Epic Fail

The Overhyping of Iran’s Cyberarmy

They said an Iran deal would supercharge Tehran’s hacking brigade. But when they showed their data to U.S. intelligence analysts, they were told to get lost.

A report on Iran’s possible plans to launch devastating cyber attacks in the United States raised eyebrows last month, both for its alarming claims and its unusual combination of authors: a Silicon Valley cybersecurity company and a famously influential neoconservative Washington think tank that has been a prominent opponent of a nuclear deal with Iran. The report warned that if the U.S. lifted sanctions on Iran, the country would pour new money into its burgeoning cyber warfare program.

But before the report—co-authored with the American Enterprise Institute—was ever made public, the security company shared a set of preliminary findings on Iran’s cyber warfare operations with officials in the U.S. military and the intelligence community. There, according to current and former officials, the information was greeted by some with a mixture of puzzlement and outright hostility. Government and outside experts have wondered whether the preliminary findings, as well as the subsequent public report with AEI, were relying on dubious intelligence to stir up fears about pending Iranian cyber attacks, just as U.S. officials were trying to iron out the nuclear deal.

The Daily Beast reviewed a copy of the preliminary report, which was written by the cyber security company Norse in January of this year and shared with officials at the National Security Agency and in the military. Described as a “cyber intelligence bulletin” on “malicious cyber activity originating from the Islamic Republic of Iran,” it states that Norse has data on “more than 500,000 attacks on Industrial Control systems over the last 24 months,” referring to the computers that help to run power grids, hydroelectric facilities, and other so-called critical infrastructure in the U.S.

Norse’s claim of half a million “attacks” is an astonishingly large number. But nowhere in the document does Norse offer specific data to back up the claim, noting that more details are forthcoming in a report that the company will publish “later this year.” The bulletin also alleges that Iran is targeting computer systems and Web sites inside the United States, without offering many technical particulars.

“I specifically told them that they could not publish these claims in their upcoming AEI report because they were absolutely not true,” Robert M. Lee, an active duty Air Force cyber warfare operations officer, told The Daily Beast. Lee said he was shown a copy of the bulletin in February and asked to provide comments to top Norse executives, including the CEO.

Lee said he received calls from two military officers who’d also read the bulletin and wanted to know what to make of Norse’s claims about Iran. Lee said that he tried to “de-hype” Norse’s statements and assured the officers that, based on his expert reading of the bulletin, there was no reason to fear an imminent Iranian attack.

Two former U.S. intelligence officials who have also read the Norse bulletin told The Daily Beast that it was incomplete and made assertions about Iran’s actions without any obvious evidence.

“It looks very amateur to me,” said one former U.S. official with years of experience on foreign government efforts to hack American systems. It seemed that Norse was basing its conclusions that Iran was behind malicious cyber activity largely on traffic emanating from particular Internet protocol addresses located in Iran. But hackers routinely use IP addresses outside their own country to mask their true location. “This alone would make me think it is not Iran,” the former official said. “Any decent actor worth their salt will jump through a few hops or anonymize their IP.”

A second former official said that the bulletin wasn’t specific enough to substantiate Norse’s claims of an Iranian cyber onslaught, and while it was filled with claims that intelligence officials certainly found intriguing, there was little in the way of information for them to follow up on or substantiate Norse’s claims.

Intelligence officials haven’t been shy about publicly identifying Iran as a formidable threat in cyberspace. Director of National Intelligence James Clapper testified before Congress earlier this year that Iran was responsible for a cyber attack on the Sands casino company that destroyed some of the company’s proprietary information. And Iran was behind a 2012 attack on U.S. bank Websites, intelligence officials say. And other security researchers have also concluded that Iran is responsible for intrusions into sensitive computer systems in the U.S. and around the world.

But the Norse document was making some of the most serious claims possible in cyber security—a country hostile to the U.S. targeting industrial control systems. It’s not clear whether Lee’s pushback, coupled with skepticism expressed by some U.S. intelligence officials, led Norse to scale back on its findings when its joint report with AEI was published in April. But the claim of 500,000 attacks is nowhere to be found in that document. The bulletin also says that “Iran specifically targeted Industrial Control Systems in the United States forty-seven (47) times during 2014.” But the final report doesn’t include that assertion, either. And the cases of possible attempts to compromise industrial control systems that are written about in the report are few and caveated, noting that definitively assigning blame to Iran is “difficult.”

Fred Kagan, the co-author of the joint report and the director of the Critical Threats Projects at the American Enterprise Institute, defended the report’s analysis and said it was backed up by 120 gigabytes of technical data that Norse has made public. He acknowledged in an interview with The Daily Beast that the data had limitations, but he said the intent of the report was to present a strategic view of Iran’s capabilities in cyberspace—which many senior U.S. officials have described as growing and dangerous—and not to provide smoking gun evidence on which the U.S. could base some retaliatory action, such as when the Obama administration hacked North Korean computers and imposed economic sanctions after that country’s assault on Sony.

