Iran could pose a challenge to the United States despite its limited cyber warfare capabilities, according to a new report by the Atlantic Council. Given Tehran’s weak conventional forces, cyber attacks could be an attractive alternative. “Iran does not need the equivalent of a Ferrari to inflict damage on U.S. infrastructure: A Fiat may do,” warns the report. More than a dozen U.S. financial institutions may have already been hit by hackers linked to Iran in 2012, it says. Tehran has denied involvement in cyber attacks on SunTrust, JP Morgan Chase, CitiGroup and several others, which cost the financial industry millions of dollars. The following are excerpts from the report.
When most people think of the “military option” against Iran, they imagine a US attack that takes out Iran’s most important known nuclear facilities at Natanz, Fordow, Arak, and Isfahan. They expect Iran to retaliate by closing the Strait of Hormuz, sending missiles into Israel, and/or supporting terrorist attacks on US personnel in Iraq and
Afghanistan.
But what if the response came in the form of an anonymous cyber attack that shut down the New York Stock Exchange for a few hours? Or an assault that cut off electrical power in a major US city, froze civilian air traffic, or interfered with further military strikes on Iran by conveying incorrect information to American military commanders?
Many US officials and experts on cyberspace say Iran is probably not yet in a position to mount such a damaging assault against the United States. Iran, they say, is a “third tier” cyber power compared to the United States, its Western allies, or Russia and China. Yet this overlooks an important factor. In the history of cyber conflict, few attacks have themselves been devastating. For example, the Russian-encouraged attacks which hit Estonia in 2007—overwhelming government web sites, Estonia’s largest bank, and several newspapers—were neither technically significant nor very effective.They were disruptive, but for only short periods and with little or no long-term impact to Estonia’s GDP. The primary impact was political, not military, serving as a wake-up call on cyber vulnerabilities and leading to NATO establishing a Cyber Center of Excellence in the capital, Tallinn. In this way, a significant Iranian cyber attack against the United States would take on outsized importance regardless of its technical sophistication.
Moreover, technological edges in warfare tend to be ephemeral. There is no assurance that Iran’s growing cyber forces—or a skilled foreign or nonstate actor hired by Iran—will not be capable of significantly disruptive activities in the next few years, especially as the United States continues to extend its already deep dependence on a very vulnerable cyberspace.
In fact, there has already been an ongoing tit-for-tat of clandestine cyber conflict between Iran and the United States (and probably also Israel), though so far it has not passed into open cyber warfare. Concerns about Iran’s cyber abilities rose in 2012 in connection with so-called distributed denial of service (DDoS) attacks on American financial institutions that briefly cut off access to online accounts and required expensive countermeasures. The attacks appear to have come in retaliation for US-led banking sanctions on Iranian financial institutions and the Stuxnet worm that set back Iran’s nuclear program in 2010. Iran is also believed to have been behind an even more destructive assault in August 2012 on the Saudi Aramco oil company that wiped out data on more than 30,000 computers.
But what if the response came in the form of an anonymous cyber attack that shut down the New York Stock Exchange for a few hours? Or an assault that cut off electrical power in a major US city, froze civilian air traffic, or interfered with further military strikes on Iran by conveying incorrect information to American military commanders?
Many US officials and experts on cyberspace say Iran is probably not yet in a position to mount such a damaging assault against the United States. Iran, they say, is a “third tier” cyber power compared to the United States, its Western allies, or Russia and China. Yet this overlooks an important factor. In the history of cyber conflict, few attacks have themselves been devastating. For example, the Russian-encouraged attacks which hit Estonia in 2007—overwhelming government web sites, Estonia’s largest bank, and several newspapers—were neither technically significant nor very effective.They were disruptive, but for only short periods and with little or no long-term impact to Estonia’s GDP. The primary impact was political, not military, serving as a wake-up call on cyber vulnerabilities and leading to NATO establishing a Cyber Center of Excellence in the capital, Tallinn. In this way, a significant Iranian cyber attack against the United States would take on outsized importance regardless of its technical sophistication.
Moreover, technological edges in warfare tend to be ephemeral. There is no assurance that Iran’s growing cyber forces—or a skilled foreign or nonstate actor hired by Iran—will not be capable of significantly disruptive activities in the next few years, especially as the United States continues to extend its already deep dependence on a very vulnerable cyberspace.
