Skip to content
Don't miss

Get the daily Cyber Briefing in your inbox

SIGN UP
Podcast

The Cyber Dimension of the Iran Conflict with Cynthia Kaiser & Mark Montgomery

Season 3 Episode 10 •

Show Notes

Cyber is now woven into modern conflict, alongside conventional military force. In this episode, Frank Cilluffo examines how that shift shapes the threat from Iran—especially the risk of cyber retaliation aimed at U.S. critical infrastructure, U.S. businesses, and public confidence.

Rear Admiral (Ret.) Mark Montgomery of the Foundation for Defense of Democracies brings a strategic and military lens to the discussion, explaining how cyber is being built into conflict planning alongside kinetic operations. Cynthia Kaiser, a former FBI cyber leader now with Halcyon, brings an operational view of how Iranian cyber activity can create disruption, spread fear, and produce real effects even without the sophistication of China or Russia.

Main Topics Covered

  • Cyber as an integrated warfighting tool
  • Iran’s cyber posture and likely retaliation paths
  • Critical infrastructure and OT vulnerabilities
  • Disruption, fear, and information effects
  • Gaps in U.S. civilian cyber defense

Key Quotes

“They’re not at the level of capability as Russia and China, but that’s almost irrelevant. They’ve got a drive-by shooting capability.” — Frank Cilluffo

“We’re seeing cyber integrated at the front end of planning. It’s not cyber only or cyber as an afterthought, but it’s cyber as an integrated element.” — Mark Montgomery

“The vast majority of our critical infrastructure doesn’t have a shield.”— Mark Montgomery

“[Iran is] really one of the world’s most malicious and capable cyber actors. They’re not necessarily as good as China or Russia, but they don’t need to be to have an effect.” — Cynthia Kaiser

“The point’s the fear. The point’s the chaos. And the point is the internal messaging for their own people—to say we did something in retaliation.” — Cynthia Kaiser

Relevant Links and Resources

Guest Bio

Mark Montgomery is a senior fellow at the Foundation for Defense of Democracies and former executive director of the Cyberspace Solarium Commission. He brings deep experience in cyber strategy, defense policy, and national security planning.

Cynthia Kaiser is a senior cyber executive at Halcyon and a former FBI leader with extensive experience in cyber investigations and ransomware response. She brings an operational perspective on Iranian cyber activity, disruption campaigns, and cyber risk to critical infrastructure.

Transcript

1
00:00:00,000 –> 00:00:01,000
Frank Cilluffo [00:00:00]: They’re not at the level of capability as Russia and China, but that’s almost irrelevant. They’ve got a drive-by shooting capability. Anyone with a modern military has a cyber capability. Whether they can integrate it into their broader strategy and warfighting is a different set of questions.

2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo [00:00:16]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Cilluffo, and this week we have two guests, both of whom are probably front and center on anything and everything dealing with the biggest issue facing the country right now, and that’s Iran. And privileged to have Mark Montgomery, who is a senior fellow and also leader at the Foundation for Defense of Democracies and former staff director of the U.S. Solarium Commission, and also Cynthia Kaiser, who led a number of major efforts for FBI and is now leading significant ransomware work for Halcyon.

3
00:00:02,000 –> 00:00:03,000
Frank Cilluffo [00:00:55]: Two of the best experts we can have and two that I think can help paint an important picture that all of us are looking at right now. Mark, why don’t I start with you? And I think start with what we’re seeing play out in Tehran itself, the broader military strategy. And I would love to be able to get a little point in there. You’ve heard Chairman of Joint Staff Dan Caine talk about cyber being a first mover and US Cyber Command playing a significant role in our efforts.

4
00:00:03,000 –> 00:00:04,000
Mark Montgomery [00:01:24]: Yeah, thanks. Thanks for having me. Great to be here, Cynthia. So I’ll put my retired admiral hat on, retired, you know, former carrier strike group commander and say that, and former planner and say this is a very well-executed plan. Admiral Cooper and his team at Central Command, along with their Israeli partners, as we called them in the National Security Strategy, a model ally. Israel and the United States are conducting a significant air, maritime, and ground campaign that is servicing 900 targets a day. I think it’s a 4-week campaign. I think if you were to ask me what’s the biggest risk to this campaign, it’s premature termination by the commander-in-chief.

5
00:00:04,000 –> 00:00:05,000
Mark Montgomery [00:01:59]: So 100%, I hope the president, he sounds like he’s on mission right now and on target. He’s got to stay that way for 4 weeks. In 4 weeks, we will remove the IRGC command structure and their facilities. That’s target set 1. We’ll suppress enemy air defense, already completed, target set 2. We’ll get at their nuclear program and continue to set it back and recover the equipment and the fissile materials, 3. Target set 4 is the missiles, the actual missiles, their facilities, and their production. So that’s, there’s 3, 5, 7 years before they can come back.

