The federal agency charged with supporting small U.S. businesses should take “immediate action” to ensure that such firms are adequately protected from cyberthreats emanating from Iran, a bipartisan pair of senators said Wednesday.
“We are concerned that small businesses may not have the information and tools necessary” to implement cybersecurity practices recommended by the Department of Homeland Security in the wake of the U.S. killing of Iran’s top general, Sens. Marco Rubio, R-Fla., and Ben Cardin, D-Md., wrote in a letter to the Small Business Administration.
The advisory from DHS’s Cybersecurity and Infrastructure Security Agency warned of Iran’s history of “disruptive and destructive cyber operations against strategic targets” and advised U.S. organizations to consider whether they make an attractive target for the Iranians. According to the FBI, those potential private-sector targets include cleared defense contractors.
Security experts have also advised organizations not to overreact to potential cyberthreats from Iran. Ned Moran, a researcher at Microsoft who tracks Iran-linked hackers, said that basic security practices will go a long way in guarding against the threat.
“Defenders should focus on the basics of security. Block and tackle and the rest will take care of itself. Don't let hype create confusion”
— Ned Moran (@moranned) January 10, 2020
In that vein, CISA recommended that organizations implement sound security practices like backing up their data, having an incident response plan in place, and “whitelisting,” or approving, trusted applications on their network.
But Rubio and Cardin, the chairman and ranking member of the Senate Committee on Small Business and Entrepreneurship, are worried that resource-strapped companies might not be able to follow through with some of those recommendations.
“As you know, limited resources and technical expertise leaves many small businesses vulnerable to cyberattacks,” wrote Rubio and Cardin.
There is evidence that Tehran has previously used cyberspace to retaliate against American companies for U.S. government actions. In 2012 and 2013, Iranian hackers conducted a series of distributed denial-of-service attacks on U.S. banks’ websites, reportedly in response to U.S. sanctions. Many of those attacks were on big banks that have since invested heavily in fortifying their networks, but smaller businesses have nowhere near the same resources.
The senators told SBA Administrator Jovita Carranza, who was only sworn in earlier this week, that her agency should use “increased outreach efforts, practical guidance, and accessible resources” to help companies secure their systems.
The SBA offers free cybersecurity training courses and other resources for small businesses. The senators asked for a briefing from the SBA for further information on its cybersecurity efforts.
The SBA declined when CyberScoop asked whether the agency plans to dedicate more resources to cybersecurity in light of U.S.-Iran tensions.