Congress struggles on rules for cyber warfare with Iran

Congress struggles on rules for cyber warfare with Iran
© Greg Nash

The U.S. and Iran may have walked back from the brink of war, but the potential for a cyber battle looms with no clear rules of engagement.

Lawmakers and military officials say there’s no agreed-upon definition of what constitutes cyber warfare, leaving them to decide on a case-by-case basis how best to respond to individual incidents.

“We've never really gone down the route to define what constitutes an act of war when it comes to cyberattacks,” Sen. Ron JohnsonRonald (Ron) Harold JohnsonSunday shows preview: Coronavirus cases surge in the Midwest; Trump hits campaign trail after COVID-19 Cuomo signs legislation declaring Juneteenth an official holiday in New York Trailing in polls, Trump campaign resurrects Hunter Biden attacks MORE (R-Wis.), chairman of the Senate Homeland Security Committee, told The Hill last week.


Sen. Gary PetersGary Charles PetersOvernight Health Care: Trump takes criticism of Fauci to a new level | GOP Health Committee chairman defends Fauci | Birx confronted Pence about Atlas Government watchdog to investigate allegations of Trump interference at CDC, FDA State of the race: 'Cancel culture' and polling don't mix MORE (Mich.), the top Democrat on the committee, told reporters it’s an issue that “needs some further attention” and one that isn’t going away anytime soon.

“We’re likely to see this not just with Iran, but in the future you are going to see cyber as one of the main domains of warfare going forward,” Peters said. “So it’s important to try to get our arms around how we would define it.”

While Iran has been considered a major cyber adversary, joining the ranks of Russia, China and North Korea, its threat level spiked this month after President TrumpDonald John TrumpNearly 300 former national security officials sign Biden endorsement letter DC correspondent on the death of Michael Reinoehl: 'The folks I know in law enforcement are extremely angry about it' Late night hosts targeted Trump over Biden 97 percent of the time in September: study MORE ordered a drone strike that killed Iranian Gen. Qassem Soleimani.

The Department of Homeland Security (DHS) and FBI subsequently issued a bulletin to law enforcement and briefed lawmakers of the threat of retaliation. The Cybersecurity and Infrastructure Security Agency at DHS issued a separate notification warning of Iranian cyber threats.

But what kind of cyber aggression might spark a return to hostilities remains unclear.

Sen. Richard Blumenthal (D-Conn.), a member of the Senate Armed Services Committee, told The Hill that the Pentagon should be responsible for defining what level of cyberattack constitutes going to war with a nation-state.


“I think the question of what is an act of war in the cyber domain is a serious policy question that needs to be addressed, and Congress so far has failed to address it,” Blumenthal said. “It’s really the Department of Defense that should be providing guidance. Congress should certainly be overseeing the question and addressing it, but we have pressed the Department of Defense to come to us with a proposal on it.”

The Pentagon elevated U.S. Cyber Command to what’s known as “combatant command” in 2018, the same year it released its cyber strategy.

A key priority of that strategy is defending critical infrastructure against debilitating cyberattacks, the type of attack that Johnson said would constitute a red line, despite the lack of consensus around what defines cyber warfare.

“When you start getting into control systems, electrical systems, other critical infrastructure, you start attacking our financial system — to me those certainly would qualify, or certainly should be considered, as something we would require a pretty robust response,” Johnson said.

Sen. Angus KingAngus KingFederal commission issues recommendations for securing critical tech against Chinese threats Push to expand Supreme Court faces Democratic buzzsaw Hopes for DC, Puerto Rico statehood rise MORE (I-Maine), co-chairman of a commission tasked with making recommendations for defending the U.S. government in cyberspace, said Iran poses a “serious risk” of launching a cyberattack.

“It's a serious risk because I think they have the capability and we haven't ... defined what we would consider an attack that would trigger a response,” King told The Hill. “I think that's one of the problems with our policy.”

On the other side of the Capitol, Rep. Cedric RichmondCedric Levon RichmondThe Hill's Morning Report - Sponsored by Facebook - Trump combative, Biden earnest during distanced TV duel Cedric Richmond's next move: 'Sky's the limit' if Biden wins Democrats preview strategy on Barrett's Supreme Court confirmation hearings this week MORE (D-La.), the chairman of the House Homeland Security Committee’s cybersecurity subcommittee, told The Hill that he and full committee Chairman Bennie ThompsonBennie Gordon ThompsonLong-shot Espy campaign sees national boost in weeks before election House chairman asks Secret Service for briefing on COVID-19 safeguards for agents Hillicon Valley: House panel says Intelligence Community not equipped to address Chinese threats | House approves bill to send cyber resources to state, local governments MORE (D-Miss.) would “get together and figure out” whether legislation around defining an act of cyber warfare was needed.

The committee will address Iranian threat concerns this week when members hold a hearing on the homeland security implications of tensions between Washington and Tehran.

The U.S. intelligence community has long been aware of Iran’s ability to target the U.S. through cyberattacks. The most recent Worldwide Threat Assessment, compiled by former Director of National Intelligence Daniel Coats, said Iran is “capable of causing localized, temporary disruptive effects — such as disrupting a large company’s corporate networks for days to weeks.”

“The threat is generally at a persistent level and spikes at various times,” said Annie Fixler, deputy director of the Center on Cyber and Technology Innovation for the Foundation for Defense of Democracies, a Washington-based think tank known for its hawkish views on Iran.

Fixler said the issue of what type of cyberattack would push the U.S. into war was “the million-dollar question.”

“The Pentagon has always said that they reserve the right to respond to cyberattacks with kinetic force and have traditionally said ‘significant cyberattacks’ — and the key is what constitutes significant cyberattacks,” Fixler said. “Given what we’ve seen so far from malicious cyber actors, it would be an attack on critical infrastructure that causes significant damage.”

Iran is likely to focus more of its cyberattacks against U.S. companies that would have a ripple effect on the government or military, providing a certain level of cover that the attack wasn’t directly targeting the government.

“Iran could have an outsize impact by undermining these private sector companies,” Fixler said. “So that is a very potent threat.”

Tom Kellermann, who served on a presidential cybersecurity commission during the Obama administration, told The Hill last week that he saw acts of war in the cyber domain that the federal government would have to respond to as those on the transportation sector, such as trains and airplanes, and on the chemical, pharmaceutical and energy sectors.

Kellermann, who now serves as the head of cybersecurity strategy for cyber group VMware Carbon Black, cited examples of an attack on air traffic control systems causing loss of life or hackers disrupting financial markets on Wall Street.

“Congress must view cyber as a patriotic imperative,” Kellermann said. “It cannot not be ignored merely because it is invisible as the physical world has converged with cyberspace.”