It’s Labor Day, September 4, 2017, and the National Security Agency has just intercepted communications between the senior leadership of the Iranian Revolutionary Guard Corps, the militant purveyors of the 1979 Iranian Revolution, and employees of the Iranian companies ITSecTeam and Mersad. The communications reveal future disruptive cyber attacks against U.S. public and private institutions, including the Federal Aviation Administration (FAA) and the Federal Reserve, as well as other cryptic targets in the financial sector.
The intercepted communications also mention Iranian command and control servers with Internet Protocol (IP) addresses in Turkey, France, South Korea, and Russia. The attack is scheduled to take place later in the month at an unspecified time and date, but little else is known. The New York Times has gotten wind of the crisis, publishing a story that the President of the United States has been briefed on the imminent threat.
This hypothetical scenario was presented to the audience of The Cipher Brief’s Annual Threat Conference in Sea Island, Georgia last week as part of a cyber wargaming exercise run by Dmitri Alperovitch, the co-founder and CTO of the cybersecurity firm CrowdStrike, and Michael Sulmeyer, the Director of the Belfer Center’s Cyber Project at Harvard University. The audience was separated into five teams representing the intelligence community, Defense Department, State Department, the private sector, and the media, and instructed to be prepared to brief the President (deftly played by General Michael Hayden, former director of both the CIA and NSA).
The exercise displayed how the country might react to an unfolding crisis posed by a hostile nation with advanced cyber capabilities and a demonstrated intent to use them. While the scenario above was merely a thought exercise, the cyber threat posed by countries such as Iran is real. In 2012, Iran-linked hackers hit Saudi Aramco and Qatar’s RasGas with disc-wiping malware known as Shamoon, destroying data on tens of thousands of machines and interrupting business during the religious holiday of Eid.
From 2011 to 2013, Iranian-affiliated actors targeted U.S. financial institutions with denial of service attacks, temporarily knocking their operations offline. The U.S. responded in March 2016 with indictments against seven Iranian citizens – employed by the companies ITSecTeam and Mersad, but working on behalf of the Iranian government – for their role in the denial of service attacks against Wall Street and intrusions into a small dam in New York.
The conference’s wargame scenario provoked important policy questions about how the U.S. should react to such threats. Can such an attack be deterred? How can the networks of public and private targets become more resilient? What is the government’s responsibility to the private sector? What are the roles of each of the different components of the U.S. government? How should the country engage with other countries – whose infrastructure is at play – both friendly, and not so friendly?
Hayden, playing the role of the president, posed these questions to the teams, asking the intelligence community to verify and measure the threat more specifically, the Pentagon to weigh preemptive action, and the State Department to craft an appropriate diplomatic response both to Iran and to the countries housing the IP addresses.
Hayden also told those in the press, “I understand that we both have the responsibility of defending American security and liberty, but the way you are about to go do your task, I think, is going to make it harder to do my task. Let’s talk.” He clarified that his question was not whether the press could say something, but rather when something should be said. “What it is you say, what you make public, could have a real effect on the course of this crisis,” Hayden said.
After a short period of deliberation, those in the audience playing the role of the U.S. intelligence apparatus briefed the president on their progress, suggesting the government liaise with foreign counterparts in countries with command and control servers, tailoring the level of information sharing to U.S. relationships with each while emphasizing mutual interests of mitigating cyber attacks. To Iran, the U.S. should emphasize consequences for malicious behavior. In this regard, those representing the Defense Department proposed signaling resolve through scrambling of air and naval capabilities and having the Secretary of Defense send a message through the media.
The question then became whether the U.S. should take preemptive action against Iran – risking escalation outside the cyber realm – or simply signal intent to respond aggressively to any malicious behavior, thereby deterring future attacks. “Given the uncertainties that remain,” cautioned the exercise’s Pentagon spokesman, “I am not quite sure a preemptive attack is necessarily a good option at this point.” Complicating the issue further was the thought that any response would need to be proportionate to the effects, not the capabilities, of an Iranian cyber attack.
But then the story changed. A week later in the hypothetical scenario – September 11, 2017 – a new version of the Shamoon malware hit the New York Stock Exchange causing it to shut down operations for an entire day, with similar attacks disrupting the back office networks of the FAA and U.S. airline companies. Despite claims of responsibility by a group calling themselves the Cyber Al Qaeda Brigade, the intelligence community determined with “high-confidence” that the attacks emanated from the two Iranian companies, with “moderate-confidence” that it was done at the direction of senior leadership within the Iranian government. To complicate matters further, the Israeli energy sector had also been hit by a similar attack, which the Israeli government has attributed to Iranian-linked actors.
President Hayden is seeking answers. How should the government discredit claims of responsibility by a previously unheard-of al Qaeda affiliate? After all, such diversionary tactics have been used in the past to create just enough plausible deniability to dilute the political will to respond. Should attribution be made public? How should the U.S. handle the possibility of Israel independently retaliating for the attacks – potentially escalating tensions in the Middle East?
The attacks against the private sector were “far from catastrophic,” according to Hayden. “The problem is, they telegraphed it, we demarched – we said not to do it – and they did. Therefore, what now must we do?”
While the State Department and intelligence community teams focused on reining in the potential damage of diplomatic fallout and escalation between Israel and Iran – as well as leveraging sanctions against Iran – the Defense Department offered responses ranging from cutting off Iranian access to financial, aviation, and internet infrastructure all the way to a potential kinetic strike against the Iranian Revolutionary Guard Corps.
Looking at the crisis as an opening for the future, the State Department spokesman suggested “this would be a terrific opportunity to have a global dialogue for a new round of discussions on cyber norms – what is acceptable behavior – and use this incident as a point of departure to launch a diplomatic offensive to achieve those goals to raise the standards of behavior from where we have been.”
A reporter on the media team also notified government officials that they would be running a feature on Operation Nitro Zeus, a historical U.S. cyber operation that implanted malware throughout Iranian infrastructure as a hedge in case Iran did not follow through on the Joint Comprehensive Plan of Action, also known as the Iranian nuclear deal. When asked if this could complicate U.S. efforts, Hayden responded with “hit send,” as doing so would be strategically helpful by sending Iran a message about U.S. capability to respond effectively.
“I am reminded of North Korea 20 years ago,” said Hayden. “We refused to make tough choices with hard options and let the trajectory go in a very predictable path.” Hayden went on to say that “as hard as it is to respond to the Iranians today, it will be even harder when one, three, five, seven, ten or any number of other actors taking this kind of action against what is an incredibly vulnerable infrastructure in the United States.”
The challenges presented in the cyber wargame reflect many of the dilemmas the Obama administration faced in responding to and deterring Russian cyber operations during last year’s presidential election. Neither the hypothetical Iranian operation nor the Russian election interference clearly meets the threshold of an act of war, and the fear of escalation, along with an inability to foster political will due to misunderstandings of what goes into attribution, creates a complicated atmosphere for deciding how to respond to aggressive cyber behavior.
Sulmeyer points out “deterrence…is really difficult to do with a lower level threat.” It is not just about taking practical steps “to deter, but also to preempt or prevent something like that from happening. That is the thorniest part of it,” according to Sulmeyer.
Alperovitch concluded the exercise by pointing out that one of the most important aspects of such a crisis is the public relations perspective – particularly the role of the press and the State Department’s efforts to navigate a public response. “While you are taking certain actions, things will become public, whether you like it or not,” he said. “That is going to be very important as we think about the various response options the U.S. government is going to take.”
Levi Maxey is the Cyber and Technology Analyst at The Cipher Brief.