6
00:00:05,000 –> 00:00:06,000
Mark Montgomery [00:02:33]: Drones, the same thing, the equipment, the facilities, and the production. And finally, their maritime capability, not just the Navy, which we have done pretty well getting rid of, but their mining and their anti-ship cruise missile capability. We’re really attacking those, but it started on the first night. And like you said, it started with a highly integrated well-planned and executed strike. This is for the second time in a row now, Venezuela as well, now Iran, we’re seeing cyber integrated at the front end of planning. It’s not cyber only or cyber as an afterthought, but it’s cyber as an integrated element. And cyber, when I say cyber here, I mean both cyber espionage conducted by our Title 50 forces, but then cyber attack and disruption practiced by our Title 10 forces and General Caine has made this a priority inside the Joint Staff setting up a specific cyber and non-kinetic cell to deal with these sorts of issues and make sure that they’re integrated, but I promise you Admiral Cooper’s planners had this in from the beginning as well and I think that there’s lots of apocryphal or anecdotal stories now about, you know, cell towers not working so that they couldn’t get a phone call into the meeting that the supreme leader was at, tapping of traffic cameras so that to get a feel of who’s coming to meetings, who’s going from meetings, to get the drumbeat of life for future targeting. We’ve always known the espionage aspect.

7
00:00:06,000 –> 00:00:07,000
Mark Montgomery [00:04:01]: It’s the disrupt and destroy aspect that we’re starting to see better integrated. This is the natural culmination of 20, you know, 17 years of hard work since General Alexander stood up US Cyber Command back in 2011, 2012. So a lot of credit to all the teams that have been there. And I would tell you this is being done despite the fact that the force generation system for Cyber Command still needs work.

8
00:00:07,000 –> 00:00:08,000
Frank Cilluffo [00:04:25]: Well said. And at the end of the day, it’s integrating cyber effects into warfighting strategy and doctrine, right? Which is a little different. It’s not cyber as the end state in itself. It’s where cyber can be integrated into, into both kinetic and non-kinetic approaches, correct?

9
00:00:08,000 –> 00:00:09,000
Mark Montgomery [00:04:44]: That’s right, and I think more and more what we’ll see is sometimes you do that and then you still have the kinetic backup. You know, we’re going to get to the day where there’s a trust factor developed where it’s cyber alone is doing this one effect to enable two other kinetic effects over here. I still think certainly in Venezuela, in the battle damage assessment I saw, it’s clear that we were looking for effects in two different manners, both cyber and non-cyber on the same, some of the same target sets. And I suspect there’s some of that here where it was appropriate. I would tell you, if you’re trying to jam a cell tower system in a way that makes it look like you’re not doing an attack, it can’t be followed up by a kinetic. That’s got to be cyber alone. So there’s a cyber alone, and that’s what we need to see. That’s, that’s when we know we’re culminating as a force employment tool.

10
00:00:09,000 –> 00:00:10,000
Mark Montgomery [00:05:35]: And so all credit to Alexander, to Rogers, to Nakasone, to Tim Hawk, to Hartman.

11
00:00:10,000 –> 00:00:11,000
Frank Cilluffo [00:05:43]: Seeing it all come to-

12
00:00:11,000 –> 00:00:12,000
Mark Montgomery [00:05:44]: All of them come to fruition.

13
00:00:12,000 –> 00:00:13,000
Frank Cilluffo [00:05:44]: Come into play here. And I think Absolute Resolve was another good example where we’re seeing, and it’s also good to see we’re talking about this publicly. In part, you can’t have a deterrent if no one knows you got the doomsday weapon, right? And I’m not suggesting this is a doomsday weapon, but I think the fact that we can talk about this publicly serves as a deterrent to dissuade, deter, and ultimately compel bad behavior.

14
00:00:13,000 –> 00:00:14,000
Mark Montgomery [00:06:12]: General Caine does not appear constrained by the normal business rules.

15
00:00:14,000 –> 00:00:15,000
Frank Cilluffo [00:06:16]: Yeah, well said. And bottom line is more to be told in the days ahead. Cynthia, with all of that activity, where does Iran necessarily have the greatest punch? And clearly cyber is one of those. And before we get into what we’re seeing right now. You’ve looked at this actor historically from, from the FBI and elsewhere. How should we be thinking about the Iranian cyber threat?

16
00:00:15,000 –> 00:00:16,000
Cynthia Kaiser [00:06:45]: So with Iran, they’re really one of the world’s most malicious and capable cyber actors. They’re not necessarily as good as China or Russia, but they don’t need to be to have an effect. And that still makes them like quite a formidable adversary within cyberspace, though it might mean that they don’t have the kind of scale of operations that we would see from someone more sophisticated. So, like, if you take a look at all that, you’ve seen them consistently use destructive cyberattacks to respond to even perceived slights up through attacks. One of the first destructive cyberattacks ever to happen in the US was against the Sands Casino over a decade ago, and Iran had conducted a wiping attack. That means they deleted all the data on the network. And they did it because—

17
00:00:16,000 –> 00:00:17,000
Frank Cilluffo [00:07:35]: Which matters at a casino.

