On Thursday, the Justice Department unsealed an indictment against Hamid Firoozi, a man affiliated with an Iranian company with ties to the Iranian government, for infrastructure hacking and other cybercrimes. Firoozi is accused of breaching the control system of a dam in Rye, New York. On multiple occasions, he obtained access to the dam’s supervisory control and data acquisition, or SCADA, system, which would have allowed him to open the sluice gate if the gate hadn’t been manually disconnected from the network for maintenance. The indictment doesn’t say whether the Justice Department believes the intrusion was simple reconnaissance or, more darkly, part of a dramatic cyber-physical attack that didn’t go off as planned.
That ambiguity is common in cases involving hacks by groups connected to states like Iran. Figuring out who ordered the probe and what the attack’s actual objective was would be key to any military response. Here’s why not to expect one.
First, some background: Iran has some experience on the receiving end of infrastructure hacking. In 2010, it became the victim of the first cyber-physical attack: the infamous Stuxnet worm, which caused a series of malfunctions at Iran’s nuclear enrichment site at Natanz. A good amount of evidence points to American and Israeli security researchers as the culprits. Iran responded with a similarly unprecedented attack on the networks of Saudi oil giant Aramco, wiping the data from 35,000 computers and causing enormous disruption across the entire oil sector. Still, the attackers didn’t actually manipulate dangerous equipment directly via remote access.
The ability to penetrate a SCADA system represents not so much a leap in capability as a willingness to exploit known vulnerabilities.
“An entity can purchase all the security products in the world and acquire the best staff available, but if the network has gaping holes in the perimeter, or DMZ machines have unfettered access to the secure side of the network, it is only a matter of time before an attack succeeds. A network needs to first be a defendable position with clearly defined borders on which layers of security are built upon. It is imperative that companies examine their networks from the outside to see what is exposed and what ‘windows’ are left open,” said Lamar Bailey, Senior Director of Security R&D for Tripwire, in an email to Defense One.
“Utility infrastructure entities have become prime targets for hacktivists and terrorists, so administrators must be even more diligent in securing these locations. They are softer targets due to the antiquated, insecure nature in how internal systems communicate, so once the outer shell is broken it can be trivial to cause havoc within the network,” he said.
For utility companies, there is at least one simple lesson from the attempt on the dam at Rye: the operator was lucky. If you can’t take a few steps to better secure your SCADA systems, don’t hook your sluice gate up to your outside network.
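The two points above, Bailey’s warning about DMZ machines with unfettered access to the secure side of the network and the Rye lesson about not exposing a control system to the outside network, both come down to checking what the firewall policy actually lets into the control zone. The following is an added example, not code from the article or from Tripwire, of a small audit that evaluates a zone-based firewall policy with first-match semantics and reports every path from a less-trusted zone into the control zone on common industrial protocol ports. The zone names, trust ordering, and both policies are constructed for illustration.

```python
"""Audit a zone-based firewall policy for inbound paths into a control (SCADA) zone.

Added example with constructed data: the zones, the trust ordering and both
policies below are assumptions, not anything taken from the indictment.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Zones ordered from least to most trusted (constructed for this example).
TRUST = {"internet": 0, "dmz": 1, "corporate": 2, "control": 3}

# TCP ports that industrial control networks commonly listen on.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm"}


@dataclass(frozen=True)
class Rule:
    src: str             # source zone that initiates the connection
    dst: str             # destination zone
    port: Optional[int]  # None matches any TCP port
    action: str          # "allow" or "deny"


def decide(rules: List[Rule], src: str, dst: str, port: int, default: str = "deny") -> str:
    """Evaluate a connection attempt with first-match semantics and an
    implicit default (deny, as a well-configured perimeter should have)."""
    for r in rules:
        if r.src == src and r.dst == dst and (r.port is None or r.port == port):
            return r.action
    return default


def audit(rules: List[Rule], protected: str = "control") -> List[Tuple[str, int, str]]:
    """Return (src_zone, port, protocol) for every case in which a zone less
    trusted than `protected` may initiate a connection into it."""
    findings = []
    for zone, level in TRUST.items():
        if level >= TRUST[protected]:
            continue  # only lower-trust zones count as exposure
        for port, proto in ICS_PORTS.items():
            if decide(rules, zone, protected, port) == "allow":
                findings.append((zone, port, proto))
    return findings


# Constructed "before" policy: a DMZ host (say, a historian) is allowed
# anywhere into the control zone, and the corporate LAN can reach Modbus.
WEAK_POLICY = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "control", None, "allow"),       # unfettered DMZ -> control
    Rule("corporate", "control", 502, "allow"),  # corporate -> Modbus
]

# Constructed "after" policy: the control zone pushes data outward to the
# DMZ historian; nothing less trusted may initiate inbound.
HARDENED_POLICY = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("control", "dmz", 5432, "allow"),      # outbound push to historian DB
    Rule("dmz", "control", None, "deny"),
    Rule("corporate", "control", None, "deny"),
]


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {audit(policy)}")
```

Running the script lists five exposures for the weak policy (all four industrial ports from the DMZ, plus Modbus from the corporate network) and none for the hardened one, where the control zone only initiates outbound connections. The same evaluation loop can be pointed at an exported ruleset from a real firewall once the zones are mapped to its address objects.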
In all, seven Iranians were named in the indictment, most of which focuses on not-particularly-threatening distributed-denial-of-service attacks against financial firms, essentially, temporarily blocking public-facing bank websites.
But the indictment also shows that U.S. cyber security and deterrence policy must catch up with the sorts of threats that the country actually faces. A criminal charge against individuals seems like an insufficient deterrent against hostile, possibly deadly, information-based attacks from adversarial nation-states. Where are the big guns?
Adm. Michael Rogers, the head of U.S. Cyber Command, has said that any U.S. government retaliation against a nation-state or other entity for a big information-based attack would comport with the laws of armed conflict and be “proportional.” So the United States is ready to commit attacks in retaliation for dam hacking. But it’s not that simple. The difference between a possible act of war and a simple hack lies in how much evidence there is linking Firoozi, not just to Iranian leadership but to a specific order.
Firoozi and his co-defendants worked for two companies called ITSecTeam (ITSEC) and the Mersad Company (MERSAD), based in Iran. The Justice Department alleges that those companies performed work on behalf of the Iranian Revolutionary Guard. It’s a bit stronger link than exists between many pro-Russian hacker groups and the Kremlin, but, on its face, that’s not yet enough to call the hack a state-sponsored act of terror, or even reconnaissance, at least not by the standards that the Pentagon currently uses.
The Justice Department’s evidence against Iran is thin, at least as spelled out in the indictment, which simply reads: “Mersad was founded in or about early 2011 by members of Iran-based computer hacking groups Sun Army and Ashiyane Digital Security Team (‘ADST’) … Sun Army and ADST have publicly claimed responsibility for performing network attacks on computer servers of the United States Government, and ADST has publicly claimed to perform computer hacking work on behalf of Iran.”
At a Senate Armed Services Committee hearing in September, committee chairman Sen. John McCain, R-Ariz., wondered what sort of repercussions await state actors who perpetrate big cyber attacks. The specific context was China’s (somehow, still) alleged involvement in the OPM hack.
Deputy Defense Secretary Robert Work discussed the attribution problem from the perspective of the military. “First, you have to identify the geographic location of where the attack. Then you have to identify the actor. Then you have to identify whether the government of that geographic space was in control,” of that action.
The response could not have been more frustrating for McCain, who responded, “We have identified the PLA, [People’s Liberation Army] the building in which they operate.”
Many in Washington simply accept that China was behind the OPM hack. But in terms of justifying a military response, the evidence remains too circumstantial. The threshold of proof is higher for the military launching an information-based retaliation than for the Justice Department to issue an indictment.
Even in instances where a hacker who is aligned with a glorified Iranian defense contractor is caught red-handed doing reconnaissance on an American dam, the United States has few options other than an indictment.
The first Justice Department indictment against a foreign state employee for information-based crimes occurred in 2014, a charge against five Chinese army officers for data theft.
The indictments went nowhere