Now that Iran appears to have ended its retaliation for the deadly strike against Islamic Revolutionary Guard Corps Quds Force commander Major General Qassem Soleimani, Americans might be breathing a sigh of relief. Indeed, President Trump indicated Wednesday that he would seek to avoid further kinetic strikes on Iranian targets. This is a good thing, but Americans should expect this conflict to continue to play out in cyberspace within our nation.
Iran is one of the world’s top cyber adversaries, with sophisticated nation-state capabilities and contractors at the state’s disposal. Iran was behind the deployment of the destructive wiper malware Shamoon that targeted Saudi Aramco oil refineries in 2012, destroying its systems within days. It was also responsible for the attack that cost the Sands Las Vegas Corporation (owned by Sheldon Adelson, a prominent supporter of Israel) over $40 million in 2014. In 2013, Iran attempted a cyber operation against the Bowman Dam in upstate New York. And the SamSam ransomware, which targeted several cities, universities, transport hubs, and hospitals for three years and caused $30 million in damage, was attributed to two Iranian citizens operating within their country. In 2019, analysts at the top cybersecurity firms were worried about a group associated with the IRGC planning a cyber operation targeting the United States, possibly laying the groundwork for something destructive. Their fears were based on observations of a new campaign of phishing emails aimed at federal agency and private company employees. These are only the operations that we know about.
While it’s in Iran’s interest not to seek further military action, offensive cyber operations through its proxies provide asymmetric advantages, much like the use of improvised explosive devices via its proxies in Afghanistan. The difference is that those effects were localized to the distant battlefield and targeted at combatants. Offensive cyber operations, including those waged by Iran and its proxies, are targeted at not only US federal government and Department of Defense networks, but also at our nation’s critical infrastructure sectors — such as dams and communications operations — state and local governments, and private-sector institutions, often gaining access through employees and their social networks through phishing or by using stolen credentials from breached databases.
The US Military, through the US Cyber Command, can identify and counter malicious cyber activity within and outside of military networks. This capability recently proved successful when it disrupted Russia’s Internet Research Agency operations to prevent further interference during the 2018 elections. Its more assertive and transparent cyber posture means more contact with cyber threats and a stated intent to share information gleaned from those operations with the public and with its domestic partners at the FBI and Department of Homeland Security, which provide strategic intelligence and investigative support to domestic organizations.
However, once inside US networks, cyber threats are outside US military jurisdiction, and the responsibility for defending against them falls to the owner of a particular network — be it a state, a municipal government, a financial institution, or an energy company. Every state and local government, every company and nonprofit is different in how they conduct cyber defense, if at all. US critical infrastructure is run mostly by private-sector companies, and while DHS’s Cybersecurity and Infrastructure Security Agency works to help shore up domestic cybersecurity, it still maintains only an advisory role outside of federal network security.
Though it’s highly unlikely that Iran’s cyber operators could take down an entire energy grid, they appear to have the ability to target and potentially disrupt energy, transportation, and water systems. We don’t need a catastrophic event to be attacked effectively; Russia didn’t drop a single bomb, yet its information warfare and targeting of election infrastructure during the 2016 US elections were enough to sow anger and distrust with lasting impacts on our democracy. Iran, through its proxies, could achieve damaging effects and will probably step up longtime efforts to do so.
This is an important point, and one that will become more serious over time. In cyberspace, the Law of Armed Conflict — wherein signatories agree on how warfare should be conducted among states — applies to state conduct of cyber warfare. Not so with the “gray zone of cyber conflict,” which includes infiltration of critical infrastructure, theft of intellectual property from businesses, weaponizing information, and destruction of hospital data — activities that don’t cross the threshold of cyber warfare but are pernicious and costly nonetheless. CYBERCOM commander Paul Nakasone recently noted such attacks “have had and will have strategic effects on our nation and allies.” Despite efforts to establish them, the international system lacks norms and rules for this activity, and cyber operators will seek to exploit these fissures to their advantage. American citizens and workers are likely to be unwitting access points, so it rests on each of us to be vigilant about our personal and financial data and our communications.
Cyber threats now and in the future require not just a military response, but also a whole-of-nation approach, in which the public and private sectors work together. As Secretary of Defense Mark Esper noted, the game has changed. Indeed it has.
Lauren Zabierek is executive director of the Cybersecurity Project at Harvard Kennedy School’s Belfer Center.