As tensions continue to mount between the United States and Iran, many analysts fear a military conflict could soon erupt, potentially engulfing the region.
While such a conflict is certainly possible, and the situation remains highly fluid, the reality is that neither Iran nor the United States actually wants a war. Iran knows it can’t withstand one against the United States, and President Donald Trump has stated repeatedly that he is disinclined to involve America in another “endless” Middle East war.
This means both sides are likely to engage in a more covert battle of wills—and cyber will be a primary focus. Cyberwarfare is an ideal tool in this type of situation, since the risk of escalation from physical attacks remains high. Over the last fifteen years, Iran has shown an increasing reliance on asymmetric warfare to confront, challenge and undermine U.S. interests in the region, and since 2011 it has increasingly turned to cyber when doing so. On numerous occasions in the last nine years, Iran’s cyber operations have demonstrated to the world that they are willing to act aggressively and—some might say—recklessly in cyberspace, and to achieve only limited goals and objectives.
With this in mind, here is a closer look at how Iran is likely to engage the United States in cyberspace.
Iran’s Cyber Strategy
Iran uses cyber mostly as an extension of its military forces, and it seems less cognizant of red lines than other U.S. adversaries.
Just consider some of the brazen attacks it has carried out in recent years. In 2012, it risked triggering a disruption in the international oil supply when it launched a massive destructive malware attack on Saudi Aramco. From 2011 to 2013, it targeted the U.S. financial sector in a widespread DDoS campaign that disrupted services. In 2013, it attempted to gain remote access to the sluice gate controls of a New York dam, which could have produced the first cyber kinetic event on the U.S. homeland.
As we’ve seen in Iran’s traditional military operations, from its September strike on Saudi oil facilities to the June shoot down of a U.S. drone in international waters and the 2016 interdiction of U.S. sailors in the Persian Gulf, Iran is both aggressive and unpredictable—to the point of being reckless.
This is important in understanding how the Islamic Revolutionary Guard Corps (IRGC) is likely to approach future cyber operations against the United States. It has fewer restraints than other American adversaries (even Russia, North Korea and China), and is willing to act boldly and dangerously just to send a message.
Iran’s Cyber Capabilities
Since 2010, when Iran’s nuclear industry was attacked by a physically destructive malware called “Stuxnet,” the country has been steadily ramping up its development of cyber warfare capabilities.
Although Iran is generally considered at least a step below the major cyber powers—the United States, Russia, China, Israel and our European allies—it is clearly evolving rapidly, and Iran’s leadership appears to appreciate the value of cyber as an effective retaliatory measure to U.S. attacks and provocations.
Iran’s cyber operations are more decentralized than other leading cyber powers. It relies heavily on proxy cyber forces, and the extent to which the IRGC can directly control these groups is questionable, with some analysts suggesting it has less control than would be desirable.
While Iran is likely to be developing its own custom cyber “weapons,” to date it has primarily relied on criminal malware and other tools it can modify for its own purposes.
Iran is proficient in a variety of standard network attacks, such as phishing, DDoS, DNS hijacking and remote access, but it has also shown a developing ability to carry out more complicated attacks—particularly the infiltration of industrial control systems (ICS).
What Role Will Proxy Forces Play?
There is no scenario in which Iran’s proxy forces would not be utilized—and heavily—in a cyber conflict with the United States. They are vital to Iran’s overall strength in cyber, and its “show of force” tactics.
However, between Iran’s questionable control of these groups and their reduced capabilities when compared with the IRGC, they would most likely be used in regional attacks on Gulf states—and, if extended to the United States, to soft targets only.
How Would Iran Attack America?
The Center for Strategic & International Studies (CSIS) offers this assessment of Iran: “Iranian [cyber] attacks are likely to be retaliatory, intending to make the point that the United States is not invulnerable but without going too far.” It goes on to say that, “Attacking major targets in the American homeland would be escalatory, something Iran wishes to avoid.”
This is a fair assessment of Iran, but there is a lot of wiggle room in terms of what is considered “retaliatory”—as well as what Iran deems to be instigative and the timeframe for a response—and what constitutes “major targets” in the United States. Remember, Iran has already shown itself to be brazen in its attacks on U.S. homeland targets—and some describe the early 2010s cyber skirmishes with Iran as America’s first known cyberwar.
Iran is likely to carry out the bulk of any attacks on Gulf state rivals, with a particular focus on the royals, government assets and oil and gas industry infrastructure. But we should not underestimate its ability or willingness to attack important targets within the United States. Whether it limits these attacks to soft targets, like media companies, think tanks, outspoken critics of Iran, etc., or instead goes after hard targets like the U.S. financial system, energy industry and government assets depends entirely on how escalatory the regime considers U.S. actions to be.
What Trump calls “maximum pressure,” the Iranians view as “economic terrorism.” To Iran’s leaders, any cyber offensive action taken at any time during the current standoff and destabilizing economic sanctions may be deemed justified as a retaliatory measure.
Could a Cyber War Escalate?
Yes. The question isn’t so much “if” as “by how much?” Already, the United States, Iran and Saudi Arabia are in the early phases of conflict. It’s not unlikely that the United States will turn to Israel for additional support.
A recent report by DarkMatter showed that cyber attacks (linked to Iran) have been increasing generally in the Middle East, particularly against the United Arab Emirates. We can expect that trend to continue and worsen as tensions mount.
Iran is more likely to be the aggressor in these regional attacks, with countries like Saudi Arabia and the UAE largely playing defense. Iran and its proxies will target the energy infrastructure, critical infrastructure and government networks of its regional rivals, as it attempts to weaken those governments, signal the growing danger it can pose to the global energy market and in general create complications for the United States.
A key question is what role China will play in the event of a serious escalation in cyber incidents. China is Saudi Arabia’s largest oil customer, and its economy can’t afford price hikes or supply disruptions.
Iran is a potent force in the cyber domain and the threats it poses should be taken seriously. The chances are high that we will see an extended cyber conflict between the United States and Iran, which will likely spill over into other regional players.
The key uncertainty is “how far will it go”—but what we can be sure of is Iran’s unpredictability. This nation has shown itself to be one of the most aggressive actors in cyber warfare, and it hasn’t shied away from attacking the United States on its own soil.
While a major oil supply disruption or kinetic attack in the United States is less likely, one cautionary note to bear in mind is that cyber attacks on industrial environments can produce unexpected outcomes. Therefore, it is possible for an Iranian miscalculation to accidentally trigger a dire event that could have far-reaching consequences.
David Kennedy, founder/CEO of TrustedSec (www.trustedsec.com), is a former hacker for the NSA and Marine Corps, where he worked in signal intel and electronic warfare operations, and completed two tours in the Middle East. He served as a technical advisor to the Mr. Robot show and has testified twice before Congress. David's company specializes in penetration testing, vulnerability research and nation-grade adversary simulation, which they provide to the U.S. government, foreign governments and Fortune 100s. TrustedSec also provides training to the U.S. military's cyber protection teams (i.e., rapid response units).