Security professionals both in the U.S. government and in private industry have long feared the prospect of a cyberwar with China or Russia, two states capable of launching destructive attacks on the computer networks that control critical assets such as the power grid or the financial system.
Now they face a new cyberthreat: Iran.
"[The Iranians] have all the resources and the capabilities necessary to be a major player in terms of cyberwarfare," says Jeffrey Carr, an expert on cyberconflict who has consulted for the U.S. Department of Defense.
Iran still lags behind China and Russia in its cyber expertise, but unlike those countries, it is locked in conflict with the U.S. over its nuclear program, and the prospect of hostilities is far more conceivable. Sanctions imposed on Iran by the U.S. and its allies are so severe as to constitute a form of economic warfare, and Israeli leaders have suggested that military action may yet be necessary to keep Iran from developing nuclear weapons.
Under the circumstances, could the Iranians be tempted to consider a cyberattack on the U.S.?
"There is a great deal of worry in terms of what they may be able to do if they're pushed to the brink," says cybersecurity researcher Dmitri Alperovitch. "If they believe the regime is threatened, if they believe they're about to be attacked, [they may consider] how can they employ cyberweapons, either to deter that attack or to retaliate in a way they can't do militarily."
'Dramatically Increased' Capabilities
In congressional testimony earlier this year, the director of national intelligence, James Clapper, said Iran is now "more willing to conduct an attack in the United States," and he noted that the country's cyber capabilities have "dramatically increased in recent years."
Iranian authorities, for example, have shown an impressive ability to monitor dissidents' online communications. They have organized an "Iranian Cyber Army" and made use of pro-government hackers. Those groups have managed to shut down Twitter, block websites and carry out sophisticated cyberattacks inside Iran.
"If the Iranian hackers have demonstrated a better-than-average capability, then it's only common sense to assume that the Iranian government is at least as good and probably better," says Carr, author of Inside Cyber Warfare. "They certainly have the money, they have the desire, and they have access to some of the best schools around the world to train their engineers."
The big fear in the U.S. is that a cyberattacker could penetrate a computer system that controls a critical asset like the power grid and shut it down. Such an effort is probably beyond the capability of Iranian actors right now, according to cybersecurity experts. But a less ambitious approach would be to hack into the U.S. banking systems and modify the financial data. Alperovitch, whose new company CrowdStrike focuses on cyberthreats from nation-states, says such an attack is well within Iran's current capability.
"If you can get into those systems and modify those records, you can cause dramatic havoc that can be very long lasting," he says.
Risks Of A Cyberattack
If Iran were caught in such a caper, however, it could soon find itself in a cyberwar with the U.S. military, which has its own fearsome computer weapons. The prospect of losing such a conflict may well discourage Iran from launching a direct cyberattack on the United States.
"Like most nation-states, [Iran] may want to develop a cyber capability for the same reason it would want a nuclear capability — as a shield," says retired Marine Gen. James Cartwright, the former vice chairman of the Joint Chiefs of Staff.
But having a cyber arsenal mainly for deterrent purposes would not necessarily preclude Iran from sharing those weapons with groups less hesitant to use them.
"A country could take an offensive capability and easily hand it to somebody that has the intent to use it as a sword rather than a shield," Cartwright says. "That's what people worry about, both in cyber and in nuclear. In cyber, it's much easier. [They could say,] 'I'll just email it to you. I know you don't like the Americans. Here's a tool.' "
One obvious candidate for such a transfer is Hezbollah, the Lebanon-based Islamist group that has conducted operations around the world. Hezbollah operatives have already used cyber tools to identify informants within their ranks and launch attacks against Israeli targets.
"Iran has a long history of demonstrated readiness to employ proxies for terrorist purposes," according to Frank Cilluffo, director of the Homeland Security Policy Institute at George Washington University. "There is little, if any, reason to think that Iran would hesitate to engage proxies to conduct cyber strikes against perceived adversaries."
Cilluffo's comments are in testimony prepared for a House hearing to be held Thursday by two Homeland Security subcommittees.
"We know that [the Iranians] will do something if they feel cornered," says Rep. Patrick Meehan, R-Pa., chairman of the subcommittee on counterterrorism and intelligence. "We know they have a capacity, and I think it's realistic to try to assess the scope of that."
U.S. intelligence officials declined to comment further on Iranian cyber capabilities, though they acknowledge the threat in general terms.
"There are a number of countries developing their offensive cyber capabilities," says John Brennan, the White House counterterrorism adviser, "and there are countries where there are tensions with the United States. We are mindful of that. [For] a country that has both the capability and intent [to use cyberweapons], there is a requirement that we do everything possible to prevent such an attack from taking place."