In the most dramatic chapter yet of escalation between the United States and Iran, the United States killed Major General Qasem Soleimani, head of the Islamic Revolutionary Guard Corps (IRGC)-Quds Force, in a drone strike on January 3. The attack has raised questions of when and how Iran might respond and the role that cyber capabilities might play in any retaliation. Soleimani’s death rips an influential figure in Iran’s history of international terrorism and support for foreign military activities from the world stage. The Islamic Republic is a regional power with influence beyond its territorial borders, and the IRGC is a well-developed institution outside of the figure of Soleimani. Nonetheless, his influence shaped the domestic political activities of Lebanon, Syria, Iraq, and other neighboring states; his death marks a major inflection point for the IRGC and Iran’s activities in the
Iran’s government will feel the need to retaliate against the United States, but it does not wish to ignite a prolonged war with the United States. The regime’s near-term aim is to demonstrate to its domestic and regional constituencies that it has the capability and the resolve to avenge Soleimani’s killing and, more strategically, to drum up support for hardliners ahead of legislative elections next month. While Iran has a number of options available, its cyber toolkit is not one to be overlooked.
Tehran’s cyber capabilities
Iran’s offensive cyber capabilities trace back a decade, to its response to the US-led Operation Olympic Games, which targeted industrial control systems for nuclear enrichment equipment, including the now famous facility at Natanz. One prominent attack, later dubbed Stuxnet, represented a new form of counter-proliferation and harmed the country’s still-developing nuclear program.
In response, the Iranian government made serious new investments in an offensive cyber program. Progress was rapid and by 2013, one Israeli think tank asserted that Iran was “one of the best and more advanced nations when it comes to cyberwarfare,” following on a speech by then Prime Minister Benjamin Netanyahu that decried Iran’s “non-stop” attacks on critical infrastructure. Iran was also the source of the Shamoon malware which, in 2012, infected the computer systems of Saudi Aramco, a popular regional target, resulting in the destruction or disabling of more than 35,000 computers. The cyberattack was one of the most debilitating ever to target a private company despite not impacting oil extraction or refining systems.
Iran’s appetite for cyber operations continued to grow apace with the country’s capabilities. From 2011 to 2013, Iranian groups targeted forty-six different US banks with denial-of-service attacks, taking down websites and temporarily blinding online infrastructure. In 2014, the Sands Casino was attacked with another strain of destructive malware, destroying thousands of computers and extracting sensitive customer information including credit card data and Social Security numbers. More recent activity has been less destructive but even more concerning, as security researchers discovered a sustained Iranian campaign to break into the manufacturers and operators of industrial control equipment across industries, potentially laying the groundwork for future attacks.
Advantages vs. disadvantages of strategic ambiguity
Cyber capabilities can be an asset for Iran, and the country has exhibited a predilection for utilizing cyberattacks in response to perceived US provocations, with examples as recent as June 2019, after the US announced new sanctions and military deployments to the region. Tehran is widely believed to have shifted its focus of late toward targeting and gaining access to industrial control systems (ICS) in the United States and close allies, as reflected in a January 2 tweet from Department of Homeland Security (DHS) leadership warning that organizations should “…pay close attention to your critical systems, particularly ICS.”
Cyber capabilities, however, can obscure attribution of the source of an attack and make it difficult to identify a perpetrator. This can be an advantage if the intent is to avoid a response. As exhibited by the United States in October 2019 in response to an Iran-backed attack on Saudi oil facilities, cyber operations can allow a state to demonstrate action while providing an escalatory off ramp.
This same feature of ambiguity is a disadvantage if the purpose of the attack is to signal national resolve or make a public response. Inherent questions surrounding attribution of cyberattacks place limitations on Tehran’s ability to execute public shows of force in cyberspace. This same difficulty impairs the observation of cyber capabilities and limits their use as a “loud weapon,” the same issue raised by then Vice-Chairman of the Joint Chiefs of Staff Gen. James Cartwright. Now a board member with the Atlantic Council, Gen. Cartwright argued, “You can’t have something that’s a secret be a deterrent. Because if you don’t know it’s there, it doesn’t scare you.”
To cyber or not to cyber?
Tehran must weigh its cyber capabilities and their utility for collecting future intelligence against the desire to create momentary fireworks. Iran’s ability to integrate cyber operations into a retaliation depends on whether, and where, it has access to the computer systems and networks it wishes to target. While software may take only seconds to execute, developing cyber capabilities, gaining access to targets, and positioning those capabilities for maximum effect is a time- and cost-intensive process. This access is also a valuable source of intelligence, leading to a cost-benefit analysis for the attacker: is executing destructive malware, such as ransomware, for short-term gain worth exposing—and therefore losing—access for espionage in the long term?
This is not to say that Iran will not continue to employ cyber operations, but that these methods will likely be only part of a broader strategy that is likely to involve additional asymmetric means such as proxy forces. The choice to use offensive cyber capabilities will likely depend on the immediate options available to Iran, the cost-benefit of losing access to targeted computer networks, and the anticipated US response.
For US policymakers, in industry and the public sector, there are two imperatives: get the basics right and consider the larger regional strategy. Regardless of whether Iran decides to employ cyber capabilities as part of a response, companies and government agencies can do a better job securing their systems against attacks. The outbreak of ransomware infections in the United States across 2019 demonstrates the need for broad improvement in basic security hygiene. DHS can step up efforts to provide capacity to state and local entities, existing information sharing and analysis centers (ISACs) can leverage their membership to hold each other accountable to best practices, and efforts like the National Security Agency’s Cybersecurity Directorate can use this opportunity to demonstrate value to new stakeholders.
The White House must consider its action in response to an Iranian retaliation. Is the answer to pursue greater deterrent action against the Iranian regime in a way that sharpens the US administration’s maximum pressure campaign, while managing further instability in the Gulf?
A lot depends on Iran’s next steps, but the answer may not be to counter-punch. The United States has already demonstrated it is not only capable of deterrence, but willing to use its military on the ground, its offensive cyber capabilities, and its economic heft against the Islamic Republic. Perhaps the pressure campaign has reached a point where there is a path towards de-escalation that serves the goals of preventing a nuclear-armed Iran, further constraining Iranian regional destabilizing activities, and strengthening US alliances in the Gulf. The prospect of negotiation with Iran may still feel far off, but continuing an escalatory path could push that possibility even further into the future.
Simon Handler is a program assistant with the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and national security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler.
Will Loomis is a program assistant with the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and national security with cyberspace. Follow him on Twitter @loomisoncyber.
Katherine Wolff is associate director for Middle East security in the Atlantic Council’s Middle East programs, where her current and past research focuses include regional security, economic transformations in the Arab Gulf, and security challenges in North Africa. Follow her on Twitter @kawolff_.