The Iranian Cyber Threat To The U.S. Homeland
by Ilan Berman
Congressman Lungren, Congressman Meehan, distinguished members of the Subcommittees:
Thank you for the opportunity to appear before you today to address the cyber warfare capabilities of the Islamic Republic of Iran, and the threat that they pose to the U.S. homeland.
Conventional wisdom suggests that the Iranian regime, now being squeezed significantly by sanctions from the United States and Europe and grappling with significant domestic socio-economic malaise, is far from an imminent threat to the American homeland (even if it does present a vexing foreign policy challenge for the U.S. and its allies). Yet, over the past three years, the Iranian regime has invested heavily in both defensive and offensive capabilities in cyberspace. Equally significant, its leaders now increasingly appear to view cyber warfare as a potential avenue of action against the United States.
IRANIAN CAPABILITIES IN GEOPOLITICAL CONTEXT
Iran's expanding exploitation of cyberspace can be attributed to two principal geopolitical drivers.
The first is the Iranian regime's effort to counter Western influence and prevent the emergence of a "soft revolution" within its borders. In his March 2012 Nowruz message to the Iranian people, President Obama alluded to the growing efforts of the Iranian regime to isolate its population from the outside world when he noted that an "electronic curtain has fallen around Iran." That digital barrier has grown exponentially over the past three years, as Iran's leadership has sought to quell domestic dissent and curtail the ability of its opponents to organize.
The proximate cause of this effort was the fraudulent June 2009 reelection of Mahmoud Ahmadinejad to the Iranian presidency, which catalyzed a groundswell of domestic opposition that became known colloquially as the "Green Movement." In the months that followed, Iran's various opposition elements relied extensively on the Internet and social networking tools to organize their efforts, communicate their messages to the outside world, and rally public opinion to their side. In turn, the Iranian regime utilized information and communication technologies extensively in its suppression of the protests—and thereafter has invested heavily in capabilities aimed at controlling the Internet and restricting the ability of Iranians to access the World-Wide Web.
This focus has only been reinforced by recent revolutionary fervor throughout the Middle East and North Africa. For while Iranian authorities have sought to depict the so-called "Arab Spring" as both the start of an Islamic awakening and an affirmation of their regime's worldview, the anti-regime sentiment prevalent in the region actually represents a mortal threat to their corrupt, unrepresentative regime. As a result, the past year has seen a quickening of the regime's long-running campaign against "Western influence" within the Islamic Republic. These efforts include:
The second geopolitical driver of Iran's interest in cyberspace relates to the expanding conflict with the West over its nuclear ambitions. Since the Fall of 2009, Iran has suffered a series of sustained cyber attacks on its nuclear program. The most well-known of these is Stuxnet, the malicious computer worm that attacked the industrial control systems at several Iranian nuclear installations, including the uranium enrichment facility at Natanz, between late 2009 and late 2010. At the height of its effectiveness, Stuxnet is estimated to have taken ten percent or more of Iran's 9,000 then-operational centrifuges offline.
Stuxnet has been followed by at least two other cyber attacks aimed at derailing Iran's nuclear development. "Stars," a software script targeting execution files, was uncovered by the Iranian regime in April 2011. Subsequently, "Duqu," a malware similar to Stuxnet and aimed at gaining remote access to Iran's nuclear systems, was identified in October/November 2011.
Publicly, the origins of these intrusions are still an open question. Israel has steadfastly denied any role in the authorship of Stuxnet or other cyber attacks, despite widespread speculation to the contrary. The United States, too, has remained silent on the subject, although suspicions abound that the CIA played at least some part in putting together and deploying Stuxnet (and perhaps other malware as well).
For the Iranian regime, however, the conclusion is clear. War with the West, at least on the cyber front, has been joined, and the Iranian regime is mobilizing in response. In recent months, it reportedly has launched an ambitious $1 billion governmental program to boost national cyber capabilities—an effort that involves acquisition of new technologies, investments in cyber defense, and the creation of a new cadre of cyber experts. It has also activated a "cyber army" of activists which, while nominally independent, has carried out a series of attacks on sites and entities out of favor with the Iranian regime, including social networking site Twitter, Chinese search engine Baidu, and the websites of Iranian reformist elements.
