On Nov. 5, the United States implemented sanctions against Iran, which the Treasury Department described as the “largest ever single-day action targeting the Iranian regime.” While the sanctions were ostensibly targeting Iran’s growing nuclear program, the Foundation for Defense of Democracies (FDD), a think tank which vacillates between nonpartisan, hawkish, and neoconservative in terms of its political leanings, argued in a report released Tuesday that the United States should be concerned about the cybersecurity implications of the new sanctions.
Iran’s Cyber Behavior
In the report, FDD referenced a 2016 study from computer security firm MalCrawler which studied the actions and attempted to “gauge the intentions of malicious cyber operators” in various countries.
“Chinese hackers pilfered ‘anything that looked like novel technical information,’” the FDD report explained, at times quoting the MalCrawler report. “Russians penetrated systems, ‘mapping them and implanting hard-to-find backdoor access for potential future use.’ In contrast, Iranian hackers sought to do ‘as much damage as possible.’ This is consistent with Iranian cyber behavior: Over the past decade, the Islamic Republic has shown it will exploit deficient cyber defenses to wreak havoc on its adversaries’ networks. The regime is now bolstering its capacity to cause even greater harm in the future.”
The report further explained that because Iran lacks “conventional forms of military, economic, and geopolitical power,” it uses “asymmetric capabilities to wage war against the United States and its allies.” While its asymmetric capabilities toolbox has previously included taking hostages, sponsoring terrorist activities, and overseas assassinations, FDD argued that Iran has added cyber-enabled economic warfare to its toolbox.
After falling victim to the malicious computer worm Stuxnet, Iran heavily invested in its cyber capabilities, and now “Iranian hackers are able to hone their skills on soft targets and pre-position assets for future conflicts, both cyber and otherwise,” according to the report.
Thus far, Iran is already responsible for Shamoon 2 (destructive malware against Saudi government ministries and companies), data theft and extortion against HBO, APT33 (cyber infiltration and trade secret theft against a U.S. aerospace company, Saudi aviation conglomerates, and a South Korean petrochemical company), and APT Leafminer (cyber infiltration against governments and businesses in the Middle East), among other attacks.
How Sanctions Impact Cyber Behavior
As with the vast majority of sanctions, the new Iranian sanctions attempt to hit Iran where it hurts: the bank account. As the report explained, the sanctions “threaten to further destabilize an economy whose currency is already in free fall and appears headed for a deep recession.” As its economy worsens, FDD predicts that the nation, which is “already inclined to aggressive and destructive cyber…activities,” may become far more aggressive online.
Policy Recommendations to Counter Iranian Cyber Behavior
While this seems to be a dire warning, the report offered advice to U.S. leaders.
“To counter the Islamic Republic’s malicious cyber activity, Washington must be prepared to impose significant costs on the leadership in Tehran and to use cyber and kinetic means to hold at risk the Islamic Republic’s most valuable assets,” the report said. “Simultaneously, Washington must work with its allies and the private sector to bolster defenses so that Iranian operations are less likely to succeed. While the Islamic Republic’s capabilities do not match those of China and Russia, its cyber capabilities are dangerous to U.S. national security and rapidly maturing.”
In addition to broad advice, FDD also offered specific policy recommendations, which it grouped into three broader suggestions. While the report goes into significant detail for each recommendation, the big picture suggestions are:
“Understand the Iranian Cyber Threat Landscape
- Analyze Tehran’s cyber escalatory
- Analyze the Islamic Republic’s cyber investments, industrial base, and partnerships with other rogue actors in order to target these assets as needed.
- Bolster information sharing with U.S. allies to improve allied defenses.
- Develop a joint R&D agenda with U.S. allies to address common threats from Iran and other malicious cyber actors.
- Conduct joint cyber wargames with allies in the Middle East to demonstrate our resolve to defend our allies.
- Announce that the U.S. will defend its key allies from significant Iranian cyber attacks.
- Share actionable information with the private sector, provide incentives for the private sector to implement better cyber defenses, and establish interoperability to allow the private sector to better defend itself.
Impose Costs on Tehran
- Sanction key Iranian leaders for authorizing cyber attacks.
- Use cyber-enabled information warfare capabilities to exploit and sharpen divisions between the regime and the Iranian public.
- Hold at risk Iranian assets using cyber and kinetic means.”
The report concluded by cautioning U.S. leaders to not write off Iran just because it doesn’t have the same infrastructure or cyber capabilities as other foreign adversaries, such as Russia and China.
“While Iran does not have the cyber capabilities of China, Russia, or North Korea, Tehran is willing to take greater risks and cause greater destruction,” the report argued. “The Islamic Republic cannot match Washington’s capabilities on the traditional military battlefield nor in the virtual world, but its hackers can still do serious damage. If U.S. decision makers begin to initiate more robust defensive initiatives with allies and the private sector, and simultaneously prepare cyber and kinetic countermeasures, Washington may well prevent a more devastating cyber battle in the future.”