The growing evidence that Iran was behind a number of recent cyber attacks against Western and Arab institutions has raised concerns in many quarters about how the Islamic Republic may employ its cyberwarfare capabilities in the future. Although there’s no way to be certain, in the short-term Iran’s likely to act with considerable restraint in the cyber realm in keeping with the larger “copycat” strategy it is using to retaliate against adversaries without escalating tensions further. Over the longer-term, however, it stands to reason that Iran will incorporate cyberwarfare into its existing military doctrine.
The recent cyber attacks against American banks and Middle Eastern oil companies are part of Iran’s broader strategy of closely emulating its adversaries’ attacks against the Islamic Republic itself. By replicating its adversaries’ tactics as closely as possible, Iran is able to retaliate against these powers while simultaneously signaling to them that it doesn’t seek to enlarge the conflict.
This “copycat” strategy was first evident in Iran’s assassination attempts against Israeli diplomats and their families in India, Georgia, and (presumably) Thailand in February of this year. In the India and Georgia incidents, Iranian nationals working under the Quds Forces unit of the Iranian Revolutionary Guards Corps (IRGC) attached magnetic bombs to the underbelly of Israeli embassy cars in order to assassinate Tel Aviv’s diplomatic personnel (although in the Georgia case the explosive failed to detonate before being discovered and disarmed.) A similar plot was likely planned for Thailand before Iranian operatives prematurely set off one of the explosives while they were building them in a safe house in Bangkok.Enjoying this article? Click here to subscribe for full access. Just $5 a month.
European intelligence officials were, inexplicitly, aghast by Iran’s audacity, proclaiming, “Until recently it was possible to see why they [Iranian leaders] were doing what they have been doing. Now it has become very unpredictable. It’s very hard to see the logic behind” the February bombings. This statement notwithstanding, the rationale behind these assassination attempts was readily apparent: over the past few years numerous Iranian nuclear scientists have been targeted and killed in the streets of Tehran in attacks that Israel’s intelligence agency, the Mossad, is widely believed to be behind. Notably, the perpetrators of the attacks on the Iranian scientists often targeted their victims by attaching magnetic bombs to the bottom of their automobiles.
Thus, Iran initially went to extreme lengths to ensure its response was exactly proportional to the original attacks, clearly seeking to minimize the risks of escalation. It was only when the Iranian operatives’ incompetence prevented the attacks from succeeding that Tehran switched from these “hard” diplomatic targets to “soft” targets like Israeli tourists and expats in places like Kenya and (via Hezbollah) Bulgaria.
The same dynamics were apparent more recently when Israeli F-16’s shot down a surveillance drone flying in its airspace reportedly seeking to gather intelligence on Israel’s Dimona nuclear site. In contrast to the attacks on the Israeli diplomats and tourists, which Iran claimed were false flag operations orchestrated by its adversaries to frame it, Iran and Hezbollah were surprisingly forthcoming about their involvement in the drone incident.
Hezbollah’s General Secretary, Sheikh Hassan Nasrallah, almost immediately accepted responsibility for flying the drone, going out of his way to point out that, “This drone is not Russian made,this drone was an Iranian made [sic].” Iranian Defense Minister Ahmad Vahidi confirmed this a few days later while another Iranian military official boasted that dozens of prior flights had been conducted without being detected by Israeli defense forces.
Given Israel’s radar and defense capabilities, this statement is almost certainly a fabrication. Although, as the Council on Foreign Relations’ Micah Zenko points out, Hezbollah has long flown surveillance drones over the occupied territories and the peripheral of Israel proper, these missions were closely monitored by Israeli authorities. Indeed, Iran and Hezbollah undoubtedly realized that in this case too its rudimentary unmanned aircraft would be quickly tracked and, given its apparent mission to gather intelligence on Israel’s nuclear site, destroyed by the Israeli Air Force.
Their rationale for conducting the mission was therefore largely symbolic. Specifically, they were mimicking the United States own extensive program to gather intelligence on Iran’s nuclear facilities through drones launched from Afghanistan, which came to light last December when one of the drones malfunctioned over Iranian territory last December. Although Iran likely knew about the U.S. intelligence operation for some time before then, the downing of the drone brought these “secret” missions out into the open. Moreover, a mere two weeks after the incident occurred, U.S Defense Secretary Leon Panetta stated, matter-of-factly, that the surveillance missions would “absolutely” continue. Iran was therefore pressed to respond in kind.
