There's much speculation on Iran's plans in response to heightened world tensions and what it might mean in the cyberspace domain. We've already witnessed an Iranian kinetic response on U.S. assets in Iraq, so it's worth assessing whether we're experiencing cyber fear-mongering or if companies and governments should take steps to help protect themselves if needed.
The key is to ascertain if it is a viable threat. "Threat" is a combination of motivation, willingness and capability. In this case, seemingly, Iran wants to strike back at U.S. interests (motivation); believes they have little to lose, with max sanctions already in place, and much to gain (willingness); and Iran is known to have attack tools at their disposal (capability).
Recall that in 2012, Iranian hacker groups, allegedly working on behalf of the Iranian government, conducted distributed denial-of-service attacks against dozens of American banks and attempted to seize control of Bowman Dam outside New York City.
Those who raise the threat of an Iranian cyberattack as a possible or likely response in 2020 are not recklessly beating the drum.
Who might the Iranians aim their potential attacks at, and why? Attacks on national, commercial and local targets would be consistent with Iranian attack history and would demonstrate Iran's ability to "slap back."
On the national level, targets could include U.S. government systems, ranging from departments' public-facing web pages to systems that are actually used to communicate or organize the U.S.'s plans to address Iran. This includes the perceived instruments of U.S. government pressure against Iran, for example, defense, finance, commerce and diplomatic systems.
Commercially, the U.S. financial sector, such as banks, though typically not targeted for cyberattack by nation-states (though a favorite of criminals), has been attacked by agents of Iran in the past, so it certainly seems very possible that it is on their target list again. There may be other commercial targets, those that are perceived as instruments of government power, and that perception may serve as motivation for other attacks on commercial entities as well.
Local governments might be targeted as an attempt to directly affect the U.S. population, as it is the easiest way to potentially impact the populations in cities or towns.
Additionally, certain critical infrastructures in such industries as oil and gas and chemicals might be targeted, since Iran has technical expertise in those sectors.
Contrary to popular belief, it's hard to implement an impactful, sustained and scalable cyberattack. While an attacker might be able to achieve one of those goals, accomplishing all three is complex. The most likely techniques that could be executed quickly include:
So if the threat is realistic, what should be done? While it's never a fair fight to expect a private company or local government to defend against a nation-state attack — we need to depend on the Federal government's diplomatic and national defense capabilities to defend the nation — there are commercial techniques that can be employed immediately to become more resilient.
It's often said, correctly, that cybersecurity is a team effort. In the face of a motivated and capable nation-state attacker, that's as true as ever. In the face of heightened international tension, we need to depend on the important and unique national defense capabilities of the U.S. Government, such as CYBERCOM, NSA and the CIA; to make prudent self-defense preparations as noted above; and to be prepared both to share indicators of attack with information-sharing brokers and to know how to enlist the support of the local FBI office if under duress from a suspected Iranian attack.
— By Phil Quade. Mr. Quade is chief information security officer at Fortinet and a member of the CNBC Technology Executive Council