United States Secretary of State Mike Pompeo delivered the keynote address at the Claremont Institute's 40th Anniversary Gala as this year's recipient of the Institute's Statesmanship Award.
The Mullahs Declare Cyberwar
Iran’s nuclear threat is real, but the acute danger is digital.
Though the Communist Party of China is a major threat to the United States, perhaps the biggest threat of all, other threats exist. The Islamic Republic of Iran, for example, poses a significant threat to U.S. security and infrastructure. Last month, the Biden administration hit the Iranian government with a fresh set of sanctions. The new penalties, according to ABC News, targeted two high-ranking members of the foreign terrorist organization Iran’s Revolutionary Guard Corps and “two affiliated companies for supplying lethal drones and related material to insurgent groups in Iraq, Lebanon, Yemen and Ethiopia.”
The U.S. and Iran have resumed nuclear negotiations, but with little expectation of progress. As Council on Foreign Relations president Richard Haass recently noted, “there’s no reason to believe that Iran would ever sign on to a ‘longer, stronger’ nuclear deal,” one that places “more severe constraints on its nuclear program for a longer period. Nor is there reason to believe that Iran a decade hence will be fundamentally different in its political makeup or in what it seeks.” Iran, like China and Russia, is ruled by a belligerent dictator with little interest in democratic norms or human decency. In the first week of November, Iran’s president, Ebrahim Raisi, warned the U.S. that he was unwilling to accept “excessive demands” in the forthcoming nuclear talks, language that signals that any deal is unlikely to happen.
Though Iran is most definitely a nuclear threat, there is a stark difference between having the potential to launch a nuclear attack and actually launching a nuclear attack. In fact, the biggest threat Iran poses to the U.S. is to target its cyber infrastructure. According to Kevin Mandia, the CEO of Mandiant, a U.S.-based cybersecurity firm, the Iranian government has been “upping its cyber-offensive capabilities for years to take advantage of U.S. weaknesses.” Those weaknesses are numerous, and are well known to our adversaries.
In August of this year, cybersecurity protections at four federal agencies received grades of D; three got Cs; only one received a B. A 47-page report, issued by the Senate Committee on Homeland Security and Governmental Affairs, stated the following: “As hackers, both state-sponsored and otherwise, become increasingly sophisticated and persistent, Congress and the executive branch cannot continue to allow PII and national security secrets to remain vulnerable.” This has been a problem for decades, according to earlier government reports.
Microsoft, which suffered a vicious cyber-attack a few months ago, recently issued a statement concerning Iranian state-sponsored cyber hacking. “Iranian threat actors are increasing attacks against IT services companies as a way to access their customers’ networks. This activity is notable because targeting third parties has the potential to exploit more sensitive organizations by taking advantage of trust and access in a supply chain.” Last year, these types of attacks were virtually non-existent; this year, according to Microsoft, there have been at least 1,500. Even more worryingly, according to Mandia, Iran has the potential to hit the U.S. with a “zero-day attack,” which is when a flaw, such as a software vulnerability, is exploited before a developer has a chance to address the weakness. What would a zero-day attack look like?
The United States has at least 10 key critical infrastructure sectors, including energy and utilities, finance, food, transportation, government, information and communication technology, health, safety, water, manufacturing. According to the Cybersecurity and Infrastructure Security Agency, the “incapacitation or destruction” of any one of these ten sectors “would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” The United States is the number one target for cyberterror. In 2020, the U.S. was the victim of a staggering 65,000 ransomware attacks; that works out to 170 attacks every single day.
By the end of this year, the number of attacks is expected to be even greater in number, especially now that Iran has upped its cyber capabilities. To make matters worse, a report authored by SecurityScorecard, a New York-based cybersecurity firm, found 75 percent of U.S. states and territories to be particularly vulnerable to cyber-attacks. Most states scored a cyberhealth rating of “C” or below, with North Dakota, Illinois, and Oklahoma scoring the worst of all. States, like federal agencies, are desperately underprepared for future attacks.
As attacks increase in frequency, so too will the amount of carnage they inflict. Bad actors now have the power to hack the U.S. power grid, plunging the entire country into darkness. If you think looting and violence are a problem now—and they very much are—imagine the United States in a state of prolonged darkness. So, while the nuclear threat from Iran is indeed a concern, the cyber-threat posed by the theocracy is actually much more immediate.
Congress’ $2 billion cybersecurity investment is a start toward addressing the issue. But throwing money at a problem is not a feasible long-term solution. Going forward, cyberattacks will only increase in both frequency and severity. The United States needs qualified people to detect and neutralize future threats. Cybersecurity needs to be incorporated into curriculums across the country so talented youth can be equipped with the tools to pursue the appropriate STEM fields. There is no short-term fix here. The United States must put a long-term plan in place sooner, rather than later.