18
00:00:17,000 –> 00:00:18,000
Cynthia Kaiser [00:07:36]: Oh, it matters just anywhere, right? Imagine all your data deleted. But like, they did it because they didn’t like what the casino owner said. And so they were willing to do that kind of destructive attack just because they didn’t like what somebody said. Fast forward to 2022, where they were upset that Albania was hosting an Iranian dissident group. And they decided to turn espionage access at that point. So they’d had espionage access for 14 months into Albanian government networks, the kind of normal espionage you see, stealing emails, etc. They turn that over to a different group inside Iran, and they start doing destructive attacks. They hide behind a fictitious cybercriminal actor, and they use cybercriminal tactics.

19
00:00:18,000 –> 00:00:19,000
Cynthia Kaiser [00:08:19]: They made it look like a ransomware attack. It wasn’t. They did the wiping that I was talking about before, like deleting all the data, just being very destructive. And they took down government services in Albania for quite a large amount of time, just because they didn’t like that a dissident group was being active within the country. And so when you’re looking at an attack scenario like now, I think we’re all going through the, all, our full timeline of what we’ve known Iran has been capable of, where they’ve been able to gain access. And, you know, the truth is they can gain access to a lot of unpatched of operational technology. So think water, think manufacturing.

20
00:00:19,000 –> 00:00:20,000
Cynthia Kaiser [00:09:02]: They also have targeted hospitals before, including through a ransomware attack at Boston Children’s Hospital several years ago. And so they’ve demonstrated this willingness to go after targets that we would see as really quite escalatory. I think they view cyber operations as less escalatory than doing physical attacks. But, you know, a couple of thoughts there is you look at the history of it all. They have the capability to do something. That’s something they’re going to go lie about. They’re going to go out in public and say they did more because the point’s the fear, the point’s the chaos, and the point is the internal messaging for their own people to say we did something in retaliation.

21
00:00:20,000 –> 00:00:21,000
Frank Cilluffo [00:09:42]: So it’s a really good point and that often gets lost. And please disagree with my thinking on some of this. When I think of The Iranian threat, I’m with you. They’re not at the level of capability as Russia and China, but that’s almost irrelevant. They’ve got a drive-by shooting capability. Anyone with a modern military has a cyber capability. Whether they can integrate it into their broader strategy and warfighting is a different set of questions. They have been very active in the region.

22
00:00:21,000 –> 00:00:22,000
Frank Cilluffo [00:10:10]: Israel, UAE, Saudi, they’ve all witnessed, been on the back end of significant attacks by Iran. And I like to say what they lack in capability, they more than make up for with intent. They’ve, and they’ve had very little constraint in terms of turning to cyber weapons. But when I think of the threat, you’ve got sort of the IRGC. You’ve got the more state-sponsored, but you also have proxies. And when you start looking at Lebanese Hezbollah and some of the other sorts of entities, they are at a higher scale than I think the average organization would be. And then you’ve got sympathizers and hacktivists who there’s very little connection to Tehran, but they’re acting on behalf of or thinking they’re acting on behalf of. Is that fair? Am I missing something there?

23
00:00:22,000 –> 00:00:23,000
Cynthia Kaiser [00:11:02]: I think that’s really fair. What you see from Iranian cyber operations, they often come out of a murky blend of state-sponsored operations, personal profiteering, and then cyber criminal groups, which I’d include hacktivists like within there. So it’s not one or the other. They’re using this blend and they know it’s a wink nod, right? Like strategic ambiguity, okay, everyone knows probably that it’s Iran. If there is a big attack against operational technology in the US in the next few weeks, who are we going to think it is? But when they start hiding behind these either fictitious groups or using these proxies, it buys them some time. They know that you can’t necessarily turn on a dime in the US government and say, yes, it’s Iran. But they also might be miscalculating because I think the long attribution process we went through a few years ago, it’s going to be a lot quicker.

24
00:00:23,000 –> 00:00:24,000
Frank Cilluffo [00:11:52]: And plausible deniability is not as easy as it once was.

25
00:00:24,000 –> 00:00:25,000
Cynthia Kaiser [00:11:55]: Absolutely. Absolutely. And I think that you’re getting a little more into this walks like a duck, talks like a duck, like we’re going to call it a duck analysis and allow ourselves the policy response for it.

26
00:00:25,000 –> 00:00:26,000
Frank Cilluffo [00:12:04]: And for both of you, I mean, when you start thinking, so I like to say that what they’ve, we’ve seen overseas could be coming to a theater near you. It’s a movie that we can be seeing. These are previews. Historically, I think they’ve been pretty discriminate in terms of targeting energy, oil, gas. I think of Saudi Aramco. I think even here in the United States, water facilities in Israel, same thing. But I think that now it’s changing from any target of convenience becomes a target of opportunity. What does that mean for U.S. critical infrastructure owner-operators here, both with operations overseas, which I think raises the, the risk, but also domestically? Cynthia, first you and then Mark, I’d love to get your thoughts on that.

