Since taking office in 2009, the Obama administration has made cybersecurity a major area of policy focus. The past year in particular has seen a dramatic expansion of governmental awareness of cyberspace as a new domain of conflict. In practice, however, this attention is still uneven. To date, it has focused largely on network protection and resiliency (particularly in the military arena) and on the threat potential of countries such as China and Russia. Awareness of what is perhaps the most urgent cybermenace to the U.S. homeland has lagged behind the times.
That threat comes from the Islamic Republic of Iran. Conventional wisdom suggests that the Iranian regime - increasingly isolated as a result of mounting international sanctions and facing growing socioeconomic malaise - isn't an immediate danger to America in the cyberrealm. But those same factors have dramatically increased the potential for conflict in that domain between Washington and Tehran.
So has Iran's expanding exploitation of cyberspace, which is driven by two principal strategies.
The first is domestic repression. In his March 2012 Nowruz message to the Iranian people, President Obama alluded to the growing efforts of the Iranian regime to isolate its population from the outside world when he noted that an "electronic curtain has fallen around Iran." That digital barrier has grown exponentially over the past three years and now includes the construction of a new national Internet, which will effectively sever Iran's connection to the World Wide Web; the installation of a sophisticated Chinese-origin surveillance system for monitoring phone, mobile and Internet communications; restrictive governmental guidelines forcing Internet cafes to record the personal information of customers and keep video logs of all customers accessing the Web; and movement toward the formation of a new government agency responsible for the "constant and comprehensive monitoring over the domestic and international cyberspace."
The second is the quiet conflict already under way with the West over Iran's nuclear ambitions. Since the fall of 2009, Iran has suffered a series of sustained cyberattacks on its nuclear program. The best known of these is Stuxnet, the computer worm that attacked the industrial control systems at several Iranian nuclear installations between 2009 and 2010. But at least two other cyberattacks aimed at derailing Iran's nuclear development have targeted the Islamic republic as well. And while the origins of those intrusions are still hotly debated in the West, Iranian authorities already are convinced that conflict is under way - and are mobilizing in response.
Thus, in recent months, Iran has launched an ambitious $1 billion governmental program to boost its national cybercapabilities. That effort reportedly includes the acquisition of new technologies, major investments in cyberdefense and the creation of a new cadre of cyber experts. The Iranian regime also has activated a "cyberarmy" of activists that, while nominally independent, has carried out a series of attacks on sites and entities out of favor with the Iranian regime, including the social networking site Twitter, the Chinese search engine Baidu and the websites of Iranian reformist elements.
Moreover, Iran increasingly appears to be moving from defense to offense in the way it thinks about cyberspace. In his testimony to the Senate Select Committee on Intelligence in January, Director of National Intelligence James R. Clapper noted that Iran's cybercapabilities "have dramatically increased in recent years in depth and complexity." More and more, they also appear to be directed against the United States.
Analysts have warned that should the standoff over Iran's nuclear program precipitate a military conflict, Iran "might try to retaliate by attacking U.S. infrastructure such as the power grid, trains, airlines, refineries." And the Iranian regime appears to be contemplating just such an asymmetric course of action. Last July, Iran's hard-line Kayhan newspaper issued a thinly veiled threat to the United States that it could soon face attack against "a section of its critical infrastructure." In keeping with this warning, infrastructure professionals have noted growing Iranian interest in the U.S. electrical sector and other segments of our national grid. The Islamic republic, in other words, has begun to seriously contemplate cyberwarfare as a potential avenue of action against the West.
Iran has significant capacity in this sphere. A 2008 assessment by the policy institute Defense Tech identified the Islamic republic as one of five countries with significant nation-state cyberwarfare potential. Similarly, in his 2010 book "CyberWar," former National Security Council official and noted cybersecurity expert Richard A. Clarke ranked Iran close behind the People's Republic of China in terms of its potential for "cyberoffense."
Does this mean Iran will target the United States? It is certainly not out of the question that the Iranian regime could attempt an unprovoked cyberattack on the United States. As the foiled October 2011 Iranian plot to assassinate Saudi Arabia's ambassador to the United States in the nation's capital indicates, Iran has grown significantly bolder in its foreign policy and no longer can be relied upon to refrain from direct action in or against the U.S. homeland.
Far more likely, however, is a cyberwarfare incident related to Iran's nuclear program. In coming months, a range of scenarios - from a renewed diplomatic impasse to a further strengthening of economic sanctions to the use of military force against Iranian nuclear facilities - hold the potential to trigger an asymmetric retaliation from the Iranian regime aimed at vital U.S. infrastructure, with potentially devastating effects.
At the very least, it is clear that policymakers in Tehran are actively contemplating such an eventuality. Their counterparts in Washington should be doing so as well.