
Chip Cravaack, Minnesota                Cedric L. Richmond, Louisiana
Joe Walsh, Illinois                     Hansen Clarke, Michigan
Patrick Meehan, Pennsylvania            William R. Keating, Massachusetts
Ben Quayle, Arizona                     Kathleen C. Hochul, New York
Scott Rigell, Virginia                  Janice Hahn, California
Billy Long, Missouri                    Vacancy
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Robert L. Turner, New York

Michael J. Russell, Staff Director/Chief Counsel
Kerry Ann Watkins, Senior Policy Director
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director

SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE

Patrick Meehan, Pennsylvania, Chairman

Paul C. Broun, Georgia, Vice Chair      Brian Higgins, New York
Chip Cravaack, Minnesota                Loretta Sanchez, California
Joe Walsh, Illinois                     Kathleen C. Hochul, New York
Ben Quayle, Arizona                     Janice Hahn, California
Scott Rigell, Virginia                  Vacancy
Billy Long, Missouri                    Bennie G. Thompson, Mississippi (Ex Officio)
Peter T. King, New York (Ex Officio)

Kevin Gundersen, Staff Director
Zachary D. Harris, Subcommittee Clerk
Hope Goins, Minority Subcommittee Director

------

SUBCOMMITTEE ON CYBERSECURITY, INFRASTRUCTURE PROTECTION, AND SECURITY TECHNOLOGIES

Daniel E. Lungren, California, Chairman

Michael T. McCaul, Texas                Yvette D. Clarke, New York
Tim Walberg, Michigan, Vice Chair       Laura Richardson, California
Patrick Meehan, Pennsylvania            Cedric L. Richmond, Louisiana
Billy Long, Missouri                    William R. Keating, Massachusetts
Tom Marino, Pennsylvania                Bennie G. Thompson, Mississippi (Ex Officio)
Peter T. King, New York (Ex Officio)

Coley C. O'Brien, Staff Director
Zachary D. Harris, Subcommittee Clerk
Chris Schepis, Minority Senior Professional Staff Member

C O N T E N T S

----------

Statements

The Honorable Patrick Meehan, a Representative in Congress From the State of Pennsylvania, and Chairman, Subcommittee on Counterterrorism and Intelligence:
  Oral Statement
  Prepared Statement

The Honorable Daniel E. Lungren, a Representative in Congress From the State of California, and Chairman, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies:
  Oral Statement
  Prepared Statement

The Honorable Brian Higgins, a Representative in Congress From the State of New York, and Ranking Member, Subcommittee on Counterterrorism and Intelligence

The Honorable Yvette D. Clarke, a Representative in Congress From the State of New York, and Ranking Member, Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies

Witnesses

Mr. Frank J. Cilluffo, Associate Vice President and Director, Homeland Security Policy Institute, The George Washington University:
  Oral Statement
  Prepared Statement

Mr. Ilan Berman, Vice President, American Foreign Policy Council:
  Oral Statement
  Prepared Statement

Mr. Roger L. Caslow, Executive Cyber Consultant, Suss Consulting:
  Oral Statement
  Prepared Statement

Appendix

Questions From Chairman Michael T. McCaul

IRANIAN CYBER THREAT TO THE U.S. HOMELAND

----------

Thursday, April 26, 2012

U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Counterterrorism and Intelligence, and
Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies,
Washington, DC.

The subcommittees met, pursuant to call, at 10:06 a.m., in Room 311, Cannon House Office Building, Hon. Patrick Meehan [Chairman of the Subcommittee on Counterterrorism and Intelligence] presiding.

Present from the Subcommittee on Counterterrorism and Intelligence: Representatives Meehan, Cravaack, and Hahn.

Present from the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies: Representatives Lungren, Higgins, Clarke, Richardson, and Richmond.

Also present: Representative Green.

Mr. Meehan. Good morning, the Committee on Homeland Security Subcommittees on Counterterrorism and Intelligence and Cybersecurity, Infrastructure Protection, and Security Technologies--this is a joint committee hearing--will come to order. Subcommittees are meeting today to hear the testimony regarding the threat of a cyber attack to the United States homeland from the Islamic Republic of Iran. I will now recognize myself for an opening statement.

I would like to begin today by thanking Chairman Lungren and Ranking Member Clarke and all of the Members of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies for joining us here today to examine the threat posed by Iran in the cyber arena. The combination of our expertise on counterterrorism and intelligence, and your expertise on cybersecurity will inform and enhance our discussion. I look forward to hearing from you, and our panel.

I believe the joint hearing represents the attitude we must have when confronted with emerging threats that may not be adequately understood. In my view, the adaptability, flexibility, and willingness to erase institutional barriers called for in the 9/11 Commission Report is on display here, with each of us bringing our own expertise to study a threat which crosses borders and cannot easily be put into a box.

While Chairman Lungren and his colleagues on the CIPST Subcommittee have studied the ins and outs of protecting our Nation's critical infrastructure from cyber attack, the membership of the CT&I Subcommittee have spent a lot of time examining the threat posed by Iran in the world's largest state sponsor of terrorism, and its proxies, of course, principally including Hezbollah.

For the Subcommittee on Counterterrorism and Intelligence, this hearing is a continuation of our previous work examining the threat from Tehran.
Last year our subcommittee examined the Hezbollah presence in Latin America that detailed the recently exposed Iranian government plot to conduct a brazen attack here in Washington, DC.

I have also recently returned from the region, where I met with defense and intelligence officials and government leaders in Israel and Turkey and Jordan. After in-depth conversations and briefings including with Turkey president Abdullah Gul, Israeli Prime Minister Benjamin Netanyahu, and His Majesty King Abdullah of Jordan, it became increasingly clear that Iran is the most destructive and malicious actor in the region, and will persist in antagonizing the United States and our allies, especially the State of Israel.

As Iran's illicit nuclear program continues to inflame tensions between Tehran and the West, I am struck by the emergence of another possible avenue of attack emanating from Iran--the possibility that Iran could conduct a cyber attack against the United States homeland.

Now, many will discount this threat just as many ignored the possibility that Iran would conduct any kind of attack on American soil. Well, this assumption was proven woefully wrong when last year's plot to kill the Saudi Ambassador was uncovered. Now we are adjusting to a realistic understanding of Iran's intent to conduct terror attacks and to kill innocent Americans in the U.S. homeland, we cannot blind ourselves to this new threat. After all, if Iran is willing to blow up a Washington restaurant, and kill innocent Americans, we would be naive to think that Iran could never conduct a cyber attack against the United States homeland.

Earlier this year, in testimony before the Senate Intelligence Committee, Director of National Intelligence James Clapper clearly stated that Iran's intelligence operations against the United States, including cyber capabilities, have dramatically increased in recent years in depth and complexity.
What I view as a private-sector validation of the cyber threat posed by Iran, Google executive Chairman Eric Schmidt recently stated the Iranians are talented in cyber war for some reasons we don't fully understand. In the event of a military strike against Iranian nuclear facilities, former director of the National Counterterrorism Center, Michael Leiter, assessed that a cyber attack conducted by Iran--Tehran against the United States, would be reasonably likely.

The threat of cyber warfare may be relatively new, but it is not small. Iran has reportedly invested over $1 billion in developing their cyber capabilities, and it appears they may have already carried out attacks against organizations like the BBC, and Voice of America. There have been reports that Iran may have even attempted to breach the private networks of a major Israeli financial institution. Iran is very publicly testing its cyber capabilities in the region, and in time, will expand its reach.

Other nations such as Russia and China may have more sophisticated cyber capabilities, but there should be little doubt that a country that kills innocent civilians around the world, guns down its own people, and calls for the destruction of the State of Israel, would not hesitate to conduct a cyber attack against the United States homeland.

That is why today's hearing is so important. I want to thank you for joining us today, and I look forward to hearing from our witnesses.

[The statement of Mr. Meehan follows:]

Statement of Chairman Patrick Meehan

April 26, 2012

welcome

I would like to begin today by thanking Chairman Lungren and Ranking Member Clarke, and all the Members of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies for joining us here today to examine the threat posed by Iran in the cyber arena.
The combination of our expertise on counterterrorism and intelligence and your expertise on cybersecurity will inform and enhance our discussion, and I look forward to hearing from you and our panel.

importance of joint hearing

I believe this joint hearing represents the attitude we must have when confronted with emerging threats that may not be adequately understood. In my view, the adaptability, flexibility, and willingness to erase institutional barriers called for in the 9/11 Commission Report is on display here, with each of us bringing our own expertise to study a threat which crosses borders and cannot easily be put into one box.

While Chairman Lungren and his colleagues on the CIPST subcommittee have studied the ``ins'' and ``outs'' of protecting our Nation's critical infrastructure from cyber attack, the Members of the CTI subcommittee have spent a lot of time examining the threat posed by Iran, the world's largest state sponsor of terrorism, and its proxies, including Hezbollah.

past subcommittee iran examinations

For the Subcommittee on Counterterrorism and Intelligence, this hearing is a continuation of our previous work examining the threat from Tehran. Last year, our subcommittee examined the Hezbollah presence in Latin America that detailed the recently exposed Iranian government plot to conduct a brazen terror attack here in Washington, DC.

I have also recently returned from the region, where I met with defense and intelligence officials and government leaders in Israel, Turkey, and Jordan. After in-depth conversations and briefings, including with Turkey President Abdullah Gul, Israeli Prime Minister Benjamin Netanyahu, and His Majesty King Abdullah of Jordan, it became increasingly clear that Iran is the most destructive and malicious actor in the region and will persist in antagonizing the United States and our allies, especially the State of Israel.

emerging cyber threat from iran

As Iran's illicit nuclear program continues to inflame tensions between Tehran and the West, I am struck by the emergence of another possible avenue of attack emanating from Iran: The possibility that Iran could conduct a cyber attack against the U.S. homeland.

Many will discount this threat--just as many ignored the possibility that Iran would conduct an attack on American soil. This assumption was proven woefully wrong when last year's plot to kill the Saudi Ambassador was uncovered. Now that we are adjusting to a realistic understanding of Iran's intent to conduct terror attacks and kill innocent Americans in the U.S. homeland, we cannot blind ourselves to this new threat. After all, if Iran is willing to blow up a Washington restaurant and kill innocent Americans, we would be naive to think Iran would never conduct a cyber attack against the U.S. homeland.

senior officials warning

Earlier this year in testimony before the Senate Intelligence Committee, Director of National Intelligence James Clapper clearly stated: ``Iran's intelligence operations against the United States, including cyber capabilities, have dramatically increased in recent years in depth and complexity.''

In what I view as a private sector validation of the cyber threat posed by Iran, Google Executive Chairman Eric Schmidt recently stated, the ``Iranians are unusually talented in cyber war for some reason we don't fully understand.''

And, in the event of a military strike against Iranian nuclear facilities, former director of the National Counterterrorism Center Michael Leiter assessed that a cyber attack conducted by Tehran against the United States would be ``reasonably likely.''

The threat of cyber warfare may be relatively new--but it is not small. Iran has reportedly invested over $1 billion in developing their cyber capabilities, and it appears they may have already carried out attacks against news organizations like the BBC and Voice of America.
There have been reports that Iran may have even attempted to breach the private networks of a major Israeli financial institution. Iran is very publicly testing its cyber capabilities in the region and, in time, will expand its reach.

don't ignore this threat

Other nations such as Russia and China may have more sophisticated cyber capabilities, but there should be little doubt that a country that kills innocent civilians around the world, guns down its own people, and calls for the destruction of the State of Israel would not hesitate to conduct a cyber attack against the U.S. homeland.

That is why today's hearing is so important. I want to thank all of you for joining us today, and I look forward to hearing from our witnesses.

Mr. Meehan. Now, I know that co-Chairman, or the Ranking Member Mr. Higgins is expected today at this moment, but until such time as he is able to join us at the hearing, the Chairman would now recognize Ms. Clarke for any opening comments she may have. Thank you.

Ms. Clarke. Thank you very much, Mr. Chairman. Chairman Lungren, Chairman Meehan, thank you for holding this joint hearing on the Iranian cyber threat. State-sponsored cyber threats from Iran and actual attacks from other countries directed at the United States, have been a hot topic over the past few years. As you know, we have had a number of classified briefings concerning these state-sponsored attacks. Our ability to detect, prevent, preempt, and deter terrorists and malicious state-sponsored cyber attacks reflect on our capability, and our political will to protect our vital National infrastructure from devastating consequences.

I am glad my colleague and fellow New Yorker, Mr. Higgins, has brought some legislation to bear on the issue we are discussing today. His bill would amplify the State Department's report to Congress on the proficiencies of Iran cyber and technological capabilities. This will help us assess Iran's threat in greater detail.
This is quite a story to be told about Iran and cyber threats, and I will be interested in hearing the testimony today.

I have seen the report put out by Reporters Without Borders, that places Iran on the list of enemies of the internet, describing the various censoring techniques that Iran used to control the flow of information among its own people. The report refers to the government-sponsored cyber police function that uses a combination of content filtering and access control. The report also mentions the use of distributed denial of service cyber attack techniques used as a form of political oppression, which it says may or may not be official state-sponsored activity.

Reports on Iranian Cyber Army have raised questions about the regime's cyber attack capabilities and the extent to which these attacks are coordinated by the government. Some have said the Iranian Cyber Army may be a loose confederation of hackers and cyber activists similar to other hacking clusters, and may include cyber crime networks and other groups. One such known as the Ashiyane Digital Security Team, has claimed responsibility for hacking into and defacing thousands of websites. Both Iranian Cyber Army, and the Ashiyane are alleged to have ties with the Iranian government's revolutionary guard, but who can tell?

Given the Iranian regime's control over the internet and attempts to crack down on citizen's internet activity, it would appear to be a sweeping promotion of hacking without any legal or public recourse and suggests a tacit governmental approval of these activities. Some have said the Iranian Cyber Army resembles a collective of regime-backing hackers acting of their own volition; yet it may be that the regime has actively leveraged and employed the talents of a young population adept with computer tools.
In the wake of Iran's presidential election in June 2009, protesters had used Twitter to skirt government filters to promote, to report events, and organize opposition rallies prompting the U.S. State Department to request that Twitter reschedule its planned maintenance activities in order to ensure access to pro-democracy users. But the Iranian regime's brutal crackdown on the protesters seemingly succeeded. Demonstrations are now few and far between, and many of the web-based citizen journalists that have documented the uprising have been killed, imprisoned, or gone underground; their voices silenced.

The most well-known cyber event in Iran occurred late in 2009, when this Central European security firm reported the discovery of a software worm called Stuxnet, that had infected computers controlling centrifuges of several Iranian nuclear enrichment plants. However, these computers were not connected to the internet, and the worm was said to have been injected into those computers using an external device such as a thumb drive.

Stuxnet may be proof of Iran's vulnerability and the effectiveness of other nation's state cyber arsenals. However, it would be--it would also be possible for Iran to gain some knowledge of creating a Stuxnet-like virus from analyzing its network effects. This leads to fear of reverse engineering leading to a capability of the types of cyber attacks on U.S. critical infrastructure that could rise to the level of a National security crisis.

We must be prepared for such rogue actions and be prepared on the National defense level, as well as protecting our critical business operations, vital infrastructure functions, and frankly, our daily lives.

The rapid technological advances in cybersecurity threats over the last several years have outpaced our ability as lawmakers to keep our laws up-to-date.
The needed coordination of the many Governmental agencies and private institutions, and the implementation of the procedures that would protect our infrastructure, are huge undertakings and will continue to have huge challenges. We are seeing some of those challenges being played out on the House floor this week, and my Ranking Member, Mr. Thompson, is talking about some of the most constructive alternatives to the cyber legislation we are considering.

Our intelligence community and law enforcement agencies face many challenges to anticipate, investigate, and respond to cyber threats. Simply, all these challenges must be overcome, and protection of our infrastructure accomplished without violating our fundamental rights of individual privacy that are enshrined in our Constitution.

With that, Mr. Chairman, I yield back.

Mr. Meehan. Thank you, Ms. Clarke. Before I begin, let me recognize that the gentleman from Texas, Mr. Green, has joined us today, and I would like to ask unanimous consent that he be able to participate in today's hearing. Hearing no objection, so ordered. Welcome Mr. Green. Thank you for being here with us today.

The Chairman now recognizes my good friend, the Chairman of the Subcommittee on Cybersecurity, Infrastructure Protection, and Security Technologies, the gentleman from California, Mr. Lungren, for any statement he may have.

Mr. Lungren. Thank you very much, Mr. Chairman. I want to thank all of my colleagues for being here, particularly those from our companion subcommittee to meet on a very important subject. Those of us in the Congress know that we have an obligation to proceed with legislation on important issues such as cybersecurity.
We have an obligation to conduct appropriate oversight of the Executive branch to ensure that they are doing that which needs to be done, in concert, or consistent with legislation that has been duly passed, but we also have another obligation, it seems to me, and that is to raise the knowledge of the public on issues of true National and international importance, and cybersecurity is one of those subjects, and we hope that this hearing provides insight into possible legislation, insight into oversight, and particularly, helps us to raise the public knowledge of this important issue.

As we all know, communicating through cyber space, is now an integral part of the international marketplace, and the global economy. Businesses of all sizes, increasingly depend upon it in their daily operations as well as for market growth. Individuals utilize it on a daily basis. Many people enter into the commercial market by way of the internet these days and other uses of cyber space. These innovative cyber technologies help U.S. businesses to achieve great efficiencies and to run their vital infrastructures.

But the tremendous opportunities provided by cyber space, are accompanied by obvious vulnerabilities. For instance, along with all of the other benefits, with all of the benefits, cyber space is replete with nefarious actors, including organized criminals, industrial spies, foreign governments taking inappropriate advantage of a cyber environment open to all users. The very openness of cyber space contributes to its vulnerability, and its possibility of abuse.

We have been warning about cyber threats in this committee for a long time. It has been a bipartisan effort to warn of these threats. The Nation's top Government, intelligence, and military leaders often cite the cyber threat as the issue that worries them the most.
The reason is that a successful cyber attack on a power grid, transportation system, or communication networks could cripple our economy and threaten our National security.

