An opportunity to prepare for the next cyber campaign

With little fanfare, last week House lawmakers overwhelmingly passed two measures to strengthen collaborative cybersecurity research and development (R&D) efforts with Israel. The “U.S.-Israel Cybersecurity Cooperation Enhancement Act of 2016” would establish a grant program at the Department of Homeland Security to promote cooperative R&D between America and Israel on cybersecurity; and the “U.S.-Israel Advanced Research Partnership Act of 2016” would expand pre-existing cooperative homeland security research and counterterrorism programs to include cybersecurity technologies. The bills – sponsored by Reps. John Ratcliffe (R-Texas) and Jim Langevin (D-R.I.) – gained broad bipartisan support and both passed by voice vote.

These initiatives are commendable on their own merits. Israel is a potentially powerful ally in the growing era of cyberwarfare. Israel cultivates its youths’ cyber talent through its educational system, gives its cyberwarfare units the first pick of personnel, and fosters a uniquely entrepreneurial spirit within its elite military units that carries over into their civilian careers. Israel has been dubbed the “Startup Nation” because it has the highest density of startups per capita in the world, and its cybersecurity startups annually produce exports worth approximately $6 billion. Because of this unique talent pool, the world’s most important tech companies have research centers in Israel, including Cisco, Microsoft, Google, Apple, IBM, Oracle, Hewlett Packard, and Facebook. Although America ultimately has more resources, Israel’s smaller size allows it to be more nimble and innovative in the cyber realm.

{mosads}Yet almost immediately real world events conspired to further demonstrate the bills’ urgency. The day after the House votes cybersecurity firm Symantec issued an alert reporting the reemergence of the “Shamoon” virus that wreaked havoc upon the Saudi energy sector in 2012.

Bloomberg reported that thousands of computers at Saudi Arabia’s aviation agency’s headquarters were damaged, “erasing critical data and bringing operations there to a halt for several days,” and the Saudi government confirmed the breaches. Although cybersecurity experts have yet to say who is behind the attacks, Saudi officials acknowledged that they were state-sponsored and staged from outside the kingdom. Sources familiar with the ongoing investigation told Bloomberg that digital evidence suggests the attacks emanated from Iran.

If true, this would merely be the latest example of Iranian cyberattacks against U.S. allies in the region. In 2012, Iranian hackers used the Shamoon virus to attack oil and gas companies in Saudi Arabia and Qatar, destroying 30,000 computers at Saudi Aramco. From 2012-2014, Iran’s “Operation Cleaver” targeted some 50 companies in 16 countries, including oil and gas, energy and utilities, transportation, hospitals, telecommunications, technology, education, aerospace, defense contractors, and chemical companies. And while Israel is more circumspect in publicizing successful cyberattacks against its networks, Prime Minister Netanyahu has accused Iran of conducting “non-stop” cyberattacks on Israeli networks, and the Israeli state-owned electric company has reported that it experiences 150,000-300,000 computer attacks per day.

As Langevin argues, “A cyber threat against Israel can easily migrate to the United States or vice versa.” Indeed, perhaps nowhere is the growing convergence of security interests between the United States and Israel more evident than in the realm of cyber conflict. Iranian hackers launched an extended campaign in 2012-2013 against American banks including Citigroup, JPMorgan Chase, and Bank of America; infiltrated the U.S. Navy-Marine Corps’ Intranet in 2013; penetrated the control system of a dam in New York in 2013; caused $40 million in damages in a 2014 attack on the Sands Corporation’s computer servers; and hacked the social media accounts of White House officials in 2015, amongst other cyberattacks against U.S. targets. Consequently, in 2015 the State Department issued an unprecedented security report warning U.S. businesses operating abroad of Iran’s rapidly improving cyberwarfare capabilities, and in March the Justice Department indicted seven Iranians linked to the Islamic Revolutionary Guard Corps (IRGC) in connection with the bank and dam cyberattacks. The Pentagon warned in its annual report to Congress on Iranian military power that Tehran has continued to improve its offensive cyber capabilities since the 2015 nuclear agreement. Although Russia and China have greater capabilities for cyberwarfare, they have focused largely on stealing U.S. military secrets or cybercrime. Conversely, Iran’s cyber army – which is controlled by the IRGC, who not coincidentally oversees Iran’s support for terrorism abroad – are targeting critical infrastructure and developing the ability to cause serious damage to the U.S. power grid, hospitals, or the financial sector.

If the incoming Trump administration and the next Congress fulfill their pledges to adopt a harder line against Iran, Tehran will likely conduct new cyberattacks against America and its regional allies as part of an asymmetric response. U.S. policymakers and legislators need to be prepared for this contingency. The Senate should pass matching legislation as early as possible in its next session. The Obama administration – which to its credit has acknowledged the dangers cyberwar poses to America’s interests and allies in the Middle East and signed a cyber defense declaration calling for a real-time operational connectivity with Israel – should explicitly declare that the Ratcliffe-Langevin bills do not fall under the limitations to congressional support for Israel imposed by the new ten-year Memorandum of Understanding it reached with the Netanyahu government. And the incoming Trump administration should proactively seek ways to improve cybersecurity coordination with America’s Gulf Cooperation Council allies as well.

To paraphrase “Game of Thrones”, cyber-winter is coming, as adversaries seek asymmetric means to threaten U.S. and allied interests. The House’s passage of the Ratcliffe-Langevin bills marks an important step toward addressing cyber threats emanating from the Middle East and beyond, but it should not be the last one.

Benjamin Runkle has served as in the Defense Department, as a Director on the National Security Council, as a Professional Staff Member on the House Armed Services Committee, and as a consultant in DHS’s Office of Cybersecurity and Communications. He is currently a Senior Policy Fellow with Artis International.

views expressed by authors are their own and not the views of The Hill.