Security professionals in both the U.S. government and private industry have long feared the prospect of a cyberwar with China or Russia, two states capable of launching destructive attacks on the computer networks that control critical assets such as the power grid or the financial system.
Now they face a new cyberthreat: Iran.
"[The Iranians] have all the resources and the capabilities necessary to be a major player in terms of cyberwarfare," says Jeffrey Carr, an expert on cyberconflict who has consulted for the U.S. Department of Defense.
Iran still lags behind China and Russia in its cyber expertise, but unlike those countries, it is locked in conflict with the U.S. over its nuclear program, and the prospect of hostilities is far more conceivable. Sanctions imposed on Iran by the U.S. and its allies are so severe as to constitute a form of economic warfare, and Israeli leaders have suggested that military action may yet be necessary to keep Iran from developing nuclear weapons.
Under the circumstances, could the Iranians be tempted to consider a cyberattack on the U.S.?
"There is a great deal of worry in terms of what they may be able to do if they're pushed to the brink," says cybersecurity researcher Dmitri Alperovitch. "If they believe the regime is threatened, if they believe they're about to be attacked, [they may consider] how can they employ cyberweapons, either to deter that attack or to retaliate in a way they can't do militarily."
'Dramatically Increased' Capabilities
In congressional testimony earlier this year, the director of national intelligence, James Clapper, said Iran is now "more willing to conduct an attack in the United States," and he noted that the country's cyber capabilities have "dramatically increased in recent years."
Iranian authorities, for example, have shown an impressive ability to monitor dissidents' online communications. They have organized an "Iranian Cyber Army" and made use of pro-government hackers. Those groups have managed to shut down Twitter, block websites and carry out sophisticated cyberattacks inside Iran.
"If the Iranian hackers have demonstrated a better-than-average capability, then it's only common sense to assume that the Iranian government is at least as good and probably better," says Carr, author of Inside Cyber Warfare. "They certainly have the money, they have the desire, and they have access to some of the best schools around the world to train their engineers."
The big fear in the U.S. is that a cyberattacker could penetrate a computer system that controls a critical asset like the power grid and shut it down. Such an effort is probably beyond the capability of Iranian actors right now, according to cybersecurity experts. But a less ambitious approach would be to hack into the U.S. banking systems and modify the financial data. Alperovitch, whose new company CrowdStrike focuses on cyberthreats from nation-states, says such an attack is well within Iran's current capability.
"If you can get into those systems and modify those records, you can cause dramatic havoc that can be very long lasting," he says.
Risks Of A Cyberattack
If Iran were caught in such a caper, however, it could soon find itself in a cyberwar with the U.S. military, which has its own fearsome computer weapons. The prospect of losing such a conflict may well discourage Iran from launching a direct cyberattack on the United States.
"Like most nation-states, [Iran] may want to develop a cyber capability for the same reason it would want a nuclear capability — as a shield," says retired Marine Gen. James Cartwright, the former vice chairman of the Joint Chiefs of Staff.
But having a cyber arsenal mainly for deterrent purposes would not necessarily preclude Iran from sharing those weapons with groups less hesitant to use them.
"A country could take an offensive capability and easily hand it to somebody that has the intent to use it as a sword rather than a shield," Cartwright says. "That's what people worry about, both in cyber and in nuclear. In cyber, it's much easier. [They could say,] 'I'll just email it to you. I know you don't like the Americans. Here's a tool.' "
One obvious candidate for such a transfer is Hezbollah, the Lebanon-based Islamist group that has conducted operations around the world. Hezbollah operatives have already used cyber tools to identify informants within their ranks and launch attacks against Israeli targets.
"Iran has a long history of demonstrated readiness to employ proxies for terrorist purposes," according to Frank Cilluffo, director of the Homeland Security Policy Institute at George Washington University. "There is little, if any, reason to think that Iran would hesitate to engage proxies to conduct cyber strikes against perceived adversaries."
Cilluffo's comments are in testimony prepared for a House hearing to be held Thursday by two Homeland Security subcommittees.
"We know that [the Iranians] will do something if they feel cornered," says Rep. Patrick Meehan, R-Pa., chairman of the subcommittee on counterterrorism and intelligence. "We know they have a capacity, and I think it's realistic to try to assess the scope of that."
