Even before Iran can begin realizing the benefits of the recently signed nuclear deal, a pathway for Tehran to shed international isolation, hard-line elements in the Islamic Republic have ramped up digital attacks on the Obama administration.
Last month, numerous reports surfaced that the Revolutionary Guard, the dominant branch of Iran's military, hacked into e-mail and social media accounts belonging to Obama administration officials. But that uptick is just the latest effort in Iran’s ongoing cybercampaign against US targets.
In fact, Iranian digital assaults are so numerous that the State Department issued an unprecedented security report in May warning American businesses operating abroad of Iran’s rapidly improving cyberwarfare capabilities.
It shouldn't come as any surprise that Iran is constantly sharpening its arsenal of digital weapons – cyberspace is an increasingly critical front for most modern nation-states. But its concentration on developing cyberweapons, and carrying out hacks on American and Middle East targets, certainly wasn't a reaction to Stuxnet.
Some analysts, however, attribute the Islamic Republic’s cyberwarfare operations to the Stuxnet attack that utilized malware to target – and likely destroy – up to 1,000 centrifuges in Iran’s Natanz nuclear reprocessing facility.
“We are coping with the Pandora’s Box of reciprocated evils unleashed by this first nation-state cyberattack,” Jeff Landale and Sascha Meinrath wrote in Passcode last month, “[w]ith Stuxnet, the US set off an arms race in cyberspace.”
Although the alleged joint US-Israel operation against Iran’s nuclear program was a seminal event, the conventional wisdom regarding its role as the catalyst of a cyberarms race is misplaced from both a historic and strategic perspective.
First, Stuxnet did not "set off an arms race in cyberspace." Arms races are the reflection – not the source – of rivalries between states, and their specific characteristics reflect broader trends in strategy and technological innovation. After the US military decimated the Iraqi Army in 1991, other nations realized they could not match America’s conventional military capabilities and sought ways to gain an asymmetric advantage over US forces.
This strategic approach was summarized in 1999’s "Unrestricted Warfare," in which two prominent Chinese army colonels asserted that the ability to blend technologies – such as combining financial and cyberattacks with military actions and political-influence activities – signifies that weapons alone will not be sufficient to attain future strategic victories.
This new concept of war means "no longer using armed force to compel the enemy to one’s will, but rather, using all means, military and nonmilitary, lethal and nonlethal, to compel the enemy to accept one’s interests." Thus Chinese "citizen hackers" began targeting US websites during diplomatic crises in 1999 and 2001, and by 2003 the Chinese government had announced the creation of cyberwarfare units. Similarly, Russian "patriotic hackers" disabled Estonia’s banking sector during a 2007 diplomatic dispute and crippled key portions of Georgia’s communications systems to facilitate the invasion of Georgia in 2008.
Iran’s interest in cyberwar has similar roots. Since the Iran-Iraq War, the Islamic Republic’s strategic culture has emphasized deniability through the use of surrogates. What's more, it focuses on attacking soft targets to allow Iran to pursue strategic objectives beyond its conventional forces’ capabilities.
In 2005, the Revolutionary Guards sponsored the formation of the Iranian Cyber Army, a hacking collective responsible for the December 2009 hack of Twitter and January 2010 hack of China’s largest search engine. Other hacker groups linked to the Iranian military such as Ashiyane claimed credit for hacking thousands of websites in the US, Europe, and the Gulf states from 2008 to 2010 in response to perceived slights against Iran, and openly acknowledged their cooperation with Iran’s clerical regime.
Thus, nearly every prominent cyber actor began to develop and deploy cyberweapons before Stuxnet’s discovery in 2010, a reflection of the ongoing evolution of strategies toward asymmetric warfare. Although they may have accelerated their efforts after Stuxnet, it is because the attack showed how far behind the US they were in operationalizing their cyberwar efforts.
Moreover, Stuxnet did not “legitimize destructive cyberattacks,” as Messrs. Landale and Meinrath claim. A country’s decision whether or not to launch such an operation hinges upon multiple factors, including the likelihood and cost of retaliation. The challenges to clearly determining attribution for cyberattacks make deterrence and/or retaliation problematic.
Yet despite this attribution dilemma – and despite possessing the acumen to do so – Chinese and Russian hackers have not engaged in destructive attacks, likely because an operation that damages the US economy will also have negative economic consequences for their countries.
Conversely, because Iran’s economy is isolated from the American-dominated global financial system, it is less constrained in launching destructive attacks such as the 2012 cyberattack on Saudi Aramco that destroyed 30,000 computers and the 2014 attack on Sands Corp. computer servers that caused $40 million in damages.
It is possible this calculation could change as international sanctions against Iran are lifted in the wake of the nuclear deal. But the Islamic Republic’s repeated violation of international norms regarding the inviolability of embassies, prohibiting terrorism, outlawing foreign assassinations, and banning nuclear proliferation suggests Tehran prioritizes the pursuit of other strategic interests above economic considerations.
To be clear, the Stuxnet operation was not cost free. Whereas conventional weapons are destroyed upon impact, cyberweapons can be captured intact by the intended target. Within weeks of Stuxnet’s discovery, an Egyptian blogger posted instructions for replicating the malware online. Such copying allows weaker parties to quickly narrow the qualitative "cybergap" with the US.
America’s dependence on information and communications technologies for critical military and civilian services creates potentially dangerous second-order effects. This danger is not unique to Stuxnet, however, but rather is endemic to cyberwarfare. Cyberweapons should always be deployed with great caution and consideration for blowback potential, but our adversaries will continue to develop increasingly sophisticated tools even if the US never launches another cyberattack.
Conversely, if causing destruction to physical infrastructure beyond computer hardware requires more than just code but also significant "black bag" capabilities beyond the means of all but the most advanced spy agencies – as suggested by cyberwar skeptics such as Thomas Rid and P.W. Singer – then in the specific case of Stuxnet any chance that it would stall Iran's nuclear weapons program or obviate the need for military strikes would appear to outweigh the risk of blowback.
Regardless, rather than forswearing offensive operations altogether, America is better served by devoting equal resources to the defense and resiliency of US critical infrastructure as it does to offensive capabilities.
Asserting that Stuxnet started the cyberarms race and legitimized destructive attacks implies that other states are purely reactive when engaging in cyberwarfare. As long as states seek to challenge the American-led international order, they will seek to gain leverage through cyberwarfare in its various permutations.
If nothing else, the recent renewal of Iranian hacking against US targets demonstrates that conciliatory efforts on our part are insufficient to change our rivals' behavior in the digital realm.
Benjamin Runkle has served in the Defense Department, as a director on the National Security Council, as a professional staff member on the House Armed Services Committee, and as a consultant in the Department of Homeland Security's Office of Cybersecurity and Communications.