December 26, 2014
The Obama Administration decided against conducting cyberwarfare against Iran in 2012, when Iran was attacking the websites of US banks, and instead rallied 120 countries to block Iran from using servers inside their borders to relay attack traffic into the United States.
The adopted response was much more complex and difficult to organize, and perhaps not even as effective, but it avoided launching a cyber counterattack that could have set a precedent for the future, The Washington Post quoted US officials as explaining.
As the Iran Times reported all through the spring of 2012, a dozen large American banks reported that their websites were coming under attack. Hackers traced to Iran were commandeering servers around the world to direct a barrage of Internet traffic toward the banks’ websites.
The attacks did not involve sophisticated technology. They were distributed denial of service (DDoS) attacks, in which a huge volume of requests is sent to a website from many machines at once, overwhelming it so that it goes down. What was unique was the scale of the attacks, involving volumes of traffic never seen before.
The attacks did not appear to steal any private information or to withdraw money from accounts. The sole purpose appeared to be to overwhelm the sites and keep them down for as long as the attacks continued. That meant customers could not access their account information. The assaults were disruptive and irritating, but did not cause financial losses.
That was one reason the US government decided against a cyberwar response. The conclusion was that such a response would be an over-reaction that would set a bad precedent.
But the attacks were “a wake-up call,” one official from a large Internet service provider told The Washington Post. “It got our attention in a very serious way.”
The Obama administration decided to appeal to about 120 countries to choke off the debilitating computer traffic at nodes around the world, according to current and former US officials. The attacks did not end, but they subsided, providing what officials described as a template for responses in future such cases.
The attacks on the banks were launched just weeks after President Obama signed into law the vast expansion of US sanctions against Iran that clamped down on Iranian oil exports starting July 1, 2012.
By September 2012, financial institutions including Wells Fargo, Bank of America and JPMorgan Chase were grappling with waves of electronic traffic that had crept up from 20 gigabits per second to 40, 80 and ultimately 120 gigabits per second. It was at least three times the volume of traffic that most large banks’ websites were equipped to handle.
In Washington, technical experts from different agencies gathered to discuss possible responses. The option to hack into the adversary’s network in Iran was dismissed as too provocative, the Post reported. But defense officials believed they had another option that would be effective and, as a former senior official put it, “gentle and precise.”
The compromised servers were constantly listening for commands from the attackers, such as those that would tell them to aim traffic at certain banks’ servers. A team at Fort Meade in Maryland, the headquarters of both the National Security Agency and the military’s Cyber Command, took action to blunt the attacks.
“It would not affect anything else, not shut down the entire server, not enter property,” said the former official. “It was, simply, take the signal and die.”
The option, put forward by General Keith Alexander, who headed both NSA and Cyber Command at the time, would have deterrent value and be “non-intrusive,” said former officials.
But other administration officials were unsure that the action could be so precise and expressed concern that affecting a server in Iran — even if in self-defense — would represent a violation of its sovereignty.
In the fall of 2012, with the attacks continuing, the White House decided to appeal for help to 120 countries, asking them to sever the traffic locally and to remove the malicious computer code from the servers being used as springboards for the attacks.
Chris Painter, the State Department’s coordinator for cyber issues, told the Post, “The pitch was, ‘We’re making a request of you, and we would really like your help. You have just as much of an interest in taking action because these are compromised machines. Please do what you can to mitigate this threat.’”
Officials in those countries took actions depending on their laws and technical capabilities, recalled Larry Zelvin, director of Homeland Security’s National Cybersecurity and Communications Integration Center.
Armed with Internet Protocol (IP) addresses, date and time stamps of malicious activity and port numbers, the countries’ computer emergency response teams (CERTs) could route the malicious traffic into what were effectively black holes, discarding it before it left their networks. They could also patch the compromised machines to close the vulnerabilities that had let the hackers take control of them.
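The kind of triage a CERT would perform with such a list is shown below as an added example; it is not code from the article, The Washington Post, or any CERT or government agency. It takes an advisory-style indicator list (host address, flooded port, time window), checks each entry against local flow records before trusting it, and emits a source-based drop rule only for hosts the local evidence confirms. All addresses (RFC 5737 documentation ranges), timestamps, ports and flow lines are constructed; the fifteen-minute clock-skew allowance and the use of an iptables FORWARD rule at the network edge are assumptions, not anything the article describes.

```python
"""Triage a CERT-style DDoS indicator list against local flow records and emit
source-based drop rules for confirmed attack hosts.

Added example; not code from the article, The Washington Post, any CERT or any
US agency. Every address, timestamp, port and flow line below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    """One entry of a hypothetical advisory: which host flooded which port, and when."""
    ip: str
    port: int
    first_seen: datetime
    last_seen: datetime


@dataclass(frozen=True)
class Flow:
    """One summarised flow record from the local collector."""
    ts: datetime
    src: str
    dst: str
    dport: int
    pkts: int


def parse_ts(text: str) -> datetime:
    """Parse a UTC timestamp such as 2012-09-18T14:05:12Z into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed indicators, as a requesting CERT might share them (192.0.2.0/24 is
# the documentation range standing in for the receiving country's address space).
INDICATORS = [
    Indicator("192.0.2.10", 80, parse_ts("2012-09-18T14:00:00Z"), parse_ts("2012-09-18T18:00:00Z")),
    Indicator("192.0.2.77", 443, parse_ts("2012-09-18T14:00:00Z"), parse_ts("2012-09-18T18:00:00Z")),
    Indicator("192.0.2.200", 80, parse_ts("2012-09-18T14:00:00Z"), parse_ts("2012-09-18T18:00:00Z")),
]

# Constructed flow log, one record per line: ts,src,dst,dport,pkts.
# 198.51.100.0/24 stands in for the banks. Line 4 falls outside the reported
# window, line 5 hits a port the report never named, and line 6 comes from a
# host not in the report; none of those three should count as confirmation.
FLOW_LOG = """\
2012-09-18T14:05:12Z,192.0.2.10,198.51.100.5,80,48211
2012-09-18T14:05:12Z,192.0.2.10,198.51.100.6,80,47580
2012-09-18T14:07:40Z,192.0.2.77,198.51.100.5,443,39900
2012-09-18T09:00:00Z,192.0.2.10,198.51.100.5,80,12
2012-09-18T14:09:01Z,192.0.2.10,198.51.100.5,22,3
2012-09-18T15:00:00Z,192.0.2.55,198.51.100.5,80,51000
"""


def parse_flows(text: str) -> list[Flow]:
    """Parse the comma-separated flow log into Flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, pkts = line.split(",")
        flows.append(Flow(parse_ts(ts), src, dst, int(dport), int(pkts)))
    return flows


def match_flows(indicators, flows, slack=timedelta(minutes=15)):
    """Return {indicator_ip: [matching flows]}, with an entry for every indicator.

    A flow matches when its source address and destination port equal an
    indicator's and its timestamp lies inside the reported window widened by
    `slack` (assumed here to absorb clock skew between reporter and collector).
    """
    by_key = {(i.ip, i.port): i for i in indicators}
    matches = {i.ip: [] for i in indicators}
    for f in flows:
        ind = by_key.get((f.src, f.dport))
        if ind is None:
            continue
        if ind.first_seen - slack <= f.ts <= ind.last_seen + slack:
            matches[ind.ip].append(f)
    return matches


def drop_rules(indicators, matches):
    """Emit a per-host, per-port drop rule for confirmed sources only.

    Filtering source + destination port at the edge stops the flood leaving the
    network without taking the whole server offline. Hosts the report named but
    the local flows do not corroborate are returned separately so an operator
    does not filter purely on another party's say-so.
    """
    confirmed, unconfirmed = [], []
    for ind in indicators:
        if matches.get(ind.ip):
            confirmed.append(f"iptables -I FORWARD -s {ind.ip} -p tcp --dport {ind.port} -j DROP")
        else:
            unconfirmed.append(ind.ip)
    return confirmed, unconfirmed


if __name__ == "__main__":
    found = match_flows(INDICATORS, parse_flows(FLOW_LOG))
    rules, stale = drop_rules(INDICATORS, found)
    print("\n".join(rules))
    print("no local evidence for:", stale)
```

The drop rule is the temporary measure; as the paragraph above notes, the lasting fix is cleaning and patching the compromised host, after which the rule should be removed so the server's legitimate traffic is not filtered indefinitely.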
Officials said the approach worked to a degree. The barrage of traffic eased. At the same time, the approach did not eliminate the traffic entirely and did nothing, some say, to ensure that the attacker would not try again.
“What was the sanction?” asked a former defense official who favored a more aggressive response. “The effort didn’t hinder the adversary’s objectives in the least.”
Painter conceded that the multinational mobilization was not “a complete silver bullet.” But, he said, it “certainly was very helpful in building that cooperative framework, and many countries were able to help.”