Iran Strikes Back

Middle East Topographic Map
“3D render and image composing: Topographic Map of the Middle East region. Including borders, rivers and accurate longitude/latitude lines. High resolution available! High quality relief structure!Relief texture and satellite images courtesy of NASA. Further data source courtesy of CIA World Data Bank II database.Related images:”

By IN MEMORIAM -- Vincent Stewart

IN MEMORIAM - Cipher Brief Expert Lieutenant General Vincent Stewart (Vince) passed in 2023.  The Cipher Brief was extremely proud to have worked with Lt. Gen. Stewart after his retirement from the U.S. Marine Corps, where he served more than 38 years of active commissioned service to the nation. On his final tour of duty, he served as the Deputy Commander United States Cyber Command. Prior to that, he served as Director of the Defense Intelligence Agency (DIA).  The Cipher Brief honors his service and remains grateful for the opportunity to work with him.

Iran’s Foreign Minister Javad Zarif confirmed Monday that Tehran has violated the limits imposed on uranium enrichment that were a key part of the 2015 nuclear deal. 

The U.S. withdrew its support for the deal last year.  The Trump Administration on Monday responded to the confirmation of increased uranium enrichment, vowing ‘maximum pressure on the Iranian regime”.  A statement from the White House press secretary said “We must restore the longstanding nonproliferation standard of no enrichment for Iran.  The United States and its allies will never allow Iran to develop nuclear weapons.”

Experts who have followed escalating tensions between Iran and the U.S. over the past several weeks have looked at the likelihood of retaliation and what form it might take.

The Cipher Brief asked our new expert, Lieutenant General Vincent Stewart (Ret.), who just retired as Deputy Commander of U.S. Cyber Command, for his thoughts.

Iran has known for some time that they can’t match the U.S. or its allies in a straight up conventional military conflict, so they have invested in asymmetric responses that include naval swarming techniques and tactics, missiles with ranges that can hit all of our advanced staging bases, air defense to counter our air advantages and the use of militia and special units that are capable of targeting U.S. and Western interests around the world.

In a conflict with the United States, the Iranian strategy would be to avoid where possible, direct conventional force on force operations. They would attempt to impose cost on a global scale, striking at U.S. interests through cyber-operations and targeted terrorism with the intent of expanding the conflict, while encouraging the international community to restrain America’s actions.

Every attempt will be made to avoid a repeat of Desert Storm, where the conflict was largely resolved in 100 hours. The underlying element of the strategy being, Americans lack the will for another protracted conflict in the Middle East.  Iran views the U.S.’ center of gravity as the will of the American people to avoid another protracted Middle East conflict. In light of our connectedness, the most effective cost imposing asymmetric elements of the Iran strategy with global effects would likely occur in cyberspace in actions focused on our critical infrastructure with an emphasis on the financial elements that impact our economy.

Lt. General Vincent Stewart (Ret.), Former Dep. Commander, U.S. Cyber Command

“The war fighting event that will get American’s attention is a war that directly impacts the American economy.  This is where offensive cyber operations begin to play a central role in Iran’s strategy.”

Iran has demonstrated and continues to refine its capabilities against its enemies in the region.  It’s 2012 attack against Saudi Aramco is an excellent example.  Iran knows how to conduct the necessary reconnaissance and deliver destructive payloads.  I would expect them to have begun selected targeting through socially-engineered phishing activities focused on the oil and gas sector, the financial sector and the electric power grid in that order.  There may be instances now where they already have some persistent access.  If they do, I expect they would use it, or risk losing the access and employ that capability early in the escalation of the crisis.

If I had a business in the sectors mentioned, I would not assume that my firewall has not been penetrated, or that my antivirus and malware tools are fully deployed and protecting my networks.  I would ensure that I have an integrated threat intelligence picture that provides global insights before it reaches my moat; I would be focused on countering phishing or whaling attempts; and I would deploy my red teams to hunt for persistent threats inside my networks.

Meanwhile, CYBERCOM and its partners are tasked with defending and disrupting forward.  Traditional military activities (TMA), to include reconnaissance, shaping, pre-positioning, preemptive deception etc. should all be in play at this point.  CYBERCOM by way of the NDAA now has all the authority needed for conducting TMA. Our increased authorities combined with our approach to defend forward allows us to be more disruptive and could reduce the threat vectors that the private sector would be required to address.

Defending forward and engaging persistently will not eliminate all threats though it does allow us to be more pro-active in reducing the threat, placing our adversary on the defensive and positions us to impose cost when approved.

Lt. General Vincent Stewart (Ret.), Former Dep. Commander, U.S. Cyber Command

“The private sector must continue their defensive diligence built around high-quality threat intelligence and a well-established sharing construct at a minimum within their sector, and continue to defend inside their network, not forgetting about insider threat. Sharing insights on known malware and reporting incidents of compromise at network speed is critical.”

Private sector leaders should be asking the key questions and dusting off the crisis management plan. They should assume compromise and ask themselves what actions they will take in the first minute, the first ten minutes, the first sixty minutes.  Do they have a playbook ready to go at time of compromise and who executes the playbook?  Who are the key members of the team and what decisions are they authorized to make?  The playbook for success in a situation like this sits in the company’s strategic communication plan.  It might be time to make sure it’s ready.

Read also Iran’s Next Surprise by former CIA Senior Analyst Steven Ward, only in The Cipher Brief.

LAUNCHING THIS MONTH:  The Cyber Initiatives Group, powered by The Cipher Brief.  The CIG is a public-private sector group of cyber professionals who share high-level thought and expert perspective on cyber issues impacting today’s businesses.

With a team of principals including Former CIA and NSA Director, General Mike Hayden (Ret.), former NSA Director, General Keith Alexander (Ret.), former Deputy NSA Director Rick Ledgett, former NCTC Director Matt Olsen, former Vice Chairman of the Joint Chiefs of Staff, Adm. Sandy Winnefeld and former DHS Deputy Undersecretary for Cybersecurity, Mark Weatherford, the new Cyber Initiatives Group will focus on connecting experts in ways that share best practices on cybersecurity. 

If you’re interested in becoming an inaugural member or sponsor of this thought leadership group, please send an email to [email protected] and we will send you an invitation to join us. 

‘I’m excited to facilitate this critical cyber conversation and to be working with leaders from across the private sector as they tackle the very difficult cyber issues that impact every company doing business today.’  – Michael V. Hayden



Related Articles