CYBERWAR AND IRANIAN STRATEGY
In his testimony to the Senate Select Committee on Intelligence this past January, General James Clapper, the Director of National Intelligence, alluded to what amounts to a seismic shift in Iranian strategy. In response to growing economic sanctions and mounting pressure from the United States and its allies, he noted, "Iranian officials—probably including Supreme Leader Ali Khamenei—have changed their calculus and are now willing to conduct an attack in the United States."
Gen. Clapper was referring, most directly, to the foiled October 2011 plot by Iran's Revolutionary Guards to assassinate Saudi Arabia's envoy to the U.S. in Washington, DC. But, as the international crisis over Iran's nuclear ambitions continues to deepen, Iran's cyber capabilities should be a matter of significant concern as well. Experts have warned that, should the standoff over Iran's nuclear program precipitate a military conflict, Iran "might try to retaliate by attacking U.S. infrastructure such as the power grid, trains, airlines, refineries."
The Iranian regime appears to be contemplating just such an asymmetric course of action. In late July 2011, for example, Kayhan, a hardline newspaper affiliated with Iran's Revolutionary Guards, issued a thinly-veiled warning to the United States when it wrote in an editorial that America, which once saw cyberwarfare as its "exclusive capability," had severely underestimated the resilience of the Islamic Republic. The United States, the paper suggested, now needs to worry about "an unknown player somewhere in the world" attacking "a section of its critical infrastructure."
In keeping with this warning, over the past year infrastructure professionals in the United States have noted that Iran's "chatter is increasing, the targeting more explicit, and more publicly disseminated." The Islamic Republic, in other words, increasingly has begun to seriously contemplate cyberwarfare as a potential avenue of action against the West.
Iran has significant capacity in this sphere. A 2008 assessment by the policy institute Defense Tech identified the Islamic Republic as one of five countries with significant nation-state cyberwarfare potential. Similarly, in his 2010 book Cyber War, former National Security Council official Richard Clarke ranks Iran close behind the People's Republic of China in terms of its potential for "cyber-offense." These capabilities, moreover, are growing. In his January 2012 Senate testimony, General Clapper alluded to the fact that Iran's cyber capabilities "have dramatically increased in recent years in depth and complexity."
PREPARING FOR CYBERWAR WITH IRAN
Where does the United States stand with regard to a response? The Obama administration has made cybersecurity a major area of policy focus since taking office in 2009, and the past year in particular has seen a dramatic expansion of governmental awareness of cyberspace as a new domain of conflict. But this attention remains uneven, focused largely on network protection and resiliency (particularly in the military arena), and on the threat capabilities of the People's Republic of China and, to a lesser extent, of the Russian Federation. Serious institutional awareness of, and response to, Iran's cyberwarfare potential has lagged behind the times.
Indeed, personal conversations with a range of experts inside and outside of government reveal a troubling lack of clarity about the Iranian cyber threat—and the absence of serious planning to counter it. While some parts of the federal bureaucracy (namely U.S. Strategic Command and the State Department's Nonproliferation Bureau) have begun to pay attention to Iran's threat potential in the cyber realm, as yet there exists no individual or office tasked with comprehensively addressing the Iranian cyberwarfare threat. The U.S. government, in other words, has not yet even begun to get ready for cyberwar with Iran.
It should. After all, it is not out of the question that the Iranian regime could attempt an unprovoked cyber attack on the United States. As the foiled October 2011 plot against Saudi Arabia's ambassador to the United States indicates, Iran has grown significantly bolder in its foreign policy, and no longer can be relied upon to refrain from direct action in or against the U.S. homeland. Far more likely, however, is a cyberwarfare incident related to Iran's nuclear program. In coming months, a range of scenarios—from a renewed diplomatic impasse to a further strengthening of economic sanctions to the use of military force against Iranian nuclear facilities—hold the potential to trigger an asymmetric retaliation from the Iranian regime aimed at vital U.S. infrastructure, with potentially devastating effects.
At the very least, it is clear that policymakers in Tehran are actively contemplating such an eventuality. Prudence dictates that their counterparts in Washington should be doing so as well.