Iran could pose a challenge to the United States despite its limited cyber warfare capabilities, according to a new report by the Atlantic Council. Given Tehran’s weak conventional forces, cyber attacks could be an attractive alternative. “Iran does not need the equivalent of a Ferrari to inflict damage on U.S. infrastructure: A Fiat may do,” warns the report. More than a dozen U.S. financial institutions may have already been hit by hackers linked to Iran in 2012, it says. Tehran has denied involvement in cyber attacks on SunTrust, JP Morgan Chase, CitiGroup and several others, which cost the financial industry millions of dollars. The following are excerpts from the report.
But what if the response came in the form of an anonymous cyber attack that shut down the New York Stock Exchange for a few hours? Or an assault that cut off electrical power in a major US city, froze civilian air traffic, or interfered with further military strikes on Iran by conveying incorrect information to American military commanders?
Many US officials and experts on cyberspace say Iran is probably not yet in a position to mount such a damaging assault against the United States. Iran, they say, is a “third tier” cyber power compared to the United States, its Western allies, or Russia and China. Yet this overlooks an important factor. In the history of cyber conflict, few attacks have themselves been devastating. For example, the Russian-encouraged attacks which hit Estonia in 2007—overwhelming government web sites, Estonia’s largest bank, and several newspapers—were neither technically significant nor very effective. They were disruptive, but for only short periods and with little or no long-term impact to Estonia’s GDP. The primary impact was political, not military, serving as a wake-up call on cyber vulnerabilities and leading to NATO establishing a Cyber Center of Excellence in the capital, Tallinn. In this way, a significant Iranian cyber attack against the United States would take on outsized importance regardless of its technical sophistication.
Moreover, technological edges in warfare tend to be ephemeral. There is no assurance that Iran’s growing cyber forces—or a skilled foreign or nonstate actor hired by Iran—will not be capable of significantly disruptive activities in the next few years, especially as the United States continues to extend its already deep dependence on a very vulnerable cyberspace.
In fact, there has already been an ongoing tit-for-tat of clandestine cyber conflict between Iran and the United States (and probably also Israel), though so far it has not passed into open cyber warfare. Concerns about Iran’s cyber abilities rose in 2012 in connection with so-called distributed denial of service (DDoS) attacks on American financial institutions that briefly cut off access to online accounts and required expensive countermeasures. The attacks appear to have come in retaliation for US-led banking sanctions on Iranian financial institutions and the Stuxnet worm that set back Iran’s nuclear program in 2010. Iran is also believed to have been behind an even more destructive assault in August 2012 on the Saudi Aramco oil company that wiped out data on more than 30,000 computers.
But this categorization should not give the United States false confidence that it can defeat any Iranian cyber threat. Iran does not need the equivalent of a Ferrari to inflict damage on US infrastructure: a Fiat may do.
As the Atlantic Council has pointed out, the blowback for US government-approved attacks has come largely against the US private sector. Already, distributed denial of service (DDoS) attacks attributed to Iran have cost the US financial industry millions of dollars. The attacks, starting in 2012, hit more than a dozen major institutions including SunTrust, JPMorgan Chase, CitiGroup, Wells Fargo, U.S. Bancorp, Capital One, PNC, HSBC, and BB&T; at least five websites crashed in the face of traffic 10 times higher than any previously recorded assaults. Just one bank estimated spending at least $10 million mitigating the attacks. Another hacking episode in April 2013 claimed by a group that may have ties to Iran—the so-called Syrian Electronic Army—caused the Dow Jones Industrial Average to drop 150 points, briefly wiping out $136 billion in value. The damage was done by hacking the Twitter account of the Associated Press to report bogus explosions at the White House that were said to have injured President Barack Obama. In May 2013, there were allegations that Iran was behind new attacks on US energy firms.
US allies have also been targeted. An individual with access to employees’ desktop computers at Saudi Aramco infected them last year with a virus that destroyed data on three quarters of the machines and displayed a picture of a burning US flag. These computers became paperweights, entirely useless with all their data destroyed—a significant escalation from attacks that entail only stealing information.