Cyberattacks supposedly originating from China have raised alarms in recent weeks, but U.S. businesses and government agencies should worry as much about Iran and North Korea, a group of cybersecurity experts said.
China and Russia have significantly more sophisticated cyberthreat capabilities than do Iran and North Korea, but the two smaller countries are cause for concern in international cybersecurity discussions, the experts told a U.S. House of Representatives subcommittee last wek.
While China and Russia maintain active diplomatic ties with the U.S., which should discourage them from launching major attacks on the U.S., Iran and North Korea may be driven to attack the U.S. out of desperation to maintain their political regimes in the face of global isolation, said Frank Cilluffo, director of the Homeland Security Policy Institute and co-director of the Cyber Center for National and Economic Security at George Washington University.
Iran still lacks the capabilities of Russia and China, but it has been testing its cyberattack abilities in recent months, Cilluffo said. "The bad news is ... what they lack in capability, they more than make up for in intent," he said. "Whatever [capability] they don't have, they can turn to their proxies or buy or rent."
Iranian attackers can buy botnets that can disrupt U.S. businesses, he told the House Homeland Security Committee's cybersecurity subcommittee. Cybersecurity experts have pinned a series of denial-of-service attacks on U.S. banks early this year, and a 2012 attack on Saudi Arabia's national oil company, Aramco, on Iranian hackers.
North Korea is a "wild card," Cilluffo added. The country is actively seeking cyberattack capabilities, he said.
Different intentions and goals
Hackers in China and Russia are largely focused on espionage and theft, but those two countries have less interest at the moment in damage-causing cyberattacks on the U.S., Cilluffo said. The capabilities of China and Russia make them advanced persistent threats, but "they have some modicum of responsibility and recognize that we can retaliate," he said.
Iran and North Korea are more unpredictable, witnesses at the hearing said. Iran seems to be focusing its cyberattack capabilities on retaliation against the U.S. and Israel if the two countries attempt to shut down its nuclear program, said Ilan Berman, vice president of the American Foreign Policy Council, a think tank. That focus makes Iran "particularly volatile," he said.
Iran's attack on Aramco in mid-2012, causing damage to 30,000 computers, was a warning to the U.S. and other countries about the country's growing capabilities, Berman said. Iran is "outlining how they would act in the event of a breakdown in relations," he said. The Aramco attack "can be seen as a signaling mechanism by which Iran is telegraphing to the international community" its plans to attack critical infrastructure if war breaks out.
Representative Mike McCaul, a Texas Republican, asked when cyberattacks cross the line into warfare. "At what point do we respond?" he said.
Berman said he couldn't answer that question. Instead, U.S. defense and intelligence officials need to make that decision, he said.
Cyberattackers are changing their tactics as large U.S. companies harden their defenses, said Richard Bejtlich, CSO at security vendor Mandiant, which recently pinned responsibility for several espionage campaigns on a Chinese government cyberunit. Attackers are often targeting smaller companies that partner with large organizations, and then working their way in to the larger target, he said.
The attacks are often successful because "there's an imbalance between offense and defense," Bejtlich added. "A single attacker or group of attackers can keep hundreds or thousands of defenders busy."