Iran has threatened “revenge” on the United States for the killing of General Qassem Soleimani, leader of Iran’s Quds forces, the Revolutionary Guards Corps. Soleimani was frequently cited as second in power in Iran, after Iran’s Supreme Leader, the Ayatollah Ali Khamenei.
It is still unknown what kind of retaliation the U.S. can expect from the Islamic Republic for the Jan. 2 assassination. The Department of Homeland Security (DHS) released a terrorism threat bulletin, stating that there is no “information indicating a specific, credible threat to the Homeland”. But, the bulletin continued, “Iran and its partners, such as Hizballah, have demonstrated the intent and capability to conduct operations in the United States. Previous homeland-based plots have included, among other things, scouting and planning against infrastructure targets and cyber enabled attacks against a range of U.S.- based targets.”
But if Iran does decide to launch retaliatory cyber attacks, the U.S. is not prepared for a sustained cyber war, and is a cause for great concern, according to some cyber security experts. Such attacks are costly: according to a 2018 report from the Council of Economic Advisors, cyber attacks cost the United States up to $109 billion in one year.
“If you put all the countries on the table and look at who is the most prepared and who is the least prepared, the U.S. has done the most,” said former director of the National Security Agency (NSA) and commander of the U.S. Cyber Command, General Keith Alexander.
“Are we ready and could we sustain [an attack]? I don't think any country is prepared,” he said. “The reason is that it's the offense. It's easier to be on the offense than on the defense.” Alexander is also the founder and chief executive of cyber security firm IronNet.
The Cybersecurity and Infrastructure Security Agency of DHS on Jan. 6 released a warning to businesses, urging companies to “assess and strengthen your basic cyber and physical defenses” against potential threats such as disruptive and destructive cyber attacks, cyber-enabled spying, IP theft, as well as physical attacks against American citizens and interests.
Alexander said it's likely the Ayatollah will consider options like physical attacks that can be attributed to proxies, and cyber attacks, to avoid a large response from the United States.
Michael Daniel, former cyber security coordinator under President Obama and president and CEO of the Cyber Threat Alliance (CTA), says that when it comes to cyber warfare, it’s a tool that the Iranians have used before.
“They have continued developing their cyber capabilities over the last few years,” Daniel told Yahoo Finance. “However, I can't say one way or another if Iran was contemplating a cyber attack before the U.S. strike. What I can say is that the U.S. and other western countries should also be prepared for the Iranians to use their cyber capabilities as part of a retaliation effort.”
Banks at risk
But if Iran decides to launch cyber attacks against the United States, where would they hit? DHS has warned that “Iran and its proxies” might conduct cyber operations against “strategic targets, including finance, energy, and telecommunications organizations.”
Alexander echoed the concern.
“Finance, energy and government activities,” he said. “Because that's what they've done in the past, and what they've done in large part in the Middle East. It's reasonable to expect they'll go after the military networks if they can. They'll go after energy-related or financial-related networks.”
An attack, Daniel said, “could happen soon,” but “the Iranians could take time to set up an attack, so we should also be prepared for a lag in the response.”
Previous Iranian attacks on the U.S. have targeted financial institutions, costing “tens of millions” of dollars to mitigate, according to the FBI. The DDos attacks, the FBI wrote, “overwhelmed servers and thereby denied Internet access to legitimate users.”
“The attacks began in December 2011, and by September 2012 were occurring on nearly a weekly basis,” the FBI stated. “On certain days, hundreds of thousands of customers were cut off from online access to their bank accounts.”
Seven Iranians were later charged with hacking roughly 50 banking institutions.
In its fiscal year 2020 budget the U.S. allocated $17.4 billion to cyber security — an increase of $790 million from the year prior’s estimate. The uptick represents a 5% boost. But the Office of Management and Budget (OMB) noted, “this amount does not represent the entire cyber budget.”
And while the U.S. does prepare to take on cyber threats, Alexander said that the U.S. needs to do more and spend more, but not necessarily to throw more money at the problem. With the increasing number of applications and devices connecting to the internet and the “change in the biome of communications,” such efforts are required, he said.
“We have to train better. We have to crowdsource,” he said. “That's a part of that collective strategy. This is where the federal government plays a role and industry plays a role. We need to make sure the federal government is prepared to do that collective defense mission.”
Kristin Myers is a reporter at Yahoo Finance. Follow her on Twitter.