Any doubt about the physical damage that could be caused by a cyber attack should have been eliminated by the Stuxnet virus. I am happy the Stuxnet virus was used by somebody who was a friendly, and it is probably the best example of the cyber and physical worlds intersecting. Like Aurora, Stuxnet demonstrates that vital critical infrastructure can be physically disabled or destroyed by a capable and motivated enemy, and as we know in those attacks, they were done with a certain stealth element to them. That is, the destruction took place before the operators that were supposed to protect against such destruction were able to even understand that they were under attack.

In addition to these National security concerns, cyber threat thefts are also robbing us of our intellectual property. We have had examples already of how this has cost U.S. jobs and jeopardized our economic future. Cyber threats are real. They are growing in number and sophistication.

In assessing the Iranian threat to the U.S. homeland, we need to examine their motivation, their opportunity, and their capability. As the victim of two recent cyber attacks nuclear and oil infrastructure, and multiple U.S. embargoes, Iran, it would seem, would have motivation to strike out against those they think are responsible, or anybody associated with those they think are responsible, or anybody who would stand on the sidelines and cheer those efforts.

The opportunity arises as U.S. critical infrastructure companies have been slow to harden their assets against cyber attacks. Unfortunately, cyber attacks can be launched from any place in the world, because cyber space does not recognize borders.

The important question when assessing Iran as a cyber threat is their cyber capability.
American Security Contracting Firm issued a report in 2008 rating Iran cyber capability among the top five globally. A December 2011 report indicated that Tehran was investing $1 billion in new cyber warfare technology.

So let me underscore a point made by the Chairman of our other subcommittee. According to the DNI Director Clapper, Iran's intelligence operations against the United States including cyber capabilities, have dramatically increased in recent years, in depth, and complexity. Since Iran appears to have the necessary cyber capability, we can only hope that they will fear attribution and the overwhelming U.S. response that would surely follow such an Iranian cyber attack against our Nation.

I look forward, along with my colleagues, to the testimony of the distinguished panel this morning on the nature of the cyber threat from this rogue Iranian regime. Thank you very much, Mr. Chairman.

[The statement of Mr. Lungren follows:]

Statement of Chairman Daniel E. Lungren

April 26, 2012

Communicating through cyber space is now an integral part of the international marketplace and the global economy. Businesses of all sizes increasingly depend upon it for their daily operations as well as for market growth. These innovative cyber technologies help U.S. businesses achieve great efficiencies and run their vital infrastructures.

However, along with all the benefits, cyber space is replete with nefarious actors--including organized criminals, industrial spies, and foreign governments taking inappropriate advantage of a cyber environment open to all users.

We have been warning about cyber threats in this committee for a long time. The Nation's top Government, intelligence, and military leaders often cite the cyber threat as the issue that worries them the most. The reason is that a successful cyber attack on our power grid, transportation systems, or communication networks could cripple our economy and threaten our National security.
Any doubt about the physical damage that can be caused by a cyber attack should have been eliminated by the Stuxnet virus. Stuxnet is the best example of the cyber and physical worlds intersecting. Like Aurora, Stuxnet demonstrates that vital critical infrastructure can be physically disabled or destroyed by a capable and motivated enemy.

In addition to these National security concerns, cyber thefts are also robbing us of our intellectual property, costing U.S. jobs and jeopardizing our economic future. Cyber threats are real and growing in number and sophistication.

In assessing the Iranian threat to the U.S. homeland, we need to examine their motivation, opportunity, and capability. As the victim of two recent cyber attacks (nuclear and oil infrastructure) and multiple U.S. embargoes, Iran clearly has motivation to strike us. Their opportunity arises as U.S. critical infrastructure companies have been slow to harden their assets against cyber attacks. Unfortunately, cyber attacks can be launched from any place in the world because cyber space doesn't recognize international borders.

The important question when assessing Iran as a cyber threat is their cyber capability. An American security contracting firm issued a report in 2008 rating Iran's cyber capability among the top five globally. A December 2011 report indicated that Tehran was investing $1 billion in new cyber warfare technology. According to DNI Director Clapper, ``Iran's intelligence operations against the U.S., including cyber capabilities, have dramatically increased in recent years in depth and complexity''.

Since Iran appears to have the necessary cyber capability, we can only hope that they will fear attribution and the overwhelming U.S. response that would surely follow such an Iranian cyber attack against our Nation.

I look forward to the testimony of our distinguished panel this morning on the nature of the cyber threat from this rogue Iranian regime.

Mr. Meehan. Thank you, Mr. Lungren.
The Chairman now recognizes the Ranking Minority Member of the Subcommittee on Counterterrorism and Intelligence, my good friend, the gentleman from New York, Mr. Higgins, for any statement he may have.

Mr. Higgins. Thank you, I would like to thank both Chairman Lungren and Meehan for holding this important hearing. It is also a pleasure to hold this hearing are Ranking Member Clarke, a fellow Member from New York. I would also like to thank the witnesses for appearing here today.

Cyber threat is a threat that knows no limit, and has no boundaries. We know that Iran poses a threat to our cybersecurity. We also know that our information technology has massive vulnerabilities. We know that our dependence on technology is pervasive and growing. We know that our moving forward as a Nation depends on our having a robust, comprehensive cybersecurity policy in place. Therefore, we must have legislation and policies that not only examine the threat, but also protect critical infrastructure and promote research and development that will ensure that we have the proper protocols in place to prevent a cyber attack.

I look forward to hearing the testimony and I yield back.

Mr. Meehan. Thank you, Ranking Member Higgins. Other Members of the committee are reminded that opening statements may be submitted for the record. Now we are pleased to have a distinguished panel of witnesses before us today on this very, very important topic.

Let me first give the biography of Mr. Frank Cilluffo. He is the associate vice president and director of the Homeland Security Policy Institute at George Washington University, where he directs the homeland security efforts from policy, research, education, and training on a wide range of homeland security matters including counterterrorism and cyber threats. Before joining the staff at GW, Mr. Cilluffo served as the special assistant to the President for Homeland Security. Shortly following September 11, 2001 terrorist attack, Mr.
Cilluffo was appointed by President Bush to the newly-created Office of Homeland Security, and served as the principal advisor to Governor Tom Ridge. Prior to his White House appointment he spent 8 years in senior policy positions for the Center for Strategic and International Studies where he directed numerous committees and task forces on homeland defense.

We are also joined by Mr. Ilan Berman. Mr. Ilan Berman is the vice president of the American Foreign Policy Council in Washington, DC. Mr. Berman is an expert on regional security in the Middle East, Central Asia, and the Russian Federation. He has consulted for both the United States Central Intelligence Agency, and the United States Department of Defense, and provided assistance on foreign policy and National security issues in a range of Governmental agencies and Congressional offices. He is a member of the associated faculty at Missouri State University's Department of Defense and Strategic Studies.

Last, we are joined by Roger Caslow. He is an executive cyber consultant for Suss Consulting. Prior to joining Suss, Mr. Caslow served as the chief of risk management and information security programs for the chief information officer of the intelligence community. In this role, he is responsible for the development, implementation, and oversight of multiple risk management policies, security programs, and technology solutions supporting the intelligence community, and DoD. He has led the intelligence community in partnering with the National Institute of Standards, at all phases of planning, development, and delivery of a significant body of Federal security guidance. He has held a number of positions with the DoD and intelligence community, including senior policy and plans leader for the chief information officer.

I welcome each of the witnesses today, and the Chairman now recognizes Mr. Cilluffo to testify.

STATEMENT OF FRANK J.
CILLUFFO, ASSOCIATE VICE PRESIDENT AND DIRECTOR, HOMELAND SECURITY POLICY INSTITUTE, THE GEORGE WASHINGTON UNIVERSITY

Mr. Cilluffo. Chairman Meehan, Chairman Lungren, Ranking Members Higgins and Clarke, thank you for the opportunity to appear before you today. As you will note from my prepared remarks, it is difficult to compress such a complex set of issues into 5 minutes, coupled with the fact that I have never had an unspoken thought, but hopefully we can delve into some of the specificities during the Q&A.

First, I don't think it is a newsflash to underscore that we as a country still have a lot of work to do on the cyber front. I think it is appropriate and fair to suggest, while an imperfect analogy, that our cyber community is where our homeland community was shortly after 9/11.

Second, compounding the specific challenge before us, you cannot effectively evaluate, assess, and ultimately address the Iranian cyber threat through a counterterrorism, homeland security, cybersecurity, or infrastructure protection lens alone; rather, the complexity demands that we look at it through a prism that incorporates all of these views. Let me just also applaud both Chairmen that you saw the need to do some cross-committee pollination on some of these issues.

Iran through its Islamic Revolutionary Guard Corps, associated Quds Force, and its proxies have long had the United States in their cross-hairs. Up until 9/11 it was Iran's chief proxy, Hezbollah, that held the mantle of the deadliest terrorist organization, having killed more Americans up to that point than any other terrorist group.

The current climate is particularly challenging and concerning, however, because the level of tension appears to be rising. We have seen an uptick in attempted and actual attacks on and assassinations of Israeli, Jewish, U.S., and Western interests from Beirut to Baku, to Bangkok and, of course, the recent assassination attempt on the Saudi Ambassador on the U.S. soil.
Against this backdrop, getting ahead of the Iranian cyber threat to the United States is all the more relevant and all the more timely.

The reach of Iran's proxies has gone global. Hezbollah activities now stretch from West Africa to the tri-border area of Argentina, Brazil, and Paraguay. Within the United States, there have been 16 arrests in 2010 of Hezbollah sympathizers seeking Stinger missiles, M-4 rifles, and night vision equipment.

Based on this recent activity, the Los Angeles Police Department has elevated the government of Iran and its proxies to a tier 1 threat. Notably, the city of Los Angeles contains the most active Hezbollah presence in this country, and Los Angeles happens to also be home to the largest ethnic Iranian population outside of Iran itself.

Law enforcement officials have also observed a striking convergence of crime and terrorism, a trend highlighted, I might note, earlier this week by Defense Secretary Panetta, and further reinforced by SOUTHCOM Commander General Fraser. Hezbollah's nexus with criminal activity is greater than that of any other known terrorist group. These links, including with gangs and cartels, generate new possibilities for outsourcing, and new networks that can facilitate terrorist travel, logistics, recruitment, and operations, and I might note, including cyber.

Moreover, authorities have noted significant terrorist interest in the tactics, techniques, and procedures of smuggling drugs and people into the United States.

These developments suggest that our long-standing frames of reference, our so-called red lines, have shifted. First and foremost, whereas previously Iran and its proxies targeted U.S. interests and personnel abroad, the cleave between here, our homeland, and overseas is wearing away as these two fronts merge. As you know in cyber, where we particularly know no borders, this has great resonance.
As you mentioned, the Director of National Intelligence, General Clapper, was very bold in stating now that Iran is now more willing to conduct an attack in the United States. I might note that his assessment has been echoed by many others in the National security and law enforcement community of late.

Let me state a couple of very quick words, specifically on Iran cyber attack capabilities. As has been mentioned, Iran is investing heavily in building its cyber warfare capabilities, including standing up the Iranian Cyber Army, which is in addition to their more conventional and traditional electronic warfare capabilities, which were quite sophisticated to begin with.

Recent open-source and public incidents demonstrate a growing level of sophistication. Ms. Clarke, you mentioned many of the examples earlier today, but I might note there is one that you did not mention, that I thought demonstrated the highest level of sophistication, and that was the recent hack of a security certificate company in the Netherlands, a Dutch company, that demonstrated not only their hacking skills, but their ability to manipulate data as well.

Prior to the official pronouncements regarding the Iranian Cyber Army, numerous hacker groups have operated pro-regime groups in Iran. These range from the broader Basij, to the recent stand up of the Cyber Hezbollah, and perhaps the most sophisticated group from a trade craft perspective, the Ashiyane. It is increasingly becoming clear, however, that the IRGC is not only cultivating, but also guiding, and I think trying to assume control over these various organizations.

These developments aside, the good news is that if you were to rack and stack the greatest cyber threats in nations, Iran is not at the top of the list. Russia, PRC, and others are. The bad news is what they lack in capability, they make up for in intent, and are not as constrained as other countries may be from engaging in cyber attacks or computer network attacks.
Given Iran's history to employ proxies for terrorist purposes, there is little, if any, reason to think that Iran would hesitate to engage proxies to conduct cyber attacks against perceived adversaries. To paraphrase Mark Twain, whereas history may not repeat itself, it tends to rhyme. If they did it in the kinetic and the physical world, you can assume that they will be looking to cyber capacities as well.

I know I am over my time, but a couple of very quick points. Another thing to think about is cyber basically levels the playing field. It provides asymmetry that can give small groups disproportionate impact and consequence. Whereas they may not have the capability, they can rent or buy that capability. There is a cyber arms bazaar on the internet. Intent and cash can take you a long way, and that is what I think we need to be thinking about.

I might note that many have assumed and looked at the cyber threat more from a contingency or preemptive action that one of our allies may have in Iran. I don't think that bar is there. I think that they already feel, as has been mentioned by Mr. Lungren, and yourself, Mr. Chairman, and Mr. Higgins as well, that they are taking the gloves off right now in a cyber environment.

I might also note that specifically, the fact that they have tried to demonstrate such a capability with the drones, which I don't necessarily believe at all, but they need to demonstrate that capability or they potentially lose all credibility. So I think now is the time to act.

[The prepared statement of Mr. Cilluffo follows:]

Prepared Statement of Frank J. Cilluffo

April 26, 2012

Chairman Meehan, Chairman Lungren, Ranking Members Higgins and Clarke, and distinguished Members of the subcommittees, thank you for the opportunity to testify before you today. The subject is one of National importance--we, as a country, still have work to do in order to best respond to, and get ahead of, threats on the cybersecurity front.
Indeed, with regard to cyber, the United States is in a position akin to where the homeland security community was shortly after 9/11. This is problematic in terms of both cybersecurity and infrastructure protection, as well as counterterrorism and intelligence. There are many points of intersection and overlap between these two ``lenses''; and if recent history has taught us anything, it is that bureaucratic stovepiping can have fatal consequences. Your demonstrated commitment to tackle the subject under study jointly is therefore all the more commendable, and indeed a model for moving the Nation forward on the truly difficult interdisciplinary challenges that characterize the current National security ecosystem.

Iran (its Islamic Revolutionary Guard Corps, and associated Quds Force; the Ministry of Intelligence and Security; etc.) and proxies have long had the United States in their cross-hairs. Up until 9/11, in fact, it was Iran's chief proxy, Hezbollah, that held the mantle of deadliest terrorist organization, having killed more Americans up to that point than any other terrorist group. The October 23, 1983 bombing of the U.S. Marine Barracks in Beirut, Lebanon, cost the lives of 241 soldiers, marines, and sailors.

The current climate is particularly concerning however, because the level of tension appears to be rising. We have seen an uptick in attempted and actual attacks on and assassinations of Israeli, Jewish, U.S., and Western interests. This past February saw apparently coordinated bomb attacks against the embassies of one ally, Israel, in the capitals of two others--India and Georgia. February also saw Iranian agents in Bangkok prematurely detonate explosives, while preparing devices, resulting in injuries only to the perpetrators. Consider also the recently thwarted Iranian plot to assassinate Saudi Arabia's ambassador to the United States.
While Iran has sought to distance itself from the incidents described above and denied responsibility for them (not credibly mind you), the reach of Iran's proxies has gone global. Hezbollah's activities now stretch from West Africa to the Tri-Border Area of Argentina, Brazil, and Paraguay. Within the United States, there were 16 arrests of Hezbollah activists in 2010 based on Joint Terrorism Task Force investigations in Philadelphia, New York, and Detroit; and the organization has attempted to obtain equipment in the United States, including Stinger missiles, M-4 rifles, and night vision equipment.\1\ Based on recent activity, the Los Angeles Police Department has elevated the Government of Iran and its proxies to a Tier One threat. Notably, the city of Los Angeles contains the most active Hezbollah presence in this country (Detroit is their ``traditional'' U.S. base of operations). Los Angeles also happens to be home to the largest ethnic Iranian population outside of Iran itself.
---------------------------------------------------------------------------
\1\ Immigration and Customs Enforcement, DHS. ``Indictment charges 4 with conspiracy to support Hezbollah 6 others charged with related crimes,'' press release, November 24, 2009. Accessed 4/23/12 http://www.ice.gov/news/releases/0911/091124philadelphia.htm; Mike Newall, ``Road to terrorism arrests began at Deptford Mall, Moussa Ali Hamdan's meeting in 2007 with an undercover FBI informant led to the indictment of 26 with alleged Hezbollah ties,'' The Philadelphia Inquirer, January 25, 2010. Accessed 4/23/12 http://articles.philly.com/2010-01-25/news/25210171_1_hezbollah-fbi-informant-indictment; and Anti-Defamation League, ``Four Men Indicted in Philadelphia for Attempting to Support Hezbollah,'' modified 6/16/2010. Accessed 4/23/12 http://www.adl.org/main_Terrorism/philadelphia_hezbollah_- indictment.htm.
---------------------------------------------------------------------------
Law enforcement officials have observed a striking convergence of crime and terror. Hezbollah's nexus with criminal activity is greater than that of any other terrorist group. These links, including with gangs and cartels, generate new possibilities for outsourcing, and new networks that can facilitate terrorist travel, logistics, recruitment, and operations. Authorities have noted significant terrorist interest in tactics, techniques, and procedures used to smuggle people and drugs into the United States from Mexico. According to Texas State Homeland Security Director, Steve McCraw, Hezbollah operatives were captured trying to cross the border in September 2007.\2\
---------------------------------------------------------------------------
\2\ ``Terrorists have been arrested on the border, security chief says,'' Associated Press, September 13, 2007.
---------------------------------------------------------------------------
Law enforcement officials also confirm that Shia and Sunni forces are cooperating to an extent. For instance, Shia members of Lebanese Hezbollah and Sunni (Saudi/Iraqi) militant forces are drawing on each other's skills. That said, competition persists even within Shia circles, including between Lebanese Hezbollah and Iran's Quds Force.

