On the morning of Jan. 8, the Islamic Revolutionary Guards Corps fired 22 surface-to-surface missiles at two Iraqi airbases. If Americans had died, the Pentagon would have put in front of President Trump options for cyberattacks to disable Iran’s oil and gas sector.
Would the U.S. oil and gas industry have been ready for an Iranian cyber counterattack?
While Americans celebrated Thanksgiving, someone hit Iran with a massive cyberattack that disclosed 15 million Iranian bank debit card numbers on a social media site. On Dec. 11, Iran’s telecommunication minister admitted this was “very big” and that a nation-state carried it out.
Will U.S. banks and credit card companies be ready if Iran tries to hack the card numbers of millions of Americans?
The Trump Administration uses sanctions and cyberattacks as its go-to tools against Iran. U.S. officials have admitted twice on background to recent cyberattacks on Iran.
The implication that cyberattacks are somehow a safer response for the United States than kinetic attacks is dangerous. Iran will retaliate, and the cyber defenses of Iran’s likely targets in the United States are uneven. More needs to be done to prepare the American people for Iranian cyber retaliation.
Iran’s peculiar sense of symmetry
When it comes to the United States, Iran follows a peculiar sense of symmetry. When the United States does something to Iran, Iran tends to respond—not exactly the same way, but the symmetry is almost always there.
Thus, the day after the Jan. 2 strike that killed Qasim Soleimani, Iran’s Supreme Leader gave his Supreme National Security Council a written order to “strike America directly and in exact proportion to the attack,” two sources told the New York Times. Other Iranian military leaders made similar statements.
More strategically, starting in May 2018, “maximum pressure” U.S. sanctions reduced Iran’s oil exports, which Iran considers economic warfare. After Iran tried for a year to get Europe to ease the pressure, Iran showed it could reduce U.S. allies’ ability to export oil, first in May and June with attacks on tankers and a Saudi pipeline, then with the Sept. 14 Abqaiq attack that halved Saudi oil exports.
Another symmetry: On July 4, Britain seized an Iranian tanker violating international sanctions. On July 19, Iran seized a British tanker. On Aug. 15, Gibraltar authorities released the Iranian tanker. On Sept. 27, Iran released the British tanker.
Iran’s sense of symmetry is more pronounced in cyberspace. After the “Stuxnet” malware that targeted Iran’s Siemens industrial control systems came to light in June 2010, Iran developed its own cyberattack capability that it used in 2013, three years later.
On July 30, 2012, new U.S. sanctions targeted Iranian banks. Two months later, Iran ramped up denial of service attacks, whose main targets were—U.S. banks.
In August 2012, Iran’s surprise “Shamoon” attack deleted 35,000 hard drives at Saudi Aramco, described as “the biggest hack in history.” What got less publicity is that in early 2012, “Wiper” malware deleted data on Iranian Oil Ministry and National Iranian Oil Company computers.
The symmetry can be positive: When the Iran nuclear deal was in force, Iranian cyberattacks appeared to drop.
When the Trump Administration began its 2018 “maximum pressure” campaign, Iranian cyberattacks increased within 24 hours.
On June 20, after Iranian attacks on civilian tankers, President Trump retaliated by cyberattack. Private U.S. businesses noticed a further increase in Iranian cyberattacks.
What should the U.S. government do about this symmetry? Iran’s nuclear ambitions and its proxy forces create real risks that threaten the security of the United States, Israel, and our allies. Doing nothing is not the answer.
First, we need to better coordinate cyber offense with cyber defense. While Cyber Command and the National Security Agency handle military offense and defense, the FBI, DHS, and—notably—the private sector handle civilian defense. They don’t all go to the same meetings or have access to the same information. Iran, in the past 10 years, has improved its cyber capabilities, reduced its response time, and shown it is capable of strategic surprise. Lack of coordination is especially a problem for the United States because of Iran’s sense of symmetry. Anything our offense does to Iran, Iran is likely to do back.
Second, while most Federal government computers are protected, U.S. civilian cyber defenses are uneven. DHS and the FBI need considerably more resources to work with the private sector.
Third, it’s good that DHS has increased its efforts since Jan. 3 by repeating earlier warnings, issuing new alerts, putting out a new security bulletin, and releasing a Joint Intelligence Bulletin with the FBI. But Congress and the administration need to significantly increase and elevate cyber defense—and to do so in a way that is above politics. Every networked device is part of the front lines of national cyber defense against Russia, China, and Iran. We need an effort comparable to the civil defense effort of the 1950s to educate the public and coordinate federal efforts.
Otherwise, someday, Iran will surprise us.
Thomas Warrick is a Nonresident Senior Fellow at the Atlantic Council. He worked Iraq and Iran issues for the State Department from 1997-2007 and was the Department of Homeland Security’s senior Iran expert from 2007 until June 2019.