In the most dramatic chapter yet of escalation between the United States and Iran, the United States killed Major General Qasem Soleimani, head of the Islamic Revolutionary Guard Corps (IRGC)-Quds Force, in a drone strike on January 3.
The attack has raised questions of when and how Iran might respond and the role that cyber capabilities might play in any retaliation. Soleimani’s death rips an influential figure in Iran’s history of international terrorism and support for foreign military activities from the world stage. The Islamic Republic is a regional power with influence beyond its territorial borders, and the IRGC is a well-developed institution outside of the figure of Soleimani. Nonetheless, his influence shaped the domestic political activities of Lebanon, Syria, Iraq, and other neighboring states; his death marks a major inflection point for the IRGC and Iran’s activities in the region.
Iran’s government will feel the need to retaliate against the United States, but it does not wish to ignite a prolonged war with the United States. The regime’s near-term aim is to demonstrate to its domestic and regional constituencies that it has the capability and the resolve to avenge Soleimani’s killing and, more strategically, to drum up support for hardliners ahead of legislative elections next month. While Iran has a number of options available, its cyber toolkit is not one to be overlooked.
Tehran’s cyber capabilities
Iran’s offensive cyber capabilities trace back a decade, to the response to the US-led Operation Olympic Games, which targeted industrial control systems for nuclear enrichment equipment, including the now-famous facility at Natanz. One prominent attack, later dubbed Stuxnet, represented a new form of counter-proliferation and harmed the country’s still-developing nuclear program.
In response, the Iranian government made serious new investments in an offensive cyber program. Progress was rapid and by 2013, one Israeli think tank asserted that Iran was “one of the best and more advanced nations when it comes to cyberwarfare,” following on a speech by then Prime Minister Benjamin Netanyahu that decried Iran’s “non-stop” attacks on critical infrastructure. Iran was also the source of the Shamoon malware which, in 2012, infected the computer systems of Saudi Aramco, a popular regional target, resulting in the destruction or disabling of more than 35,000 computers. The cyberattack was one of the most debilitating ever to target a private company despite not impacting oil extraction or refining systems.
Iran’s appetite for cyber operations continued to grow apace with the country’s capabilities. From 2011 to 2013, Iranian groups targeted forty-six different US banks with denial-of-service attacks, taking down websites and temporarily blinding online infrastructure. In 2014, the Sands Casino was attacked with another strain of destructive malware, destroying thousands of computers and extracting sensitive customer information including credit card data and Social Security numbers. More recent activity has been less destructive but even more concerning, as security researchers discovered a sustained Iranian campaign to break into the manufacturers and operators of industrial control equipment across industries, potentially laying the groundwork for future attacks.
Advantages vs. disadvantages of strategic ambiguity
Cyber capabilities can be an asset for Iran, and the country has exhibited a predilection for utilizing cyberattacks in response to perceived US provocations, with examples as recent as June 2019, after the US announced new sanctions and military deployments to the region. Tehran is widely believed to have shifted its focus of late toward targeting and gaining access to industrial control systems (ICS) in the United States and close allies; a January 2 tweet from Department of Homeland Security (DHS) leadership warned readers to “…pay close attention to your critical systems, particularly ICS.”
Cyber capabilities, however, can obscure attribution of the source of an attack and make it difficult to identify a perpetrator. This can be an advantage if the intent is to avoid a response. As exhibited by the United States in October 2019 in response to an Iran-backed attack on Saudi oil facilities, cyber operations can allow a state to demonstrate action while providing an escalatory off-ramp.
This same feature of ambiguity is a disadvantage if the purpose of the attack is to signal national resolve or make a public response. Inherent questions surrounding attribution of cyberattacks place limitations on Tehran’s ability to execute public shows of force in cyberspace. This same difficulty impairs the observation of cyber capabilities and limits their use as a “loud weapon,” the same issue raised by then Vice-Chairman of the Joint Chiefs of Staff Gen. James Cartwright. Now a board member with the Atlantic Council, Gen. Cartwright argued, “You can’t have something that’s a secret be a deterrent. Because if you don’t know it’s there, it doesn’t scare you.”
To cyber or not to cyber?
Tehran must weigh its cyber capabilities and their utility for collecting future intelligence against the desire to create momentary fireworks. Iran’s ability to integrate cyber operations into a retaliation depends on if, and where, it has access to computer systems and networks it wishes to target. While software may take only seconds to execute, developing cyber capabilities, gaining access to targets, and positioning those capabilities for maximum effect is a time- and cost-intensive process. This access is also a valuable source of intelligence, leading to a cost-benefit analysis for the attacker: is executing destructive malware, such as ransomware, for short-term gain worth exposing—and therefore losing—access for espionage in the long term?
This is not to say that Iran will not continue to employ cyber operations, but that these methods will likely be only part of a broader strategy involving additional asymmetric means such as proxy forces. The choice to use offensive cyber capabilities will likely depend on the immediate options available to Iran, the cost-benefit of losing access to targeted computer networks, and the anticipated US response.
For US policymakers, in industry and the public sector, there are two imperatives: get the basics right and consider the larger regional strategy. Regardless of whether Iran decides to employ cyber capabilities as part of a response, companies and government agencies can do a better job of securing their systems against attacks. The outbreak of ransomware infections in the United States across 2019 demonstrates the need for broad improvement in basic security hygiene. DHS can step up efforts to provide capacity to state and local entities, existing information sharing and analysis centers (ISACs) can leverage their membership to hold each other accountable to best practices, and efforts like the National Security Agency’s Cybersecurity Directorate can use this opportunity to demonstrate value to new stakeholders.
The White House must consider its action in response to an Iranian retaliation. Is the answer to pursue greater deterrent action against the Iranian regime in a way that sharpens the US administration’s maximum pressure campaign, while managing further instability in the Gulf?
A lot depends on Iran’s next steps, but the answer may not be to counter-punch. The United States has already demonstrated that it is not only capable of deterrence, but willing to use its military on the ground, its offensive cyber capabilities, and its economic heft against the Islamic Republic. Perhaps the pressure campaign has reached a point where there is a path towards de-escalation that serves the goals of preventing a nuclear-armed Iran, further constraining Iran’s destabilizing regional activities, and strengthening US alliances in the Gulf. The prospect of negotiation with Iran may still feel far off, but continuing an escalatory path could push that possibility even further into the future.
Simon Handler is a program assistant with the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and national security with cyberspace. He is a former special assistant in the United States Senate. Follow him on Twitter @SimonPHandler.
Will Loomis is a program assistant with the Atlantic Council’s Cyber Statecraft Initiative under the Scowcroft Center for Strategy and Security, focused on the nexus of geopolitics and national security with cyberspace. Follow him on Twitter @loomisoncyber.
Katherine Wolff is associate director for Middle East security in the Atlantic Council’s Middle East programs, where her current and past research focuses include regional security, economic transformations in the Arab Gulf, and security challenges in North Africa. Follow her on Twitter @kawolff_.