The nightmare of America under cyberattack is happening now and it is not going to stop anytime soon. Foreign adversaries and criminal gangsters alike are hammering all aspects of society from hospitals to schools to government offices.
In December alone, a ransomware attack on human resources software disrupted operations for some hospitals operated by Ascension Healthcare, the timekeeping system of New York City’s Metropolitan Transit Authority, and the government of Prince George’s County in Maryland, among others.
That ransomware attack was far from December’s worst events, however, as private cybersecurity companies said they saw hackers backed by China, Iran and other countries exploiting a widely used piece of software, the open-source logging platform Apache Log4j.
People have warned of a cyber Pearl Harbor and 9/11 style cyberattack for decades, but the U.S. has thus far avoided suffering a major surprise cyberattack that costs lives and spreads to other realms of society. But considering what happens if a cyberattack causes a war to break out is something professionals in business and government have prepared for.
“I hate to say it, I do think about it, it’s a pretty scary thing, [and] I hope that we never experience a cyberattack that’s considered a declaration of war,” said Charles Carmakal, senior vice president at cybersecurity firm Mandiant. “And I don’t know that we have in the United States, I don’t know that I’ve seen anything that I would say should have been declared as an act of war, but there have been some situations in general, in other parts of the world that have been declared acts of war.”
Mr. Carmakal pointed to a 2017 cyberattack, NotPetya, by Russia against Ukraine as the sort of thing that would be considered an act of war in the U.S. The NotPetya attack leveraged accounting software to infect computers in Ukraine and wreck networks that ultimately did $10 billion of damage globally, according to the Brookings Institution.
The rules for war in cyberspace are less clearly established than in other domains.
National Cyber Director John C. Inglis told the House Oversight and Reform Committee in November that a cyberattack is typically considered an act of war when it achieves the same amount of damage as a kinetic weapon, including things like the “loss of health safety, national security of a significant nature.”
Some cyberattacks have come dangerously close to Mr. Inglis’ generic definition of cyber warfare.
The Biden administration said in November it had evidence of Iran-backed hackers exploiting vulnerabilities at hospitals. The Cybersecurity and Infrastructure Agency alert on the hacks, however, said CISA, the FBI and their partners in the U.K. and Australia determined the hackers were focused on exploiting known vulnerabilities over picking specific targets in the healthcare and transportation industries.
The Biden administration also has accused Iranians of attempting to interfere in the 2020 elections, particularly aimed at Republican lawmakers, Democratic voters and news outlets. Last month, the Justice Department charged two Iranians with computer fraud and voter intimidation while the Treasury Department imposed sanctions on six Iranian people and one Iranian entity.
Such cyber operations are nothing new for the Iranians, but wading into politics, particularly efforts to influence voters through intimidation beforehand and sowing distrust afterward, is a new tactic for Iran, said Jonathan Couch, senior vice president at risk intelligence company ThreatQuotient.
“I think they’ve learned from the Russians. It’s one of those things where, despite a lot of the rhetoric that goes on, actually hacking elections at scale is an incredibly difficult thing to do just because of how we run our elections and how those things go about,” said Mr. Couch, who formerly served in the Air Force. “One of the things the Russians successfully exploited back in 2016 and now the Iranians are getting involved with it, it’s more what I’ll call ‘influence operations’ to where if I can’t go in and change the votes themselves, let me try to influence the voters to change their vote.”
America has narrowly missed suffering major catastrophes caused by cyber problems in the last year. Homeland Security Secretary Alejandro Mayorkas recently told USA Today’s editorial board that a February hack on a water treatment plant in Oldsmar, Florida, “should have gripped our entire country.”
A hacker who sought to change the drinking water’s level of sodium hydroxide, the liquid drain ingredient lye, was prevented from doing so by a plant operator in the town near Tampa.
According to Mr. Mayorkas, the hacker did not have a financial motivation and just wanted to do harm.
The crush of cyberattacks on America has made predictions for the future look grim and caused lawmakers to consider an unusual solution resembling vigilante justice — empowering private companies to legally hack back against attackers.
Sens. Sheldon Whitehouse, Rhode Island Democrat, and Steve Daines, Montana Republican, proposed a hack-back bill directing the Department of Homeland Security to study the benefits and risks of allowing private groups the authority to take offensive action.
“The status quo has failed to protect the American people from cyberattacks. That’s why I’m challenging federal officials to think outside the box and put all options on the table,” Mr. Daines said in a statement to The Washington Times.
Giving private groups the authority to legally fight back is a proposal that may find fans in the private sector and among victims. Mr. Carmakal said he was not familiar with the senators’ proposal but he believed there was an opportunity for the government to entrust a few commercial entities with the ability to take aggressive action against attackers.
He stressed that not anyone should have the legal ability to strike back because not everyone has the knowledge necessary to do so and it could cause a conflict to escalate.