Experts: Iran and North Korea are looming cyberthreats to U.S.

The two countries may lack some capabilities, but they have strong intentions to do harm, experts say

Cyberattacks supposedly originating from China have raised alarms in recent weeks, but U.S. businesses and government agencies should worry as much about Iran and North Korea, a group of cybersecurity experts said.

China and Russia have significantly more sophisticated cyberthreat capabilities than do Iran and North Korea, but the two smaller countries are cause for concern in international cybersecurity discussions, the experts told a U.S. House of Representatives subcommittee Wednesday.

While China and Russia maintain active diplomatic ties with the U.S., which should discourage them from launching major attacks on the U.S., Iran and North Korea may be driven to attack the U.S. out of desperation to maintain their political regimes in the face of global isolation, said Frank Cilluffo, director of the Homeland Security Policy Institute and co-director of the Cyber Center for National and Economic Security at George Washington University.

Iran still lacks the capabilities of Russia and China, but it has been testing its cyberattack abilities in recent months, Cilluffo said. "The bad news is ... what they lack in capability, they more than make up for in intent," he said. "Whatever [capability] they don't have, they can turn to their proxies or buy or rent."

Iranian attackers can buy botnets that can disrupt U.S. businesses, he told the House Homeland Security Committee's cybersecurity subcommittee. Cybersecurity experts have pinned a series of denial-of-service attacks on U.S. banks early this year, and a 2012 attack on Saudi Arabia's national oil company, Aramco, on Iranian hackers.

North Korea is a "wild card," Cilluffo added. The country is actively seeking cyberattack capabilities, he said.

Hackers in China and Russia are largely focused on espionage and theft, but those two countries have less interest at the moment in damage-causing cyberattacks on the U.S., Cilluffo said. The capabilities of China and Russia make them advanced persistent threats, but "they have some modicum of responsibility and recognize that we can retaliate," he said.

Iran and North Korea are more unpredictable, witnesses at the hearing said. Iran seems to be focusing its cyberattack capabilities on retaliation against the U.S. and Israel if the two countries attempt to shut down its nuclear program, said Ilan Berman, vice president of the American Foreign Policy Council, a think tank. That focus makes Iran "particularly volatile," he said.

Iran's attack on Aramco in mid-2012, causing damage to 30,000 computers, was a warning to the U.S. and other countries about the country's growing capabilities, Berman said. Iran is "outlining how they would act in the event of a breakdown in relations," he said. The Aramco attack "can be seen as a signaling mechanism by which Iran is telegraphing to the international community" its plans to attack critical infrastructure if war breaks out.

Representative Mike McCaul, a Texas Republican, asked when cyberattacks cross the line into warfare. "At what point do we respond?" he said.

Berman said he couldn't answer that question. Instead, U.S. defense and intelligence officials need to make that decision, he said.

Cyberattackers are changing their tactics as large U.S. companies harden their defenses, said Richard Bejtlich, CSO at security vendor Mandiant, which recently pinned responsibility for several espionage campaigns on a Chinese government cyberunit. Attackers are often targeting smaller companies that partner with large organizations, and then working their way in to the larger target, he said.

The attacks are often successful because "there's an imbalance between offense and defense," Bejtlich added. "A single attacker or group of attackers can keep hundreds or thousands of defenders busy."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's e-mail address is

Join the CSO newsletter!

Error: Please check your email address.

Tags Frank CilluffoHomeland Security Policy InstituteMike McCaulIlan BermansecurityGeorge Washington UniversityAramcogovernmentMandiantRichard BejtlichAmerican Foreign Policy Council

More about CSOIDG

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Grant Gross

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place