Most analysts have been impressed, and increasingly concerned, with the rapid improvement of Iran’s cyber capabilities. Tehran undoubtedly focuses the bulk of its cyber investment in defending itself from cyberattack, as well as being able to better monitor and manage its own people. That mission is a clear priority in the Islamic Republic’s Sixth Five-year Development Plan drafted by Supreme Leader Ayatollah Ali Khamenei and soon to be passed by the Iranian legislature. Defense Tech reported Iran’s cyber program has “an annual budget of 76 million dollars and over a billion dollar investment in infrastructure.”
Iran’s offensive cyber capacity is what concerns the United States and our allies the most, however. On that front, Tehran has quickly moved into the elite ranks in the past few years, just behind the cyber superpowers of the United States, Russia, China, and Israel. Iran’s Islamic Revolutionary Guard Corps (IRGC) leads these efforts and likely has dozens, if not hundreds, of dedicated hackers at its disposal.
Obscuring attribution and plausible deniability are the coins of the realm for state-sponsored cyber warfare, however, and Iran is no different in this sense. The IRGC’s role in directing hacking groups, like the Iranian Cyber Army, Parastoo, and the al Qassem Cyber Fighters that have emerged in the past decade, is fairly well accepted. This is seen most evidently in the well-coordinated campaigns these three organizations have conducted against Saudi and U.S. targets in recent years, and in the lack of discrete activities and promulgated manifestos one would normally expect from more autonomous hacker groups.
What is less clear is whether Tehran is able to mobilize and orchestrate more independent individuals and groups of ‘patriotic’ hackers the way China and Russia have been able to do. The IRGC likely fosters the loose networks of university students and computer scientists – “script kiddies” – who occasionally deface Saudi websites touting Persian nationalistic slogans, but these pale in comparison to the capacity of groups sponsored by Moscow and Beijing. What may be more important for the IRGC is an effort to develop and train, both domestically and internationally, elite corps of Iranian national cyber experts who can be employed to both defend Iran’s critical infrastructure and security apparatus as well as design Tehran’s future cyber weapons.
Similarly, there are larger questions about whether well-known external cyber groups fighting on behalf of Iran’s allies, such as the Syrian Electronic Army (SEA) for President Bashar al Assad, the Islamic Cyber Resistance (ICR) for Hezbollah, and the Yemen Cyber Army (YCA) for the al Houthi rebels, are really local actors or simply extensions of the IRGC. In the case of the SEA, there appear to be Syrians involved, but Iranian actors likely play roles in infrastructural and materiel support. In the case of the YCA, local Yemeni capacity is doubtful, and the alleged group’s close coordination with Iranian state media raises doubts about whether the organization has any real independence. The ICR, for its part, has links to the Iranian hacker community but does not appear to have direct links to the Iranian government or other Iran-linked groups.
Iran is a state adept at building powerful proxy groups like Lebanese Hezbollah for unconventional warfare, which raises the question: why have cyber equivalents of that group not really emerged? The answer likely lies in how Iran sees both the role of proxies and cyber in general.
Iran builds proxies for at least three reasons. First, creating political and paramilitary capacity within foreign states expands the reach of Iran’s ideology and influence. Iran prefers to coopt from below rather than impose its will from above. Second, Iran builds organizations that can attack Iranian adversaries if needed, but with enough plausible deniability that Tehran can manage escalation and defuse potential blowback. Third, Iran attempts to instill fear of terrorism and asymmetric warfare should an enemy attack Iran or its interests, although this is generally only possible once a proxy’s offensive capabilities are advanced enough to serve as a retaliatory deterrent.
Iran is investing in cyber for many of the same reasons it builds proxies. The internet and social media are critical conduits for ideas and propaganda. Cyber capacity provides weapons that can be employed while minimizing the risk of escalation to conventional warfare. And finally, if Iran’s capabilities improve sufficiently, cyber can serve as a deterrent against U.S., Israeli, or Saudi actions, threatening to strike its adversaries’ homelands in ways that more traditional weapons and means of conflict cannot.
But Tehran does not necessarily need to create non-Iranian organizations to execute its cyber objectives. For most cyber operations, especially those against high-value targets, Iran can easily use more controllable “front” organizations – which most of these hacker groups are in essence – while still accruing the same plausible deniability and escalation management benefits in the virtual realm that a foreign proxy can provide on a real battlefield. That is a luxury the cyber domain affords.
This does not mean Iran will forgo the opportunity to assist or coopt foreign hacker groups aligned with its interests, which may have been the case with the SEA. However, the United States and its allies should be much more concerned with Iranians conducting Iranian cyber operations than with the possibility of a new generation of cyber Hezbollahs.