Intelligence and security experts say the risk is real. Cyberattacks on American businesses, as retaliation after a U.S. airstrike killed top Iranian Gen. Qassem Soleimani, may be coming. But there’s lots of uncertainty. It’s not exactly clear how and where this new front in warfare could play out.
It might be a big, bold attack on symbolic targets, like government websites or the power grid, for which Iran openly claims responsibility. Or attacks could be much more subtle — damaging, but not immediately apparent.
I spoke with Mark Rasch, a cybersecurity consultant, who said that what we do know is that roughly 80% of what we consider critical infrastructure for keeping the economy going — banks, energy, telecommunication and transport companies — is in the private sector. The following is an edited transcript of our conversation.
Mark Rasch: The most important thing right now for the U.S. government is to share whatever threat intelligence it has with the private sector. If it has specific information about what targets Iran is looking at, what preparatory activities it has, how it intends to launch an attack, from what countries it will launch the attacks — even if that information is highly classified operational information — that information needs to be shared discreetly with the people who are at risk of being attacked. The second thing is that companies need to have continuous monitoring of their threats, continuous monitoring of their infrastructure. They need to make sure that they have robust backups, robust defenses and survivability.
Jack Stewart: How well protected are entities, businesses in the U.S. against this type of attack?
Rasch: Most companies are not really prepared, and it’s unreasonable to expect them to be so. After 9/11, a lot of companies were stationing armed guards outside their facilities. That happened for a few weeks or maybe even a few months. But it’s unreasonable to expect that level of scrutiny and defense all the time. What we focus on now is instead of preventing an attack, what we’ve done a fairly good job of within some sectors, is what’s called resilience. That is recognizing that these entities may be attacked and coming up with mechanisms for them to survive an attack and be a little bit more robust.
Stewart: What is the absolute worst-case scenario here? Do we really want to know?
Rasch: The United States is heavily dependent on its critical infrastructure and its cyber infrastructure. Being able to take out that infrastructure, even for a short period of time, would be tremendously damaging to the United States economy. On the other hand, even the worst cyberattack that we’ve ever had hasn’t been nearly as disruptive as a standard-size blizzard, which costs us hundreds of millions of dollars to respond to, but we survive them every winter.
Stewart: Is there any precedent? What do we know about the way that Iran has acted in the past?
Rasch: Typically in the past when Iran has been attacked, it has responded in a way that directly counters the attack. When U.S. banks impose sanctions on Iran, the Iranian government attacked those financial institutions specifically. When there were questions about Saudi oil, embargoes or failure to buy oil from from Iran, they attacked those particular institutions. These were relatively targeted attacks and identifiable institutions rather than a broad-based disruptive attack.
Stewart: Famously, this has worked the other way. The Americans and allies have targeted Iranian facilities with cyberattacks.
Rasch: The U.S. cyberattacks on Iranian facilities have tended to be aimed at specific results. For example, corrupting centrifuges that are used to enhance nuclear capabilities. They’ve been low and slow and deliberate over a period of time and nonattributable. Those are the attacks that we use our cyber-offensive capabilities for as well.
Related links: More insight from Jack Stewart
The alert put out by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency has some advice on what to do if you are concerned you or your company could be vulnerable, and how to report incidents. There’s also information on that document about previous attacks where Iranian state actors were suspected.
The Stuxnet worm, infiltrating and damaging Iran’s uranium-enriching centrifuges, revealed in 2010, is one of the most sophisticated cyberattacks to date. Forbes has details of how that played out, and why it seems clear that the U.S., or at least a well-developed nation, was behind it.
We also have more on Iran’s cyberattack record, and what businesses are doing to prepare, on “Marketplace Morning Report.“