The U.S. is planning for a possible wave of computer attacks against companies by hackers connected to Syria or Iran in retaliation for any military strike against the government of Bashar al-Assad, according to a person familiar with the planning.
The National Security Agency has tapped hackers’ computers in the Middle East to assess their ability to disrupt power grids, financial systems or other critical infrastructure, according to another person familiar with those operations.
The preparations, part of wide-ranging plans by the Pentagon, took on added urgency after this week’s attack on the New York Times’ website by the Syrian Electronic Army, a pro-Assad hacker group. That group previously hacked the Associated Press’s Twitter Inc. account to falsely report an explosion near the White House, triggering a drop in the Standard & Poor’s 500 Index that temporarily wiped out $136 billion in market value.
“Welcome to the new world,” Michael Chertoff, former secretary of the Department of Homeland Security, said in an interview.
“The line between national security and private security is eroding,” said Chertoff, founder of a Washington consulting company. “It is a reasonable concern to be prepared for the possibility of some kind of retaliation — asymmetric retaliation — if we take action in Syria.”
While U.S. intelligence reports say the capability of the Syrian hackers is limited, state-linked hackers in Iran, an Assad ally, have been probing U.S. critical infrastructure companies in recent months, finding vulnerabilities to be exploited later, said James Lewis, a fellow in cybersecurity at the Center for Strategic and International Studies.
The Homeland Security Department “is closely following the situation and actively collaborates and shares information” with companies and other agencies in response to evolving cyberthreats, Peter Boogaard, a DHS spokesman, said in an e-mailed statement.
Retaliation will probably consist of nuisance attacks on media, banking and other high profile websites rather than anything reaching the scale of a “cyber 9/11,” Chertoff said.
President Barack Obama said today in an interview with PBS’s “NewsHour” program that he hasn’t made a decision yet to use U.S. military forces against Assad.
National security planners now must consider threats posed by many potential actors, from military hackers in Iran to hackers-for-hire who can boost the expertise and sophistication of Syrian cyberforces, he said.
“The only thing now that stands between us and a big attack is the goodwill of the Iranian Revolutionary Guard,” Lewis said in a phone interview.
Despite the heightened intelligence gathering, little information — which is highly classified — is being passed directly to businesses, many of which are on “hyper alert,” said Jim Harvey, a partner at the international law firm Alston & Bird, who advises companies on cyberthreats.
“This is something that businesses are screaming out for,” Harvey said in a phone interview. “Businesses are getting caught up in something that is being driven by international events and sometimes the perception is that they are left on their own.”
U.S. banks are watching for unusual activity directed against their networks, said Doug Johnson, senior adviser of risk management policy for the American Bankers Association, a Washington-based trade group.
“We have not formally raised the threat level based upon the current potential for attacks,” Johnson said in a phone interview.
Bank of America Corp., JPMorgan Chase & Co. (JPM), Citigroup Inc. and other U.S. financial institutions have been the targets of distributed denial-of-service attacks since last September. That type of attack overwhelms bank websites with traffic, temporarily knocking them offline and preventing customers from access.
Banks now operate their networks with heightened security and share information about attacks, Johnson said.
“We are watching events on a continual basis because we’ve been subjected to a series of fairly substantial denial-of-service-attacks since September of last year,” he said.
JPMorgan Chase spends $200 million a year on data security, a number that “will grow dramatically over the next three years,” Chief Executive Officer Jamie Dimon wrote in an April 10 letter to shareholders.
Representative Mike Rogers, a Michigan Republican and chairman of the House intelligence committee, has said Iranian-based hackers are behind the bank attacks.
The probability that cyber-attacks will become a major weapon of countries whose militaries are outmatched by the U.S. has been growing for several years.
“One of the risks is that you’ve got Iran talking to Russia, you have Iran talking to North Korea, you’ve got the Syrians talking to Iran,” Lewis said. “This last hit against the Times had some similarities to things the Iranians have done.”
Along with Iranian attackers, proxy groups like Hezbollah probably have hackers they either employ or can pay, Chertoff said.
Pro-Iranian hackers were responsible for an Aug. 15 attack on the state-owned Saudi Arabian Oil Co., which destroyed at least 30,000 computers, Chertoff said.
The Syrian Electronic Army claims to be a group of young hactivists, not all of whom are inside Syria. Recent attacks, including taking over Twitter accounts of the AP and Britain’s ITV, require relatively limited skills while producing significant effects.
The latest attack on the websites of the New York Times and Twitter showed higher sophistication, indicating a growing expertise, said Carl Herberger, a vice president for the network-security company Radware Ltd. (RDWR), based in Tel Aviv with offices in New Jersey.
After a strike, the group could also be used as a front for far more skilled hackers, including Iranian military attackers.
The U.S.’s own cyber-attack capabilities are matched by only a few other nation-states. Among them is Russia, which has little incentive to get directly involved in retaliatory strikes, Lewis said.
Companies know they’re not spending anything close to what’s needed to make their networks invulnerable to attack, according to a 2012 study by Bloomberg Government.
To achieve the highest level of security that experts believe is attainable — stopping 95 percent of all attacks — the 172 companies surveyed would have to increase spending by 774 percent on average, the study found.
The government’s most sophisticated defensive capabilities reside with the NSA and U.S. Cyber Command, which are restricted in how they can help companies inside the U.S., Chertoff said.
“Cyber creates a much broader battlefield, if you will, for people who want to retaliate,” Chertoff said.
While U.S. banks have fortified computer defenses, “there is a heightened sense of urgency to batton down the hatches” in other sectors including utilities, telecommunications and transportation services, Herberger said.
“It’s sort of like a coming storm,” he said. “You can see different cities being hit up and down the coast with a hurricane coming and wonder if you are in its tracks.”