These developments suggest that our long-standing frames of reference and the ``redlines'' they incorporated have shifted. First and foremost: Whereas previously Iran and its proxies targeted U.S. interests and personnel abroad, the cleave between here (the homeland) and overseas is wearing away, as the two fronts merge. The Director of National Intelligence recently stated that Iran is ``now more willing to conduct an attack in the United States.''\3\ His assessment does not stand alone.
In a recent hearing before the House Committee on Homeland Security, the NYPD's Director of Intelligence Analysis asserted that ``New York City and its plethora of Jewish and Israeli targets could be targeted by Iran or Hezbollah in the event that hostilities break out in the Persian Gulf.''\4\ At the same hearing, the committee heard from a former Assistant Director of the FBI that Hezbollah's fundraising infrastructure in the United States could serve as a ``platform'' for launching attacks against the homeland.\5\
---------------------------------------------------------------------------
\3\ Testimony of James R. Clapper before the Senate Select Committee on Intelligence, Worldwide Threat Assessment of the U.S. Intelligence Community, January 31, 2012, Washington, DC. Accessed 4/18/2012 http://www.dni.gov/testimonies/20120131_testimony_ata.pdf.
\4\ Testimony of Mitchell D. Silber before the U.S. House of Representatives Committee on Homeland Security, Iran, Hezbollah, and the Threat to the Homeland, March 21, 2012, Washington, DC. Accessed 4/16/2012 http://homeland.house.gov/sites/homeland.house.gov/files/Testimony-Silber.pdf.
\5\ Testimony of Chris Swecker before the U.S. House of Representatives Committee on Homeland Security, Iran, Hezbollah, and the Threat to the Homeland, March 21, 2012, Washington, DC. Accessed 4/22/2012 http://homeland.house.gov/sites/homeland.house.gov/files/Testimony-Swecker.pdf.
---------------------------------------------------------------------------
With Iran's nuclear program under scrutiny and sanctions, the potential for escalation is heightened. As a result of his policy choices, President Ahmadinejad is under increasing pressure both internationally and domestically.\6\ The complexity of the situation is increased by the tendency of Iran and its allies to conflate the United States and our ally Israel in the context of Israeli contingency and attack plans.
Events from Baku to Bangkok (referenced above) have been characterized by some analysts as a ``shadow war''.\7\
---------------------------------------------------------------------------
\6\ Rick Gladstone and Alan Cowell, ``Iran's President Unfazed in Parliamentary Grilling,'' The New York Times, March 14, 2012. Accessed 4/18/12 http://www.nytimes.com/2012/03/15/world/middleeast/iran-ahmadinejad-questioned-before-parliament-majlis.html?_r=1&page- wanted=all.
\7\ Andrew R.C. Marshall and Peter Apps, ``Iran `shadow war' intensifies, crosses borders,'' Reuters, February 16, 2012. Accessed 4/17/12 http://www.reuters.com/article/2012/02/16/us-iran-israel-security-idUSTRE81F1E720120216.
---------------------------------------------------------------------------
The conflict is not limited to the kinetic or to the physical world. In 2010, the Stuxnet worm disabled Iranian centrifuges used to enrich uranium. Attribution for this attack remains unresolved, although speculation has centered on Israel and the United States. The possibility that Iran may feel aggrieved and seek to retaliate, even in the absence of proof of attribution, is not to be dismissed--particularly against the backdrop of ever-tougher U.S. and global sanctions, and historically turbulent (at least as measured in decades) bilateral relations with the United States. The recent SWIFT sanctions have proven particularly effective in crippling Iran's financial system, adding further pressure.\8\ Iran is also grappling with Duqu, a worm which seems ``designed to gather data to make it easier to launch future cyber attacks.''\9\
---------------------------------------------------------------------------
\8\ Corey Flintoff, ``New Sanctions Severely Limit Iran's Global Commerce,'' NPR, March 19, 2012. Accessed 4/18/12. http://www.npr.org/2012/03/19/148917208/without-swift-iran-adrift-in-global-banking-world.
\9\ Yaakov Katz, ``Iran Embarks on $1b.
cyber-warfare program,'' The Jerusalem Post, December 18, 2011. Accessed 4/16/12. http://www.jpost.com/Defense/Article.aspx?id=249864.
---------------------------------------------------------------------------
With Stuxnet, the virtual and real worlds collided, as the worm caused physical damage to infrastructure. Former head of the CIA and the NSA, General Michael Hayden, has (rightly I would suggest) characterized Stuxnet as both ``a good idea'' and ``a big idea''--suggesting also that it represents a crossing of the Rubicon in that ``someone has legitimated this type of activity as acceptable.''\10\ The vulnerability to cyber attack of critical systems, including nuclear facilities and supervisory control & data acquisition (SCADA)/industrial control systems--with concomitant possibility of loss of life, and less than fatal but still serious and widespread consequences--raises a host of implications for U.S. National and homeland security. Potential targets are many and varied, and extend to critical sectors such as finance and telecommunications. Assistant to the President for Homeland Security and Counterterrorism, John O. Brennan, has stated that U.S. water and power systems are under cyber attack almost daily.\11\ Press reports also suggest that the U.S. nuclear industry has experienced up to 10 million cyber attacks.\12\ Even if only one attempt were to succeed, the magnitude of the impact could significantly undermine, if not shatter, trust and confidence in the system. In addition, cyber capabilities may be used as a force multiplier in a conventional attack.
---------------------------------------------------------------------------
\10\ ``Fmr. CIA head calls Stuxnet virus `good idea,' '' 60 Minutes, March 1, 2012. Accessed 4/20/12. http://www.cbsnews.com/8301-18560_162-57388982/fmr-cia-head-calls-stuxnet-virus-good-idea/.
\11\ John O. Brennan, ``Time to protect against dangers of cyberattack,'' The Washington Post, April 15, 2012. Accessed 4/23/12.
http://www.washingtonpost.com/opinions/time-to-protect-against-dangers-of-cyberattack/2012/04/15/gIQAdJP8JT_story.html.
\12\ Jason Koebler, ``U.S. Nukes face up to 10 million cyber attacks daily,'' US News & World Report, March 20, 2012. Accessed 4/24/12. http://www.usnews.com/news/articles/2012/03/20/us-nukes-face-up-to-10-million-cyber-attacks-daily.
---------------------------------------------------------------------------
The good news is that Iran is not as sophisticated as China or Russia insofar as computer network exploitation (CNE), cyber attack, and warfare capabilities are concerned (to be distinguished from intent). As yet, Iran has not shown itself to be a similarly advanced or persistent threat.\13\ This is not to give Iran a pass. To the contrary, U.S. officials are investigating ``reports that Iranian and Venezuelan diplomats in Mexico were involved in planned cyber attacks against U.S. targets, including nuclear power plants.'' Press reports based on a Univision (Spanish TV) documentary that contained ``secretly recorded footage of Iranian and Venezuelan diplomats being briefed on the planned attacks and promising to pass information to their governments,'' allege that ``the hackers discussed possible targets, including the FBI, the CIA and the Pentagon, and nuclear facilities, both military and civilian. The hackers said they were seeking passwords to protected systems and sought support and funding from the diplomats.''\14\
---------------------------------------------------------------------------
\13\ But note Google executive Eric Schmidt's statement: ``Iranians are unusually talented [at cyber warfare] for some reason we don't fully understand.'' ``Google admits Iranian superiority in cyber warfare,'' Payvand, December 18, 2011. Accessed 4/17/12. http://www.payvand.com/news/11/dec/1189.html
\14\ Shaun Waterman, ``U.S. authorities probing alleged cyberattack plot by Venezuela, Iran,'' The Washington Times, December 13, 2011.
Accessed 4/18/12 http://www.washingtontimes.com/news/2011/dec/13/us-probing-alleged-cyberattack-plot-iran-venezuela/?page=all.
---------------------------------------------------------------------------
Cyberspace largely levels the playing field, allowing individuals and small groups to have disproportionate impact. This asymmetry can be leveraged by nation-states that seek to do us harm, by co-opting or simply buying/renting the services and skills of criminals/hackers to help design and execute cyber attacks against the United States. For example, do-it-yourself code kits for exploiting known vulnerabilities are easy to find and even the Conficker worm (variants of which still lurk, forming a botnet of approximately 1.7 million computers) was rented out for use.\15\ In short, no comfort can be taken from the fact that Iran lacks the sophistication of nations such as China, Russia, or the United States. Proxies for cyber capabilities are available. There exists an arms bazaar of cyber weapons. Adversaries do not need capabilities, just intent and cash.
---------------------------------------------------------------------------
\15\ Conficker Working Group, ``Conficker Working Group: Lessons Learned,'' accessed 4/18/12 http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_- Lessons_Learned_17_June_2010_final.pdf
---------------------------------------------------------------------------
Iran has a long history of demonstrated readiness to employ proxies for terrorist purposes, drawing on kinetic means. There is little, if any, reason to think that Iran would hesitate to engage proxies to conduct cyber strikes against perceived adversaries. To paraphrase Mark Twain, history may not repeat itself, but it does tend to rhyme.
Elements of the IRGC have openly sought to pull hackers into the fold;\16\ and the Basij, who are paid to do cyber work on behalf of the regime, provide much of the manpower for Iran's cyber operations.\17\ As in the physical world however, we must keep in mind when crafting security solutions and response mechanisms that Iran is not monolithic: Command-and-control there is murky, even within the IRGC, let alone what is outsourced. The attribution challenge associated with cyber space is therefore all the more complicated where Iran is concerned. Smoking keyboards are hard to find. Cyber space is a domain made for plausible deniability.
---------------------------------------------------------------------------
\16\ Golnaz Esfandiari, ``Iran Says it Welcomes Hackers Who Work for Islamic Republic,'' Radio Free Europe, March 07, 2011. Accessed 4/18/12. http://www.rferl.org/content/iran_says_it_welcomes_hackers_who_work_for_islamic_republic/2330495.html
\17\ ``The Role of the Basij in Iranian Cyber Operations,'' Internet Haganah, March 24, 2011. Accessed 4/17/12. http://internet-haganah.com/harchives/007223.html.
---------------------------------------------------------------------------
In addition to hired or acquired cyber capabilities, the Government of Iran is, according to press reports, investing heavily ($1 billion) to develop and build out its own cyber war capabilities, both offense and defensive.\18\ There is evidence that at the heart of IRGC cyber efforts one will find the Iranian political/criminal hacker group ``Ashiyane.''\19\ In late 2009 and early 2010, hackers calling themselves the Iranian Cyber Army struck Twitter and the Chinese search engine Baidu.\20\ The group also appears to have struck Iranian websites managed by the opposition Green Movement, with deleterious results for the opposition's ability to coordinate its activities.\21\ The high visibility of these attacks suggests that the Iranian Cyber Army and similar groups might be utilized as proxies by Iran's Islamic Revolutionary Guard Corps. In the event of a conflict in the Persian Gulf, similar attacks on public-facing websites could provide Iran an avenue for psychological operations directed against the U.S. public. Though fluid, hacker groups could be cultivated and guided--if not directly managed--by the IRGC. Iran's ability to conduct Electronic Warfare, including the jamming and spoofing of radar and communications systems, has been enhanced through its acquisition of advanced jamming equipment. In the event of a conflict in the Persian Gulf, Iran might hope to combine electronic and computer network attack methods to degrade U.S. and allied radar systems, complicating both offensive and defensive operations.\22\
---------------------------------------------------------------------------
\18\ Yaakov Katz, ``Iran embarks on $1b. cyber-warfare program,'' The Jerusalem Post, December 18, 2011. Accessed 4/18/12 http://www.jpost.com/Defense/Article.aspx?id=249864.
\19\ Iftach Ian Amit, ``Cyber[Crime/War],'' paper presented at DEFCON 18 conference, July 31, 2010.
\20\ Robert Mackey, `` `Iranian Cyber Army' Strikes Chinese Sites,'' The Lede (NYT Blog), January 12, 2010; Scott Peterson, ``Twitter hacked: `Iranian Cyber Army' signs off with poem to Khamenei,'' Christian Science Monitor, December 18, 2009.
\21\ Robert F. Worth, ``Iran: Opposition Web Site Disrupted,'' The New York Times, December 18, 2009.
\22\ Michael Puttre, ``Iran bolsters naval, EW power,'' Journal of Electronic Defense vol. 25 no. 4 (April 2002): 24; Robert Karniol, ``Ukraine sells Kolchuga to Iran,'' Jane's Defense Weekly, vol. 43 no. 39 (September 27, 2006): 6; Stephen Trimble, ``Avtobaza: Iran's weapon in alleged RQ-170 affair?'' The DEW Line, December 5, 2011. Accessed 4/23/12 http://www.flightglobal.com/blogs/the-dewline/2011/12/avtobaza-irans-weapon-in-rq-17.html.
---------------------------------------------------------------------------
There is also an Iranian ``cyber police force''\23\ that blocks ``foreign websites and social networks deemed a threat to national security,'' with overall policy guidance provided by ``The Supreme Council of Virtual Space.''\24\ Interestingly, a distributed denial of service (DDoS) attack against the BBC this year happened to ``coincide with efforts to jam two of the service's satellite feeds in Iran.''\25\ There has also been considerable speculation about Government of Iran involvement in a number of hacking incidents including against Voice of America, and a Dutch firm in the business of issuing security certificates. Fallout from the latter was significant and affected a range of entities including western intelligence and security services, Yahoo, Facebook, Twitter, and Microsoft.\26\
---------------------------------------------------------------------------
\23\ Thomas Erdbrink, ``Iran cyber police cite U.S. threat,'' The Washington Post, October 29, 2011. Accessed 4/18/12 http://www.washingtonpost.com/world/middle_east/iran-cyber-police-cite-us-threat/2011/10/27/gIQA1yruSM_story.html.
\24\ ``Cyber-attack on BBC leads to suspicion of Iran's involvement,'' BBC News, March 14, 2012. Accessed 4/17/12. http://www.bbc.co.uk/news/technology-17365416.
\25\ ``Cyber-attack on BBC leads to suspicion of Iran's involvement,'' BBC News, March 14, 2012.
\26\ Kevin Kwang, ``Spy agencies hit by CA hack; Iran suspected,'' ZDNet Asia, September 5, 2011. Accessed 4/18/12. http://www.zdnetasia.com/spy-agencies-hit-by-ca-hack-iran-suspected-62301930.htm. See also Bill Gertz, ``Iranians hack into VOA website,'' The Washington Times, February 21, 2011. Accessed 4/19/12. http://www.washingtontimes.com/news/2011/feb/21/iranian-hackers-break-voa-deface-web-sites/.
---------------------------------------------------------------------------
Not surprisingly, Iran is trying to make its cyber capabilities appear truly muscular. When a U.S. drone fell into Iranian hands in December 2011, Iranian officials were quick to claim that it was brought down by ``electronic ambush of the armed forces.''\27\ The facts surrounding this incident are not all known, but from what U.S. authorities suggest, it seems that the drone likely malfunctioned, and perhaps was also affected by jamming efforts. Regardless, the fact that Iranian officials went public about their supposed capabilities suggests that they plan to do something significant by cyber means, or else they risk losing credibility.
---------------------------------------------------------------------------
\27\ Thomas Erdbrink, ``Iran shows alleged downed US drone,'' The Washington Post, December 8, 2011. Accessed 4/18/12. http://www.washingtonpost.com/blogs/blogpost/post/iran-shows-alleged-downed-us-drone/2011/12/08/gIQAKciXfO_blog.html.
---------------------------------------------------------------------------
In June 2011, Hezbollah too entered the fray, establishing the Cyber Hezbollah organization.
Law enforcement officials note that the organization's goals and objectives include training and mobilizing pro-regime (that is, Government of Iran) activists in cyber space. In turn and in part, this involves raising awareness of, and schooling others in, the tactics of cyber warfare. Hezbollah is deftly exploiting social media tools such as Facebook to gain intelligence and information. Even worse, each such exploit generates additional opportunities to gather yet more data, as new potential targets are identified, and tailored methods and means of approaching them are discovered and developed.

Given all the above evidence of (both conventional and cyber) capability and intent on the part of Iran and its proxies, the United States requires a robust posture. There are steps we can take to shore up our stance and create a more solid platform for proactive and, if necessary, reactive purposes.