27
00:00:26,000 –> 00:00:27,000
Cynthia Kaiser [00:12:53]: It’s well documented the types of vulnerabilities that Iran is going after. And so I think you only have to look at the advisories that have come out from the US government in the last few months to see what do I need to patch. That what people don’t understand is that’s not as simple in operational technology. Sometimes you patch one piece of equipment and there’s a ripple effect across the entire system and it goes down, right? There’s so much legacy systems and technology going on across some of these.

28
00:00:27,000 –> 00:00:28,000
Frank Cilluffo [00:13:23]: So OT is top of your list?

29
00:00:28,000 –> 00:00:29,000
Cynthia Kaiser [00:13:24]: Yeah, OT really is top of my list. And this is once again that mix of doing an operation, but then lying and saying they did more. So take CyberAvengers attacks against water infrastructure that was both in Israel and the US just a few years ago. What they did is they got on, they defaced one machine at these facilities, that’s not going to stop operations at a water treatment facility, but they can lie and say it did. And it feels like it, right?

30
00:00:29,000 –> 00:00:30,000
Frank Cilluffo [00:13:49]: And they project.

31
00:00:30,000 –> 00:00:31,000
Cynthia Kaiser [00:13:51]: Right. Exactly. And so that’s really top of mind is what can they get into now. What do they already have access? Because they’ve demonstrated they don’t go out and create a whole new operation to do in 2 weeks. They’ll be patient if they want to, and they’re around enough in a few months to a year to be able to reply to this, to respond. They’ll wait. They’ll wait for their big operation later. But right now it’s about taking whatever access they have and pivoting that to be more destructive. But what we’d like, are likely going to see, it’s that what I just talked about, defacements, things like that. Very small organizations.

32
00:00:31,000 –> 00:00:32,000
Frank Cilluffo [00:14:26]: Graffiti in cyberspace.

33
00:00:32,000 –> 00:00:33,000
Cynthia Kaiser [00:14:27]: Yeah, graffiti in cyberspace. Or I would say a lot of denial of service. And that’s what we’re seeing across the region.

34
00:00:33,000 –> 00:00:34,000
Frank Cilluffo [00:14:33]: Mark.

35
00:00:34,000 –> 00:00:35,000
Mark Montgomery [00:14:35]: I agree.

36
00:00:35,000 –> 00:00:36,000
Frank Cilluffo [00:14:35]: And I want to get to who’s surfing in their wake in a second.

37
00:00:36,000 –> 00:00:37,000
Mark Montgomery [00:14:37]: And I think, I think Iran is, look, if Iran had real skills, they would have used them against Israel after October 7th for those 2 years when their surrogates were getting hammered hard by the Israelis.

38
00:00:37,000 –> 00:00:38,000
Frank Cilluffo [00:14:49]: And they think a lot of their leadership was probably taken out that had that capability. Right?

39
00:00:38,000 –> 00:00:39,000
Mark Montgomery [00:14:53]: And yeah, and they just were not able to do it. So I do think they still put a lot of effort into harassing their expatriates, particularly activists against them overseas. But I really don’t think they have it. But I do want to say something about us. Like when I hear like Shields Up or whatever the current advisory says, I have to say to myself, well, the vast majority of our critical infrastructure doesn’t have a shield. So, you know, if you’re reading this advisory and you think you need to take defensive actions, you’re probably in trouble because if you already had the defensive capability and capacity, you had the right team telling you to take action ahead of that advisory and you’re in trouble. It’s a reminder to us that, what I like about this is it’s a reminder to us that there are more compelling and concerning adversaries right around the corner, China and Russia. And we should be taking defensive measures based on them right now that would probably exceed the defensive measures for the Iranian threat we face today because it’s a lower threat.

40
00:00:39,000 –> 00:00:40,000
Mark Montgomery [00:15:55]: Having said that, that doesn’t mean they can’t pull something off. I just, I’m more of the belief at this point that it will be hacktivism vice true critical infrastructure disruptions that impact US warfighting or economic prosperity.

41
00:00:40,000 –> 00:00:41,000
Frank Cilluffo [00:16:11]: Would you agree with that statement?

42
00:00:41,000 –> 00:00:42,000
Cynthia Kaiser [00:16:12]: I think so, but I do think there’s some things organizations can do right now, and it’s a lot more in the dust off the incident response plan, make sure you’ve looked at it, make sure you’ve integrated the right people. And the one thing I’ve really been telling everyone is look, bring in your PR and marketing teams for this. Like, if you’re looking at a scenario where it’s not as bad, right, but they’re just going to go out and lie and say it’s worse, you should really be integrating and making sure you’re thinking about what your public messaging is going to be if you come under attack.

43
00:00:42,000 –> 00:00:43,000
Mark Montgomery [00:16:43]: No, I agree that I, I would just, I would say that it, I would never let a, you know, as Rama Mauji say, never let a crisis go to waste. So if, if we can use this to get people to do appropriate patching, appropriate incident response review, exercise and practicing. And if somehow an IT administrator can convince his team to do something they wouldn’t have done before, I’m all for it. I just recognize that cyber defense is not a game day issue.

