Illustration via Google Earth

Why the Military Can’t Go After Iran for Hacking Your Dam

Seven Iranians have been charged with cyber crimes in a case that reveals the limits of U.S. power.

On Thursday, the Justice Department unsealed an indictment against Hamid Firoozi, a man affiliated with an Iranian company with ties to the Iranian government, for infrastructure hacking and other cybercrimes. Firoozi is accused of breaching the control system of a dam in Rye, New York. On multiple occasions, he obtained access to the dam’s supervisory control and data acquisition, or SCADA, system, which would have allowed him to open the sluice gate had the gate not been manually disconnected from the network for maintenance. The indictment doesn’t say whether the Justice Department believes the intrusion was simple reconnaissance or, more darkly, part of a dramatic cyber-physical attack that didn’t go off as planned.

That ambiguity is common in cases involving hacks by groups connected to states like Iran. Figuring out who ordered the probe and what the attack’s actual objective was would be key to any military response. Here’s why not to expect one.

First, some background: Iran has some experience on the receiving end of infrastructure hacking. In 2010, it became the victim of the first cyber-physical attack: the infamous Stuxnet worm, which caused a series of malfunctions at Iran’s nuclear enrichment site at Natanz. A good amount of evidence points to American and Israeli security researchers as the culprits.

Iran responded with a similarly unprecedented attack on the networks of Saudi oil giant Aramco, wiping the data from 35,000 computers and causing enormous disruption across the entire oil sector. Still, the attackers didn’t actually manipulate dangerous equipment directly via remote access.

The ability to penetrate a SCADA system represents not so much a leap in capability as a willingness to exploit known vulnerabilities.

“An entity can purchase all the security products in the world and acquire the best staff available, but if the network has gaping holes in the perimeter, or DMZ machines have unfettered access to the secure side of the network, it is only a matter of time before an attack succeeds. A network needs to first be a defendable position with clearly defined borders upon which layers of security are built. It is imperative that companies examine their networks from the outside to see what is exposed and what ‘windows’ are left open,” said Lamar Bailey, Senior Director of Security R&D for Tripwire, in an email to Defense One.

“Utility infrastructure entities have become prime targets for hacktivists and terrorists, so administrators must be even more diligent in securing these locations. They are softer targets due to the antiquated, insecure nature of how internal systems communicate, so once the outer shell is broken it can be trivial to cause havoc within the network,” he said.

For utility companies, there is at least one simple lesson from the attempt on the dam at Rye: the operator was lucky. If you can’t take a few steps to better secure your SCADA systems, don’t hook your sluice gate up to your outside network.

In all, seven Iranians were named in the indictment, most of which focuses on not-particularly-threatening distributed-denial-of-service attacks against financial firms: essentially, temporarily blocking access to public-facing bank websites.

But the indictment also shows that U.S. cyber security and deterrence policy must catch up with the sorts of threats that the country actually faces. A criminal charge against individuals seems like an insufficient deterrent against hostile, possibly deadly, information-based attacks from adversarial nation-states. Where are the big guns?

Adm. Michael Rogers, the head of U.S. Cyber Command, has said that any U.S. government retaliation against a nation-state or other entity for a big information-based attack would comport with the laws of armed conflict and be “proportional.” So the United States is ready to commit attacks in retaliation for dam hacking. But it’s not that simple. The difference between a possible act of war and a simple hack lies in how much evidence there is linking Firoozi, not just to Iranian leadership but to a specific order.

Firoozi and his co-defendants worked for two companies called ITSecTeam (ITSEC) and the Mersad Company (MERSAD), based in Iran. The Justice Department alleges that those companies performed work on behalf of the Iranian Revolutionary Guard. That is a somewhat stronger link than exists between many pro-Russian hacker groups and the Kremlin, but, on its face, it is not yet enough to call the hack a state-sponsored act of terror, or even state-sponsored reconnaissance, at least not by the standards that the Pentagon currently uses.

The Justice Department’s evidence against Iran is thin, at least as spelled out in the indictment, which simply reads: “Mersad was founded in or about early 2011 by members of Iran-based computer hacking groups Sun Army and Ashiyane Digital Security Team (‘ADST’) … Sun Army and ADST have publicly claimed responsibility for performing network attacks on computer servers of the United States Government, and ADST has publicly claimed to perform computer hacking work on behalf of Iran.”

At a Senate Armed Services Committee hearing in September, committee chairman Sen. John McCain, R-Ariz., wondered what sort of repercussions await state actors who perpetrate big cyber attacks. The specific context was China’s (somehow, still) alleged involvement in the OPM hack.

Deputy Defense Secretary Robert Work discussed the attribution problem from the perspective of the military. “First, you have to identify the geographic location of where the attack [came from]. Then you have to identify the actor. Then you have to identify whether the government of that geographic space was in control” of that action.

The response could not have been more frustrating for McCain, who responded, “We have identified the PLA [People’s Liberation Army], the building in which they operate.”

Many in Washington simply accept that China was behind the OPM hack. But in terms of justifying a military response, the evidence remains too circumstantial. The threshold of proof is higher for the military to launch an information-based retaliation than for the Justice Department to issue an indictment.

Even in instances where a hacker who is aligned with a glorified Iranian defense contractor is caught red-handed doing reconnaissance on an American dam, the United States has few options other than an indictment.

The first Justice Department indictment against a foreign state employee for information-based crimes occurred in 2014, a charge against five Chinese army officers for data theft.

The indictments went nowhere.