Just last week a report claimed that Cyber Command and the U.S. military took advantage of those new powers by ramping up a secret programme that inserted malware into Russia's power grid, but didn’t brief President Trump over concerns that he might shutter the programme or leak information about it to foreign governments.
"The digital strike against Iran is a great example of using #CyberCommand as a Special Ops force, clearly projecting US power by going deep behind enemy lines to knock out the adversary’s intelligence and command-and-control apparatus," said Phil Neray, vice president of industrial cyber-security for CyberX.
Dave Weinstein, CSO at Claroty, felt that this was a great example of when and how cyber operations should be deployed in response to kinetic operations. "It is both proportionate and limiting from a collateral damage perspective. Furthermore, it serves deterrence value because it demonstrates not only to Iran but to other adversarial observers that the US is both capable and willing to project cyber-force in a tailored fashion. It's also noteworthy that the US reportedly targeted what can be considered a strictly military target. As international norms of cyber-space evolve, it's important to demarcate military from civilian targets, particularly as it relates to dual-use infrastructure. Finally, this operation illustrates the advantages of cyber-space as an attractive alternative military domain to sea, air, or land, especially for conducting retaliatory strikes."
But it is not clear if civilian facilities will be kept out of retaliation. Henry Harrison, CTO and co-founder of Garrison, told SC Media UK that the good news is that UK and US national security organisations have comparatively strong cyber-defences for their weapon systems and we would not expect Iran to be able to carry out comparable attacks in reverse.
Earlier this month the US reintroduced the Active Cyber Defense Certainty Act (defeated in 2017) to amend the US Computer Fraud and Abuse Act and allow use of "limited" defence measures by private companies to monitor, identify, and stop hackers.
Active defence techniques that would be allowed include beaconing technology to "follow the bread crumbs" back to the source of an attack. Defence techniques would need to be reviewed in advance by the US Federal Bureau of Investigation.
At that time (prior to the recent US government attacks) Alex Rice, CTO of HackerOne, said in an email to SC Media UK about the hack-back proposals: "This section is worrying: 'Congress holds that active cyber-defence techniques should only be used by qualified defenders with a high degree of confidence in attribution, and that extreme caution should be taken to avoid impacting intermediary computers or resulting in an escalatory cycle of cyber-activity.'
"Attribution is hard, and any legislation that assumes it can be done at scale with a high degree of confidence is suspect.
"Until we can agree on terms like 'qualified defender', 'high degree of confidence', and 'extreme caution', hacking back will inevitably lead to collateral damage and misguided defenders could wind up facing jail time for an inadvertent misstep over an invisible line. We can't wait for legal precedent to be established here.
"This proposed vigilantism doesn’t work in any other societal structure for a reason. Today, the best digital offence for companies is a good defence, and this is where American companies should invest their resources."
Another issue highlighted by Sam Curry, chief security officer at Cybereason, is that nothing can be definitively proven in cyber. "Even if cyber activities produce kinetic effects, like disrupted pipelines, sabotaged uranium enrichment or interrupted communications, both sides can claim victory regardless of outcomes and appear strong. Now we're learning how cyber will get used in more hostile conflicts for the theatre of diplomacy.
"Iran claims a firewall stopped 33 million attacks, which is a useless claim because real attacks aren’t stopped by firewalls. The US claims that the President stopped a retaliation because 150 lives would be at stake, which translates to either a "look at my big gun that I didn’t use" style of threat or realisation that shooting down a drone regardless of air space isn’t really an act of war.
"Regardless of the rhetoric and duel of press releases, both the US and Iran are actually top cyber-powers. The posturing over who did what in the Strait of Hormuz is really only a reflection of failures on other fronts and high tension. Rest assured conflict is happening, but nothing either nation has said at this point is pointing to anything new or significant happening in the cyber-domain."
There is a history of cyber-attacks between the US and Iran. In 2010, the Stuxnet worm disrupted centrifuges at Iran's Natanz uranium enrichment facility. In 2012, Iranian hackers unleashed the Shamoon wiper on around 30,000 computers owned by the state-owned oil company Saudi Aramco, destroying the data on them.