44
00:00:43,000 –> 00:00:44,000
Frank Cilluffo [00:17:11]: Yeah, you don’t just push the button.

45
00:00:44,000 –> 00:00:45,000
Mark Montgomery [00:17:13]: Despite what, you know, Allen Iverson used to say, it is about practice. And you got to practice, practice, practice. And then you don’t get your butt kicked.

46
00:00:45,000 –> 00:00:46,000
Frank Cilluffo [00:17:21]: But the one thing I would say, please go ahead.

47
00:00:46,000 –> 00:00:47,000
Cynthia Kaiser [00:17:23]: No, yeah, I just want to know-

48
00:00:47,000 –> 00:00:48,000
Frank Cilluffo [00:17:24]: OT is different.

49
00:00:48,000 –> 00:00:49,000
Cynthia Kaiser [00:17:25]: Well, OT is different. But I think right now what I’m heartened by is, which is such a weird thing to say for what I’m about to say, but is that just like cyber operations are being integrated as a part of our own offensive operations, it’s not a surprise to most people that I’ve talked to in the last week that there’s probably going to be something cyber going on on the side of this conflict. I don’t think that’s where the public was 5 years ago. So I do think there’s a little bit more awareness that that’s what I’m seeing within this, which means business risk calculus is changing. That’s long-term. It’s not next week, but hopefully really understanding something can change in a minute and that changes your whole risk posture and like, how are you positioned to defend?

50
00:00:49,000 –> 00:00:50,000
Frank Cilluffo [00:18:12]: And Cynthia, you’ve spoken about others that are surfing in their wake. Do you want to, and that’s my terminology, not yours, but if you want to expound on that a little bit.

51
00:00:50,000 –> 00:00:51,000
Cynthia Kaiser [00:18:23]: Absolutely. So our team at Halcyon has been monitoring the situation in the Middle East in particular where that targeting is. And it’s been a lot of this denial of service. You can’t get onto a website or hacktivists. What we’ve really seen in the last 24 hours is more Russian hacktivist groups. And I say that very loosely because I hate that term. They were created by the GRU. Like, we should be thinking these as Russian state-sponsored sabotage operations.

52
00:00:51,000 –> 00:00:52,000
Cynthia Kaiser [00:18:54]: And they’ve gotten more active in both Israel as well as some European countries in the last 24 hours. So, and then that’s concerning where maybe they’re taking advantage of the moment. We can do more, we can position more. You know, they might be testing the waters, like, what are we going to be able to get away with? What are people going to take notice of? But it’s something we’re going to have to grapple with. I don’t think I’ve fully centered myself on what that means other than that’s significant. And I’m not sure I would have anticipated that this soon.

53
00:00:52,000 –> 00:00:53,000
Frank Cilluffo [00:19:24]: Not to mention just traditionally the fog of war in the midst of crisis. Eyeballs are focused in one area. Others will seize opportunities, won’t they?

54
00:00:53,000 –> 00:00:54,000
Cynthia Kaiser [00:19:35]: They will. They will seize those opportunities. And I, you know, there’s one aspect we haven’t talked about that I think is also a risk that businesses weren’t thinking about going into last weekend, which is how some of the kinetic attacks against data centers in the region actually did affect U.S. business operations, global business operations. You know, it delays our-

55
00:00:54,000 –> 00:00:55,000
Frank Cilluffo [00:19:58]: First time that we’ve known, at least I know of publicly, that data centers have been targeted.

56
00:00:55,000 –> 00:00:56,000
Cynthia Kaiser [00:20:05]: Absolutely. Absolutely. And that’s a, that’s a big deal for operations. It delays, it stops operations going on in the region and you have to pivot, you have to change. Other areas of the world get stressed because of it. We need to take note and think more about that, like, as this is really a change.

57
00:00:56,000 –> 00:00:57,000
Frank Cilluffo [00:20:22]: That’s a great point. I actually just highlighted that in one of my director’s notes on that. Mark, your thoughts on Russian hacktivists, because I mean, you’ve done some phenomenal work in Ukraine as well. Are you seeing some of that?

58
00:00:57,000 –> 00:00:58,000
Mark Montgomery [00:20:34]: Yeah. So first, good reminder, we’re fighting, there are 4 aggressors in the axis of aggressors or authoritarians, how you look at it: China, Russia, North Korea, and Iran. All of them, by the way, probably the 4 horsemen of the cyber apocalypse.

59
00:00:58,000 –> 00:00:59,000
Frank Cilluffo [00:20:51]: Well said. Yeah.