U.S. intelligence officials declined to comment further on Iranian cyber capabilities, though they acknowledge the threat in general terms.
"There are a number of countries developing their offensive cyber capabilities," says John Brennan, the White House counterterrorism adviser, "and there are countries where there are tensions with the United States. We are mindful of that. [For] a country that has both the capability and intent [to use cyberweapons], there is a requirement that we do everything possible to prevent such an attack from taking place."
STEVE INSKEEP, HOST:
It's MORNING EDITION from NPR News. I'm Steve Inskeep.
RENEE MONTAGNE, HOST:
And I'm Renee Montagne.
We live in a networked world. Our banking, transportation, power, and water systems all depend on computer operations. An attack on the U.S. in cyberspace could bring a halt to normal life here.
INSKEEP: So far, the countries with the greatest cyber capabilities, China and Russia, have little reason to hurt us this way. But soon there may be another country to worry about.
MONTAGNE: NPR's Tom Gjelten reports on the cyber threat from Iran.
TOM GJELTEN, BYLINE: The United States and its allies have brought tremendous pressure on Iran to give up any thought of developing a nuclear weapon. Israel says military action may be needed to destroy Iranian nuclear facilities. If that happens, the Iranians may want to retaliate. They could sponsor terrorist attacks. Or they could go to their computers and wage a cyberwar.
Security expert Dmitri Alperovitch says the Iranians' capabilities should not be underestimated.
DMITRI ALPEROVITCH: There is a great deal of worry in terms of what they may be able to do if they're pushed to the brink. And certainly if they believe the regime is threatened, if they believe they're about to be attacked, how can they employ cyber weapons to either to deter that attack or to retaliate in a way that they can't do militarily?
GJELTEN: Iran until now has not been considered a big threat in the cyber domain. But that is changing, says consultant Jeffrey Carr.
JEFFREY CARR: They have all the resources and the capabilities necessary to be a major player in terms of cyber warfare.
GJELTEN: In testimony early this year, the director of National Intelligence, James Clapper, said Iran's cyber capabilities have dramatically increased in recent years. Iranian authorities, for example, have organized a cyber army and made use of so-called patriotic hackers to suppress dissident communications, shut down Twitter, and block websites.
Jeffrey Carr, author of "Inside Cyber Warfare," says these are not easy things to do.
CARR: If the Iranian hackers have demonstrated, you know, a better than average capability, then it's only common sense to assume that the Iranian government is at least as good and probably better. They certainly have the money. They have the desire. And they have access to some of the best schools around the world to train their engineers.
GJELTEN: The big fear in the U.S. is that a cyber attacker could penetrate the computer system that controls a critical asset like the power grid and shut it down. If Iran were caught doing that, it could find itself in a cyber war with the U.S. military. That would probably be a losing proposition.
But there is an alternative. Retired Marine General James Cartwright, the former vice chairman of the Joint Chiefs of Staff, thinks Iran could share its cyber weapons with a group more willing to use them and less vulnerable to counterattack.
GENERAL JAMES CARTWRIGHT: A country could take an offensive capability and easily hand it to somebody that has the intent to use it as a sword rather than a shield. OK? That's what people worry about, both in cyber and nuclear. In cyber it's much easier. I mean I'll just, you know, email it to you, whatever, and say, OK, hey, I know you don't like the Americans, here's a tool.
GJELTEN: The obvious candidate is Hezbollah, the Islamist group that has conducted operations around the world, often in support of Iran. U.S. officials say Hezbollah has shown interest in developing its own cyber arsenal.
On Capitol Hill today, a Homeland Security subcommittee will hear testimony on the Iranians' potential to sponsor cyber attacks against the U.S. homeland. Representative Patrick Meehan of Pennsylvania is the chairman.
REPRESENTATIVE PATRICK MEEHAN: We know that they will do something if they feel cornered. We know they have a capacity. And I think it's realistic to try to be assessing the scope of that.
GJELTEN: U.S. intelligence officials decline additional comment on the Iranian cyber threat. John Brennan, the White House counterterrorism adviser, says only that when a country has both the capability and intent to launch a cyber attack against the United States, everything possible must be done to prevent that attack from taking place.
Tom Gjelten, NPR News, Washington. Transcript provided by NPR, Copyright NPR.