UPDATE: This story and headline was updated Jan. 18 to include a clarification from Chris Krebs on Twitter.
The top cybersecurity official at the Department of Homeland Security said that if Iranian cyber actors were to attack the United States in retaliation for a drone strike that killed an Iranian general Jan. 2, it would have already happened.
He later clarified that he was discussing an immediate attack, which would depend on if Iran had pre-existing access to U.S. networks.
In an interview with the National Security Law podcast released Jan. 16, Bobby Chesney, associate dean for academic affairs at the University of Texas law school, asked Chris Krebs, the director of the Cybersecurity and Infrastructure Security Agency, how concerned people should be about a cyber response and if anything was different with this cyber threat.
“The truth here is that if the Iranians were going to do something, they would probably — it was already too late," Krebs said in response. “If they were going to do something cyber — cybery — they would probably already be in a position and take the shot. We saw that they really didn’t."
Because of the abrupt timing of the strike, the Iranians “didn’t have time to strategically position against energy or natural gas," Krebs said.
Krebs later clarified his remarks on Twitter.
“Let me jump in, my point in the podcast was that immediate cyber retaliation would likely depend on existing access, in part, as you said, new access takes time," Krebs said in a tweet Jan. 18. “Didn’t say Cyber was off the table longer term, that’s why the @DHSgov [National Terrorism Advisory System] Iran bulletin remains in place.”
Krebs’ comments come about two weeks after the United States killed Iranian Gen. Qasem Soleimani. In congressional testimony and interviews with Fifth Domain, experts said to expect a delayed response from Iran.
“Iran could achieve strategic surprise in cyberspace, and we would not know it until they hit us,” said Tom Warrick, a non-resident senior fellow at the Atlantic Council, said in prepared remarks at a House Homeland Security hearing Jan. 15.
“They will include cyberspace operations as a key component of their asymmetric response to the killing of Soleimani,” Vincent Stewart, the former deputy commander of Cyber Command, said at the same hearing.
Another reason Iran may not have immediately responded is that cyberattacks take time to prepare, Jon Bateman, a former senior expert on Iranian cyber forces at the Defense Intelligence Agency.
“Cyberoperations sometimes can take time to develop and that all depends on the intent of the operation and how well it matches up with your pre-existing contingency planning,” Bateman said.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.