With the U.S. and allies actively considering military action against the Syrian regime for reportedly using chemical weapons, the U.S. cannot ignore the possibility that Syria, and its ally Iran, will strike back at the U.S. with cyber weapons.
Reuters is reporting that if the U.S. does intervene in Syria, this “will be the first time [the U.S.] strikes a country that is capable of waging retaliatory cyberspace attacks on American targets.” Not only are missile strikes the wrong approach, but such military actions could result in real consequences here in the U.S.
Indeed, the Syrian Electronic Army (SEA), a shadowy hacking collective loyal to the Syrian government with possible connections to Iran, has already proven its willingness and ability to strike at the U.S. Just yesterday, The New York Times and Twitter were supposedly hacked by the SEA, which also claimed responsibility for hacking The Washington Post and various news agencies’ Twitter feeds, most notably spreading false information about explosions at the White House that unsettled stock markets.
While such attacks are mostly directed at media and social media so far, other more damaging attacks are possible and could be used in the event of a U.S. attack on Syria. This is especially true given the connection between Iran and Syria and Iran’s history of striking at critical infrastructure.
Iran is suspected of the attacking the Saudi oil company Aramco and effectively wrecking around 30,000 computers. Iran is also thought to be behind one of the largest coordinated attacks that disrupted or crashed dozens of U.S. banks’ websites last fall.
Furthermore, there is always the possibility of support for Syria from allies such as Russian hackers, who are part of a technologically savvy gray market for hacking and cyber crime.
This threat is not merely the ruminations of a few bloggers or low-level security officials, either. There are reports that the National Security Agency, the Pentagon, and the Department of Homeland Security are all watching this situation carefully and taking defensive measures to prevent a serious attack. While a crippling cyber attack is unlikely in this case, it is not out of the question, and regardless of whether the U.S. strikes Syria, the U.S. should be better prepared to face threats to its critical infrastructure.
Some believe that the only way for the U.S. to solve its cyber ills is to force the private sector to improve its cybersecurity through regulations and mandatory standards. Indeed, the Cybersecurity Act of 2012, the main Senate cyber bill last year, and President’s Obama’s cyber executive order from earlier this year rely on government-developed standards. However, such standards are likely to be incomplete and hard to update, and they create a culture of compliance, not one of true security.
Instead of static rules and a “check the box” mindset, the U.S. can improve its cybersecurity through truly collaborative policies that leverage the strength of the private sector. Information sharing within the private sector and with the government can provide up-to-date information on the latest threats and vulnerabilities. A system of liability and insurance for the private sector can incentivize additional investments in cybersecurity, not merely compliance. Additionally, the U.S. government can and should take a more active role in deterring malicious cyber states that steal information from and attack U.S. organizations.
The reality of cyber attacks means that the U.S. can no longer launch missiles into a country and expect no response. In the case of Syria, as well as future conflicts, the U.S. should be prepared for cyber retaliation.