From a counterterrorism and intelligence standpoint, it is crucial to focus on and seek to enhance all-source intelligence efforts. Such is the key to refining our understanding of the threat in its various incarnations, and to facilitating the development and implementation of domestic tripwires designed to thwart our adversaries and keep us ``left of boom.''\28\ Disruption should be our goal. Planning and preparation to achieve this end includes information gathering and sharing--keeping eyes and ears open at home and abroad to pick up indications and warnings (I&W) of attack, and reaching out to and partnering with State and local authorities as well as technical and academic communities. Outreach to respected leaders in the community is essential to keep channels open, build trust, and foster mutual assistance. These dialogues should take place across the board, and not just in major metropolitan centers.
The history of the Conficker Working Group, captured in a DHS-sponsored lessons learned document, provides examples of the types of relationships that need to be established and maintained.\29\
---------------------------------------------------------------------------
\28\ Frank J. Cilluffo, Sharon Cardash, and Michael Downing, ``Is America's View of Iran and Hezbollah Dangerously Out of Date?'' FoxNews.com, March 20, 2012. Accessed 4/18/12 http://www.foxnews.com/opinion/2012/03/20/is-americas-view-iran-and-hezbollah-dangerously-out-date/.
\29\ Conficker Working Group, ``Conficker Working Group: Lessons Learned,'' accessed 4/18/12 http://www.confickerworkinggroup.org/wiki/uploads/Conficker_Working_Group_Lessons_Learned_17_June_2010_final.pdf.
---------------------------------------------------------------------------
Searching for I&W will require fresh thinking that identifies and pursues links and patterns not previously established. The above-described nexus between terrorist and criminal networks offers new possibilities to exploit for collection and analysis. To take full advantage, we will have to hit the beat hard, with local police tapping informants and known criminals for leads. State and local authorities can and should complement what the Federal Government does not have the capacity or resources to collect, and thereby help determine the scope and contours of threat domains in the United States. Further leveraging our decentralized law enforcement infrastructure could also serve to better power our Fusion Centers. The post-9/11 shift of U.S. law enforcement resources away from ``drugs and thugs'' toward counterterrorism is, ironically, in need of some recalibration in order to serve counterterrorism aims. For the last decade, furthermore, U.S. Government analysts have (understandably) focused on al-Qaeda, resulting in a shallower pool of U.S. intelligence on Hezbollah.
Recent incidents cited above may provide insight into current tactics, techniques, and procedures, and we should comb through further to mine for and learn possible lessons. Officials in the homeland security community must undertake contingency planning that incorporates attacks on U.S. infrastructure. At minimum, ``red-teaming'' and additional threat assessments are needed. The latter should include modalities of attack (such as cyber, and attacks on our critical infrastructures) and potential consequences. From the perspective of cybersecurity and infrastructure protection, the United States should develop and clearly articulate a cyber-deterrence strategy. Computer network exploitation directed against us is presently a major issue--we are losing billions of dollars in intellectual property as a result. Even more ominous are adversary efforts underway to engage in the cyber equivalent of intelligence preparation of the battlefield, again to be used against us.\30\ There is simply no other explanation for the nature and extent of the activity that we have seen so far. Yet, insofar as our response posture is concerned, the current situation is arguably the worst of all worlds: Certain adversaries have been singled out in Government documents released in the public domain, yet it is not altogether clear what we are doing about these activities directed against us.\31\ The better course would be to undertake and implement a cyber-deterrence policy that seeks to dissuade, deter, and compel both as a general matter, and in a tailored manner that is actor/adversary-specific. A solid general posture could serve as an 80 percent solution, neutralizing the majority of threats before they manifest fully. This would free up resources (human, capital, technological, etc.) to focus in context-specific fashion on the remainder, which constitute the toughest threats and problems, in terms of their level of sophistication and determination. 
To operationalize these recommendations, we must draw lines in the sand or, in this case, the silicon. Preserving flexibility of U.S. response by maintaining some measure of ambiguity is useful, so long as we make parameters clear by laying down certain markers or selected redlines whose breach will not be tolerated. The entire exercise must, of course, be underpinned by all-source intelligence. Lest the task at hand seem overly daunting, remember that we have in the past successfully forged strategy and policy in another new domain devoid of borders, namely outer space.
---------------------------------------------------------------------------
\30\ Nick Hopkins, ``Militarisation of Cyberspace: how the global power struggle moved online,'' The Guardian, April 16, 2012. Accessed 4/17/12. http://m.guardian.co.uk/technology/2012/apr/16/militarisation-of-cyberspace-power-struggle?cat=technology&type=article; and http://m.guardian.co.uk/technology/2012/apr/16/us-china-cyber-war-games?cat=technology&type=article.
\31\ See Bryan Krekel et al., Occupying the Information High Ground: Chinese Capabilities for Computer Network Operations and Cyber Espionage (Report, U.S.-China Security and Review Commission, 2011); Office of the National Counterintelligence Executive, Foreign Spies Stealing U.S. Secrets in Cyberspace: Report to Congress on Foreign Economic Collection, 2009-2011 (Washington, DC: NCIX, 2011) for the espionage activities of China and Russia in particular.
---------------------------------------------------------------------------
Sometimes, however, the best defense is a good offense. Yet the U.S.
cyber offense to defense ratio, at least as represented in the public domain, has skewed overwhelmingly to defense.\32\ There are some signs of late that this may be changing, including newspaper reports suggesting that rules of engagement regarding cyber attacks are being developed, and that the Department of Defense is seeking to bolster its arsenal of cyber weapons.\33\ These are encouraging developments, if true, because having a full complement of instruments in our toolkit, and publicizing that fact (minus the details), will help deter potential adversaries--provided that we also signal a credible commitment to enforcing compliance with U.S. redlines. Again history provides guidance, suggesting two focal points upon which we should build our efforts. One is leadership--we must find the cyber equivalents of Billy Mitchell or George Patton, leaders who understand the tactical and strategic uses of new technologies and weapons. The other is force protection--not only must we develop offensive capabilities, but we ought to make sure we develop second-strike capabilities. We cannot simply firewall our way out of the problem. U.S. Cyber Command must both lend and receive support, if our cyber doctrine is to evolve smartly and if our cyber power is to be exercised effectively.
---------------------------------------------------------------------------
\32\ For comments by GEN James Cartwright, USMC, to this effect, see Julian E. Barnes and Siobhan Gorman, ``Cyberwar Plan Has New Focus on Deterrence,'' The Wall Street Journal, July 15, 2011. Accessed 4/23/12 http://online.wsj.com/article/SB10001424052702304521304576446191468181966.html
\33\ Cheryl Pellerin, ``DOD Develops Cyberspace Rules of Engagement,'' American Forces Press Service, March 20, 2012. Accessed 4/23/12 http://www.defense.gov/news/newsarticle.aspx?id=67625; Zachary Fryer-Briggs, ``U.S. Military Goes on Cyber Offensive,'' Defense News, March 24, 2012.
Accessed 4/23/12 http://www.defensenews.com/article/20120324/DEFREG02/303240001/U-S-Military-Goes-Cyber-Offensive. See also Testimony of GEN Keith Alexander, USA, before the U.S. House of Representatives Committee on Armed Services, Fiscal Year 2013 Budget Request for Information Technology and Cyber Operations Programs, March 20, 2012. Accessed 4/23/12 http://armedservices.house.gov/index.cfm/hearings-display?ContentRecord_id=92823c77-38f0-4c20-a3ee-36729e8e19a3.
---------------------------------------------------------------------------
While it is up to the Government to lead by example by getting its own house in order, cybersecurity and infrastructure protection do not constitute areas where Government can go it alone. With the majority of U.S. critical infrastructure owned and operated privately, robust public-private partnerships are essential, as is a companion commitment by the private sector to take the steps necessary to reinforce national and homeland security. Government and industry must demonstrate the will and leadership to take the tough decisions and actions necessary in this sphere. Lest the incentives to do so not be clear to all by now, consider the words of the FBI's then-executive assistant director responsible for cybersecurity, Shawn Henry, who said: ``We're not winning.'' He illustrated his conclusion by citing a company that, due to hackers, lost 10 years of effort (R&D) and the equivalent of $1 billion.\34\ While we cannot expect the private sector to defend itself alone from attacks by foreign intelligence services, we need to do a better job (as a country) of making the business case for cybersecurity. Failure to shore up our vulnerabilities has National security implications. Yet crucial questions remain open, such as how much cybersecurity is enough, and who is responsible for providing it?
---------------------------------------------------------------------------
\34\ Devlin Barrett, ``U.S.
Outgunned in Hacker War,'' The Wall Street Journal, March 28, 2012. Accessed 4/18/12 http://online.wsj.com/article/SB10001424052702304177104577307773326180032.html
---------------------------------------------------------------------------
The facts in this case support the need for standards, as identified and self-initiated (along with best practices) by the private sector, across critical industries and infrastructures, together with an enforcement role for Government, to raise the bar higher--in order to protect and promote, not stifle, innovation. The economic and intellectual engines that made this country what it is today are, arguably, our greatest resource. They will power us into the future too, so long as we act wisely and carefully to foster an environment in which they can continue to thrive and grow. To be blunt, legislation of the type described is needed, and it is needed now, in order to remedy crucial gaps and shortfalls, and hold critical infrastructure owners and operators accountable, by focusing on behavior rather than regulating technology. At the same time, a mix of incentives is needed, to include tax breaks, liability protections, and insurance premium discounts, for private owners and operators of critical infrastructure to take the steps needed to help improve our overall level of security. These measures must also be accompanied by a mechanism to enable and encourage information sharing between the public and private sectors. In addition, as former director of national intelligence, Admiral Mike McConnell, has suggested, the information exchanged must be ``extensive, . . . sensitive and meaningful,'' and the sharing must take place in ``real-time'' so as to match the pace of the cyber threat. There must be ``tangible benefits'' for those yielding up the information.\35\
---------------------------------------------------------------------------
\35\ VADM J.
Michael McConnell, USN (Ret.), remarks given February 22, 2012 at Homeland Security Policy Institute, The George Washington University, Washington, DC. Transcript and video accessed 4/23/12 http://www.c-spanvideo.org/program/CyberSecurityL.
---------------------------------------------------------------------------
In conclusion, now is the time to act. For too long, we have been far too long on nouns, and far too short on verbs. Again, I wish to thank both subcommittees and their staff for the opportunity to testify today, and I would be pleased to try to answer any questions that you may have.

Mr. Meehan. Thank you, Mr. Cilluffo. That might be something you want to develop further in your--in your response to questions. Mr. Berman, we now recognize you for 5 minutes. Thank you.

STATEMENT OF ILAN BERMAN, VICE PRESIDENT, AMERICAN FOREIGN POLICY COUNCIL

Mr. Berman. Thank you, sir, and let me start by thanking you, Mr. Chairman, and thanking Chairman Lungren for holding this hearing. Like my colleague, I am appreciative of the fact that this is a synergistic problem and it is one that lends itself to a synergistic solution rather than simply holding one-off events. Let me also say by way of starting, that I am a subject-matter specialist in Iran, rather than infrastructure protection or cybersecurity, so I am going to focus my remarks on the political and the strategic aspects of the emerging Iranian cyber threat. Let me start by saying that I think the question that is being posed increasingly here within the Washington Beltway is whether or not Iran poses a real and immediate cyber threat to the United States, and the conventional wisdom here is that it doesn't because Iran is squeezed by increasingly harsh economic sanctions from the United States and the European Union and others, and also because Iran, as a result, is weathering significant domestic socioeconomic malaise.
But for those very same reasons, I would make the argument that Iranian action against the United States, particularly asymmetric action against the United States, is more rather than less likely. If you look at the Iranian--the way the Iranians approach cyber space, they are essentially looking at two geopolitical drivers that are animating their focus and their attention. The first has to do with domestic repression. The Iranian regime is erecting what President Obama recently called an electronic curtain around its population and it is doing so through the construction of a National intranet to essentially supplant and cordon off Iranian access to the world wide web. It is doing so through the passage of new restrictive regulations and rules governing internet usage, public internet usage. It is doing so through the passage of penalties relating to content that is deemed inappropriate by the Iranian regimes--Iranian regime, and is doing so through the installation, acquisition, and installation of technologies, foreign origin technologies, such as Chinese origin technologies for the monitoring, filtering, and limiting of access to the internet. This focus on the part of the Iranian regime, began in earnest after June 2009, when the fraudulent re-election of Iranian President Mahmoud Ahmadinejad catalyzed a groundswell of opposition from the Iranian street. The Iranian opposition elements at the time leveraged the internet extensively in their protests, and as a result, the Iranian regime responded in that domain as well. It has been successful. If you look over the last year or so, it is very clear that the Iranian Green Movement as it is called, has migrated into the ether. It has migrated into the internet, and the regime has followed them there. 
If you look at the new restrictions that are being passed by the Iranian regime in terms of access to Facebook, and Twitter, and other accounts, it is very clear that the competition and contest between Iran and its opposition is much more virtual now than it is actually on the streets, but it is still there. This focus, though, has been confirmed by what has happened in the Middle East over the last year. The Arab Spring has been touted by Iran as a victory for the Ayatollah Khomeini Islamic Revolution, but in practical terms, the anti-regime sentiment that is embodied by the turmoil that has taken place in Tunisia, and Libya, and Egypt is taking place now in Syria and elsewhere, poses a mortal threat to the Iranian regime on a number of levels. As a result, the Arab Spring has confirmed to them the need to clamp down domestically and isolate their population from these outside sources. The second, and for the purposes of this committee, I think more important geopolitical driver of Iran's interest has to do with the asymmetric conflict that is already occurring over Iran's nuclear program. We heard earlier in the opening statements about the application of Stuxnet, and Stuxnet is one of at least three, possibly more, cyber attacks against-- discrete cyber attacks that have taken place against the Iranian nuclear program over the last 2 years or so. In policy circles in Washington the question of attribution, where Stuxnet and these other malwares came from, who has deployed them, is still an open question. But from the Iranian perspective, it is not. 
It is very clear for Iran, that the west writ large has launched an asymmetric attack on the Iranian nuclear program and it is mobilizing as a response, mobilizing through the creation of a $1 billion program to ramp up its cyber defense and cyber offense capabilities, the construction of a cyber army of sympathetic hacktivists, and leveraging attacks against entities such as Twitter, such as the Chinese search engine Baidu, such as the BBC. This all shows a very clear pattern of increasingly aggressive behavior, and it underscores, I think, a fundamental point, which is that Iran appears to be moving increasingly from defense to offense in terms of how it thinks about cyber space. In the opening remarks, Chairman Meehan, you referenced the assessment of General Clapper, about how Iran has become increasingly bold in its strategy. I would make the argument that this represents nothing less than a seismic shift in terms of how Iran thinks about the U.S. homeland. In his testimony, General Clapper talked about the fact that Iranian officials, probably including the Supreme Leader Ali Khamenei himself, have changed their calculus and are now willing to conduct an attack on the United States. This has salience with regard to the attempted foiled attack in October 2001 against the Saudi Ambassador in Washington, but increasingly, it is likely to manifest itself in other ways as well, including in the cyber realm. Here Iran has significant capability, and significant intent. Last summer, for example, a hard-liner Iranian newspaper affiliated with the Revolutionary Guard, warned the United States, that America no longer has the ``exclusive capability in cyber space and it has underestimated the Islamic Republic,'' and now needs to worry about ``an unknown player somewhere in the world attacking a section of its critical infrastructure.'' Are we ready for this? This is, I think, the most salient question of all. 
The past year has seen a dramatic expansion on the part of the United States in terms of Governmental awareness of cyber space as a domain for conflict. But this attention is still uneven, I would argue. It focuses largely on network protection and resiliency, particularly in the military arena, and on threat capabilities from China, and from Russia. Serious institutional awareness of the threat from Iran and the cyber warfare potential of Iran, has lagged behind the times and so has the Governmental response to it. So why does this matter? I would argue that it matters for three reasons: First of all, it matters because operationally, an Iranian cyber attack may look similar to a Chinese cyber attack, or a Russian cyber attack, but there are key differences. The first is with regard to targeting objects. Iran has, in both its public statements and its writings, talked extensively about U.S. critical infrastructure.

Mr. Meehan. Mr. Berman, can I do this? I am going to pursue that specific line of questioning with you as soon as I have an opportunity. I want you to articulate more on that. Allow me to move with Mr. Caslow at this point in time, and we will return to that.

Mr. Berman. Absolutely, thank you, sir.

[The prepared statement of Mr. Berman follows:]

Prepared Statement of Ilan Berman

April 26, 2012

Congressman Lungren, Congressman Meehan, distinguished Members of the subcommittees: Thank you for the opportunity to appear before you today to address the cyber warfare capabilities of the Islamic Republic of Iran, and the threat that they pose to the U.S. homeland.

Conventional wisdom suggests that the Iranian regime, now being squeezed significantly by sanctions from the United States and Europe and grappling with significant domestic socio-economic malaise, is far from an imminent threat to the American homeland (even if it does present a vexing foreign policy challenge for the United States and its allies).
Yet, over the past 3 years, the Iranian regime has invested heavily in both defensive and offensive capabilities in cyber space. Equally significant, its leaders now increasingly appear to view cyber warfare as a potential avenue of action against the United States.