60
00:00:59,000 –> 00:01:00,000
Mark Montgomery [00:20:53]: But they have different skill sets. We acknowledge China and Russia particularly in this. But I think Russia and Iran do share a shared, Russia and Iran are the two that mix the state-sponsored, clearly state-sponsored intelligence and military organizations with either moonlighting slant, fully funded criminal activity. Certainly, at a minimum, they are abetted by Putin and his state. At a maximum, they’re guided. And so I think at this point, we’re talking about, look, I think it’s a mix. The United States is attacking a country that they sort of like, Iran. So the hacktivists might just naturally come.

61
00:01:00,000 –> 00:01:01,000
Mark Montgomery [00:21:37]: But if they weren’t moving fast enough, there’s a hand in their backside saying, yeah, that’s the target set. Go down there. And one thing I do want us to think about is Iran hasn’t had a lot of really successful attacks. But one, cyber one, was the Aramco attack on an OT system. And so, I think that’s not out of the realm. And the reason I say that is they’re probably not going to be allowed to, I think China’s calling them right now saying, hey boys, you’re not mining the Straits of Hormuz. That’s all our, our oil is 40% of the oil and LNG on the other side of the straits.

62
00:01:01,000 –> 00:01:02,000
Mark Montgomery [00:22:14]: But, so now they’re looking for ways, how can they harm the Arab states while not pissing off China? One of the ways, and they can’t do a physical attack against Saudi Aramco, because I’m pretty sure the next thing they’d see is a weapon hitting Kharg Island, which would really put them in extremis and again, piss off the Chinese. So, one of the things they might do is cyberattacks on the, if their drones fail to get through, and their missiles fail to get through against the, and they’re attempting that right now. And they’ve had marginal success. They’ve hit things, but not hit things.

63
00:01:02,000 –> 00:01:03,000
Frank Cilluffo [00:22:51]: But the data centers was a pretty significant—

64
00:01:03,000 –> 00:01:04,000
Mark Montgomery [00:22:55]: Data centers, but I’m talking here about the oil and natural gas production. Then they’re going to, from my perspective, they’ll then, they’ll try cyber. Now, I will say the Saudis have invested. Saudi Aramco uniquely has invested. Both in physical security and cybersecurity, because they’ve been hit both by, Iran has hit them both physically and cyber-wise over the last decade. So that’s something to keep an eye on, not just Saudi Aramco, but all of the LNG and oil production and distribution facilities throughout the Middle East for cyberattacks there. And clearly, they do have some of the tools because they used them in the past. Now, that very specific attack they used in, against Saudi Aramco has been corrected by the OT company involved. So I think we’re in better shape.

65
00:01:04,000 –> 00:01:05,000
Frank Cilluffo [00:23:42]: But the broader theory being sort of cyber-enabled economic warfare, right? Where it not just has potential kinetic outcomes, but—

66
00:01:05,000 –> 00:01:06,000
Mark Montgomery [00:23:50]: Dr. [Samantha] Ravich would appreciate you—

67
00:01:06,000 –> 00:01:07,000
Frank Cilluffo [00:23:52]: Yes, I wrote a paper for her on that, on Iran, actually.

68
00:01:07,000 –> 00:01:08,000
Mark Montgomery [00:23:57]: You know, frankly, this shouldn’t surprise us. It’s what China practiced against Taiwan. Russia now calls it new generation warfare, but it’s basically cyber-enabled economic warfare. With a Russian panache of we’ll do some actual terrorist sabotage on the side. And then, and I don’t think North Korea practices it per se, but I think, in the same way, but Iran is working on it. So, just something to keep an eye on there. They are limited in exactly how they shut down the Straits right now by their linkage to China. So, cyberattacks might be a reasonable expectation.

69
00:01:08,000 –> 00:01:09,000
Cynthia Kaiser [00:24:36]: Well, and you’re seeing that across the region with the hacktivist groups. They are targeting the oil, natural gas, the critical infrastructure targets.

70
00:01:09,000 –> 00:01:10,000
Frank Cilluffo [00:24:44]: And always have.

71
00:01:10,000 –> 00:01:11,000
Cynthia Kaiser [00:24:45]: Right. And yes, they’re claiming that, especially the ones that are larger. And I think I don’t want to, I want to foot stomp a point you made in talking about some of these groups are created by the states. Some of them are just like tolerated. Really, what a state has to do is create one really good hacktivist group and then you have wannabes who start following in their wake, right? But you need the one leader out there doing that. And you’re seeing that in this conflict. You have one large hacktivist group that’s connected somehow with Iran, and it was created right after the Gaza conflict began. And that’s the one doing a lot of this.

72
00:01:11,000 –> 00:01:12,000
Cynthia Kaiser [00:25:24]: And then the other things are a little more, a little more minor.

73
00:01:12,000 –> 00:01:13,000
Frank Cilluffo [00:25:26]: And it’s hard. I mean, it’s just like in the physical world with, with, uh, the homegrown threat. It’s individuals radicalized. I don’t love the term lone wolf because I think wolves hunt in packs, but at the end of the day, that is, uh, really hard to get on a radar screen. Sorry, Mark. Go ahead.