In fact, there has already been an ongoing tit-for-tat of clandestine cyber conflict between Iran and the United States (and probably also Israel), though so far it has not passed into open cyber warfare. Concerns about Iran’s cyber abilities rose in 2012 in connection with so-called distributed denial of service (DDoS) attacks on American financial institutions that briefly cut off access to online accounts and required expensive countermeasures. The attacks appear to have come in retaliation for US-led banking sanctions on Iranian financial institutions and the Stuxnet worm that set back Iran’s nuclear program in 2010. Iran is also believed to have been behind an even more destructive assault in August 2012 on the Saudi Aramco oil company that wiped out data on more than 30,000 computers.
Iran’s Place in the Cyber Arms Race
According to Dmitri Alperovich, cofounder and chief technical officer of the cyber-security firm CrowdStrike and a senior fellow at the Atlantic Council, the most effective cyber warriors—what he terms the “tier one actors”—are the United States, Russia, and US allies such as Great Britain. Alperovitch puts China a step behind at tier two and says that Iran is tier three.
But this categorization should not give the United States false confidence that it can defeat any Iranian cyber threat. Iran does not need the equivalent of a Ferrari to inflict damage on US infrastructure: a Fiat may do.
As the Atlantic Council has pointed out, the blowback for US government-approved attacks has come largely against the US private sector. Already, distributed denial of service (DDoS) attacks attributed to Iran have cost the US financial industry millions of dollars. The attacks, starting in 2012, hit more than a dozen major institutions including SunTrust, JPMorgan Chase, CitiGroup, Wells Fargo, U.S. Bancorp, Capital One, PNC, HSBC, and BB&T; at least five websites crashed in the face of traffic 10 times higher than any previously recorded assaults.Just one bank estimated spending least $10 million mitigating the attacks. Another hacking episode in April 2013 claimed by a group that may have ties to Iran—the so-called Syrian Electronic Army—caused the Dow Jones Industrial average to drop 150 points, briefly wiping out $136 billion in value. The damage was done by hacking the Twitter account of the Associated Press to report bogus explosions at the White House that were said to have injured President Barack Obama. In May 2013, there were allegations that Iran was behind new attacks on US energy firms.
US allies have also been targeted. An individual with access to employees’ desktop computers at Saudi Aramco infected them last year with a virus that destroyed data on three quarters of the machines and displayed a picture of a burning US flag. These computers became paperweights, entirely useless with all their data destroyed—a significant escalation from attacks that entail only stealing information
But this categorization should not give the United States false confidence that it can defeat any Iranian cyber threat. Iran does not need the equivalent of a Ferrari to inflict damage on US infrastructure: a Fiat may do.
As the Atlantic Council has pointed out, the blowback for US government-approved attacks has come largely against the US private sector. Already, distributed denial of service (DDoS) attacks attributed to Iran have cost the US financial industry millions of dollars. The attacks, starting in 2012, hit more than a dozen major institutions including SunTrust, JPMorgan Chase, CitiGroup, Wells Fargo, U.S. Bancorp, Capital One, PNC, HSBC, and BB&T; at least five websites crashed in the face of traffic 10 times higher than any previously recorded assaults.Just one bank estimated spending least $10 million mitigating the attacks. Another hacking episode in April 2013 claimed by a group that may have ties to Iran—the so-called Syrian Electronic Army—caused the Dow Jones Industrial average to drop 150 points, briefly wiping out $136 billion in value. The damage was done by hacking the Twitter account of the Associated Press to report bogus explosions at the White House that were said to have injured President Barack Obama. In May 2013, there were allegations that Iran was behind new attacks on US energy firms.
US allies have also been targeted. An individual with access to employees’ desktop computers at Saudi Aramco infected them last year with a virus that destroyed data on three quarters of the machines and displayed a picture of a burning US flag. These computers became paperweights, entirely useless with all their data destroyed—a significant escalation from attacks that entail only stealing information
or causing short-term disruption.
Beyond the private sector, there have been reports of Iranian targeting of US government facilities. Diplomats from Iran and Venezuela were secretly filmed discussing plans for cyber attacks against US targets including nuclear facilities. Given Iranian terrorist attacks in Europe, the Middle East and Europe—and a foiled plot in 2011 to kill the Saudi ambassador in Washington—it is fair to draw a straight line to some potentially very bad scenarios.
Indeed, given Iran’s conventional weakness, cyber is an attractive alternative—the ultimate asymmetric weapon. Attacks can be mounted from outside the country—say by hackers in Russia or Lebanon—and difficult to trace. An assault in March 2013 on South Korea that paralyzed ATMs and three television networks has been blamed on North Korea. There is no reason to believe that Iran’s growing cyber army is any less capable than that of an isolated Asian rogue state with few IT graduates, limited Internet access, and a paucity of computers.