iranian capabilities in geopolitical context

Iran's expanding exploitation of cyber space can be attributed to two principal geopolitical drivers. The first are the Iranian regime's efforts to counter Western influence and prevent the emergence of a ``soft revolution'' within its borders. In his March 2012 Nowruz message to the Iranian people, President Obama alluded to the growing efforts of the Iranian regime to isolate its population from the outside world when he noted that an ``electronic curtain has fallen around Iran.''\1\ That digital barrier has grown exponentially over the past 3 years, as Iran's leadership has sought to quell domestic dissent and curtail the ability of its opponents to organize.
---------------------------------------------------------------------------
\1\ White House, Office of the Press Secretary, ``Remarks of President Obama Marking Nowruz,'' March 20, 2012, http://www.whitehouse.gov/the-press-office/2012/03/20/remarks-president-obama-marking-nowruz.
---------------------------------------------------------------------------
The proximate cause of this effort was the fraudulent June 2009 reelection of Mahmoud Ahmadinejad to the Iranian presidency, which catalyzed a groundswell of domestic opposition that became known colloquially as the ``Green Movement.'' In the months that followed, Iran's various opposition elements relied extensively on the internet and social networking tools to organize their efforts, communicate their messages to the outside world, and rally public opinion to their side.
In turn, the Iranian regime utilized information and communication technologies extensively in its suppression of the protests--and thereafter has invested heavily in capabilities aimed at controlling the internet and restricting the ability of Iranians to access the world wide web.\2\
---------------------------------------------------------------------------
\2\ See, for example, Saeid Golkar, ``Liberation or Suppression Technologies? The Internet, the Green Movement and the Regime in Iran,'' International Journal of Emerging Technologies and Society 9, no. 1 (2011), 50-70, http://www.swinburne.edu.au/hosting/ijets/journal/V9N1/pdf/Article%204%20Golkar.pdf.
---------------------------------------------------------------------------
This focus has only been reinforced by recent revolutionary fervor throughout the Middle East and North Africa. For while Iranian authorities have sought to depict the so-called ``Arab Spring'' as both the start of an Islamic awakening and an affirmation of their regime's worldview,\3\ the anti-regime sentiment prevalent in the region actually represents a mortal threat to their corrupt, unrepresentative regime. As a result, the past year has seen a quickening of the regime's long-running campaign against ``Western influence'' within the Islamic Republic. These efforts include:
---------------------------------------------------------------------------
\3\ ``Khamenei Credits Iranian Revolution With Fuelling Egyptian Revolt,'' Reuters, February 4, 2011, http://www.thenational.ae/news/world/middle-east/khamenei-credits-iranian-revolution-with-fuelling-egyptian-revolt; Robert F. Worth, ``Efforts To Rebrand Arab Spring Backfires In Iran,'' New York Times, February 2, 2012, http://www.nytimes.com/2012/02/03/world/middleeast/effort-to-rebrand-arab-spring-backfires-in-iran.html?pagewanted=all.
---------------------------------------------------------------------------
    The construction of a new, ``halal'' national internet.
This ``second internet,'' which will effectively sever Iran's connection to the world wide web by routing web users to pre-approved, Iranian-origin sites, is currently expected to come on-line by late summer 2012.\4\
---------------------------------------------------------------------------
\4\ See Steven Musil, ``Iran Expected To Permanently Cut Off Internet By August,'' CNET, April 9, 2012, http://news.cnet.com/8301-1023_3-57411577-93/iran-expected-to-permanently-cut-off-internet-by-august/.
---------------------------------------------------------------------------
    Installation of a sophisticated Chinese-origin surveillance system for monitoring phone, mobile, and internet communications.\5\
---------------------------------------------------------------------------
\5\ Steve Stecklow, ``Special Report: Chinese firm helps Iran spy on citizens,'' Reuters, March 22, 2012, http://www.reuters.com/article/2012/03/22/us-iran-telecoms-idUSBRE82L0B820120322.
---------------------------------------------------------------------------
    The passage of new, restrictive governmental ``guidelines'' forcing internet cafes to record the personal information of customers--including vital data such as names, national identification numbers, and phone numbers--as well as the installation of closed-circuit cameras to keep video logs of all customers accessing the world wide web.\6\
---------------------------------------------------------------------------
\6\ Radio Free Europe, January 4, 2012.
---------------------------------------------------------------------------
    Movement toward the formation of a new government agency to monitor cyber space.
Once operational, this ``Supreme Council of cyber space,'' which will be headed by top officials from both Iran's intelligence apparatus and the Revolutionary Guards, will be tasked with ``constant and comprehensive monitoring over the domestic and international cyber space,'' and be able to issue sweeping decrees concerning the internet that would have the full strength of law.\7\
---------------------------------------------------------------------------
\7\ Ramin Mostaghim and Emily Alpert, ``Iran's Supreme Leader Calls for New Internet Oversight Council,'' Los Angeles Times, March 7, 2012, http://latimesblogs.latimes.com/world_now/2012/03/iran-internet-council-khamenei.html.
---------------------------------------------------------------------------
The second geopolitical driver of Iran's interest in cyber space relates to the expanding conflict with the West over its nuclear ambitions. Since the fall of 2009, Iran has suffered a series of sustained cyber attacks on its nuclear program. The most well-known of these is Stuxnet, the malicious computer worm that attacked the industrial control systems at several Iranian nuclear installations, including the uranium enrichment facility at Natanz, between late 2009 and late 2010. At the height of its effectiveness, Stuxnet is estimated to have taken 10 percent or more of Iran's 9,000 then-operational centrifuges off-line.\8\
---------------------------------------------------------------------------
\8\ David Albright, Paul Brannan, and Christina Walrond, ``Stuxnet Malware and Natanz: Update of ISIS December 2, 2010 Report,'' Institute for Science and International Security ISIS Reports, February 15, 2011, http://www.isis-online.org/isis-reports/detail/stuxnet-malware-and-natanz-update-of-isis-december-22-2010-reportsupa-href1/.
---------------------------------------------------------------------------
Stuxnet has been followed by at least two other cyber attacks aimed at derailing Iran's nuclear development.
``Stars,'' a software script targeting execution files, was uncovered by the Iranian regime in April 2011.\9\ Subsequently, ``Duqu,'' a malware similar to Stuxnet and aimed at gaining remote access to Iran's nuclear systems, was identified in October/November 2011.\10\
---------------------------------------------------------------------------
\9\ ``After Stuxnet: Iran Says It's Discovered 2nd Cyber Attack,'' Reuters, April 25, 2011, http://www.jpost.com/IranianThreat/News/Article.aspx?id=217795.
\10\ ``Iran Says Has Detected Duqu Computer Virus,'' Reuters, November 13, 2011, http://www.reuters.com/article/2011/11/13/us-iran-computer-duqu-idUSTRE7AC0YP20111113.
---------------------------------------------------------------------------
Publicly, the origins of these intrusions are still an open question. Israel has steadfastly denied any role in the authorship of Stuxnet or other cyber attacks, despite widespread speculation to the contrary. The United States, too, has remained silent on the subject, although suspicions abound that the CIA played at least some part in putting together and deploying Stuxnet (and perhaps other malware as well).\11\
---------------------------------------------------------------------------
\11\ Ralph Langner, ``Cracking Stuxnet, a 21st Century Cyber Weapon,'' TED Talks, March 2011, http://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon.html.
---------------------------------------------------------------------------
For the Iranian regime, however, the conclusion is clear. War with the West, at least on the cyber front, has been joined, and the Iranian regime is mobilizing in response.
In recent months, it reportedly has launched an ambitious $1 billion governmental program to boost national cyber capabilities--an effort that involves acquisition of new technologies, investments in cyber defense, and the creation of a new cadre of cyber experts.\12\ It has also activated a ``cyber army'' of activists which, while nominally independent, has carried out a series of attacks on sites and entities out of favor with the Iranian regime, including social networking site Twitter, Chinese search engine Baidu, and the websites of Iranian reformist elements.\13\
---------------------------------------------------------------------------
\12\ Yaakov Katz, ``Iran Embarks On $1b. Cyber-Warfare Program,'' Jerusalem Post, December 18, 2011, http://www.jpost.com/Defense/Article.aspx?id=249864.
\13\ Farvartish Rezvaniyeh, ``Pulling the Strings of the Net: Iran's Cyber Army,'' PBS Frontline, February 26, 2010, http://www.pbs.org/wgbh/pages/frontline/tehranbureau/2010/02/pulling-the-strings-of-the-net-irans-cyber-army.html; Alex Lukich, ``The Iranian Cyber Army,'' Center for Strategic & International Studies, July 12, 2011, http://csis.org/blog/iranian-cyber-army.
---------------------------------------------------------------------------

cyberwar and iranian strategy

In his testimony to the Senate Select Committee on Intelligence this past January, General James Clapper, the director of national intelligence, alluded to what amounts to a seismic shift in Iranian strategy. In response to growing economic sanctions and mounting pressure from the United States and its allies, he noted, ``Iranian officials--probably including Supreme Leader Ali Khamenei--have changed their calculus and are now willing to conduct an attack in the United States.''\14\
---------------------------------------------------------------------------
\14\ James Clapper, testimony before the Senate Select Committee on Intelligence, January 31, 2012.
---------------------------------------------------------------------------
Gen. Clapper was referring, most directly, to the foiled October 2011 plot by Iran's Revolutionary Guards to assassinate Saudi Arabia's envoy to the United States in Washington, DC. But, as the international crisis over Iran's nuclear ambitions continues to deepen, Iran's cyber capabilities should be a matter of significant concern as well. Experts have warned that, should the standoff over Iran's nuclear program precipitate a military conflict, Iran ``might try to retaliate by attacking U.S. infrastructure such as the power grid, trains, airlines, refineries.''\15\
---------------------------------------------------------------------------
\15\ Brian Ross, ``What Will Happen to the US if Israel Attacks Iran?'' ABC News, March 5, 2012, http://abcnews.go.com/Blotter/israel-attacks-iran-gas-prices-cyberwar-terror-threat/story?id=15848522#.T4g5tqvY9Ll.
---------------------------------------------------------------------------
The Iranian regime appears to be contemplating just such an asymmetric course of action. In late July 2011, for example, Kayhan, a hardline newspaper affiliated with Iran's Revolutionary Guards, issued a thinly-veiled warning to the United States when it wrote in an editorial that America, which once saw cyber warfare as its ``exclusive capability,'' had severely underestimated the resilience of the Islamic Republic. The United States, the paper suggested, now needs to worry about ``an unknown player somewhere in the world'' attacking ``a section of its critical infrastructure.''\16\
---------------------------------------------------------------------------
\16\ ``STUXNET has Returned Home,'' Kayhan (Iran), July 27, 2011. (Author's collection).
---------------------------------------------------------------------------

In keeping with this warning, over the past year infrastructure professionals in the United States have noted that Iran's ``chatter is increasing, the targeting more explicit, and more publicly disseminated.''\17\ The Islamic Republic, in other words, increasingly has begun to seriously contemplate cyber warfare as a potential avenue of action against the West.
---------------------------------------------------------------------------
\17\ Author's personal communication, August 17, 2011.
---------------------------------------------------------------------------

Iran has significant capacity in this sphere. A 2008 assessment by the policy institute Defense Tech identified the Islamic Republic as one of five countries with significant nation-state cyber warfare potential.\18\ Similarly, in his 2010 book Cyber War, former National Security Council official Richard Clarke ranks Iran close behind the People's Republic of China in terms of its potential for ``cyber-offense.''\19\ These capabilities, moreover, are growing. In his January 2012 Senate testimony, General Clapper alluded to the fact that Iran's cyber capabilities ``have dramatically increased in recent years in depth and complexity.''\20\
---------------------------------------------------------------------------
\18\ Kevin Coleman, ``Iranian Cyber Warfare Threat Assessment,'' Defense Tech, September 23, 2008, http://defensetech.org/2008/09/23/iranian-cyber-warfare-threat-assessment/.
\19\ Richard A. Clarke and Robert K. Knake, Cyber War: The Next Threat to National Security and What to do About It (New York: Harper Collins, 2010), 148.
\20\ Clapper, testimony before the Senate Select Committee on Intelligence.
---------------------------------------------------------------------------

preparing for cyber war with iran

Where does the United States stand with regard to a response?
The Obama administration has made cybersecurity a major area of policy focus since taking office in 2009, and the past year in particular has seen a dramatic expansion of Governmental awareness of cyber space as a new domain of conflict. But this attention remains uneven, focused largely on network protection and resiliency (particularly in the military arena), and on the threat capabilities of the People's Republic of China and, to a lesser extent, of the Russian Federation.

Serious institutional awareness of, and response to, Iran's cyber warfare potential has lagged behind the times. Indeed, personal conversations with a range of experts inside and outside of Government reveal a troubling lack of clarity about the Iranian cyber threat--and the absence of serious planning to counter it. While some parts of the Federal bureaucracy (namely U.S. Strategic Command and the State Department's Nonproliferation Bureau) have begun to pay attention to Iran's threat potential in the cyber realm, as yet there exists no individual or office tasked with comprehensively addressing the Iranian cyber warfare threat. The U.S. Government, in other words, has not yet even begun to get ready for cyber war with Iran.

It should. After all, it is not out of the question that the Iranian regime could attempt an unprovoked cyber attack on the United States. As the foiled October 2011 plot against Saudi Arabia's ambassador to the United States indicates, Iran has grown significantly bolder in its foreign policy, and no longer can be relied upon to refrain from direct action in or against the U.S. homeland.

Far more likely, however, is a cyber warfare incident related to Iran's nuclear program. In coming months, a range of scenarios--from a renewed diplomatic impasse to a further strengthening of economic sanctions to the use of military force against Iranian nuclear facilities--hold the potential to trigger an asymmetric retaliation from the Iranian regime aimed at vital U.S.
infrastructure, with potentially devastating effects. At the very least, it is clear that policymakers in Tehran are actively contemplating such an eventuality. Prudence dictates that their counterparts in Washington should be doing so as well.

Mr. Meehan. Mr. Caslow, I now want to recognize you for your 5 minutes.

STATEMENT OF ROGER L. CASLOW, EXECUTIVE CYBER CONSULTANT, SUSS CONSULTING

Mr. Caslow. Good morning, and thank you for inviting me to share my testimony today. I do want to emphasize that my background is primarily in the realm of cybersecurity as it relates to computer and network defense. I am not an Iranian subject-matter expert, but I do know how to secure something and lock it down. It is an honor to appear before the joint subcommittee to testify about the Iranian cyber threat to the U.S. homeland, and I do hope that my testimony is of benefit to create a better defensive posture against this stated threat.

My colleagues here have already identified the threat. They scoped it out for us. That is good. Looking from a pure vulnerability perspective and how we go forward and how we attack that, according to the 2012 Data Breach Investigations Report from Verizon, 97 percent of all reported data breaches were avoidable through basic level security controls implementation.

Now, let me just state, that in order to protect our way of life, we must be prepared to return to the basics of security, not the flashing glitz of a Duqu or a Stuxnet, which I could talk if we wanted to about that, but rather the foundational aspects of cybersecurity. Once we have secured the basics across all sectors, then and only then can we have the greater certainty that the weakest link is not as exploitable by those who seek to do us harm.
Within the field of cybersecurity, this requires ensuring the foundation is secure by knowing what is on and connected to our networks, what our basic security posture is, and what it should be, and ensuring the right people with the right skill sets are building, maintaining, and protecting these assets and data.

Furthermore, within the cybersecurity discipline, we require a strong governance structure. Governance is far from the most exciting area of cybersecurity, but it is foundational to ensure better management of our vulnerabilities against our threats. For this to work, we must have clearly defined language, write what is meant, and leave as little room for negotiation as possible. Good governance is required for best performance of our National, State, local, and industrial activities. Good governance supports better integration of cybersecurity and information technology architectures, building in the security requirements up front. Good governance supports the adoption of risk-management-based decisions, which are only as good as the information available to the decision makers responsible for the defense of our interconnected networks, both public and private.

I am going to mention Executive Order 13587, which was the structural reforms to improve the security of classified networks. That was a good start, however, I believe it required more teeth, but it also required better integration across all levels to include our industrial partners, lest the bureaucracy overrun the implementation.

Another not-too-exciting area, is the emphasis on education, training, and awareness. Education emphasis, not merely on the hard technology engineering skills, but also on the basic critical thinking skills which are lost in many technology disciplines. With respect to training as a Nation, our standards need to be fully matured and established across all sectors.
We can make improvements by leveraging the private-sector security-based and -focused training organizations which are aware of the threats, vulnerability, and respective countermeasures. Basic awareness of the threats posed to all sectors and elements to our society is also important. We still have too many people who are ignorant of the threats, and become caught in phishing, spear phishing, social engineering, and other types of manipulation, exploitation, and exfiltration schemes. Again, all sectors are important and require some level of targeted awareness campaigns. I consider it more of an op-sec, or an operational security against a cyber attack.

Now, there is a National initiative for cybersecurity education which evolved from the Comprehensive National Cybersecurity Initiative, was intended to address many of these education training and awareness issues, but has not taken root. I fully understand the concept of measure twice and cut once, but when we face the threats we do as a Nation, the 85 percent solution should be enough to start. More focus on results and accomplishments, less talking, will better serve this initiative in our overall cybersecurity posture regardless of the threat vector.

Finally, when to seek out and leverage by name, when and where possible, specific people, tailorable process, integratable security technology solutions. We must allow the security--the subject-matter experts to research, propose, implementable processes and technology solutions and then put them in place with minimal delay. Bureaucracy is not our friend in this arena.

Now, there are no easy solutions, and we have been speaking to these topics for a number of years, but if we are serious about protecting our Nation's interests, we must first secure the basics before moving into more advanced methods and techniques.

Thank you again. I look forward to any questions you might have for me.

[The statement of Mr. Caslow follows:]

Prepared Statement of Roger L.
Caslow

April 26, 2012

Good morning and thank you for inviting me to share my testimony today. My name is Roger Caslow \1\ and I am an executive consultant with Suss Consulting. My background is primarily in the realm of cybersecurity as it relates to computer and network defense. It is an honor to appear before this joint subcommittee to testify about the ``Iranian Cyber Threat to the U.S. Homeland'' and I hope that my testimony is of benefit in creating a better defense posture against this stated threat.
---------------------------------------------------------------------------
\1\ Roger Caslow Bio.
---------------------------------------------------------------------------

According to the 2012 Data Breach Investigations Report,\2\ 97% of all reported data breaches were avoidable through basic level security controls implementation. Allow me to state that in order to protect our way of life we must be prepared to return to the basics of security. Not the flashy and glitzy but rather the foundational aspects of cybersecurity. Once we have secured the basics, across all sectors, then and only then can we have greater certainty that the ``weakest link'' is not as exploitable by those who seek to do us harm. Within the field of cybersecurity this requires ensuring that the foundation is secure by knowing what is on or connected to our networks, what our basic security posture is and what it should be, and ensuring that the right people with the right skill sets are building, maintaining, and protecting these assets and their data.
---------------------------------------------------------------------------
\2\ 2012 Data Breach Investigations Report, Verizon.
---------------------------------------------------------------------------

Furthermore, within the cybersecurity discipline we require a stronger governance structure.
Governance is far from the most exciting area in the field of cybersecurity but it is foundational to ensure better management of our vulnerabilities against our threats. For this to work we must have clearly defined language, write what is meant and leave as little room for negotiation as possible. Good governance is required for best performance of our National, State, local, and industry activities. Good governance supports better integration of cybersecurity and information technology architectures, building in the security requirements up-front. Good governance supports the adoption of risk-management-based decisions, which are only as good as the information made available to the decision makers responsible for the defense of our interconnected networks, both public and private. Executive Order 13587,\3\ Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, is a good start but it requires more ``teeth'' and better communication across all levels, to include our industry partners, lest the bureaucracy overrun the implementation.
---------------------------------------------------------------------------
\3\ Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, Signed October 7, 2011.
---------------------------------------------------------------------------

Another, not-too-exciting area, is the emphasis on education, training, and awareness (ETA). Education emphasis, not merely on the hard technology engineering skills but also on basic critical thinking skills, which are all but lost in many technology disciplines. With respect to training, as a Nation our standards need to be fully matured and established across all sectors.
We can make improvements by leveraging the private-sector security-based and -focused training organizations, which are aware of the threats, vulnerabilities, and countermeasures. Basic awareness of the threats posed to all sectors and elements of our society is also important. We still have too many people who are ignorant of the threats and become caught in phishing, spear phishing, social engineering, and other types of data manipulation, exploitation, and exfiltration schemes. Again, all sectors are important and require some level of targeted awareness campaigns. Consider it as operational security against the cyber attack. The National Initiative for Cybersecurity Education (NICE)\4\ which evolved from the Comprehensive National Cybersecurity Initiative was intended to address many of the ETA issues but it has not taken root. I fully understand the concept of ``measure twice and cut once'' but when we face the threats we do as a Nation, the 85% solution should be enough to start. More focus on results and accomplishment, with less talking, will better serve this initiative, and our overall cybersecurity posture.
---------------------------------------------------------------------------
\4\ National Initiative for Cybersecurity Education Strategic Plan, August 2011.
---------------------------------------------------------------------------

Finally, we must seek out and leverage, by name when and where possible, specific people, tailorable processes, and integratable security technology solutions. We must allow the subject matter experts to research and propose implementable process and technology solutions and then put them in place with minimal delay; bureaucracy is not our friend in this arena. Also, we must not be afraid to embrace the hacker community, but in order to do so we must leverage a different type of recruiter.
Our talent recruiters going to this community via the major hacker conferences, also known as ``CONS'', will have little success in three-piece suits. They must be people who have the look, feel, and knowledge to speak with this community at the social and technical levels. This is critical to securing the skill sets and knowledge base from a community with a greater knowledge of the offensive side of the battle. It's a known fact in sports, combat, and security that knowledge of the offensive tactics, techniques, tools, and procedures is of utmost importance in further bolstering our defensive posture, and in the case of cybersecurity, securing our networks.

