Does the Islamic Republic of Iran pose a cyber threat to the United States? On the surface, the idea seems far-fetched. Squeezed by sanctions over its nuclear ambitions, suffering from widespread social malaise and weathering unprecedented divisions among its leadership, Iran hardly seems an imminent threat to the U.S. homeland - even if it does pose a vexing challenge to American interests in the greater Middle East.
Yet mounting indicators suggest that Iran's leadership is actively contemplating cyberwarfare against America and its allies.
In August, Iran's Ministry of Information and Communications Technology announced that it was standing up an official cyber command. According to Information Minister Reza Taghipour, the new government entity will be tasked with preventing "cyber malwares … and many other forms of state terrorism" being directed at the Islamic Republic.
That is an obvious reference to Stuxnet, the malicious software that targeted Iran's nuclear infrastructure between the summer of 2009 and the fall of 2010. By all accounts, the damage it inflicted was considerable; according to the Washington-based Institute for Science and International Security, Stuxnet was responsible for taking offline as many as 1,000 of the 9,000 centrifuges then operating in Iran's nuclear facilities.
The regime's uranium enrichment effort suffered notable - albeit temporary - delays as a result.
Publicly, the origins of Stuxnet are still an open question. Israel has steadfastly denied any role in the authorship of the malware, despite widespread speculation to the contrary. The United States, too, has stayed mum on the subject, although suspicions abound that the CIA played at least some part in putting together and deploying the cyber worm.
In Iran, however, the verdict is already in: War with the West, at least on the cyber front, has been joined. And the Iranian regime is mobilizing in response.
To this end, part of the mission of Iran's new cyber command, Taghipour has made clear, will be to implement "retaliatory measures" against a host of nations the Iranian government deems hostile. Most directly this means Israel, which Tehran has accused of "unmatched cyber terrorism" around the world, and which itself recently deployed a military cyber division as part of Prime Minister Benjamin Netanyahu's quest to transform that country into a "global cyber superpower."
Increasingly, however, Iran seems to be thinking about America as a potential target as well. In late July, Kayhan, a hardline newspaper affiliated with the country's clerical army, the Iranian Revolutionary Guard Corps, issued a not-so-subtle warning to the United States when it wrote in an editorial that America, which once saw cyberwarfare as its "exclusive capability," had severely underestimated the resilience of the Islamic Republic.
The United States, the paper suggested, now needs to worry about "an unknown player somewhere in the world" attacking "a section of its critical infrastructure."
Infrastructure protection specialists have begun to take notice. As one concerned professional from a major energy utility put it, Iran's "chatter is increasing, the targeting more explicit, and more publicly disseminated." Industry is now increasingly looking to Washington for guidance on what threats it can expect from Iran and how it can best prepare.
So far, the answer has been far from reassuring. Over the past two years, the Obama administration has spent a great deal of time thinking about cybersecurity. But the administration's International Strategy for Cyberspace, released in May, places little emphasis on deterrence and retaliation in response to cyber attacks on the United States or its interests. (The Pentagon's own policy doctrine is similarly vague as to whether such events would be treated as acts of war, or merely as intrusions warranting a defensive response.)
Meanwhile, efforts to strengthen safeguards for the nation's critical infrastructure, although discussed at length by the administration, have made only modest headway.
All of which makes America an inviting target. When news of Stuxnet broke into the public sphere last fall, more than a few observers cheered what they saw as a potential quick fix to the nagging problem of Iran's nuclear ambitions.
Homeland security professionals, however, were considerably less sanguine. As Melissa Hathaway, a former U.S. national cybersecurity coordinator, opined at the time, Stuxnet represents a qualitatively new kind of warfare, "and no country is prepared to deal with it."
Nearly a year later, we still are not. And while Iran isn't necessarily planning an unprovoked digital offensive against the United States, its leaders are clearly thinking about cyberwarfare in connection with their country's deepening standoff with the West. Prudence dictates that we should be, too.