4 August 2019

Is The Cyber War With Iran Every Man For Himself?

By Shimrit Tzur-David 

The U.S. retaliation for the Iranian downing of a U.S. surveillance drone came in a new form: a cyberattack against Iran’s Revolutionary Guard.

Christopher C. Krebs, Director of the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency, said in an official statement that his organization was “aware of a recent rise in malicious cyber activity directed at United States industries and government agencies by Iranian regime actors and proxies.” 

What was particularly concerning about the DHS warning was that recent attacks did not follow the typical pattern of hackers seeking data for financial gain. Rather, Krebs announced that Iranian actors and their proxies were after much more than money - they were using “destructive wiper attacks.” “What might start as an account compromise, where you think you might just lose data,” Krebs said, “can quickly become a situation where you’ve lost your whole network.”


Most hackers either want to steal data or encrypt it (ransomware). Completely erasing it is a whole new ball game. Air, sea, land, and cyber are the frontiers now, which comes as no surprise to anyone in the cybersecurity community. Back in 2011, then CIA Director Leon Edward Panetta said, “The potential for the next Pearl Harbor could very well be a cyber-attack.”

What’s particularly unusual and unsettling about the DHS statement is that it continued: “In times like these, it’s important to make sure you’ve shored up your basic defenses, like using multi-factor authentication, and if you suspect an incident - take it seriously and act quickly.”

Here, the DHS expertly shifts the role of cyber defense from the government to its citizens. But nation-state attacks should be defended by the government and enforced by regulations. If you lived in an area with constant gun violence and the police suggested residents buy bulletproof vests, it would be reasonable to question the responsibility and effectiveness of the police. At a time when the line between physical identities and virtual identities has begun to blur (an understatement), it’s time for governments to treat cyberattacks in the same fashion that they treat any type of crime: legislation, regulation, and enforcement.

Multi-Factor Authentication should be the default, not an option

Car manufacturers are required to follow safety regulations, drug manufacturers are required to pass FDA guidelines, and financial institutions must follow banking regulations.

Software manufacturers, on the other hand, are not required to protect users. Many offer users an option to integrate a second factor for authentication, with some even providing this second factor (Google Authenticator, for example), but none invest resources in consumer education. Consequently, single-factor authentication is still a popularly selected option.

If Ford came out with a car that had a switch to turn off the airbags, the government would intercede. If airlines offered the option of a cheaper flight with no oxygen mask, the government would intercede. Here, millions of people are vulnerable to imminent threats from Iran, and the government is telling them to consider their own protection.


We have the technology to fix this

“Ultimately, we wanted to heighten the level of awareness of an increase in activity and encourage a more proactive defense posture at all levels of organizations,” said Krebs previously.

The government is telling us to be aware of a threat that they can easily rectify. How, you ask?

Remember when Google enforced SSL certificates on the entire internet? They gave us a few months to migrate to SSL, and companies who didn’t fall in line were displayed as unsecured sites.

This move has made the internet much more secure by all accounts.

While the question of who’s more powerful, the U.S. government or Google, has valid points for both sides (Google doesn’t have an army… yet), it’s time for the government to step up, regulate the software market, and make multi-factor authentication a requirement for doing business with its citizens.

How will I, a citizen, use a multi-factor authenticator?

For now, anyway, it seems that the U.S. is leaving your cybersecurity up to you. So what can you do while you wait for the government to recognize their responsibility to protect you?

According to Newzoo's Global Mobile Market Report, as of 2018, the U.S. had a 77% adoption rate for smartphones, and it’s reasonable to assume it has not decreased.

Your smartphone has an enclosed secure memory (enclave) and biometric verification capabilities, and it is the most secure consumer device.

There are many different apps that can turn your phone into a mobile multi-factor authenticator, and if you don’t want to use your phone, a hardware token is also a good option. The choice is yours and should be presented to you upon enrollment to any application.

You would not buy a car without seatbelts, and you should not sign up for an application that does not take your security seriously. It’s past time to graduate from the awareness stage and move to the enforcement stage. The world isn’t waiting for us to catch up.

(Shimrit Tzur-David is CTO and Co-founder of Secret Double Octopus. She’s also a lecturer at the Jerusalem College of Engineering. Her research areas primarily focus on PKI, cryptography, anomaly detection, web attacks, DDoS and intrusion detection.)