There are no easy solutions, and we have been speaking to these topics for a number of years, but if we are serious about protecting our Nation's interests we must first secure the basics before moving onto more advanced methods.

Thank you again and I look forward to any questions you might have for me.

Mr. Meehan. Thank you, Mr. Caslow. Thanks to each of the panelists. The Chairman will now recognize the other Members for questions. The Chairman will recognize Members for questions in the order in which they were here today. I now recognize myself for 5 minutes of questioning.

I thank all of the panelists for your compelling testimony and I believe as we work together as a panel, will explore a number of these areas. I could jump in with anybody, but let me begin with you, Mr. Berman, because you were touching on some issues that I think are important to develop. First, that was a pretty strong statement to say that we have experienced a seismic shift in how Iran not only views the United States, but its willingness to carry out actions against the United States. So I would like to have you tell me how you have come to that conclusion, and then where you see our cyber capacity as being a likely target.
Then if you have a moment, I am interested as well in the idea of what we have talked about in which, you know, we spent our time with Russia, and China, and so worried--this concept that we don't even know what is coming from Iran; the use of proxies, which is part of the MO. I think I have given you a little bit to jump with, so I would love you to just take off.

Mr. Berman. Well, thank you, sir, that is a little bit of a tall order. I am going to try to do my best to address it. The question first of the seismic shift. I think it is very clear, and I don't know if you recall, but I was a witness before this panel last summer looking at Hezbollah activity in the Western Hemisphere, and at the time, myself, and a number of the panelists that were with me, made the point that Latin America, and the Western Hemisphere generally, is seen as a staging area, an area of opportunity for the acquisition of funding for illicit activity that provide revenue to the Iranian regime.

Mr. Meehan. I note this testimony was prior to the point where we were aware of what happened in Mexico.

Mr. Berman. Exactly right. What you see--or at least what I have seen in the months since has been an evolutionary approach that Iran has taken towards how it positions itself, vis-a-vis, the U.S. homeland. Previously, it would have been very difficult to imagine a scenario where the Iranian regime, in any part, would authorize such a brazen attack as it did in October--tried to carry out in October 2011. There have been many commentaries that have cast aspersions on that account with regard to the complexity of the plot, the amateurishness of its execution, but the folks that I have spoken to, maintain that this was a credible plot. It was one that was, perhaps not executed properly, but it is one that signaled intent. That intent is, I think, key to this discussion here today. Because when you look at the potential for an Iranian cyber attack, you have to marry capability and intent.
With regard to intent specifically, I would argue that Iran has more potentially.

Mr. Meehan. But you are talking about intent. In fact, capability here, that required that they had to penetrate the United States physically. Here we are talking about a global network which they can access, not only from Iran, but from anywhere in the world.

Mr. Berman. I think that is exactly right, and when you look at cyber space, as Mr. Cilluffo said, cyber space is, you know, it is flat. It has the advantage of being sticky. It is a field that advantages asymmetric actors. Iran can reach out and touch us in the U.S. homeland via cyber space much more easily than it could via, say, Latin America. As a result, the capabilities are an issue, but the intent, I would argue, is more of an issue. Here, Iran has an overabundance, because unlike the scenario in our foreign policy that we have with China, and with Russia now where conflicts do exist, where we have a stable diplomatic relationship, we have a series of scenarios that are potentially coming down the pike, a renewed diplomatic impasse over Iran's nuclear program as a result of the negotiations, new economic sanctions, potentially even a military conflict that could trigger an attack on the part of the Iranian regime as an asymmetric retaliation.

Mr. Meehan. Mr. Cilluffo, do you agree that the United States is now the cyber network, as was identified by Mr. Leiter, is a traditional terrorist attack target right now?

Mr. Cilluffo. Unequivocally, when you are looking at Iran, and a couple of other points that make cyber space unique. Mr. Chairman, you had just asked a question along those lines of Mr. Berman. But anonymity, who is behind that clickety-clack of the keyboard breaking into your system? Are you dealing with a pimply kid, or are you dealing with a foreign intelligence service, an organized crime, an economic competitor? You simply don't know much of the time at the breach itself.
So attribution, while we are making progress, smoking guns are hard to find in the counterterrorism environment; smoking keyboards are that much more difficult.

I would also note that cyber space is made, I mean, it is made for plausible deniability. So what we have seen, and the reason I am concerned about the Russias and the Chinas is we have seen a sophistication level that is very high. But they are in the business right now of CNE, computer network exploits to steal secrets. If their intent changes, they could just flip the switch and it becomes an attack tool.

I might note that what we have seen that I think is most concerning, and certainly to Mr. Lungren's subcommittee is, we have seen adversaries map critical infrastructures. I don't see what the value of that, the cyber equivalent of intelligence preparation in the battlefield. I don't see what that intent could be other than to potentially use in a time of crisis.

Mr. Meehan. So there is a lot of presence within the network right now. It is just that they haven't flipped the switch. Right now it is obtaining information, but they haven't turned it in a proactive sense into delivering some kind of an attack.

Mr. Cilluffo. I might note that we tend to look at this only through a tech lens. The more sophisticated actors realize that it is the convergence of human intelligence, and technical intelligence, and that is where we should be worried.

Mr. Meehan. Well, my time has expired. At this point, I would like to open it to questions to the Ranking Member Mr. Higgins.

Mr. Higgins. Thank you, Mr. Chairman. You know, I sense from both the substance and the tone of your testimony, there is an underlying frustration that perhaps we are not doing as much as we need to do in order to defend ourselves against a potential threat. So let me start with Mr. Caslow.
According to the former director of the National Counterterrorism Center, Michael Leiter, the United States, he says, can likely defend itself against the types of cyber attacks of which Iran is capable. Given what you know about the vulnerabilities of both the governments, and the private sector cyber infrastructure in the United States, do you agree with the former director that the United States is capable of handling a cyber threat from Iran?

Mr. Caslow. If I might say, that at the time this statement was made, there may have been certain assumptions made as well, about the understanding of our networks. The vulnerabilities, as technology shifts, vulnerabilities shift. Also, the threat vectors shift. I don't say that I disagree with him, but at the time he was probably correct. As of today, I would believe that it would be less correct, only because, as my colleagues here have already mentioned, the capability and intent is important. Those feed into the risk equation of what threat is. But the other parts of that are equally important. They are not weighted of one more important than the other. The other parts of that are the big V of vulnerability, the likelihood, or probability of those things happening, and ultimately, the impact of those occurring.

My personal viewpoint from the years I have been doing this is that we can't consider ourselves looking at one threat vector unless we understand our own vulnerabilities. We have to know ourselves first and foremost. I do know with certainty from speaking with my colleagues across industry and across the Government that it is not all boats rising at the same. Unfortunately with the interconnection of our networks from the TS all the way through that we have the--be careful here--we have the known vulnerabilities for a boat that is not as high in the water as the others could negatively impact some of the higher-level boats, to take that analogy further.
Again, I frequently use analogies with my colleagues who aren't on the technical side, of a house. You have a house, you build your structure. You are considered--sir, I am sure you are considered with the furniture, or the paint of the color or the varnish on the trim, or how the chair rails go in the dining room or what type of appliances are inside your home. How often do we investigate how deep the footer has been dug. Or is the footer the appropriate depth or width, is it maybe the right construction material. All these other things are actually ultimately more important in many aspects of you having a home that will keep you secure and your family secure over the lifetime. The United States of America is my home. So I want to make sure that we do secure the foundation, the foundation and the building materials and everything that goes into that.

Mr. Higgins. I think the other thing that is often missed in terms of counterterrorism is the importance of remaining agile. It seems as though, first of all, no technology advances more quickly in our society than the technology of killing. Every day new weapons of mass destruction are being created to kill more people more quickly, and it is a big problem. I just think that there is a tendency to think terrorism 10 years ago is the same terrorism we have today. What you have is a new generation of terrorists that are more aggressive, that are more technologically savvy and thus more dangerous to their potential targets.

As has been stated here, when you consider the testimony that was been given several months ago about the Hezbollah, which acts as a proxy for Syria, for Venezuela, for Iran, having not only a presence in the 20-country region of Latin America but also having a presence in American cities. Their activities we are told is limited to fund-raising. Well, I don't make that distinction. Fund-raising is a component of terrorist activity. What are you raising funds to do?
It doesn't have a beneficial impact on society. So I think this is a threat obviously that is very important that all of you have emphasized the importance of it, and I appreciate your testimony here today. Thank you, I yield back.

Mr. Meehan. Thank you, Mr. Higgins. The Chairman now recognizes the Chairman from California, Mr. Lungren.

Mr. Lungren. Thank you very much. Mr. Berman, only a few weeks ago a former director of National Counterterrorism Center, Michael Leiter, said or indicated that because of strict financial sanctions facing the Iranian regime they might target international financial systems in a cyber attack. Would you agree that our financial institutions would be a prime target for Iran based on motivation?

Mr. Berman. That is an interesting question, sir, and I think I would have from what I know about how Iran is weathering the international financial sanctions regime, my answer would be ``not yet''. If you look at what Iran is doing, the attack that Iran has allegedly carried out against financial institutions such as Israel's Banque Poaley, signaling Iranian's ability to reach out and touch and affect and manipulate these financial institutions. Iran as a result of the sanctions that have been levied since the start of the year by the Obama administration and more recently by the European Union is increasingly dependent on utilizing that financial system in places like Venezuela, for example, to circumvent, to skirt, to attain another avenue to access international markets as these sanctions truly begin to bite. As such Iran at least for the moment doesn't have the incentive or the motivation to attack in a catastrophic fashion and take down financial institutions. Will it later? Perhaps. If there is an all-out military conflict over its nuclear program. But as of right now I don't think that threat is mature.

Mr. Lungren. Mr.
Cilluffo, I have heard it said that with Stuxnet or the public recognition of Stuxnet we have crossed the Rubicon; that is, we now have seen expressed in a prime example of the ability not only to enter into another's computer system or network but to control it in such a way to cause physical destruction. Would you say that is a fair statement?

Mr. Cilluffo. Absolutely. I do think it did cross a Rubicon and certainly serves as a harbinger of what we are going to be looking to in the future. I might note that I personally feel it was the right thing to do. Let me suggest though that those that may have been hit may not be as discriminate as perhaps Stuxnet was to affect centrifuges. I think the same vulnerabilities that were exploited through our various systems could have catastrophic effect on some of the various critical infrastructure in the United States. So I think we need to inoculate ourselves from a whole host.

Mr. Lungren. When we talk about asymmetric warfare it is interesting because one way of looking at it is that the ``underdog'', the small guy, the one that is less powerful has an opportunity to do harm to the stronger adversary at lesser capital investment, lesser requirement for manpower, et cetera. At the same time it seems to me we ought to look at asymmetric warfare in the terms of the war on terror; that is, asymmetric warfare with the purpose of doing what? Not just destroying property but causing psychological damage to the adversary.

So when we talk about critical infrastructure, one of the things that comes to mind with me is our health system is a critical infrastructure. If I were to attack the United States one of the things it seems to me that would be very effective in an asymmetric way would be to attack the health system.
If you could invade the information systems of several health systems of the United States such that no one could depend on the accuracy of the information contained therein, someone lying on the surgical table and getting the wrong blood type, information indicating that you ought not to take certain medications and it indicating that you ought to take them. If you did that in a series of attacks, you wouldn't have to be successful with too many of them to cause a psychological damage to the United States.

So, I would ask both Mr. Cilluffo and Mr. Caslow whether that kind--do we need to appreciate that kind of a difference in terms of perhaps the target and the impact? As opposed to our sense of conventional warfare view of asymmetric warfare, if that makes sense.

Mr. Cilluffo. Chairman Lungren, I think it does make sense. I mean cyber has extended and expanded the battlefield to incorporate all of society. So what we used to look through in a more traditional targeting kind of sense, vis-a-vis the military C4ISR now has potential to be against us from a critical infrastructure perspective.

Let me just note though that I feel we have nearly limited vulnerabilities, limited resources and let's not forget we have a thinking predator and actor that bases their actions on our actions. So the best we can really do is get to the point where we are managing risk. I very much agree with Mr. Caslow's view, let's get to the 80 percent solution and then focus on specific actors, because Iran is not China. You have got different sets of tools that need to be brought to bear. Russia is not DPRK, or North Korea.

So I feel that one biggest missing element of our strategy is we don't have a cyber deterrent strategy. We need to clearly articulate one, we need to identify bright red lines in the sand or maybe in the silicon more apt and we need to identify what is unacceptable. Oh, by the way, we can't firewall our way out of this problem.
We need to start talking about offensive cyber capabilities and capacities.

Mr. Lungren. Mr. Caslow.

Mr. Caslow. I fully agree. Your analogy of the health care system brings to light a scenario that we tried to scheme out where the health care system connected at one point. If I were to target a hospital near a major military installation, let's take Jacksonville, North Carolina, and maybe I was able to target with something like either a Duqu, which they believe to be the precursor for Stuxnet, we are not quite sure about yet, something that has the ability to attack the SCADA, you tell people it is terminator, it really is because now you actually have computers telling machines what to do. We have had that capability a long time but now we have the adversaries trying to use it in different areas, and granted it was a good thing it was used against someone who means us well, but the minute it is flipped around on us that is a bad thing. They target that hospital with the basic generator backup, they take out a power grid around that area as well. They are also able to take and attack the water system, parts per million of chlorine goes up down depending, and again the read-out says it's right because that is what Stuxnet does. All of a sudden now we have hundreds of thousands people sick in an area where we have troops who are deployed overseas. The ultimate end-game here is not to make those people sick. The ultimate end-game is to terrorize our troops overseas so that our Marines who are deployed in combat zones can no longer do their mission because they are worried about their children, their wives, their grandmothers, whatever, who are now ill back on the home front because they are communicating with them and now they know they are sick. Now that does deplete and impact our ability to carry the war out in a physical and kinetic manner overseas.
So you are right on target, sir, we do have to be worried about that, but again we do have to ratchet things down to make sure we do have that strong defense, because the tactics, techniques, procedures, a strong defense is necessary in sports and necessary in the cyber world, but in order to do strong defense we have to have the offensive capabilities together as one.

Mr. Cilluffo. And linebackers in between.

Mr. Meehan. An appropriate analogy for draft day. The Chairman now recognizes the gentlewoman from New York, Ms. Clarke.

Ms. Clarke. Thank you very much, Mr. Chairman. My first question goes to Mr. Caslow. There are reverse engineering possibilities associated with the downing of U.S. drones in the advent of the Stuxnet virus that presents a possibility of advanced cyber weaponry being developed in Iran. In your opinion, is Iran close to developing the cyber attack capabilities that present a threat to U.S. critical infrastructure? Do you believe that other countries with already well-developed cyber weaponry capabilities are aiding Iran?

Mr. Caslow. Again, ma'am, I am not an Iranian expert, I am a pure computer network cybersecurity person.

Ms. Clarke. Right.

Mr. Caslow. However, to answer your question as best as I possibly can, any number of countries, we will go back to the P-3 downing in China, the reverse engineering capability with their inability to fully discharge all of the equipment on that platform and a number of other areas. Any time that we can get someone who has a knowledge base to reverse engineer something that could potentially create a threat. Now that threat is against a specific targeted area, it could foreseeably do that. I would never take away that possibility, but it is the art of the probability because there are a lot of technical aspects involved with the downing of that Pacific platform as well as downing of a lot of other platforms.
So not only that, but also the back chatter and how organizations station--the state actors and non-state actors share data and information. We do know this--it was quoted, I guess, the axis of evil and previous administration quoted that, used that term. The reality is it is beyond an axis, the data streams everywhere, the data flows, the internet can go everywhere. I can still go to a dark reading room on the internet and download any number of very bad, nasty little critters that are out there and then use those same critters to attack a network or system. I can buy those capabilities, I can download some of them for free. So I say, yes. But again this stuff keeps me up at night, it doesn't have to keep you up at night.

Ms. Clarke. Thank you. Let me just sort of put this in context because this week the House is considering several cybersecurity bills, including the Cybersecurity Intelligence Sharing and Protection Act. I believe that none of these bills that are being considered will provide the country with a comprehensive cybersecurity strategy, vesting cybersecurity authority in a single domestic Federal agency and include robust privacy protections. Given the testimony here today on the cyber threat from Iran, what would you recommend as the basis for real cybersecurity legislation that addresses these concerns?