74
00:01:13,000 –> 00:01:14,000
Mark Montgomery [00:25:42]: No, no, it’s perfect. But you remind me that actually, having watched Ukraine over the last 3 years, they have evolved through the IT army, uh, the Ukraine IT army, into now realizing they needed a formal cyber force. And this isn’t an argument about cyber force because in their country—

75
00:01:14,000 –> 00:01:15,000
Frank Cilluffo [00:25:59]: We’ve had that conversation.

76
00:01:15,000 –> 00:01:16,000
Mark Montgomery [00:26:00]: It could be only one, you know, they could be only one unit for this, but they are effectively trying to create a Unit 8200 type force because they need to maintain, they realize one of the hard things here is you want to maintain escalation management, you want to maintain control, integration with forces. So as long as Iran’s doing what they’re doing, they’re going to be unintegrated. It’ll be spasmodic and ad hoc. However, it’ll also introduce escalation management issues. I mean, one of the things that happened after, we haven’t talked about it much, but after the 12-day war, we now know, it’s now been revealed by our intelligence community that the IRGC pushed down orders that said, hey, operate independently. Should we be under attack, I don’t think they imagined the Supreme Leader and 5 of his closest associates, you know, taking a bullet. But if should we be attacked, you are to operate independently. The problem with that, of course, when you push down to cyber people is, you know, they are, you don’t know exactly what they’re going to do.

77
00:01:16,000 –> 00:01:17,000
Mark Montgomery [00:27:01]: The other elements of the Iranian command structure don’t actually understand cyber. So they’re going to have escalation management issues because they have to be, again, they may appear to be on the ropes, but they do have to answer to people. They have to answer to China. To a smaller degree, they have to answer to Russia, because these are the countries that are going to help them rebuild. Right now, I’ll tell you, China is nervous. A significant amount of Chinese economic productivity is trapped inside the Gulf right now, and they’re trying to figure out how to get it out.

78
00:01:17,000 –> 00:01:18,000
Frank Cilluffo [00:27:30]: Cynthia, anything you want to respond on that? Because in addition to the actors themselves, everyone is watching everything play out and getting a sense of either resolve or what capabilities or what they can get away with.

79
00:01:18,000 –> 00:01:19,000
Cynthia Kaiser [00:27:46]: And it’s interesting to see some of the groups do these calls to action. And I’m not sure those groups had more than 5 people, but they’re starting to, you know, we’re thinking about them in the news because we don’t know in cyberspace what could end up blowing up into these larger threats. A good example of that is at the beginning of the weekend, we had this new group, ransomware group called Sakari. They’re going to say, we’re going to encrypt everything. And by encrypt, they mean destroy because they used AI to make the ransomware and it doesn’t work. So you can’t actually decrypt it. So, uh, right?

80
00:01:19,000 –> 00:01:20,000
Cynthia Kaiser [00:28:20]: Uh, but they went out there, everyone do everything. And like 3 days later, they’re like, oh, we’re really overwhelmed. Uh, we’re going to turn this over to this other group, uh, BQT Locker. And you’re like, well, that’s bold claims coming from a group that’s posted 5 victim names since January. So you know, that probably not as big of a threat as the noise they were making. Hard to parse out a little.

81
00:01:20,000 –> 00:01:21,000
Frank Cilluffo [00:28:46]: And signal to noise is a challenge, especially in cyberspace. Are we ready here domestically? FBI, CISA, what are, what are your thoughts on that? I’ll start with you Mark.

82
00:01:21,000 –> 00:01:22,000
Mark Montgomery [00:28:59]: I’ll start with CISA, and you can do FBI. So CISA, you know, when we were working the Solarium Commission, you and I, I think our force structure assessment was that CISA should probably be about 4,500. I think the Biden administration got it up to 3,300, for which I routinely complained. The Trump administration came in, cut it to 2,200. I think they transferred 500 or 600 to nonstandard roles within DHS, down to 1,700, and now in a shutdown, they’re at 800. So are you asking me if the nation’s civil cyber defense agency manned at 20% of the assessed force structure, needed force structure, leaves us ready? I would say emphatically no. Now, does that mean US industry is not ready for Iran? I’m not going to say that because Iran is probably one of our less sophisticated threats. Doesn’t mean they can’t damage things, but less sophisticated.

83
00:01:22,000 –> 00:01:23,000
Mark Montgomery [00:29:50]: So do I wish we were at 3,300 or 4,500? Yes. Do I think we’d be in better shape? Undoubtedly. Every time I heard a senior CISA leader tell me we’re in fantastic shape is we’ve shed missions we didn’t need and did that, you know, they shed a 50-person mission and cut 1,100 people. So, no, we are, the government is not ready, and it’s willful and they need to fix it. I think if we could get Sean Planky in there, we’d get this fixed. I think Sean Cairncross knows it needs to be fixed, but that’s different than actually hiring the people they need to get hot on it. The good news is the Congress has given them all the money they need. The Congress gave them 91%, 92% of the previous year’s budget, more than enough for all the contracts to be restored and all the personnel to be rehired. So they can fix this. Maybe this war will be an impetus. I just hope there’s not an event associated, a cyber event associated with this war that demonstrates their feebleness and causes us to do it. But instead they do it out of good judgment.

