The U.S. re-imposed sanctions on Iran on Monday after pulling out of the JCPOA Agreement in May. European allies responded by issuing a statement saying the nuclear agreement with Iran "is working."
The reimposition of sanctions followed Iranian military exercises in the Gulf last week that U.S. officials largely interpreted as a show of strength and a reminder that Iran has the ability to close the Strait of Hormuz, if it desires.
In a webcast on Monday for Cipher Brief members, the former National Intelligence Manager for Iran at the ODNI, and current Cipher Brief expert Norman T. Roule answered questions about the likely impact that reimposing sanctions will have on Iran and the likelihood that Iran will choose to retaliate. This is a condensed and edited version of that conversation.
With recent evidence of Iran's involvement in terrorist and cyber activities as well as a military show of strength, we asked Roule to talk about the likely form of retaliation, if Iran chooses to take that path.
Roule: Let’s step back and look at Iran’s risk calculus. In a piece I did earlier this year for The Cipher Brief, I described the recent history of Iran’s apparent terrorist activities in Europe. If you were in Tehran right now, perhaps as a senior officer in the Quds Force, you might well say ‘within Europe we undertook a handful of terrorist operations and endured no real consequences. Let's see how far we can push the envelope.’
Iran’s malware activities began in 2007. Since that time, Iran’s cyber actions have been the most consequential, costly, and aggressive actions in the history of the internet. More so than Russia, because Russia has conducted traditional espionage operations to exert political influence in the U.S., European and Baltic elections. The Chinese mainly use cyber tools to steal technology for their companies. But the Iranians are destructive cyber operators. Prior to the North Korean hack on Sony, the Iranians conducted a cyber attack against a U.S. casino, which inflicted about 40 million dollars in damage. It was the first destructive cyber attack against the United States and they saw no response from the U.S. In 2012 and 2013, you had Operation Ababil, which targeted a number of U.S. banks over a period of 176 days and resulted in remediation costs in the tens of millions of dollars. Again, Iran faced no response from the U.S. Iran’s cyber operations effectively destroyed the Dutch internet certificate firm DigiNotar. The attack remains one of the most significant security breaches in the history of the internet. Again, no response from Europe. So, if you are in Iran, cyber operations look like a fairly low-risk, high potential tool. Iran’s malware tools are basic, but effective. They employ spear phishing and extensive social media exploitation. They often target mid-level (and middle-aged) IT specialists who somehow believe that an attractive photographer in London finds them interesting and would like to engage in an internet relationship. This technique was the foundation of the famous 2016 cyber operation involving the fictitious ‘Mia Ash’ persona.
The Iranians are adept at using LinkedIn, Facebook, Blogger and Instagram in a coordinated, self-supporting cyber campaign to develop personas with the goal of convincing targets to open links, which enable Iran to install malware into corporations or government organizations. Once Iran has gained privileged user access, the game is pretty much over.
Companies need to invest heavily in technology that provides deception protection and real-time behavioral analytics. They should also routinely brief personnel on the risks of spear phishing and of ‘water hole sites’. The Iranians have made good use of the latter by creating fictitious mirror sites of real Israeli and Western cybersecurity firm websites to harvest login information from individuals. Anyone out there who would like to start researching Iran should be careful about the websites they access.
For all of these reasons, I think there’s a good chance the Iranians will undertake offensive cyber operations in the near future, although the scale of the attack will probably not be so great that it would fracture Tehran’s relationship with Europe. Iran probably doesn’t feel that the West is prepared to impose costs on Iran’s cyber activity, and these operations are a good way to inflict economic costs on the United States and other adversaries supporting the United States. For example, Bahrain will hold an election later this year for its Council of Representatives. This is the sort of event that represents an attractive cyber target.
The Cipher Brief: Do you think that President Trump has the opportunity to make things better or worse with regard to Iran?
Roule: Whatever one's views of the nuclear deal, it is fair to say that the Trump administration has held a consistent position on Iran. The President ran for election on a promise to overturn the deal. He repeated his intention last summer and in October of 2017, as well as in January of this year. He and his cabinet members have repeatedly highlighted Iran’s malign regional adventurism, which includes support for missile attacks and regional cyber activities. The President and the Secretary of State have each stated that if Iran changes its behavior, the administration will be ready to engage.
There certainly is a lot of rhetoric in the air from both sides, but there has never been a shortage of hostile rhetoric from Iran. Iran’s leadership will mirror any rhetoric from Washington if only to demonstrate defiance. But with that said, Iran’s leadership has historically demonstrated an ability to carefully calculate the consequences of decisions, often only incrementally testing red lines and employing a “prize vs price” view of adversarial challenges.
The Cipher Brief: What should we be watching for next?
Roule: As we weigh the impact of sanctions, I would focus on Chinese oil purchases. Beijing has stated that it would not respect U.S. oil sanctions on Iran, but words are cheap. The Chinese have been Iran’s largest oil customer and Beijing will seek deep price discounts from Iran or other suppliers. We should also watch to see whether the U.S. administration provides leeway to some purchasers to continue purchasing Iranian oil. Some countries may need to invest in new technologies for refineries to deal with different grades of oil.
Moving back to the issue of cyber attacks, it would be reasonable to assume that Iran may have been conducting network reconnaissance over the past 18 months. If I were managing a corporation, I would ask for a review of our breach response plan, which should include a public relations component.
Finally, I would watch to see what the Iranians do against our Gulf allies. Much of the world’s economy is tied to the smooth management of trade and energy through the Bab al-Mandab and the Strait of Hormuz. About 46% of the world’s shipped oil is handled through these two waterways. Pressure here could impact economies around the world.
This interview was edited for clarity.