Mr. Caslow. Thank you for asking that, ma'am, I have been doing a lot of reading on CISPA, and as I mentioned before in my testimony we do have to ensure that we have the governance piece in place. That is important. Integration with industry is exceptionally important. I do believe I also mentioned the fact that we require some level of emphasis on education, training, and awareness, which CISPA is lacking in a lot of areas. To get away from the privacy aspect, I came from a world where it was about the data--the security and the sharing, now I am in a world where it is about the privacy and the security. So I understand those areas fairly well.
Putting it all in one person's plate, integrating it, it all depends on how it is executed. The old adage goes, the best plan in the world poorly executed is not as good as the worst plan in the world executed with superiority. So we really need to make sure it comes down to the execution. Again as I mentioned, we need to specifically state what the intent is. What do we need to get across, not allow others to try to misarticulate the intent as in some laws and some Executive Orders, it gets down to the actual tactical level at the implementation and they are going it must have been 10 of this and my experience is it is this far away, it is not even close to what the intent is. So we need to make sure that that is clearly stated. Here is exactly what we need. I know that may take longer, I understand that, but I think that is what is needed.

Ms. Clarke. Let me just ask Mr. Berman, over the past decade have been proposals within the United Nations and other international forums for treaties and convention that would ban the development and use of information weapons. Critics counter that as a form of cyber arms control and would stifle innovation and favor an international norm building approach and code of conduct. What international internet governance regime would you recommend for countering the Iranian cyber threat? Along those same lines how are the State Department's global internet freedoms initiatives deconflicted with NSA and USCYBERCOM's intelligence gathering and warfighting mission?

Mr. Berman. Well, ma'am, thank you for the question. Since it is draft day I may mercilessly punt this over to my colleagues. But let me just point out again I am not a cybersecurity specialist. I am not in the position to speak about that.
I can tell you very that parenthetically in my understanding of how the cyber community has dealt with the Iran threat specifically, not the cyber threat writ large, there is a gap in understanding between the operational, what Iran may do, and the political and strategic, what Iran is likely to do if something happens in the real world. That seems to me to be a gap that needs to be closed. Beyond that in terms of what rules, what standards need to be applied, I would like to turn it over to my colleagues.

Mr. Cilluffo. Ms. Clarke, thank you for the question. I am pretty vocal in terms of my views on this. I would vehemently not support a U.N. arms control approach to deal with cyber. If you think back to nuclear and it is not a perfect analogy, but as Ronald Reagan said, trust but verify. Given some of the attribution challenges here and given that the two countries advocating this approach, China and Russia, have been known to be active in this space, I think we should be very cautious in terms of what their intentions are. We are not obviously not going to compromise our sources and methods even if we get to 100 percent verification. So I would push back on some of those proposals. Now, the flip side is that the Council of Europe has a cyber crime treaty. Here I think you have got the behavioral level that everyone can agree when you are dealing with child predators, you are dealing with child pornography, some of the tools that we have used in other confines and environments can be brought to bear in this environment, and I think we ought to consider some of those, but I have very little confidence in the U.N. approach. Quite honestly I feel we need to get more proactive in some of our offensive capabilities because we are not going to firewall--at least to demonstrate a capability to signal that we are serious and we will respond.

Ms. Clarke. Thank you, Mr. Chairman.

Mr. Meehan. Thank you, Ms. Clarke. At this point in time the Chairman recognizes Mr. Cravaack from Minnesota.

Mr. Cravaack. Thank you, Mr. Chairman. I appreciate it. Being an old Navy helicopter pilot, this is a brand-new battlefield, a virtual battlefield if you will. But some of the things that can go back to the basics is the best defense is probably a good offense. So my question would be: How can we not only as a Government agency but unleash the private sector as well and be able to go proactive on if they receive a cyber attack, how can they have a counter offense in identifying where this comes from and beat these back. Can you give me a comment on that?

Mr. Caslow. Is this punt the football again? If I could I have actually in my written testimony something along those lines.

Mr. Cravaack. I apologize I was late. I was in another meeting.

Mr. Caslow. No, I didn't actually speak to that part, it was just purely written. So I am glad. I wanted to cut my time down and make sure I was within the 5-minute window.

Mr. Cilluffo. Which was amazing by the way.

Mr. Caslow. Thank you. I tried to get that right. Your point is 100 percent correct. We in our community, both the Federal and the industrial side, do have to take a better effort towards embracing the hacker community. Now there is a lot of places I could send you to and hopefully you have your firewall set up the right way so you don't take any nasty critters out with you. But lots of places that we have to leverage those. But in order to leverage those properly we have to send in a different type of recruiter. This recruiter cannot be looking like us in a 3-piece suit or in a suit and tie, walk in there and go, "Hey, guys, how are you doing? I am from the Government, I am from Boeing, let's give you a job." No. These types have to understand the people, they have to have the look, the feel, they have to have the knowledge to speak to this community at the social and technical levels. Again I emphasize the word "social" because they do think differently.
These people understand the hacker community more than anything. This is everything from the 13-year-old kid sucking down Mountain Dew and eating Hot Pockets in their parents' basement to some of the more astute ones like--I will give a name like Dark Tangent who is out there and who is known inside the cyber community, but we have to be able to leverage those as resources. Many of these people are patriots, I will tell you that right now, as was seen when it came to the Anonymous attack. A lot of Americans, United States American hackers came and said, "wait a second, you can't do that to us, only we can do that to us." So we do need to--only my dog, only I can kick it, right? But the reality is we need to embrace those more. So on that side, again you are right about the offensive nature of the game. As a former fleet Marine Force Navy Corpsman, I have a grunt mentality towards a lot of these issues. I believe in warheads on foreheads. That is a great way to solve a lot of problems. This way we do have to embrace the people who actually are able to pull the trigger. In this case those people, acknowledged as the snipers so to speak, are this hacker community and some of these others. But again we are not going to go in recruiting them looking like this.

Mr. Cravaack. My Dad was a Navy guy, 3rd Battalion, 3rd Marines. You know it is so important what you are saying is that at the United States Naval Academy now they have major, cybersecurity. I mean that is how important that the Government is finally getting this. To be honest with you, if you told me about cybersecurity 5 years ago I would have said, huh? So I am slowly coming around. This is a new virtual battlefield. The implications of which are so massive, providing with the right attack, that the ramifications are unbelievably massive, shutting down grids, you name it. Now I look at it from a National security aspect that we really have to start focusing on this effort.
So I commend you for what you are doing. I am schooling myself up quickly on jumping on this bandwagon saying that we definitely have to do this. Now I am very concerned about Iranians. A small force can overpower just like you said and overcoming a Nation and that concerns me greatly. So the bottom line, I have got 18 seconds, but the bottom line is: Do you believe in that philosophy, a better offense is probably the best defense?

Mr. Cilluffo. I wrote that in my testimony. So yes, I dissuade----

Mr. Cravaack. Great minds think alike then.

Mr. Cilluffo. I also think, not to take away from the Navy's fine service, but we need the equivalent of Billy Mitchell to work at cyber. We have a lot of tactics masquerading as strategy. We have to be confident to be able to take these issues in a strategic kind of way, and that includes the computer network attack. We need to demonstrate capabilities, we need to be visible. What good is having a doomsday weapon if no one knows you have it? At the end of the day to me it is part of the solution, it is by no means the end-state, we still need to build up our defensive capabilities but recognize that the attacker has the advantage here, and we need to always be in the front edge of this.

Mr. Cravaack. Thank you, sir. I yield back, Mr. Chairman.

Mr. Meehan. Thank you. The Chairman recognizes the gentlelady, Ms. Richardson.

Ms. Richardson. Thank you, Mr. Chairman and both of our Chairmen for having this hearing today. First of all, I would like to ask the question, back in 2008 the CSIS Commission for Cybersecurity for the 44th Presidency made 25 recommendations for a National cybersecurity strategy. To my knowledge, those have not been implemented to this point or at least from a legislative perspective. Do you have any thoughts on that or where you would suggest that we go first?

Mr. Caslow. I am glad you mentioned that because I did reference CNCI and we do have the inability to pull the trigger.
In my previous position, and again I do not represent those opinions of the Office of Director National Intelligence. I am a civilian, make sure I am perfectly clear on that, but in a previous edition I did have a lot of discussion on those. Unfortunately it was a lot of discussion. Again we are too busy about trying to measure twice, cut once versus trying to just pull the trigger in an 80 to 85 percent solution. A lot of those efforts should be, I believe, my personal opinion, that they should be enforced from CNCI, 4, 5, 6, 7, 8, all the way through and we should take a better look at those again, bring in a group of subject matter experts, find out how we are going to get it done, potentially craft the legislation that makes it happen, and then fund that activity, because while we have got a lot of other battles on our front this is very important. It is not just important for us but it is important for our children and grandchildren, lest we don't have an infrastructure American way of life to share with them later.

Ms. Richardson. Would either of you other gentlemen like to comment on the specifics of the 25 recommendations?

Mr. Cilluffo. I don't remember all the recommendations, but it is fair to say in a sound bite, long on nouns, short on verbs. I mean, we have talked a lot about the challenge. It is about implementation and execution and I don't want to sound overly dramatic, but in 1862 President Lincoln came before Congress with further storm clouds on the horizon and claimed as our time is anew we must think anew and ultimately act anew. We are there now. We know what some of the challenges are. There are great pieces of legislation, many others have put forward pieces of legislation. Now is the time to actually get into that, identify what really needs to be done and pass legislation. This can't be done through the private--first, the Government has to act to get its own house in order first and foremost.
Then we have to look at what is the right incentive and other approaches to get the private sector in.

Ms. Richardson. I understand. My question was were there any specific points that you wanted to make regarding the recommendations in particular that you felt should have more of a priority or address?

Mr. Cilluffo. Act.

Ms. Richardson. Okay, got it.

Mr. Caslow. If I could, I'm sorry, but if I could, CNCI 8 which was the education, training, and awareness which I did speak to, that to me is of the utmost importance. Because if we are not communicating and training and we are not making sure we have the right skill sets in place, all the technology in the world doesn't matter for anything.

Ms. Richardson. My last question for the three of you gentlemen, are any of you working with any stakeholder groups within the Department of Homeland Security or any other Federal agency?

Mr. Caslow. No, ma'am.

Ms. Richardson. So you do your work completely from the outside? So you are not being sought after to share your thoughts and ideas of what should be considered?

Mr. Berman. Ma'am, not at the moment, no.

Ms. Richardson. Sir.

Mr. Cilluffo. I stand where I sit, I am not formally involved, but of course we share our ideas with every entity, including Congress and the Executive branch.

Ms. Richardson. No, my question is: Is there a specific stakeholder group that you participate in sharing your ideas and the information and knowledge that you have?

Mr. Cilluffo. Not anymore.

Mr. Caslow. Not since leaving the Government on February 27 of this year.

Ms. Richardson. Thank you, gentlemen. I yield back.

Mr. Meehan. Thank you, Ms. Richardson. The Chairman would be delighted to ask Mr. Green and thank him for his attendance and his continuing interest in this area and would be delighted to accommodate any questions you might have if you do.

Mr. Green. Thank you, Mr. Chairman, I thank you for allowing me to continue to participate.
I am an interloper but I do have great interest in what is going on. While I cannot "Roger" what my colleague from the Navy said, I would like to as a veteran of the ghetto wars "Right On" what he said. I totally agree. I would like to focus if I may for just a moment on the phrase "we can't firewall our way out of this." I do understand botnet. I understand Zombie Armies, Trojan horses programs, and I have done some reading on Stuxnet, but I would hope that you are saying that while we can't firewall our way out of it, we can at least use the firewall to get us to that 80 percent that you are talking about and perhaps maybe more at some point in the future because firewalls are an absolute necessity in doing whatever we can to prevent this. So let me just hear more on this question of how firewalls will help us to produce some degree of salvation. I would also add this, with reference to the plausible deniability, I would like someone to give me a comment on how we will at some point have to use as much empirical evidence as available to us. I am trying to do as my friend did earlier, select my words carefully. I want my diction to be superb because as we move closer and closer to having to deal with Iran in what may become an unpleasant way, plausible deniability cannot become a barrier to acquiring enough empirical evidence to act. So would you please start with the firewall concept and how we have to deal with that and then plausible deniability as a means of preventing us from acting.

Mr. Cilluffo. Sure, and I didn't intend to pick on firewalls in particular. It was more meant to suggest that defensive measures alone, while important and we need to get to that 80 percent solution, in itself you can't expect a corporation to defend itself against foreign intelligence services, for example, that are going to use a mix of technical means, with human means, and an insider. Those are the sorts of challenges.
Technology, while important, is agnostic but won't take us all the way. Ultimately the people connection is important and we need to be able to share that information. So I did not mean to say don't use your firewall. Please use your firewall. But that in itself is not going to take us where we need to go. If you think in a counterterrorism environment, Homeland Security critical, we needed to work the various issues but if we didn't have that pointy end of the spear, if we didn't have the days like we had in Abbottabad or other sorts of actions, we would never be able to ultimately prevail in some of these sorts of challenges. So I simply meant to suggest that we need to get, raise the bar, raise it high, but recognize that anything above and beyond that you can't incent, you can't expect the corporations to be able to defend themselves against that. So that was the purpose of my point. Also to suggest that we need to start investing and publicly discussing our offensive capabilities because they are there. In terms of plausible deniability, that just makes one of the challenges in terms of the attacks we are seeing. If I were to suggest one technical area to invest in, attribution, attribution, attribution.

Mr. Green. Yes, sir.

Mr. Berman. Sir, if I may jump in quickly, again I am not a cybersecurity specialist but to sort of to revert back to the topic of the hearing, I think what is interesting is something that Mr. Cilluffo alluded to in one of his answers, which is a cyber deterrent strategy, a strategy that marries concepts of deterrence with the idea that if someone reaches out and touches us it wouldn't be good for them, it wouldn't be healthy for them.
I would point out that over the last 8, 9 years as the international community has grappled with the Iranian issue we have had an abject lack of a deterrent strategy for dealing with Iran in terms of nuclear acquisition, in terms of its actions asymmetrically in places like Iraq and Afghanistan, and I would argue that we are now facing an area also that is crying out for the need for a more robust deterrent strategy so the Iranian regime understands very clearly that there are red lines that if they cross in the cyber realm would rebound to their profound detriment.

Mr. Caslow. If I could, too, the concept of firewalls, let's go to the technical side of this now, unfortunately you can say you have a firewall. When he said we can't firewall our way out of this, I understood exactly what he meant. A firewall is only good as how you establish the firewall. Me, I believe we should put across the main solutions all over the place because they are much more active. A firewall is a passive mechanism and if not established appropriately and properly, then you can say you have a firewall but I will tell you right now more than likely if you had a home network I will hack you, I will get you. If I can't get you, someone else will, especially if you are not maintaining your firewall and ensuring the right security controls are in place the right way. So it is not only the technologies which you speak of but it is also the implementation of those technologies to ensure they are properly implemented and secured in accordance with the standards that we have to put in place. So again they are only as good as you use them. Just like a gun, it is only as good as the person shooting it, right?

Mr. Green. Thank you, Mr. Chairman. I am over my time. Thank you and I yield back.

Mr. Meehan. Thank you, Mr. Green, and for your presence here.
I know that the panel is ready to conclude, but I am going use my prerogative as the Chairman to ask one follow-up which is you have both--all three of you at separate times have developed this concept of an offensive not just capability but I am also interpreting if I am getting it correctly as the utilization of some kind of offensive action in this environment. I certainly recall the days of assured mutual deterrence with the nuclear threat, but of course we never really used a nuclear weapon. So what is the predicate that would allow us to in a country like ours where we are hesitant to deliver some kind of an aggressive offensive action unless and until we believe we have been attacked? So how do we--would you develop this concept of offense in this world where the conclusion seems to be we are not going to be able to exclusively simply defend ourselves from the consistent probes that may turn into an actual attack from Iran or China or Russia. What is offense?

Mr. Cilluffo. Mr. Chairman, that is an excellent set of points, and I think before we lean too forward in this direction we do need to have the tough doctrinal sets of questions. We have a lot of strategy, we have a lot of tactics, but there is nothing pulling these pieces together. In the midst of that you also need to clearly define rules of engagement, which have not been done thus far. But I might suggest there are ways to demonstrate capability, such as nuclear tests, short of actually delivering such a capability through various platforms on a particular actor. I might also note that we do need to start thinking of the homeland implications. I mean, one of the challenges with cyber weapons, you use them, you use them once, they can be used against you. A, you can reverse-engineer it and use it against you; B, you are compromising your golden bullet potentially that you may want to use when you really need it.
So ultimately we have got to start embedding computer network attack and cyber thinking into traditional National security and military thinking. Right now we treat it a bit as a black art, ooh, ah. At the end of the day if we start discussing it as we do every other platform system and TTP that can be deployed, then it takes some of that out and we are going to want to play to our strengths, because ultimately the greatest threat is not cyber unique, it is cyber as a force multiplier to kinetic or whatever else it may be. That is also what we need to be worried about defensively in terms of higher-end actors. My whole point is if we don't create these bright lines in the silicon or in the sand, there is nothing to dissuade, deter, or compel people from engaging in the space. We need to start finding the critical infrastructures. If people are mapping that there should be consequences. What other reason could they use to map that other than to potentially use that as part of a broader attack plan? To me that is where the line needs to be crossed. In the exploit business, we are all in the exploit business, so that is a little more difficult, but once it starts going to some of these critical infrastructures we need to be thinking about that. I might also note your committee I think has an obligation and the responsibility to be involved in these discussions because there are homeland implications if we start moving proactively that we need to be ready for defensively. Before we engage in certain military activities, I want to make sure our homeland is protected from some of those. So these are tough questions, cuts across all committee structure, all Executive branch, and truth is we don't have the doctrine right now. We need to start developing it and I would argue discussing it, because right now we are kind of in the worst of both places. 
The Office of Director of National Intelligence, the National Counterintelligence Executive, NCIX, recently came out naming names, calling out Russia and China, stealing billions and tens of billions of dollars of our intellectual property. Now we are saying: They are doing it, what is the disincentive for them to continue doing that? What would an Iran interpret if they see we say it is happening and we are not doing much to visibly defend ourselves. So I think we need to start having these conversations.

