Next phase in the US confrontation with Iran: Moving the battle to the cyber domain

Two weeks ago, the name Qassem Soleimani was not widely known in the U.S.; today, many people know him as the Iranian general killed in a U.S. drone strike on Jan. 3. In part, that’s because Iran — in response — launched missiles against U.S. bases in Iraq on Jan. 8, making war between the U.S. and Iran seem — for a time at least — imminent.  Fortunately, both sides have carefully deescalated, stepping back from the brink.

But that doesn’t necessarily mean hostilities will cease.

There’s almost unanimous consensus that Iranian covert cyber operations are on the menu, whether conducted directly by Iranian cyber assets, through support and sponsorship of surrogates, or by unaffiliated hackers sympathetic to Iran. The million-dollar question, of course, is what form might these cyber actions take?

While we can only speculate, there are a few themes that can be gleaned from previous Iranian cyberattacks.

For one, the Iranians previously have shown both an interest and a capability in hacking financial and energy companies. For example, between December 2011 and September 2012 a group of private sector security companies operating on behalf of Iran’s Islamic Revolutionary Guard Corps. committed a set of DDoS attacks against almost 50 companies in the U.S. financial industry, causing tens of millions of dollars in damage. Financial target(s) may be especially appealing today, given President Donald Trump’s continued emphasis on a strong economy and his presumed reliance on the economy to carry him to re-election, providing the Iranians with an opportunity to hurt both the U.S. in general, and Trump personally. Likewise, energy, oil and gas companies are also a favorite target in these battles. For example, in August 2012, Saudi Arabia’s Aramco energy company was attacked with malware nicknamed “Shamoon,” which compromised tens of thousands of Aramco’s computers, overwriting them with an image of a burning American flag.

Second, when committing an attack, Iran tends to adopt the techniques, targets or outcomes that they perceive to be comparable to the harm they suffered. For example, after several Iranian nuclear scientists were assassinated under mysterious circumstances between 2010 and 2012 — believed to be the work of the U.S. or Israel — Tehran unsuccessfully attempted to assassinate Israeli officials in similar mysterious fashion, in unexpected places such as the countries of Georgia, Thailand and India. Even the August 2012 Shamoon attack on Saudi Aramco, which wiped computer hard-drives and destroyed data, could have been symbolic retribution for the “Wiper” malware attack on Iran’s oil industry earlier that year, which likewise destroyed data and files.

Iran might therefore view a high-level U.S. leader — a senior military official or head of a government agency — as a comparable target to Soleimani; an eye for an eye, if you will. Indeed, the Iranians could take a page from the Russian playbook, which targeted high level officials from Hilary Clinton’s 2012 campaign, conducting a campaign to hack and then publicly embarrass these officials, or disclose their geolocation coordinates, patterns of life and other sensitive information, enabling (perhaps encouraging) other extremists to take action.

Third, the Iranians have shown at least some capability to penetrate our critical infrastructures. According to a 2016 indictment, a hacker acting on behalf of Iran obtained remote access to the supervisory control and data acquisition (“SCADA”) system for the Bowman Dam, in Rye, New York. Fortunately, no-one was harmed. But that was primarily because the sluice gate control that could have released the water was disconnected at the time.  

That said, an attack against a SCADA system or other critical infrastructure seems unlikely right now. The Iranians are nothing if not good at playing the long game, and in this long game — to the extent the Iranians have access to a critical infrastructure — they’d want to save that for a future, more dire situation. In the cyber underworld, you only get to use covert access once, because once exposed, the hole is patched, and the access is lost. 

Moreover, the Iranians apparently want to avoid precipitating a full-scale military confrontation with the U.S., and attacking U.S. critical infrastructure, on U.S. soil, potentially injuring or killing civilians, would almost certainly push the U.S. into more aggressive military action. The fact that the Iranians are dealing with an unpredictable and mercurial president must also figure into the equation.

Finally, as a 2018 Carnegie Endowment study on the Iranian cyber threat observed, given the hardened government systems of Israel and the U.S., Iran may opt for proxy engagements with softer U.S. allies, such as Saudi Arabia or UAE. Indeed, after the Jan. 8 missile attack, Iran explicitly threatened to target Israel and Dubai should the U.S. strike back.

At the end of the day, the only thing we can say for sure is that cyber hostilities are likely to escalate; more so now than any time since the 2015 nuclear deal with Iran.  And while we have a better idea of Iran’s cyber capabilities than we did then, we still don’t know the full extent of their penetration into our systems. Indeed, it’s this unknown element that works strongly in Iran’s favor. As the famous military strategist and author of the “Art of War,” Sun Tzu once counseled, “The supreme art of war is to subdue the enemy without fighting.”

Joel Schwarz is a senior principal at Global Cyber Risk, LLC and an adjunct professor at Albany Law School, teaching courses on cybercrime, cybersecurity and privacy. He previously served as the Civil Liberties and Privacy Officer (CLPO) for the National Counterterrorism Center and was a cybercrime prosecutor for the Justice Dept. and N.Y. State Attorney General’s Office.