With the United States pulling out of the Iranian nuclear deal, the cybersecurity teams at companies large and small are bracing for a renewed round of attacks. Iran should think twice before restarting its campaign of disruptive and destructive attacks against U.S. companies.
From 2011 through 2013, the Iranians engaged in a low-level cyber conflict with the United States. Iranian proxies carried out a sustained campaign of distributed denial-of-service attacks against the U.S. banking system. Working on a predictable schedule during U.S. business hours on Tuesdays and Thursdays, Iranian actors targeted JP Morgan, Bank of America and others with hundreds of gigabytes of traffic intended to block legitimate user access to banking websites.
While the banks demanded action, the Obama administration was inclined neither to loosen the sanctions regime so carefully constructed with allies nor to disrupt then-secret negotiations with the Iranians that would lead to the now-canceled nuclear deal. With the administration's eyes on the prize, the message to the banks was clear: deal with it. As the attacks were ongoing, the Obama administration did not acknowledge that Iran was behind the attacks or authorize U.S. Cyber Command to counter the threat.
Only after the ink was dry on the deal did the Justice Department indict the attackers behind the campaign. In doing so, the U.S. government admitted that the attacks had cost the banking industry tens of millions of dollars, and that it had collected sufficient intelligence on the attackers to know who they were and therefore to disrupt their activities.
With no clear policy objective and with John Bolton running the National Security Council at the White House, it is unlikely that the Trump administration will demur in the face of further Iranian provocations in cyberspace. Pulling out of the Iran deal is not a strategic move with a different outcome in mind; it is policy nihilism.
For its part, the Trump administration should recognize that a positive outcome in a tit-for-tat cyber conflict with Iran is far from certain. Few would suggest that Iran’s offensive cyber capabilities are on par with Cyber Command, but they are not insignificant. Beyond the disruptive attacks on the banks, Iran has carried out destructive attacks targeting Saudi Aramco and RasGas, a natural gas company in Qatar, and the casino magnate Sheldon Adelson. Indictments unsealed by the Justice Department in March detailed a multi-year sustained global campaign of economic espionage.
Cyber Command could no doubt inflict harm on Iranian interests with cyberattacks. Yet, because Iran is less technologically dependent on the internet than advanced economies, there is not a rich target set for Cyber Command to go after. Contrast that with the United States, where the kind of destructive malware attack carried out by Iran against Saudi Arabia and Qatar would find plenty of targets, most of which would be poorly defended.
Without the ability to respond in kind, the prospect that a flood of Iranian packets sent over the internet will be answered with a barrage of U.S. cruise missiles is all too real. President Trump may genuinely be interested in a new and different deal that simply does not have his predecessor’s fingers all over it. But the Iran hawks in his inner circle are looking for an excuse to escalate conflict. Iran’s leadership should avoid giving them what they want.