Mr. Berman. Sir, one parenthetical point, sort of going back to the topic of the hearing, I think it is important and both of my colleagues alluded to it as part of their remarks, is that not all threat actors are created equal. In this context, specifically in the Iranian context, politics matter. In fact they matter a lot. In order for us to have a predictive cyber strategy that marries defense and offense, that includes deterrence, we have to not only think about the operational capabilities of these threat actors but also what is happening in the real world that might incentivize them to act whereas others would not. I think whether you look at, specifically thinking about the military, when you look at the Pentagon's recent work on developing something resembling a cybersecurity blueprint, they have been grappling with precisely this question: At what point do you draw a red line that would activate sort of a cascading series of events that might end up in a real military conflict? This may be a peripheral issue or a conceptual issue for dealing with Russia or China, at least at the moment, it may be a much more actual one with regard to Iran because of what is going on in the real world.

Mr. Caslow. Sir, if I might add to that, let's go to the establishment of U.S. Cyber Command, darn good idea, great function. DIRNSA, its great leader, I have much respect for the man. Unfortunately, there is one bad aspect of that, something called posse comitatus.
The U.S. military cannot exert their arm over domestic United States. Right? We all know this, this is the law, that is the way it is. The Department of Homeland Security has that purview. Homeland Security and NSA as U.S. Cyber Command have integrated in some aspects, but that is a relationship integration, it is not a formal integration. To my knowledge there is no area where this thing has been crossed. While we can do all we can to defend the National security systems, both unclassified all the way to the TS/SCI, the fact still remains it is our partners who are outside of those realms that are sitting on the regular networks, our friends of Boeing, Lockheed, wherever all this intellectual property is being stolen from, Microsoft, Google, you name it, they are just as at risk. There is no way for Cyber Command to exert their force and what their ideas are to help that other than the fact that if the Google SISO, Information Security Officer, goes to NSA and says: Hey, we would like your input on this, how do you recommend we do it? But there is no massive, as my colleagues stated, this strategy, this deterrent strategy could articulate some of these things and put those in place so we could show these relationships. We could make sure we put things out, that we enforce these to make sure. Again we can protect the U.S. Government's infrastructures. I have no doubt about that. However, they are going to get us somewhere else. They are going to get us on the back side, they are going to get us on our weak spot. You don't--you attack the bear from the belly, you don't attack it from the teeth, and that is what is going to happen. So I would encourage the look at, and not too long of a dialogue, as in some cases have occurred, but the look at and the discussion with subject matter experts in all relevant arenas, not just the Government personnel and CEO and SISOs of these companies, to get together to try to dialogue and discuss how to do it. 
Again not just one vector, we need to address all the potential vectors. Because it very well may come from another side that we are not looking. We are treating against termites and all of a sudden it is those darn little fire ants from Florida that gets us instead. Oh, what do we do now? So we need to ensure that we do take precautious action to ensure that we address as many as possible. In order to do that we have to dialogue, we have to put it in writing, put it down, tap it down, and to discuss it. Then we start moving the flag. Once we put the flag in the sand, then we can start moving it around to somewhere we all can agree on and then we take action.

Mr. Meehan. Your testimony has been compelling. I thank you not only for your presence here today and the work you have done but for your continuing work of each of you in this critically important area. I think I speak for all of my colleagues on both sides of the aisle by virtue of the attention that we are trying to pay into this issue too that we value and gain a great deal from your perspective and look forward to working with you in the midst of what is a very real and a very genuine, not just challenge, but threat to the safety and security of the United States and its interests. Thank you so much. I thank the witness for their testimony and the Members for their questions. The Members might have some follow-up additional questions and if they do and they forward those, I will ask if you could be responsive within the 10 days. So without objection, the committee stands adjourned. Thank you.

[Whereupon, at 11:45 a.m., the subcommittees were adjourned.]

A P P E N D I X
----------

Questions From Chairman Michael T. McCaul for Frank J. Cilluffo

Question 1a. Although Iran is the world's largest state sponsor of terrorism, it is difficult to fully assess Iran's ability to carry out attacks on-line.
However, over the last 5 years it has become increasingly clear that Iran's cyber capabilities are becoming more sophisticated and rank among the best in the world. How likely is it that Iran's leaders would collaborate and/or fund their developing cyber capabilities with foreign states like North Korea that are antagonistic to the United States, or pass on offensive cyber capabilities to terrorist proxies like Hezbollah?

Answer. Those countries that have the United States in their cross-hairs--including Iran, Cuba, North Korea, and Venezuela--and their proxies (notably Hezbollah, in the case of Iran) are assuredly of concern in the cyber context. However, there is a need to think differently about cyber, instead of simply invoking traditional frames of reference for military cooperation. Models for joint or combined defense planning and cooperation must be adjusted to the cyber context. Where cyber is concerned, tools and techniques, exploits, lessons learned, reconnaissance results, and information on targets and vulnerabilities may be (and are) shared frequently between and among states and groups--but that does not necessarily signal formal sanctioned cooperation. Nevertheless, this type of informal collaboration, particularly among parties whose posture is antagonistic to the United States, is an issue of significant concern. By contrast, formal cooperation in the stricter sense of the term is a less likely prospect. Indeed, there are several reasons that Iran may not seek that type of cooperation to develop their cyber capabilities jointly with other states hostile to the United States. Perhaps the most compelling is that there is little need to do so because there is a convenient alternative: The equivalent of a cyber arms bazaar already exists. Many individuals and organizations stand ready to rent or sell sophisticated cyber attack capabilities, including bots that could be used to steal information or shut down key elements of physical infrastructure.
Moreover, the type of collaboration proposed would require a level of trust between the state parties that would seem difficult to achieve, if not unattainable. (The most sensitive information is unlikely to be shared though sharing in more general terms is likely, as outlined above). Keep in mind that each party could potentially turn the capabilities in question on or against the other. Further, neither party could prevent the other's use of the capabilities against a third entity, and once used the value of the weapon drops or may even evaporate, as targets will be able to craft defenses. The significance of each of these potential hurdles should not be underestimated. Sharing capabilities with proxies like Hezbollah is an even more likely scenario. The exchange could also run in both directions, as Hezbollah has shown itself to be an innovative organization, and because cyber capabilities are of special interest to sub-state actors, since these tools can help level the playing field. In June 2011, Hezbollah established the Cyber Hezbollah organization; and Hezbollah is deftly exploiting social media tools such as Facebook to gain intelligence and information. It is worth underscoring that Iran has a long history of demonstrated readiness to employ proxies for terrorist purposes, drawing on kinetic means. There is little, if any, reason to think that Iran would hesitate to engage proxies to conduct cyber strikes against perceived adversaries.

Question 1b. A hacker group identified as the Iranian Cyber Army (ICA) has received credit for a number of hacking incidents over the last few years. According to reports, the Iranian Cyber Army has used social engineering techniques to obtain control over internet domains and disrupt the political opposition in Iran. What is the command-and-control relationship between the Iranian Revolutionary Guards Corps and this Iranian Cyber Army? How does the Iranian Cyber Army fund, train, and recruit hackers?

Answer.
Certainly there is a desire, as manifested in attempts referenced and seen in recent reporting and trends, to assert a degree of centralization. However Iran is not monolithic. Command-and-control there is somewhat murky, even within the Iranian Revolutionary Guard Corps (IRGC), let alone what is outsourced. The attribution challenge associated with cyberspace--a domain made for plausible deniability--is therefore all the more complicated where Iran is concerned. Yet, elements of the IRGC have openly sought to pull hackers into the fold; and the Basij, who are paid to do cyber work on behalf of the regime, provide much of the manpower for Iran's cyber operations. There is evidence that at the heart of IRGC cyber efforts one will find the Iranian political/criminal hacker group Ashiyane. The high visibility of attacks seen to date (including the Iranian Cyber Army's strike against Twitter, the Chinese search engine Baidu, and websites managed by the opposition Green Movement) suggests that the Iranian Cyber Army and similar groups might be used as proxies by the IRGC. Though fluid, hacker groups are being cultivated and guided, if not always directly controlled, by the IRGC.

Question 2a. The Iranian government recently held a conference in Tehran announcing the creation of the Iranian Cyber Defense Center within their military forces. The head of Iran's Passive Defense Organization, Brigadier General Gholam Reza Jalali, indicated that the new center may be responsible not only for defensive cybersecurity, but also for offensive cyber attacks. How likely is it that this center will begin to coalesce the various hacking groups (such as the ICA) into a single entity controlled by the IRGC? What are the known priorities of the new Iranian Cyber Defense Center and how are they developing their cyber workforce?

Answer.
As outlined in my prepared remarks, we have seen efforts on the part of elements of the IRGC to pull hackers into the fold to do work on behalf of the Iranian regime. The likelihood of these expedient partnerships coalescing into a (single) cohesive, coherent, and effective unit is questionable, however, particularly if Iran's history offers any guide to the country's future. Open source reporting on the Iranian Cyber Defense Center is quite scant. Stated priorities include countering threats (of cyber attack), training, ``controlling access to computer networks and establishing cyber defense centers in institutions.''\1\ Workforce development in the cyber domain could prove challenging for Iranian authorities. Monetary inducements have proved useful for enlisting the skills of the Basij, but the supply of talent within the country may well have important limits. The young, clever, creative people that truly thrive in this domain may, on balance, not be sympathetic to the regime or its aims. This problem is exacerbated by the fact that Iran simply does not have the numbers (population base and potential recruitment pool) that say, China does.

---------------------------------------------------------------------------
\1\ http://forum.internet-haganah.com/showthread.php?399-The-woods-are-lovely-dark-and-deep and http://www.mehrnews.com/en/newsdetail.aspx?NewsID=1472234.
---------------------------------------------------------------------------

Question 2b. Iran's leaders have made concerted efforts to develop friendships with other foreign leaders antagonistic to the United States. What is the likelihood that foreign countries such as Cuba, Venezuela, North Korea, and others, might collaborate with Iran in developing cyber warfare capabilities?

Answer. Cuba, Venezuela, and North Korea undoubtedly constitute a troika of concern.
As detailed above in my reply to Question 1, however, there are several reasons that Iran may not seek to formally develop their cyber capabilities jointly with other states antagonistic to the United States--but friendships between and among these parties could increase the likelihood of cooperation or coordination, designed to execute attack(s). As detailed in my written testimony, press reports have alleged ``that Iranian and Venezuelan diplomats in Mexico were involved in planned cyber attacks against U.S. targets, including nuclear power plants.'' U.S. officials are investigating, but media reports have indicated that the hackers who briefed the Iranian and Venezuelan diplomats on the planned attacks ``sought support and funding from the diplomats,'' who in turn pledged ``to pass information to their governments.'' Iran has also shown itself to be ready and willing to partner with non-state entities on kinetic plots, such as the recently thwarted one to assassinate Saudi Arabia's ambassador to the United States, drawing on the assistance of a Mexican drug cartel. Given this history, it would not be a stretch for Iran to collaborate with other parties hostile to the United States, whether state or non-state entities, with the intent of causing harm to the United States. Even a limited goal, meaning an attack intended to inflict harm short of defeat of the United States, could still have serious repercussions. For example, a cyber attack (or worse, multiple cyber attacks) executed against U.S. targets at the same time as one or more of our adversaries make a move in the physical world, such as a push to seize key land or shipping lanes, could slow or complicate U.S. response so that we are unable to marshal our power fully and effectively. The result could be ``a fait accompli'' in the adversary's favor.
The ability to achieve synergy between the physical and cyber dimensions, and to embed that capability into political/military strategic planning, would take Iran to the next level. Moving forward, therefore, the United States should pay special attention to discerning and appreciating developments in this area.

Questions From Chairman Michael T. McCaul for Ilan Berman

Question 1a. Although Iran is the world's largest state sponsor of terrorism, it is difficult to fully assess Iran's ability to carry out attacks on-line. However, over the last 5 years it has become increasingly clear that Iran's cyber capabilities are becoming more sophisticated and rank among the best in the world. How likely is it that Iran's leaders would collaborate and/or fund their developing cyber capabilities with foreign states like North Korea that are antagonistic to the United States, or pass on offensive cyber capabilities to terrorist proxies like Hezbollah?

Answer. The full extent of Iranian capabilities is, by its nature, difficult to ascertain. So, too, is the question of whether the Islamic Republic is currently actively collaborating with foreign partners on the development of its cyber potential. However, it is worth noting that Iran has in the past worked with countries such as North Korea on a number of strategic programs (to include nuclear testing and the development of ballistic missiles). As well, Iran's efforts to isolate its population from the world wide web are consonant with China's attempts to limit access to internet content on the part of its citizenry. As such, at least some degree of cooperation in the cyber arena can be expected to be taking place between Iran and its strategic partners. Similarly, Iran is the chief sponsor of Hezbollah, and has aided the Lebanese militia in its armament, its political activities, and its expansion beyond the Middle East.
Iranian assistance to Hezbollah in the development of cyber capabilities thus cannot be ruled out, although little is as yet known about Hezbollah's cyber warfare potential.

Question 1b. A hacker group identified as the Iranian Cyber Army (ICA) has received credit for a number of hacking incidents over the last few years. According to reports, the Iranian Cyber Army has used social engineering techniques to obtain control over internet domains and disrupt the political opposition in Iran. What is the command-and-control relationship between the Iranian Revolutionary Guards Corps and this Iranian Cyber Army? How does the Iranian Cyber Army fund, train, and recruit hackers?

Answer. The command-and-control relationship between the Iranian Cyber Army (ICA) and the IRGC is not presently clear. Formally, the ICA has depicted itself at least in part as a self-organizing group--akin to patriotic ``hacktivists'' present in places such as China. However, the ICA's operations closely mirror regime objectives, and its targets are overwhelmingly those out of favor with the Iranian regime, suggesting tacit official sanction and possibly direction. I do not have knowledge about the methods with which the ICA carries out its training or recruitment. With regard to funding, however, the connections with official regime entities (such as the IRGC) suggests that at least a portion of the ICA's funding is derived from governmental sources.

Question 2a. The Iranian government recently held a conference in Tehran announcing the creation of the Iranian Cyber Defense Center within their military forces. The head of Iran's Passive Defense Organization, Brigadier General Gholam Reza Jalali, indicated that the new center may be responsible not only for defensive cybersecurity, but also for offensive cyber attacks. How likely is it that this center will begin to coalesce the various hacking groups (such as the ICA) into a single entity controlled by the IRGC?
What are the known priorities of the new Iranian Cyber Defense Center and how are they developing their cyber workforce?

Answer. Such organization is a real possibility. To the extent that the Iranian regime would see benefit to uniting various hacker groups and exerting even greater control over their activities, a ``consortium'' may be the logical end-result. Such a grouping would, by its nature, lend itself most closely to the activities and direction of the IRGC.

Question 2b. Iran's leaders have made concerted efforts to develop friendships with other foreign leaders antagonistic to the United States. What is the likelihood that foreign countries such as Cuba, Venezuela, North Korea, and others, might collaborate with Iran in developing cyber warfare capabilities?

Answer. Such collusion is already taking place, at least on a low level. A documentary by the Spanish-language television channel Univision late last year exposed efforts by the former Venezuelan consul to Miami, Livia Antonieta Acosta Noguera, to recruit hackers for attacks on U.S. targets--an initiative that was carried out at least partly with Iranian assistance. The incident suggests that Iran's efforts to find common cause with anti-American regimes (including in the Americas) extend to the cyber realm--and that Tehran and its allies are actively contemplating cyber attacks on targets within the U.S. homeland.

Questions From Chairman Michael T. McCaul for Roger Caslow

Question 1a. Although Iran is the world's largest state sponsor of terrorism, it is difficult to fully assess Iran's ability to carry out attacks on-line. However, over the last 5 years it has become increasingly clear that Iran's cyber capabilities are becoming more sophisticated and rank among the best in the world.
How likely is it that Iran's leaders would collaborate and/or fund their developing cyber capabilities with foreign states like North Korea that are antagonistic to the United States, or pass on offensive cyber capabilities to terrorist proxies like Hezbollah?

Question 1b. A hacker group identified as the Iranian Cyber Army (ICA) has received credit for a number of hacking incidents over the last few years. According to reports, the Iranian Cyber Army has used social engineering techniques to obtain control over internet domains and disrupt the political opposition in Iran. What is the command-and-control relationship between the Iranian Revolutionary Guards Corps and this Iranian Cyber Army? How does the Iranian Cyber Army fund, train, and recruit hackers?

Answer. The likelihood of the nation-states collaborating could be measured by the current analysis available through the intelligence community assessments on proliferation. While most counter-proliferation has been focused on CBRNE efforts this could be used as a gauge for overall technology transfer. With respect to the non-state actors such as Hezbollah, the best litmus for this may reside in HUMINT reporting. Computer network attack capabilities are for the most part known, within one circle or another. To gain a better understanding of these I would highly recommend that further discussions, behind closed doors, be had with organizations such as the Open Information Security Foundation. I have no unclassified knowledge of the command-and-control, funding, training, or recruiting for the Iranian Cyber Army. I wish that I could be of more assistance but given that I still maintain a TS/SCI I am reluctant to discuss any of these issues via this media.

Question 2a. The Iranian government recently held a conference in Tehran announcing the creation of the Iranian Cyber Defense Center within their military forces.
The head of Iran's Passive Defense Organization, Brigadier General Gholam Reza Jalali, indicated that the new center may be responsible not only for defensive cybersecurity, but also for offensive cyber attacks. How likely is it that this center will begin to coalesce the various hacking groups (such as the ICA) into a single entity controlled by the IRGC? What are the known priorities of the new Iranian Cyber Defense Center and how are they developing their cyber workforce?

Question 2b. Iran's leaders have made concerted efforts to develop friendships with other foreign leaders antagonistic to the United States. What is the likelihood that foreign countries such as Cuba, Venezuela, North Korea, and others, might collaborate with Iran in developing cyber warfare capabilities?

Answer. Response was not received at the time of publication.