Iranian hacks into the social media accounts of U.S. State Department officials are the latest signal from Tehran that it is not looking to turn the page on its embattled relationship with Washington. They also reflect the diversification underway in Iranian cyberwarfare tactics, which in recent years have expanded from denial-of-service and disruptive attacks, aimed mostly at private sector targets in the U.S. and allied countries, to include intelligence gathering. The recent hacks targeted U.S. officials who work on Iran policy, presumably to map their networks of contacts, which a compromised account exposes directly and which can then be targeted in turn for further intelligence exploitation.
Tehran has long sought to advance its foreign policy objectives through asymmetric tactics that compensate for its conventional military weakness. It funds and supports proxy fighters in Syria, Iraq, and Yemen rather than deploying conventional troops, and it has carried out or attempted targeted assassinations abroad, such as the failed 2011 plot against the Saudi ambassador to Washington. Viewed through this lens, cyberwarfare fits neatly into Tehran’s existing arsenal: with relatively few resources, Iranian hackers can inflict damage on more powerful adversaries from afar. As with its proxies, hacking affords Iran a degree of deniability that helps keep the risk of escalation down, and Tehran modulates the pace of its cyber attacks to the political climate. It has been widely reported that attacks ceased during the sensitive nuclear negotiations with the West and have resumed now that the deal is finalized.
Although cyberespionage is a newer addition, Iran’s more established use of cyberwarfare is retaliation against its enemies; the attacks are typically targeted and proportional, intended to send a clear message. Following the imposition of new U.S. sanctions on Iran’s financial sector in late 2011, Iranian hackers conducted a series of distributed denial of service attacks against major U.S. banks in 2012 and 2013. These attacks flooded the banks’ public websites and took them offline, but they did not give the hackers access to the banks’ internal networks, since a denial of service attack overwhelms a service rather than breaching it. After billionaire Republican donor Sheldon Adelson suggested that the U.S. detonate a nuclear weapon inside Iran, Iranian hackers reportedly penetrated the computer systems of the Las Vegas Sands Corporation, which he controls, causing massive damage. Most famously, malware widely attributed to Iran infected the IT infrastructure of Saudi Aramco, the Saudi state-owned oil company, destroying data and replacing it with an image of a burning American flag. The Aramco attack is widely believed to have been a response to alleged intrusions into the computer and communications systems of Iranian oil facilities. These tactics are not reserved for foreign enemies. The regime also turns them on its opponents at home, tightly controlling the internet and monitoring dissent, and its reach extends beyond Iran’s borders: hackers have accessed dissidents’ data on servers in Europe and the U.S.
The cyber program is a source of prestige for Tehran. It is commonly ranked among the most capable state programs in the world, behind those of the U.S., Russia, and China, and Iranian security officials have boasted about it publicly. Because the regime cultivates a grievance narrative in which the country is constantly beset by more powerful enemies, the cyber program lets Iran cast itself as an underdog punching above its weight.
Although Iran has demonstrated that it regards the U.S. private sector as a legitimate target, the Pentagon’s cyber strategy makes clear that companies are largely on their own when it comes to protecting their networks against state-sponsored hackers. The pace of innovation in the private sector certainly outstrips that of the government, but the government’s overwhelming focus on developing offensive cyber capabilities turns a blind eye to a key vulnerability that our enemies are keen to exploit. An attack on our critical infrastructure has the potential for massive damage or even casualties, but Director of National Intelligence James Clapper downplayed the likelihood of such a “doomsday” scenario earlier this year, saying instead that he expects an “ongoing series of low-to-moderate level cyberattacks from a variety of sources over time, which will impose cumulative costs on U.S. economic competitiveness and national security.” Attacks of that kind fall squarely on the private sector, which is at the same time legally constrained in how it can respond to hacking incidents: companies cannot lawfully conduct counter-attacks on their own, since a retaliatory intrusion into someone else’s systems is itself unauthorized access under the Computer Fraud and Abuse Act.
Intelligence analysts assess an adversary in terms of both intent and capability. Tehran’s intent is to preserve its regime and weaken its enemies, and its cyber attacks in recent years have shown that its capabilities are sophisticated and expanding. Iran poses a serious threat to our national interests and is unlikely to respect the evolving “norms” of cyberspace that are regularly discussed in policy circles. Given Tehran’s penchant for retaliation, our impressive offensive cyber capabilities are as likely to provoke an Iranian attack as to deter one. We must therefore ensure that the likely targets, above all private companies, are equipped legally, financially, and strategically to defend against them.