The US military strike that killed Qassim Suleimani, the head of the Iranian Revolutionary Guard Corps’ Quds Force, a US-designated foreign terrorist organization, resulted in heightened tensions between the two countries this week, with American officials warning of retaliatory measures. Although Iran has said that physical forms of attack—such as missile strikes executed against US military bases in Iraq—have “concluded proportionate measures against the United States,” cyberattacks and disinformation campaigns may very well be in the offing. Potential targets include the US government, infrastructure, and private-sector companies.
If anything, a clandestine war may be more in keeping with how Iran has historically lashed out against the United States. Previously, Iran was suspected of cyberattacks on the Bowman Avenue dam in New York and the Atlanta government systems. Looking at damage done in the private sector, Iranian hackers were alleged to have attacked at least 46 US financial institutions, forcing their computer networks offline in 2013, and to have destroyed data controlled by the Las Vegas Sands Corp. in 2015. The US Department of Homeland Security in June saw signs that Iran was targeting computer networks tied to the US government as well as oil and gas providers. And while its capabilities may not be as formidable as those of, say, Russia or China, Iran’s network of hackers is considered more unpredictable and willing to act without approval from Iran’s Revolutionary Guard Corps.
As of this writing, Iran’s known cyber response in the last week has encompassed defacing of US government websites and issuing anti-US statements on social media platforms. Nevertheless, on January 3, Christopher C. Krebs, director of the US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, reminded companies and local and state governments to back up data and be on alert for abnormal activities or incursions into their computer systems.
Implications for Boards: When political tensions escalate, companies are at risk of becoming retaliation targets—and an attack may be virtual, not physical, in nature. As a result, boards need to be aware of how the company stores and protects its virtual assets, and what known gaps exist in the company’s cybersecurity systems. In addition, boards should know how the company plans to respond in the event of a cyberattack, including how long the business could function without access to the Internet. Having strong relationships between management and the board and with third-party cyber experts who are ready to assist in an instant would create a line of communication and greater confidence that the company would be able to respond quickly to a cyber threat and assure resiliency.
Key Questions Directors Should Ask:
The Cyber-Risk Oversight Certificate program, developed by NACD alongside Carnegie Mellon University’s CERT division, is designed to bolster directors’ cyberliteracy and help them cultivate a culture of cybersecurity within their organization. The Cyber-Risk Oversight Resource Center collects all of NACD’s research, tools, and upcoming events that are designed to help directors oversee cyber threats. In addition, the blog post “Keeping Up with Breaches: What Your Board Can Learn from Proxy Disclosures” explores how boards can use other companies’ disclosures to inform how to successfully respond to cyberattacks.