[tptacek]

This is all pretty silly, isn't it? For the dollar figures involved in pulling off a highly-sophisticated attack (one that chains multiple zero days, including some in obscure products that imply the commissioning of vulnerabilities and not just their purchase off the black-market shelf as well as some in mainstream products with a real bidding interest), you're still talking about amounts of money so low that Cape Verde could be a _very_ competent cyber-actor if they wanted.

[lovedswain]

Seems we're both triggered by this emphasis on "_very_", or even use of that word at all. Obviously Iran has a variety of technical capabilities, such as evidenced by their national firewall and internal infrastructure, but are there any documented offensive campaigns successfully mounted against a foreign target?

The only attacks I know of are low brow phishing, DoS and web site defacements.

[tptacek]

Again, I think it's very silly to point at any country, and particularly a country as huge as Iran, and suggest that they're somehow limited to "low-brow phishing, DoS, and website defacements". Iran can pull a million dollars out of their couch cushions any time they want. Do you know how much offensive cyber capability 1MM buys? When it comes to the stuff we use on HN as a measure of sophistication, the answer is: a lot.

North Korea can't even feed its own people or keep the lights on in 2/3rds of the country. But nobody suggests they're unsophisticated cyber actors; that would be a demonstrably silly statement. Meanwhile: people routinely travel in and out of Iran; if you're not an American, it remains a major tourist destination. They have trade relationships around the world. They're not a hermit kingdom. If they want a world-class "APT" team, or 15 of them, all they have to do is decide to have them. (I assume they decided that a long time ago).

If you think Iran is unsophisticated or has minimal capabilities, I'd suggest you just look at a map, and, for bonus points, a GDP ranking, and consider that whatever evidence you personally may have collected on Iran's capabilities, you're seeing what they've allowed you to see.

Myself, I wouldn't even pick a fight with Kiribati.

[petra]

So most countries can acquire a world class cybersecurity capabilities.

What's the difference between what they can do, and what the leading countries in cybersecurity (US, Israel) can do(offensively and defensively)?

Is there a significant difference?

[tptacek]

It's a big open question. There likely are things that only the G7+N can accomplish; when you see cryptographic advances in implants and exploits, that's a good sign; hardware implants and deep OEM supply chain attacks are another. But nuts and bolts CNE? It's hard to say, and hard to say how much damage any country could do if motivated.

The other big question is how much this stuff applies to defense. The US presumably has better defensive capabilities than Iran could hope to have, by far. But better enough to matter? Open question.

[ajcp]

Took quite a few decades, if not centuries, for defensive capabilities to gain parity with/negate offensive ones after the introduction of gunpowder. I think the approach to cybersecurity thus far has been to try and protect against the projectile, instead of the instrument from which it's deployed. Buckle up.