A recent report by the Wall Street Journal claims Iran is aggressively hacking US officials. This raises new questions about the ultimate goals of the Iranian regime, particularly in cyberspace.
While America faces much more advanced cyber adversaries in China and Russia, Iran represents a unique and in some ways more concerning threat.
Its attacks appear less restrained and more intent on causing harm to US institutions, rather than merely targeting them for cyber espionage purposes. And as the Syrian conflict expands it is creating more opportunities for confrontation with Iran.
How will this play out in cyberspace, and how far might Iran go in digitally attacking the US?
Several factors are key to understanding the future potential of the Iranian cyber threat:
- The Syria Effect. Despite the increasing normalization in our relationship with Iran, the US and Iran have a long history of conflict and continue to face off across many areas of the Middle East, including Syria, Iraq, Israel and Yemen. These conflicts are unlikely to end any time soon.
- The Stuxnet Effect. Iran remains largely dependent on its allies and adversaries for the technology it uses. This includes both critical infrastructure and computer/software systems.
- The Sony Pictures Effect. The US has repeatedly broadcast its own vulnerability in Congressional testimonies and the press – and North Korea and Iran have both gotten the message.
These three “effects” are key to our understanding of how Iran is likely to use its offensive cyber capabilities against the US going forward. The Iranians are keenly aware of the information security community in the States. They read our industry mailing lists, watch our conference videos, and examine closely the results of any real-world cyber attack to see how it affects us (for example, the Sony Pictures breach). They know what works, and what doesn’t.
What type of online attack is Iran most likely to use against us?
Iran is most likely to take a more quiet and strategic posture against the US for the time being. Specifically, they will be looking to penetrate key financial and government systems where they can plant backdoors but not cause any immediate damage or disruption.
Like other countries such as China and Russia, Iran will be thinking long-term. Should a future conflict arise with the US, they want to know they have enough capabilities in cyberspace to have a deterrent effect or the ability to disrupt and hurt their enemy.
In military terms this is called “preparing the battlefield.” But it also will provide key intelligence on economic and military activity.
That doesn’t mean we won’t see more attacks. Clearly, the Iranian government will use cyber methods as a way of furthering its own intelligence-gathering activities, as we recently saw in the attacks on State Department email accounts. We’re likely to see more of these attacks down the road, in a pattern similar to China and Russia.
Would Iran cause a power outage?
A common question is, “Could Iran shut down the power grid?” The answer is, “Only through a horrible mistake.”
The US is busy crafting the norms for cyberspace, part of the reason for President Barack Obama’s recent agreement with Chinese President Xi Jinping. These norms include leaving critical infrastructure alone. The US thinks Chinese, Russian and Iranian teams may all step up their efforts to infiltrate sensitive systems and could damage them without realizing it. That kind of irresponsible targeting could lead to what the US Navy calls a “kinetic reaction.”
Iran is not as advanced as the US or other members of the cyber-war club, so they will use their cyber assets differently. Unless the US-Iran dynamic changes dramatically, Iran is likely to follow a more strategic cyber espionage path similar to China and Russia.
While analysts may cite the devastating 2012 wiper malware attack on Saudi Aramco as an example of Iran’s willingness to do harm to energy infrastructure, it actually shows just the opposite. If Iran had the moxie to target the US in this way, it would not have telegraphed its capabilities to us ahead of time. Saudi Aramco was a warning to the US, a demonstration of Iran’s growing cyber prowess while at the same time an attack on a regional rival.
However, that’s not to say temporary cyber flash points won’t still occur during occasional diplomatic disputes. But these flash points won’t culminate in destructive attacks on the grid (unless Iran believes war is imminent) – instead they will be limited to low-level attacks on high-profile targets.
This is Iran’s M.O. It targets institutions that may not have strategic value, but are well-known by the public. A few examples are the 2012-2013 distributed denial-of-service attacks on US banks; 2013 Twitter hacks of The Associated Press, The Onion and ITV; and the 2013 Outbrain hack which affected CNN, Time and The Washington Post.
This methodology allows Iran to gain maximum propaganda value for relatively minor attacks due to the ensuing media coverage.
Who else would benefit from Iranian hacking?
Iran has long been a supporter of Hamas. Hamas has a tiny cyber team and is in no way able to protect itself from the advanced and highly experienced Israeli military and intelligence apparatus.
But here is where Iranian expertise can, and likely will, change things: While Iran is outmatched by the US, China and Russia, its cyber capabilities are on an equal footing with Israel’s. Iran has the ability to target Israel in a number of ways, such as disrupting its news organizations, financial system, energy infrastructure and military or law enforcement communications.
In the future, if we see cyber attacks purportedly coming from Palestine which attack key Israeli institutions, it’s likely to be the work of Iranian groups. I would expect these attacks to grow in intensity over the coming years and perhaps eventually achieve an Israeli version of the Sony Pictures hack.
Rather than asking how far Iran will go to hack the US, we should probably be asking instead: how far will it go to hack its neighbors? Iran’s key foreign policy goal right now is to become the dominant power in the Middle East. As part of this objective, look for Iran to leverage its cyber capabilities to bully, intimidate or disrupt its regional adversaries — like Israel, but also Saudi Arabia and Jordan.
What holds the Iranians back?
First and foremost, the Iranians will not do anything that jeopardizes their nuclear deal with the West. Likewise, Iran is not North Korea, able to attack at will in cyberspace without fear of similar retribution.
Iran understands that in many cases when it comes to defensive matters in cyber (non-military) areas, they are still very dependent on their allies like Russia or even indirectly on American or European firms.
The 2010 Stuxnet incident, in which an Israeli and US-engineered computer bug infected the country’s nuclear program, was a wake-up call for the Iranian government, which began to realize its lack of resources in the cyber-domain. Even though the country has since made many large investments to boost its capabilities, it still does not have any mature defensive solutions to replace hardware and systems developed by countries they cannot trust.
Dave Aitel is CEO of Immunity Inc., a leading offensive security firm that serves major financial institutions, industrials, Fortune/Global 500s and US government/military agencies. He is a former NSA computer scientist and DARPA contractor.