But Kagan said that not all the claims in the original Norse bulletin could be substantiated. “Of course there’s information in here that’s going to turn out to be wrong,” Kagan said. The bulletin was meant to be a “heads up” to the intelligence community, he said, about what Norse thought it had learned about Iran and to ensure that, if the company published its findings, they wouldn’t be disclosing any classified or sensitive information that could jeopardize U.S. intelligence operations.

Kagan noted that the bulletin was not a draft of the report he later wrote with Norse. But Norse’s contribution to that final document was based on research it conducted for the bulletin. Partnering with AEI gave the tech firm’s work the imprimatur of a prominent conservative organization that’s been a leading voice against the Iran nuclear deal. The affiliation also helped the technical findings gain traction in the conservative media. The New York Times first wrote about the report, which helped to rocket Norse and AEI’s work into a national conversation about the threat Iran poses to the U.S. The Daily Beast also reported on the document, noting that its conclusions were broadly in line with statements from Obama administration officials, but that experts were questioning how strongly Norse’s data supported those findings.

Sam Glines, the co-founder and CEO of Norse, told The Daily Beast that the company’s Iran assessment in the earlier bulletin changed as it worked over the data with AEI. “It was continued refinement and continued exploration” of new information from Norse’s technical sources as it came through, he said, noting that until practically the moment the final report was released, Norse and AEI were adjusting their conclusions. “It was a lot of long nights.”

Glines said he wasn’t deterred by the company’s critics. “We 100 percent stand by our intelligence and our data.”

Kurt Stammberger, a senior vice president at Norse, told The Daily Beast that “briefing summaries [such as the bulletin] make hypotheses that sometimes, at the end of the day, aren’t borne out by the data. (This is kind of like a clinical drug trial, you have to posit some causative or curative action in order to prove or disprove it).”

He continued, “If it didn’t end up getting included in the final (larger) report, it’s most likely that we couldn’t corroborate that particular hypothesis in the current datasets. Those hypotheses might, in fact, still be true, and be supported by later data, or further analysis of the data.”

But while the bulletin may have been meant to inform the intelligence community or test ideas, it also has the air of a marketing document meant to hold Norse out as an Iran cyber expert. It advises that further inquiries can be directed to the company’s vice president for sales.

It also uses colloquialisms and evocative terms like “cyber warriors” that current and former U.S. officials said made the work seem sloppy and more of a commercial than a serious work of analysis.

While some of the more frightening claims may not have found their way into the final report, that document is still unnerving in its own right. The joint report says the researchers have found “significant volumes of malicious activity” linked to the Iranian military and “organizations close to the Iranian government,” including some activity that “targets industrial control systems…”

The report concludes, “This activity might be interpreted as an Iranian effort to establish cyber beachheads in US critical infrastructure systems—malware that is dormant for now but would allow Iran to damage or destroy those systems if it chose to do so later.”

Some independent experts have criticized those assertions in the joint AEI-Norse report, and have even accused Norse and AEI of “fear-mongering,” noting that the security company had based its analysis not on evidence that Iran had hacked into actual systems, but on “scans” of dummy locations on the Internet that Norse set up to look like real targets. That’s not an illegitimate form of analysis, but Norse’s critics say that it isn’t definitive enough to say that Iran was certainly trying to target industrial control systems. And it could make Iran seem like more of a threat than it might actually be.

The SANS Institute, a highly respected research and education organization, wrote a public critique of the Norse-AEI report emphasizing its open reliance on those false targets, known as “honeypots.” In response, Norse’s lawyer sent a five-page letter to SANS calling its comments “false and misleading,” adding that they could “give rise to claims for false advertising, trade libel, and tortious interference with prospective economic relations” because they could damage Norse’s business reputation.

A SANS representative told The Daily Beast that it had removed the post from its Web site and is correcting what Norse said were the inaccurate statements.

Even some of Norse’s critics have said their ability to collect huge amounts of technical data is impressive and important. But whatever the company’s expertise may be, it’s apparently not Iran. Kagan, a prominent military analyst who is known as one of the intellectual architects of the United States’ 2007 troop surge strategy in Iraq, said that he was first introduced to executives at the company about a year and a half ago, and that he broached the idea of conducting research on Iran’s cyber capabilities. Norse boasted an impressive technical capacity to gather information from a vast global network of “sensors,” essentially nodes made to look like computers that might be attractive to a hacker. But it was Kagan and AEI that brought the interest in Iran to the table, he said.

The final document is unique, Kagan said, in that it marries the work of technical experts with political and policy analysts from a think tank. But he emphatically denied that it was released in order to influence the U.S. negotiations with Iran. Kagan said the assertion that Iran would spend more money on its cyber warfare programs is “blindingly obvious” since the country has openly discussed its intentions to build a cyber army.

“I don’t think it’s a political document,” Kagan said.

But insofar as it ties potential policy choices to Iran’s cyber operations, and uses technical data to bolster an argument, the report is very much a political document, said Lee, the technical expert who reviewed the original Norse bulletin. He has also publicly criticized the final report for not providing sufficient information to substantiate its claims.

“When you combine a cyber security vendor with a think tank that focuses on politics, that makes it a political document,” Lee said.