Will the U.S.-Iran Cyber Conflict Escalate?

Washington, DC - When most people think of what will happen if tensions between the U.S. and Iran continue to escalate, images of Iran’s nuclear program, missile attacks, or another costly boots-on-the-ground conflict in the Middle East come to mind.

Less thought of is the ongoing U.S.-Iran face-off taking place in cyberspace, and the threat posed by future cyber attacks. However, as attacks have become more prominent on each side, this issue has been receiving increased attention. Director of National Intelligence Gen. James R. Clapper, for example, ranked cyber attacks at the top of the list of U.S. national security threats when testifying before the Senate Select Committee on Intelligence earlier this year.

And, last week, the Atlantic Council recently published an issue report and sponsored a panel briefingentitled “Iran: How a Third Tier Cyber Power Can Still Threaten the United States,” which focused on the threat of escalation in the cyber realm. According to the Atlantic Council, potential Iranian cyber attacks represent a substantial challenge to the U.S. due to both the economic and political consequences they could have.

Recent Cyber Assaults

The opening salvo in the cyber war between the U.S. and Iran - at least, the first to become public and attributed to either side - was the use of a U.S.-Israeli cyberworm known as “Stuxnet,” which is alleged to have set back Iran’s nuclear program when it was launched in 2010. Stuxnet was not only the first strike in the U.S.-Iran cyber exchange, but - according to former CIA director Michael Hayden - it also marked the first time any foreign power used a cyber attack to "effect physical destruction" on another nation's critical infrastructure.

Stuxnet may have delayed but did not stop Iran’s nuclear program. Further, some allege that Iran orchestrated the 2012 distributed denial of service (DDoS) assaults on over a dozen American financial institutions, including banking giants JPMorgan Chase, Wells Fargo, and Capital One, in retaliation for Stuxnet and punishing sanctions on Iran's financial sector. The DDoS assaults briefly cut off banks’ access to their online accounts and forced them to implement pricey countermeasures. While likened to a “digital Pearl Harbor” by then-Defense Secretary Leon Panetta, the Atlantic Council’s Jason Healey, director of their “Cyber Statecraft Initiative,” pointed out that these same banks still had multibillion-dollar quarters throughout the duration of the attacks.

Threat of Future Iranian Cyber Strikes

Even though Iran is merely a “Third Tier Cyber Power” in terms of capability, while the U.S. is in Tier One, the Atlantic Council’s report was clear that these imbalanced rankings do not mean that Iran cannot harm the U.S. “Iran does not need the equivalent of a Ferrari to inflict damage on U.S. infrastructure: a Fiat may do,” it asserts.

Panelist Frank Cilluffo, director of George Washington University’s “Homeland Security Policy Institute,” agreed, noting that not only is “the bar to entry...low” for launching cyber attacks, but also that there are countless outsourcing opportunities for cyber capabilities on the Internet’s vast black market.

Additionally, even if Iran currently ranks in the third tier, Iran is expected to be “edging in on the top tier” in five year’s time, according to the panel’s cyber expert, Dmitri Alperovitch. He based this prediction on his assessment of Iran’s “vibrant hacker community,” which is increasingly being brought into the mainstream, and Iran’s official cyber developments (including the creation of 2 state-level cyber warfare centers and cyber security courses taught at Iranian universities). And these factors are compounded by Persian culture’s history of innovation in engineering and technology.

The question is therefore not whether Iran will soon have the capacity to launch a sizable cyber attack on the U.S., said Alperovitch, but rather, “Will the motivation be there?”

Capacity vs. Intent - Impact of Political Climate on Conflict Escalations

As of right now, Iran could be motivated to retaliate to Western-led pressure. “What they lack in capability, they more than make up for in intent,” asserted Cilluffo. In the present political context with Iran isolated from the rest of the international community, Iran could perceive that they have little to lose from launching cyber attacks.

However, an Iranian cyber attack could escalate the standoff over Iran's nuclear program and elicit a damaging American response. “Even if there are no deaths or significant damage, if we know that Iran is behind it, you’re going to see a lot of fury in this country,” said Healey, co-author of the Atlantic Council’s report, expressing his concerns over an “outsized national security response” by the U.S. and the further escalation of conflict this could create.

But as for the future of Iranian cyber attacks, the Atlantic Council’s report (whose co-authoris Iran-expert Barbara Slavin) asserts that the determining factor will be the political will of Iranian leadership. Their motivations and decisions, moreover, will largely depend on the geopolitical climate.

Recommendations and Conclusions

The Atlantic Council’s panel was careful to point out that if U.S.-Iran relations do significantly worsen, cyber is the least of the U.S.’s worries. The report and panel concluded that, in addition to enhancing its cyber defenses for both government and private networks, the U.S. should attempt to pursue other avenues for influencing Iran and easing tensions, such as through sanctions and diplomatic outreach.

However, it appears unlikely that more economic pressure would reduce the likelihood of escalation in the cyber realm. Sanctions relief, offered in exchange for Iranian nuclear concessions through diplomatic negotiations, could lead to an overall reduction in tensions that reduce the likelihood of cyber attacks.

Furthermore, the U.S. should be cautious about mounting any new cyber attacks, especially given that the blowback will likely continue to be on the U.S.’s private sector, which has already shown itself to be highly vulnerable. “Those with glass infrastructure should not throw stones,” said Slavin.

Cilluffo also advised the private sector itself to be proactive in defending itself against cyber attacks. “We’re never going to firewall our way out of this problem,” he said. And he would advise European banks to do the same, particularly since the EU’s recent labeling of Hezbollah’s military wing as a terrorist organization.

In terms of strategic advice for U.S. policymakers, the Atlantic Council's report concludes that “cyber war, like sanctions, may be preferable to so-called ‘kinetic’ action that puts American forces at risk, but it is not a silver bullet against Iranian centrifuges or any other target."

Ultimately, strategies that will lead to more overall progress in mending the estranged relationship between the two countries offer the most hope for staving off both the threats posed by future Iranian cyber attacks as well as the much greater threats to U.S. national security posed by further deterioration of U.S.-Iran relations.

- Payvand News