Cybersecurity

Congress struggles on rules for cyber warfare with Iran

The U.S. and Iran may have walked back from the brink of war, but the potential for a cyber battle looms with no clear rules of engagement.

Lawmakers and military officials say there’s no agreed-upon definition of what constitutes cyber warfare, leaving them to decide on a case-by-case basis how best to respond to individual incidents.

“We’ve never really gone down the route to define what constitutes an act of war when it comes to cyberattacks,” Sen. Ron Johnson (R-Wis.), chairman of the Senate Homeland Security Committee, told The Hill last week.

Sen. Gary Peters (Mich.), the top Democrat on the committee, told reporters it’s an issue that “needs some further attention” and one that isn’t going away anytime soon.

“We’re likely to see this not just with Iran, but in the future you are going to see cyber as one of the main domains of warfare going forward,” Peters said. “So it’s important to try to get our arms around how we would define it.”

While Iran has been considered a major cyber adversary, joining the ranks of Russia, China and North Korea, its threat level spiked this month after President Trump ordered a drone strike that killed Iranian Gen. Qassem Soleimani.

The Department of Homeland Security (DHS) and FBI subsequently issued a bulletin to law enforcement and briefed lawmakers of the threat of retaliation. The Cybersecurity and Infrastructure Security Agency at DHS issued a separate notification warning of Iranian cyber threats.

But what kind of cyber aggression might spark a return to hostilities remains unclear.

Sen. Richard Blumenthal (D-Conn.), a member of the Senate Armed Services Committee, told The Hill that the Pentagon should be responsible for defining what level of cyberattack constitutes going to war with a nation-state.

“I think the question of what is an act of war in the cyber domain is a serious policy question that needs to be addressed, and Congress so far has failed to address it,” Blumenthal said. “It’s really the Department of Defense that should be providing guidance. Congress should certainly be overseeing the question and addressing it, but we have pressed the Department of Defense to come to us with a proposal on it.”

The Pentagon elevated U.S. Cyber Command to what’s known as “combatant command” in 2018, the same year it released its cyber strategy.

A key priority of that strategy is defending critical infrastructure against debilitating cyberattacks, the type of attack that Johnson said would constitute a red line, despite the lack of consensus around what defines cyber warfare.

“When you start getting into control systems, electrical systems, other critical infrastructure, you start attacking our financial system — to me those certainly would qualify, or certainly should be considered, as something we would require a pretty robust response,” Johnson said.

Sen. Angus King (I-Maine), co-chairman of a commission tasked with making recommendations for defending the U.S. government in cyberspace, said Iran poses a “serious risk” of launching a cyberattack.

“It’s a serious risk because I think they have the capability and we haven’t … defined what we would consider an attack that would trigger a response,” King told The Hill. “I think that’s one of the problems with our policy.”

On the other side of the Capitol, Rep. Cedric Richmond (D-La.), the chairman of the House Homeland Security Committee’s cybersecurity subcommittee, told The Hill that he and full committee Chairman Bennie Thompson (D-Miss.) would “get together and figure out” whether legislation around defining an act of cyber warfare was needed.

The committee will address Iranian threat concerns this week when members hold a hearing on the homeland security implications of tensions between Washington and Tehran.

The U.S. intelligence community has long been aware of Iran’s ability to target the U.S. through cyberattacks. The most recent Worldwide Threat Assessment, compiled by former Director of National Intelligence Daniel Coats, said Iran is “capable of causing localized, temporary disruptive effects — such as disrupting a large company’s corporate networks for days to weeks.”

“The threat is generally at a persistent level and spikes at various times,” said Annie Fixler, deputy director of the Center on Cyber and Technology Innovation for the Foundation for Defense of Democracies, a Washington-based think tank known for its hawkish views on Iran.

Fixler said the issue of what type of cyberattack would push the U.S. into war was “the million-dollar question.”

“The Pentagon has always said that they reserve the right to respond to cyberattacks with kinetic force and have traditionally said ‘significant cyberattacks’ — and the key is what constitutes significant cyberattacks,” Fixler said. “Given what we’ve seen so far from malicious cyber actors, it would be an attack on critical infrastructure that causes significant damage.”

Iran is likely to focus more of its cyberattacks against U.S. companies that would have a ripple effect on the government or military, providing a certain level of cover that the attack wasn’t directly targeting the government.

“Iran could have an outsize impact by undermining these private sector companies,” Fixler said. “So that is a very potent threat.”

Tom Kellermann, who served on a presidential cybersecurity commission during the Obama administration, told The Hill last week that he saw acts of war in the cyber domain that the federal government would have to respond to as those on the transportation sector, such as trains and airplanes, and on the chemical, pharmaceutical and energy sectors.

Kellermann, who now serves as the head of cybersecurity strategy for cyber group VMware Carbon Black, cited examples of an attack on air traffic control systems causing loss of life or hackers disrupting financial markets on Wall Street.

“Congress must view cyber as a patriotic imperative,” Kellermann said. “It cannot not be ignored merely because it is invisible as the physical world has converged with cyberspace.”