The Iran cyberattack is an “early sign” of 21st-century warfare

Article by Robert Scammell – Verdict

Tensions between Iran and the US are high as the conflict shifts between the physical world and the digital.

Last Thursday US president Donald Trump ordered a crippling cyberattack on Iran’s missile systems. The Iran cyberattack disabled computer systems used to control rocket and missile launches, according to the Washington Post.

The US says that this was in retaliation for attacks on oil tankers in the Gulf region and the shooting down of a US drone earlier this month.

“The US actively decided to respond other than militarily; the battlespace has changed,” says Malcom Taylor, director of cyber advisory at cyber consultancy firm ITC Secure.

The growing tensions stem from the US’ unilateral withdrawal from the 2015 nuclear deal with Iran and the imposition of sanctions on the Islamic Republic, resulting in significant economic pressure.

Last week’s cyberattack against Iran reflects a shift among world powers to publicly and strategically use cyber means during conflicts.

“Historically, nations would threaten and claim petty victories in skirmishes in the kinetic world,” says Sam Curry, chief security officer at Cybereason. “However, now cyber is the domain of choice to make these war cries of angst and escalation.”

Why the US chose a cyber response against Iran

The reasons for this are manifold. Taylor, a former British intelligence officer for GCHQ, told Verdict that the use of cyber responses – albeit alongside a US carrier deployed to the Gulf – comes with clear advantages.

“It’s cheaper, has fewer risks for US personnel, and (as far as we know) is less likely to lead to further military response and escalation and it didn’t lead to any loss of life,” he says.

Cyberattacks can also be difficult to attribute. Unlike a missile strike, aggressors can hide behind layers of code, as well as distance themselves by using private hacking groups to carry out cyberattacks on behalf of a nation state.

“Nothing can be definitively proven in cyber,” says Curry. “Even if cyber activities produce kinetic effects, like disrupted pipelines, sabotaged uranium enrichment or interrupted communications.

“Both sides can claim victory regardless of outcomes and appear strong. Now we’re learning how cyber will get used in more hostile conflicts for the theatre of diplomacy.”

For example, Iran’s claim that it stopped 33 million cyberattacks against it in 2018 is “useless” because “real attacks aren’t stopped by firewalls”, says Curry.

Iran cyberattack – business as usual?

There is a commonly held belief among the cybersecurity community that nation states – not just the US and Iran – are constantly exchanging cyberattacks that never become public knowledge.

“Rest assured conflict is happening, but nothing either nation has said at this point is pointing to anything new or significant happening in the cyber domain,” says Curry.

If this belief is taken to be true, says Taylor, it raises the question as to why the US chose to publicise this attack so widely.

“Which must, in turn, make it political in nature as much as anything else,” he says.

Trump, for all his jingoistic rhetoric, called off the missile strike against Iran when the number of likely casualties was made clear. Retaliating with a cyber-response is one way for the US to show strength without a cost to human life.

“The US perhaps felt it needed to be seen to be doing something, and so launched a cyberattack and told the world,” says Taylor.

“Although, of course, given the target was allegedly just an IRGC [Islamic Revolutionary Guard Corps] weapons system, perhaps they could have cut out the middle man and just claimed to have launched a cyberattack. No-one but the IRGC would ever know, and they of course have little international credibility and would be widely disbelieved.”

Dave Weinstein, CSO at cybersecurity firm Claroty, says that the Iran cyberattack is a “great example” of how and when to combat kinetic attacks by using cyber means.

“It is both proportionate and limiting from a collateral damage perspective,” he says. “Furthermore, it serves deterrence value because it demonstrates not only to Iran but to other adversarial observers that the US is both capable and willing to project cyber force in a tailored fashion.”

The fallout of the Iran cyberattack

Commentators seem perplexed about what the US hopes to achieve from its pressure on Iran.

“We are stuck. It’s like the US strategy is to keep squeezing Iran, and Iran lashing out in response with no clear pathway to a negotiated resolution,” Jake Sullivan, a senior US official in the Obama administration, told the Financial Times. “I’m befuddled [about] what is the endgame.”

But the game of brinkmanship seems set to continue, with cyberspace likely to be the stage.

Warnings by the US Department of Homeland Security’s cybersecurity agency that Iran may retaliate with cyberattacks against US companies reflect the muddied nature of cyber warfare, with the lines blurred between civilian and military targets.

For more than a year, cybersecurity experts have been warning that squeezing Iran with sanctions is likely to trigger a cyber retaliation against the US.

“IT pros did not sign up for this, but they are finding themselves in the trenches of a cyberwar that seems to be heating up consistently,” says Stu Sjouwerman, CEO of KnowBe4, a cybersecurity awareness training firm.

“Most bad actors go for the most available attack surface – employees – with social engineering attacks. Companies should prepare for the worst by undertaking security awareness training that takes into account these politically motivated attacks.”

By contrast, the US reportedly struck a military target with the Iran cyberattack, points out Claroty’s Weinstein.

“As international norms of cyberspace evolve, it’s important to demarcate military from civilian targets, particularly as it relates to dual-use infrastructure.”

However, Taylor warns that a cyberattack deemed unacceptable by the US may be fair game for the Iranian military.

Such asymmetrical warfare means that Trump will still be “faced with the ethical dilemma if the cyberattacks he approved last week had led to 150 deaths”.

As for whether the IRGC would reach the same conclusion, Taylor is “far from sure they would”, citing the Salisbury Novichok poisoning as an example of an attack that Western countries would not replicate.

Trump, disruptor of the American military

So, have we seen the first digital bullet fired in the 21st-century battlespace?

“Probably not quite, but things will change and this is an early sign of that,” says Taylor. “Think, then, of the future of warfare – who needs big defence contracts, nuclear weapons and naval fleets if they are never going to be used, and can anyway be disabled from afar by an enemy?”

According to Weinstein, the Iran cyberattack “illustrates the advantages of cyberspace as an attractive alternative military domain to sea, air, or land – especially for conducting retaliatory strikes”.

Such a shift in military approach would have ripple effects, changing “budgetary calculations, defensive postures, standing armies and more,” says Taylor.

Under Trump, the US has made clear the importance of cyber as a military response, elevating its US Cyber Command to an independent “unified command” operating separately from the National Security Agency. In addition to carrying out the Iran cyberattack, Cyber Command recently responded aggressively to Russian cyber threats by planting malware in Russia’s electrical grid, according to the New York Times.

Becoming an early adopter of a cyber-first military strategy will be a brave and perhaps farsighted move, one that “could carry a very heavy price indeed”, says Taylor.

“But, isn’t it inevitable that this is the way things will go, from heavy weapons to disruptive, coercive cyberattacks? Trump sells himself as a disruptor president; I am just not sure he and the GOP truly saw him as perhaps the disruptor of the American military.”