The Department of Defense remains on alert for retaliation in cyberspace for a U.S. attack that killed a top Iranian general. But security experts and federal officials warn that Iran could target the military another way — through potentially vulnerable defense contractors.
Weak cybersecurity practices in the complex DOD supply chain could make those companies attractive targets if Iran wanted to strike a measurable blow against the U.S., experts said at a panel Tuesday on Iranian cyberattacks hosted by the Institute for Critical Infrastructure Technology. Nation-states like China have already shown this is possible, siphoning billions of dollars from the defense industry through the digital theft of intellectual property.
“In the cyber realm, Iran is more likely to act out now,” said Jamil Jaffer, vice president of strategy at IronNet Cybersecurity and a former Department of Justice official. Iran is on the short list of countries known for harboring or sponsoring advanced persistent threat (APT) groups tied to sophisticated cyber-operations.
Two officials from the Department of Defense Cyber Crime Center, Ronnie Obenhaus and Christopher Burke, stressed that businesses that do work with the DOD could be targets, along with the financial, health and energy sectors. The Cyber Crime Center is the organization that contractors report to when they are breached.
The threat to private businesses — defense contractors or not — is not new, with senators from both parties warning small businesses of potential attacks.
“We are concerned that small businesses may not have the information and tools necessary” to implement cybersecurity practices recommended by the Department of Homeland Security in the wake of the U.S. attack that killed Iran’s top general, Sens. Marco Rubio, R-Fla., and Ben Cardin, D-Md., wrote in a letter to the Small Business Administration in January.
So far, the only publicly reported retaliation for the Jan. 3 airstrike that killed Gen. Qassem Soleimani was a missile attack five days later on a U.S. military facility in Iraq.
‘Tune your sensors to the proxies’
The complexity of the threats and avenues for an attack only makes things more dangerous. For instance, Iran could retroactively claim responsibility for an attack carried out by a rogue group, proxy or even other nation-states, warned Gregg Kendrick, U.S. Marine Corps Forces Cyberspace Command executive director.
“The risk is pretty high,” Kendrick said of proxies getting involved. “Iranian proxies are going to feel the need to draw attention to themselves.”
Further muddling attribution, other countries could even mask their own attacks to look like Iran’s, particularly Russia and its “wily cat” leader, Vladimir Putin, Kendrick said.
“They are not going away anytime soon,” Kendrick said of proxy attacks. “Tune your sensors to the proxies.”
Meanwhile, the warning comes as the DOD is trying to ramp up the cybersecurity standards for the defense industry to prevent exactly this scenario. The department published the Cybersecurity Maturity Model Certification (CMMC) standards Friday to place new information security requirements on defense contractors that handle the Pentagon’s sensitive information.
It is a major step toward securing the military’s complex supply chain, which makes for a vast attack surface. Contracts should start to contain CMMC accreditation requirements later this fall, and if contractors don’t meet them, they won’t be able to bid on those contracts.
“Know what your company makes and who wants it,” said Obenhaus, deputy chief of analytics for the DOD Cyber Crime Center.