How an Iranian nuclear deal could trigger cyberconflict
What we learned from a panel discussion at the Atlantic Council about Iran’s growing cybercapabilities.
The US and other major world powers just reached an interim agreement with Iran aimed at curbing that country’s nuclear program – but experts say this might increase the risk of digital conflict in an already tense region.
The Atlantic Council held a panel discussion about the future of Iran’s cybercapabilities on Wednesday, and Passcode was the exclusive media partner.
Here's what we learned:
A nuclear deal may inflame the risk of cyberconflict in the region. Whether or not you like the framework agreement, says James Jones, a retired United States Marine Corps general and a former US National Security Adviser, there are still many outstanding national security flashpoints in the region.
There’s the war in Syria, in which Iran supports strongman Bashar al-Assad. And there’s Iran’s hostility toward Israel, support for recognized terrorist groups and for Houthi rebels in Yemen, and allegations of hostile actions in cyberspace. The US and its allies will continue to oppose Tehran on these issues, Mr. Jones said. “No nuclear deal is going to change that fact. In fact, the framework nuclear agreement in the context of rising regional tensions could actually inflame the risk of major cyberconflict in the region,” he said.
If sanctions are lifted, Jones added, it’s possible an “emboldened Iran” will “become more aggressive in supporting proxies in the region, and continue to undermine the United States allies in the region through cyber attacks.” In light of increased tensions, the US and its allies in the Gulf should prepare for a more aggressive Iranian cyberposture, he said. That said, failing to clinch a nuclear deal is also risky. “Tensions are certain to escalate … including in the cyber domain.”
Stuxnet crippled Iran’s nuclear capability, but it also helped build its cybercapabilities. With so much attention focused on Iran’s nuclear program right now, the topic of Stuxnet – the computer worm ordered by the US to quietly attack Iran’s nuclear facilities – was at the front of many security experts’ minds. JD Work, research director at the Cyber Conflict Documentation Project, said the “unprecedented degree to which Stuxnet was discussed in the West has led to hardening measures that we are aware of, occurring at several of their nuclear facilities.” These hardening measures, he said, may reduce the ability to bring cyber options to bear against those networks in the future.
The ramped-up defense doesn’t stop at the nuclear facilities, experts said. “Stuxnet was kind of an awakening for that in cybersecurity matters, the country realized … that building the national cybercapability was just the next natural step,” said Andretta Towner, senior intelligence analyst at security firm CrowdStrike. In fact, the tools Iran likely used to track dissidents within its borders – such as remote access tools and key loggers – are the same type of tools that are used in cyberespionage campaigns, Towner said. “We have even seen, in some cases, where an adversary previously targeting dissidents opened up its targeting to other agendas.”
China and Russia have long been viewed as major cyberpowers, but Iran could soon be a rival. Iran’s national budget for cybersecurity has increased by 1,200 percent in the past three years, Towner said. Some notable suspected attacks include the destructive attack on oil and gas company Saudi Aramco in August 2012, in which data was destroyed on tens of thousands of computers, and distributed denial of service attacks against American banks the following year. All this means, she said, Iran “is definitely not a tier three country anymore.” If the NCAA college basketball tournament were the analogy, Towner said, “they’re into the final four.”
Two quotes to remember:
“We do not know what a strong deterrence posture looks like in cyber. I think we’ve been talking about it for a very long time, and we have not yet demonstrated actions which would create a deterrent capability, and we have not demonstrated the political will to employ a deterrent capability in a way that would forestall future unacceptable actions by other states.” – JD Work, who wants the national security establishment in the US and European Union to come to a consensus on acceptable behavior in cyberspace – and enforce it.
“They don’t want to be one of the last countries to have adequate cybercapability. But they also maybe have obstacles in openly funding different organizations throughout the [Iranian] regime.” – Andretta Towner, who says it’s beneficial for the Iranian security apparatus to have a relationship with semilegitimate security companies because it gives them deniability for attacks – and a way to, essentially, fund an emerging cybersecurity industry in the country.