It is time to protect our frontline institutions from cyber attacks
Trump's action deterred Iran — now we must do so in cyberspace
A few months ago, in these pages, we advocated for the United States to extract significant costs from Iran for its provocative activities in the Middle East. Earlier this month, President Trump did just that. In a single airstrike, the United States made clear to Iran that it was prepared to take action in response to the killing of Americans and the ransacking of the U.S. embassy. And, notwithstanding the overreaction from various quarters - particularly on Capitol Hill - about the consequences of the president's action, the Iranian response thus far has been fairly muted, with a few missiles striking U.S. facilities in Iraq and no casualties.
While we cannot assume these strikes are the sum total of the Iranian response, Iran's actions to date demonstrate that they understand a more serious attack likely would have elicited an overwhelming response from the United States. This is proof positive that deterrence works. Although some might say that the risk of a larger conflict wasn't worth the risk of taking the strike against Qassem Soleimani, the reality is that for the better part of a decade, the U.S.'s decision to leave Iranian aggression in the region largely untouched is what led the Iranians to believe they could operate with relative impunity.
Given our prior posture, and our new effort to reestablish deterrence, one must still consider whether the Iranians will be tempted once again to test our boundaries. They may conduct additional responses because internal constituencies within the revolutionary government are unsatisfied with their nation's response thus far, or may simply do so in a return to their prior efforts. But in either circumstance, the notion that Iran will quietly cease its regional activities - including those focused on undermining U.S. influence and seeking to convince us to cede the region to them and their erstwhile allies such as Russia - is simply unrealistic.
On the contrary, it is significantly more likely that the Iranians will, at some point soon, once again try to go up against the United States. These efforts might take a variety of forms - from overseas terrorist attacks, aggression against our allies in the region, attacks on tankers in the Arabian gulf, and the like - but the most likely scenario is a return to Iranian provocation in cyberspace. The reason cyber attacks are the most likely refuge of an asymmetric actor such as Iran, particularly as the United States seeks to reestablish deterrence, is that such attacks have attributes that Iran might find attractive.
First, activities in cyberspace have the benefit of being dynamically scalable. Unlike missile attacks, bombings, or targeted terrorism - efforts that are fairly binary in impact - cyber attacks can be rapidly, and fairly easily, scaled up and down. As such, given that Iran is clearly on notice of the U.S. willingness to punch back, cyber attacks may be an area where they estimate the U.S. might not respond, or at a minimum where they can adjust the nature and scale of their attacks while avoiding a stiff U.S. response.
Second, the use of cyber attacks provides some measure of plausible deniability for Iran, which might want to be seen as responding, but to do so in a way that provides some cover. In many ways, this is the reason Iran uses proxies for many activities around the globe. While no one is confused about Iran's role in supporting groups such as Kata'ib Hezbollah, the organization that killed hundreds of American soldiers in Iraq using Iranian-provided explosive formed penetrators over the course of nearly a decade, the fact that Iran had a plausible claim to not directly be involved in those activities protected it from American retaliation, at least at some level.
Indeed, the U.S. response against Soleimani, the head of the Islamic Revolutionary Guard Corps' Quds Force, to an attack ostensibly conducted by Kata'ib Hezbollah came only in the aftermath of Soleimani playing a much more visible, active role in the region. For much of his time leading the IRGC-QF, Soleimani was a wraith, pulling the strings of Iran's proxies from behind the scenes. In more recent years, however, he became something of a media star, representing the more open role of Iran in manipulating politics in the region.
Assuming that Iran does choose to return to a more aggressive cyber posture, the key question the American government and our companies - the most likely targets of Iran of cyber action - must answer is how to prepare for this scenario. As we've previously argued, the right approach is clear. First, we must be willing to enforce deterrence as we now have in the physical realm - that is, we must be prepared to respond and deter further cyber action, particularly if it rises to the level of a significant attack.
Specifically, Iran (and others) must understand that we are willing to respond strongly to a serious cyber attack - particularly on our critical infrastructure - and that we will do so in a manner of our choosing, whether in cyberspace or another domain of warfare. This has worked in the more traditional arena and there is no reason to think it won't work in cyberspace.
On the defensive side, we also must be prepared for potential attacks. In particular, companies in key targeted industries such as financial services, energy, oil and gas, and health care, as well as the government, must work together if they are to effectively stave off a nation-state actor that has significantly greater economic and human resources to dedicate to a cyber attack. In particular, they must work together at the speed and scale at which the enemy operates. Companies, industries and governments need to collaborate in real time, with interoperable systems working together and preparing ahead of time through joint training and exercises.
Finally, we should help the Gulf states create a better defended and more resilient cyber infrastructure and work with them to create their own NATO-like structure for collective cyber security based on the Gulf Cooperation Council. To date, our allies have borne the brunt of Iran's attacks. If the United States and our NATO allies are willing to work with these countries as they join together on cyber, we could demonstrate to them (and our mutual rivals) that we are in this effort together.
At a time of continued heightened threats from Iran and others in the cyber realm, it is all the more important that American industry, the U.S. government and our allies work with one another to prepare for attacks that are likely to come. If we do not, and there is a significant incident, the American people will reasonably ask what we were doing as the threat gathered.
Gen. (Ret.) Keith B. Alexander is the former director of the U.S. National Security Agency and the founding commander of United States Cyber Command. He currently serves as chairman and co-CEO of IronNet Cybersecurity, a startup technology company focused on network threat analytics and collective defense.
Jamil N. Jaffer is the former chief counsel of the Senate Foreign Relations Committee and a former associate counsel to President George W. Bush. He currently serves as vice president for strategy, partnerships and corporate development at IronNet Cybersecurity. Follow him on Twitter @jamil_n_jaffer.