84
00:01:23,000 –> 00:01:24,000
Frank Cilluffo [00:30:49]: Cynthia.

85
00:01:24,000 –> 00:01:25,000
Cynthia Kaiser [00:30:50]: So I’m going to disagree a bit, but I think you’re going to agree with me in the end, which is the CISA, FBI, U.S. government as a whole is really good at marshaling everyone together to try to handle a crisis. So right now they’re pulling people off other things, right? And having them handle—

86
00:01:25,000 –> 00:01:26,000
Frank Cilluffo [00:31:08]: And I just have to add CCC [Cybersecurity Collaboration Center], NSA, and others.

87
00:01:26,000 –> 00:01:27,000
Cynthia Kaiser [00:31:11]: Yes, exactly.

88
00:01:27,000 –> 00:01:28,000
Frank Cilluffo [00:31:12]: That’s the triad.

89
00:01:28,000 –> 00:01:29,000
Cynthia Kaiser [00:31:13]: Exactly. And but like my biggest concern whenever we were going through these scenarios when I was in the FBI is what are we missing now that we pulled off this person, this person, this person from something else? Because you’re normally only 1 or 2 deep on the threats when you’re looking at that. And so I worry more so about how, and this is to say, like, FBI has not reduced the amount of cyber people in near the same way as we’ve seen at CISA. So I think they’re positioned probably in the same way they would have been for other crises. But I’ve lived through those other crises. They don’t have enough people. They should have more people to be able to do multiple things at once.

90
00:01:29,000 –> 00:01:30,000
Frank Cilluffo [00:31:55]: So we’re ready for game day, but we need to be ready every day. Is that fair?

91
00:01:30,000 –> 00:01:31,000
Mark Montgomery [00:31:59]: And let me, let me, as we wrap this, let me bring it back to my experience as an admiral in the Navy. I’d never had in 35 years had a subordinate come up and say, sir, the key to success for me is to reduce my manpower to 80, you know, down to 20% of what I need and see if I can succeed. And I think that’s what we’ve done. So I recognize, I acknowledge that the government workers are great Americans who will do their best and they will pull together in the interagency, but when the civilian cyber defense agency starts at that low a percent, it’s unhealthy. Now part of this is on Congress and the shutdown. I get that. That’s 20% more. They’d be up to 40% if they got that back.

92
00:01:31,000 –> 00:01:32,000
Mark Montgomery [00:32:37]: Hopefully this experience, what’s going on right now, will force the Congress to get together and get the DHS budget, the Department of Homeland Security budget appropriated, and we can get back up to 40%, and then we can work on them about how we get to 60%, 80%, 100% over the next 3 years, because I do believe Sean Cairncross believes that we need a strong civilian cyber defense agency.

93
00:01:32,000 –> 00:01:33,000
Frank Cilluffo [00:33:04]: And net-net, and I’ve been a broken record on this, I’ve always said we’re never going to firewall our way out of this problem. I am excited to see recognition on the proactive and offensive approach. And resources are coming extensively there. But that alone is insufficient. It’s gonna take a solid mix of offense, defense, and I think that that comes out in the new national strategy. Final words, any last words, Cynthia, Mark?

94
00:01:33,000 –> 00:01:34,000
Cynthia Kaiser [00:33:36]: I really wanna emphasize again the idea that any cyber attacks, cyber operations against the United States, whatever you see in the press, or in social media coming out that’s not from an authoritative source is probably wrong. It’s probably exaggerated. And part of our defense is this defense of our minds and making sure that we’re really not panicking and we’re not feeding into what the Iranian regime wants to accomplish through these hybrid cyber PR operations.

95
00:01:34,000 –> 00:01:35,000
Frank Cilluffo [00:34:10]: Well said. Mark, final word.

96
00:01:35,000 –> 00:01:36,000
Mark Montgomery [00:34:12]: My last thing would be on the offensive side and just say again, congratulations to Cyber Command for positioning, getting themselves in a position to be the appropriate force employers over the last 15 years, and to General Caine and his team and Admiral Cooper and their team for properly integrating cyber into the beginning stages of this combat.

97
00:01:36,000 –> 00:01:37,000
Frank Cilluffo [00:34:28]: Cynthia, Mark, thank you. Incredibly informative, could have gone an hour longer, and thank you for joining us today, and thank you for being Senior Fellows, and thank you for your service for so many years. Appreciate it.

98
00:01:37,000 –> 00:01:38,000
Mark Montgomery [00:34:42]: Go Tigers.

99
00:01:38,000 –> 00:01:39,000
Cynthia Kaiser [00:34:42]: Thank you.

100
00:01:39,000 –> 00:01:40,000
Frank Cilluffo [00:34:44]: Thank you. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.

Related Content