Congress struggles on rules for cyber warfare with Iran

Congress struggles on rules for cyber warfare with Iran
© Greg Nash

The U.S. and Iran may have walked back from the brink of war, but the potential for a cyber battle looms with no clear rules of engagement.

Lawmakers and military officials say there’s no agreed-upon definition of what constitutes cyber warfare, leaving them to decide on a case-by-case basis how best to respond to individual incidents.

“We've never really gone down the route to define what constitutes an act of war when it comes to cyberattacks,” Sen. Ron JohnsonRonald (Ron) Harold JohnsonGraham vows Biden, Ukraine probe after impeachment trial GOP warns of 'drawn out' executive privilege battle over Bolton testimony  Senate Republicans confident they'll win fight on witnesses MORE (R-Wis.), chairman of the Senate Homeland Security Committee, told The Hill last week.

ADVERTISEMENT

Sen. Gary PetersGary Charles PetersHillicon Valley: Biden calls for revoking tech legal shield | DHS chief 'fully expects' Russia to try to interfere in 2020 | Smaller companies testify against Big Tech 'monopoly power' Bipartisan group of senators introduces legislation to boost state cybersecurity leadership The Hill's Morning Report — President Trump on trial MORE (Mich.), the top Democrat on the committee, told reporters it’s an issue that “needs some further attention” and one that isn’t going away anytime soon.

“We’re likely to see this not just with Iran, but in the future you are going to see cyber as one of the main domains of warfare going forward,” Peters said. “So it’s important to try to get our arms around how we would define it.”

While Iran has been considered a major cyber adversary, joining the ranks of Russia, China and North Korea, its threat level spiked this month after President TrumpDonald John TrumpKaine: Obama called Trump a 'fascist' during 2016 campaign Kaine: GOP senators should 'at least' treat Trump trial with seriousness of traffic court Louise Linton, wife of Mnuchin, deletes Instagram post in support of Greta Thunberg MORE ordered a drone strike that killed Iranian Gen. Qassem Soleimani.

The Department of Homeland Security (DHS) and FBI subsequently issued a bulletin to law enforcement and briefed lawmakers of the threat of retaliation. The Cybersecurity and Infrastructure Security Agency at DHS issued a separate notification warning of Iranian cyber threats.

But what kind of cyber aggression might spark a return to hostilities remains unclear.

Sen. Richard Blumenthal (D-Conn.), a member of the Senate Armed Services Committee, told The Hill that the Pentagon should be responsible for defining what level of cyberattack constitutes going to war with a nation-state.

ADVERTISEMENT

“I think the question of what is an act of war in the cyber domain is a serious policy question that needs to be addressed, and Congress so far has failed to address it,” Blumenthal said. “It’s really the Department of Defense that should be providing guidance. Congress should certainly be overseeing the question and addressing it, but we have pressed the Department of Defense to come to us with a proposal on it.”

The Pentagon elevated U.S. Cyber Command to what’s known as “combatant command” in 2018, the same year it released its cyber strategy.

A key priority of that strategy is defending critical infrastructure against debilitating cyberattacks, the type of attack that Johnson said would constitute a red line, despite the lack of consensus around what defines cyber warfare.

“When you start getting into control systems, electrical systems, other critical infrastructure, you start attacking our financial system — to me those certainly would qualify, or certainly should be considered, as something we would require a pretty robust response,” Johnson said.

Sen. Angus KingAngus KingSenators ask FDA to crack down on non-dairy milks, cheeses Collins walks impeachment tightrope The Hill's 12:30 Report: House managers to begin opening arguments on day two MORE (I-Maine), co-chairman of a commission tasked with making recommendations for defending the U.S. government in cyberspace, said Iran poses a “serious risk” of launching a cyberattack.

“It's a serious risk because I think they have the capability and we haven't ... defined what we would consider an attack that would trigger a response,” King told The Hill. “I think that's one of the problems with our policy.”

On the other side of the Capitol, Rep. Cedric RichmondCedric Levon RichmondCongress struggles on rules for cyber warfare with Iran Election security, ransomware dominate cyber concerns for 2020 Trump nominates DHS senior cyber director MORE (D-La.), the chairman of the House Homeland Security Committee’s cybersecurity subcommittee, told The Hill that he and full committee Chairman Bennie ThompsonBennie Gordon ThompsonHillicon Valley: Trump turns up heat on Apple over gunman's phone | Mnuchin says Huawei won't be 'chess piece' in trade talks | Dems seek briefing on Iranian cyber threats | Buttigieg loses cyber chief House Democrats request briefings on Iranian cyber threats from DHS, FCC Democrats sound election security alarm after Russia's Burisma hack MORE (D-Miss.) would “get together and figure out” whether legislation around defining an act of cyber warfare was needed.

The committee will address Iranian threat concerns this week when members hold a hearing on the homeland security implications of tensions between Washington and Tehran.

The U.S. intelligence community has long been aware of Iran’s ability to target the U.S. through cyberattacks. The most recent Worldwide Threat Assessment, compiled by former Director of National Intelligence Daniel Coats, said Iran is “capable of causing localized, temporary disruptive effects — such as disrupting a large company’s corporate networks for days to weeks.”

“The threat is generally at a persistent level and spikes at various times,” said Annie Fixler, deputy director of the Center on Cyber and Technology Innovation for the Foundation for Defense of Democracies, a Washington-based think tank known for its hawkish views on Iran.

Fixler said the issue of what type of cyberattack would push the U.S. into war was “the million-dollar question.”

“The Pentagon has always said that they reserve the right to respond to cyberattacks with kinetic force and have traditionally said ‘significant cyberattacks’ — and the key is what constitutes significant cyberattacks,” Fixler said. “Given what we’ve seen so far from malicious cyber actors, it would be an attack on critical infrastructure that causes significant damage.”

Iran is likely to focus more of its cyberattacks against U.S. companies that would have a ripple effect on the government or military, providing a certain level of cover that the attack wasn’t directly targeting the government.

“Iran could have an outsize impact by undermining these private sector companies,” Fixler said. “So that is a very potent threat.”

Tom Kellermann, who served on a presidential cybersecurity commission during the Obama administration, told The Hill last week that he saw acts of war in the cyber domain that the federal government would have to respond to as those on the transportation sector, such as trains and airplanes, and on the chemical, pharmaceutical and energy sectors.

Kellermann, who now serves as the head of cybersecurity strategy for cyber group VMware Carbon Black, cited examples of an attack on air traffic control systems causing loss of life or hackers disrupting financial markets on Wall Street.

“Congress must view cyber as a patriotic imperative,” Kellermann said. “It cannot not be ignored merely because it is invisible as the physical world has converged with cyberspace.”