Iran’s Growing Cyber Capabilities in a Post-Stuxnet Era

From right: Andretta Towner, Senior Intelligence Analyst at CrowdStrike; JD Work, Research Director at the Cyber Conflict Documentation Project; and Barbara Slavin, Nonresident Senior Fellow in the Atlantic Council’s South Asia Center, participated in a discussion on “The Future of Iranian Cyber Threat” at the Atlantic Council April 8. Paul Kurtz (left), CEO of TruSTAR Technology, moderated the discussion.

Cyber attack on Iran served as an ‘awakening’ for Tehran

Iran has vastly ramped up its cyber capabilities, transforming itself from a “Tier 3” country to one that poses a significant global threat in the years following a massive cyber attack on its nuclear facilities, panelists said at the Atlantic Council April 8.

“Iran is definitely not a Tier 3 country any more,” said Andretta Towner, Senior Intelligence Analyst at CrowdStrike, a provider of security technology. 

Over the past three years, Iran’s budget for cyber security has increased 1,200 percent, said Towner.

“They’re building this up as they would any other capability, but it seems that when we look forward we want to know are they building it up specifically to use it or are they just building this up in case they need it,” she added.

Iran’s focus on cyber security appears to have been driven, at least in part, by a massive cyber attack on its nuclear facilities five years ago. In 2010, the United States and Israel used the Stuxnet computer virus to disable centrifuges Iran was using to enrich uranium at its facility in Natanz.

“Stuxnet was kind of an awakening for them in cyber security matters… so the country decided that building the national cyber capability was just the next natural step,” said Towner.

Iran has since been suspected in cyber attacks on Saudi state oil company Aramco and the Qatari natural gas firm RasGas in 2012, and the Sands casino in 2014. Iranian hackers were also accused of attacking US banks in 2012.

“We have learned from Stuxnet that there are consequences to our actions and that we should be very careful before we attack the infrastructure of other countries because they have an ability to respond,” said Barbara Slavin, Nonresident Senior Fellow in the Atlantic Council’s South Asia Center. “Iran’s response to Stuxnet cost millions of dollars to our financial sector and presumably they could wreak worse havoc if provoked.”

Slavin co-authored an issue brief, “Iran: How a Third Tier Cyber Power Can Still Threaten the United States,” with Jason Healey, Director of the Atlantic Council’s Cyber Statecraft Initiative, in July of 2013. The brief evaluated Iran’s cyber warfare capabilities and US vulnerabilities to such attacks.

Slavin and Towner were part of a panel on “The Future of Iranian Cyber Threat” that was part of the Atlantic Council’s Cyber Risk Wednesday series. Paul Kurtz, CEO of TruSTAR Technology, moderated the discussion.

Slavin said Iran’s involvement in cyber attacks has diminished since the election of President Hassan Rouhani in 2013.

Iran is one of the most wired countries in the Middle East—more than 70 percent of Iranians have Internet access—but the government has a firm grip on information. Most ordinary Iranians don’t have access to social media sites. The leadership, however, frequently uses networking sites such as Twitter, as has been evident from Rouhani’s and Foreign Minister Javad Zarif’s frequent Twitter messages.

Cyber espionage focus shifts

Iran has mostly directed its cyber espionage at Israel. However, in December of 2014 some of that focus shifted to regional diplomatic targets in the midst of Iran’s negotiations with world powers on its nuclear program, said Towner.

“As they build up their cyber capabilities it is two-fold: While they can use it for intelligence gathering… they can also use it for their other political agendas in the Middle East,” she said.

“When they are looking at spending their money they can definitely look at getting more bang for their buck.”

The national security establishments of the United States and the European Union need to determine at “what threshold actions, whether cyber or kinetic or soft power actions, will follow from unacceptable behavior,” said JD Work, Research Director at the Cyber Conflict Documentation Project and a participant in the discussion.

“We do not know what a strong deterrence posture looks like in cyber. I think we’ve been talking about it for a very long time, and we have not yet demonstrated actions which would create a deterrent capability, and we have not demonstrated the political will to employ a deterrent capability in such a way that would forestall future unacceptable actions by other states,” he added.

Ashish Kumar Sen is a staff writer at the Atlantic Council.