Risk
4/26/2012
01:59 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Congress Raises Alarm On Iranian Cyber Threat

United States should pay attention to threat of Iranian cyber-attacks, say members of Congress and panelists.

Top 10 Open Government Websites
Top 10 Open Government Websites
(click image for larger view and for slideshow)
The Iranian cyber threat to the United States is on the rise, lawmakers and foreign policy observers warned in a House Homeland Security Committee hearing Thursday.

"There should be little doubt that a country that kills innocent people around the world, guns down its own people, and threatens Israel would not hesitate to carry out a cyber-attack against the U.S.," said counterterrorism and intelligence subcommittee chairman Patrick Meehan, R-Pa., whose subcommittee held a joint hearing with the cybersecurity, infrastructure protection, and security technologies subcommittee.

Warnings about the threat of an Iranian attack came from all angles during the hearing, but the hearing did not include participation by a single intelligence or military official. Director of National Intelligence James Clapper recently testified to Iran's improvement in the cyber arena.

[ Cybersecurity tops the list of concerns for federal IT professionals. See Federal IT Survey: Hacktivists, Cybercriminals Are Top Threats. ]

Meehan called Iran's growing cyber capabilities a "real and genuine challenge and threat to the United States and its interests," noting the recent attack of a pro-Iranian group called the Iranian Cyber Army on the government news agency Voice Of America. A Meehan-penned op-ed titled "Iranian Cyber Threat Cannot Be Underestimated" appeared on the website of Congressional news site The Hill on Thursday.

Panelists called to attention recent media reports about Iranian diplomats involved in planned cyber-attacks against nuclear power plants and other targets. The country also recently claimed that the downing of a drone inside the country was thanks to a hack of the drone's GPS signals.

"They're taking their gloves off right now in the cyber environment," said Frank Cilluffo, associate VP and director of the Homeland Security Policy Institute and a former Bush administration homeland security official.

Panelists at the session were quick to point out that Iran does not yet pose the same level of technical threat as Russia and China, but said that Iran's intentions help make it dangerous. "As yet, Iran has not shown itself to be a similarly advanced or persistent threat" as Russia and China, Cilluffo said. "The bad news is that what they lack in capability, they make up for in intent and are not as hesitant as other countries may be."

Ilya Berman, VP of the hawkish and conservative American Foreign Policy Council, agreed with Cilluffo's assessment, adding that Iran poses a potentially significant threat in the asymmetric world of cyberspace. "Cyberspace is a field that advantages asymmetric actors," he said. "As a result, the capabilities are an issue, but intent is even more of an issue. Unlike in Russian and China, where conflicts exist but at least we have diplomatic relations with those countries, there are a number of threats on the table with Iran."

Berman recommended that the United States government create a stronger deterrence strategy against Iranian cyber-attacks. "We have had an abject lack of a deterrent strategy in facing Iran, and [the cyber world] is crying out for a deterrence strategy so that the Iranian regime recognizes that there are redlines that they can't cross," he said.

Hacktivist and cybercriminal threats concern IT teams most, our first Federal Government Cybersecurity Survey reveals. Here's how they're fighting back. Also in the new, all-digital Top Federal IT Threats issue of InformationWeek Government: Why federal efforts to cut IT costs don't go far enough, and how the State Department is enhancing security. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2009-5142
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb 1.09 and earlier, as used in Mimbo Pro 2.3.1 and other products, allows remote attackers to inject arbitrary web script or HTML via the src parameter.

CVE-2010-5302
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in timthumb.php in TimThumb before 1.15 as of 20100908 (r88), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via the QUERY_STRING.

CVE-2010-5303
Published: 2014-08-21
Cross-site scripting (XSS) vulnerability in the displayError function in timthumb.php in TimThumb before 1.15 (r85), as used in multiple products, allows remote attackers to inject arbitrary web script or HTML via unspecified vectors related to $errorString.

CVE-2014-3562
Published: 2014-08-21
Red Hat Directory Server 8 and 389 Directory Server, when debugging is enabled, allows remote attackers to obtain sensitive replicated metadata by searching the directory.

CVE-2014-3577
Published: 2014-08-21
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.