It is in this context that Iran’s alleged cyber attacks against America’s largest banks and Middle Eastern energy companies must be viewed. To begin with, it is widely reported that the U.S. and Israel were behind the various sophisticated computer viruses that have targeted Iran’s nuclear program in recent years. Indeed, it is believed that the IRGC first began organizing a cyber unit for the purpose of carrying out offensive operations in 2009, shortly after Iranian officials discovered the Stuxnet computer virus. As Ilan Berman explained to Congress earlier this year, “For the Iranian regime, however, the conclusion [from Stuxnet] is clear. War with the West, at least on the cyber front, has been joined, and the Iranian regime is mobilizing in response.”
Moreover, the targets of the most recent cyber attacks were hardly picked at random. Instead, they were undoubtedly chosen as a response against the U.S. and EU sanctions that aim to cut off Iran’s oil exports, the revenue from which is the largest source of hard currency for the Iranian regime.
From the Western perspective, one of the biggest impediments to instituting these sanctions was the fear that the loss of Iranian oil from the global market would precipitate a supply shortage and, consequently, a spike in prices. Indeed, the U.S. legislation Congress passed explicitly directed the Obama administration to study the effect the sanctions would have on global oil prices before implementing them. Despite Iranian warnings against doing so, many Arab Gulf oil producers, most notably Saudi Arabia, began increasing their own production in order to offset the loss of Iranian oil. Iran’s cyber attacks against Saudi Arabian and Qatari oil companies were a response to these actions
The massive denial-of-service attacks against U.S. financial industry also fit this pattern. It’s particularly noteworthy that only American banks have thus far been the target of these attacks. Although both the EU and the U.S. sought to drastically curtail Iranian oil exports, their methods of doing so differed. In the case of the European Union, an oil embargo prohibiting its member nations from purchasing Iranian oil was imposed, as were other measures like prohibiting the European maritime insurance companies that dominate the global industry from covering tankers carrying Iranian crude.
By contrast, Washington’s efforts to undermine Iran’s oil sales were complicated by the fact that the U.S. itself was not a consumer of Iranian crude. In light of this, the Washington turned to the U.S. financial sector’s centrality in international commerce to indirectly target Iranian oil sales. Specifically, Washington threatened that any entity conducting business with Iran’s central bank—the mechanism through which Tehran processes most of its oil sales—would be denied access to the U.S. financial sector, thereby crippling its ability to participate in the global economy.
In this situation Iran was unable to respond in kind given that its own financial institutions are of little importance to global trade. It therefore turned to sustained denial-of-service attacks on the websites of many of the largest U.S. banks, which denied these banks’ customers electronic access to their services.
In short, because Iran’s current cyber attacks are part of its “copycat” strategy, it’s likely to act with a healthy degree of self-restraint in the near-term. Especially with upcoming negotiations, whether bilaterally or multilaterally, and the U.S. and Israel in disagreement over “red lines,” Iran will be careful not to provoke Washington and its allies into escalating the conflict— whether kinetically or in cyberspace.
Depending on the potency of its capabilities, however, it’s likely that Iran will increasingly rely on cyberwarfare in the long-term. Indeed, cyberwarfare fits nicely into its existing military doctrine that primarily relies on three capabilities to deter its stronger adversaries: its ability to carry out asymmetric attacks often by acting through surrogates like Hezbollah, its growing ballistic missile arsenal, and its ability to threaten oil shipping in the Strait of Hormuz.
With the exception of its missile arsenal, these capabilities have become “wasting assets” over the past eighteen months. In particular, Iran’s ability to carry out asymmetric attacks will be severely curtailed if Bashar al-Assad’s regime falls in Syria, given that Iran relies heavily on Syrian territory to ferry supplies to Hezbollah in Lebanon. Should it be denied its ability to carry out asymmetric attacks, cyberwarfare would be an attractive replacement given that both share a plausible deniability component that limits the likely retaliation Iran will face from its conventionally superior adversaries.
Zachary Keck is Assistant Editor of The Diplomat. You can find him on Twitter: @ZacharyKeck.