For the overwhelming number of Americans who have little interest in adding a war with Iran to the list of ill-advised, modern U.S. military conflicts, this week brought only confusion about what lies ahead.
On the one hand, leaders from both countries veered from full-throated antagonism to wary rapprochement, like a pair of guys who’d traded punches outside a bar, but then decided they wanted to head home before things got really ugly.
Yet the international brinkmanship that arguably began when President Donald Trump ordered a Jan. 3 airstrike that killed Iranian Maj. Gen. Qassem Soleimani seems unlikely to have reached its end with Iran’s casualty-free missile attack on U.S. bases in Iraq. Bullets and bombs, after all, are just one way of waging war — inelegant, violent, primitive.
Intelligence analysts, cyber security experts, and former U.S. officials worry that Iran’s next retaliatory move will be quieter and more sinister: a devastating cyberattack on U.S. infrastructure, or against private companies whose operations are intertwined with so many people’s daily lives.
It’s not difficult to conjure visions of blackouts, dead phone lines, or the chaos that could spring from a crippling strike on banking systems. Iran has flirted with such activity before; in 2016, the United States indicted seven Iranians who allegedly knocked off-line the computer networks of nearly four dozen financial institutions, and tried to gain control of a dam’s operational system in Westchester County, N.Y.
“Most people are much more concerned about an attack they can see and feel, and can’t relate to this idea of a clandestine war,” said Tom Ridge, the Republican former governor of Pennsylvania, who served as the first U.S. secretary of Homeland Security in the early 2000s.
“But there’s a digital war going on that’s basically undeclared, the potential consequences of which — if it gets out of control — are far greater than a physical attack.”
Ridge knows better than most the challenge of trying to predict a foreign adversary’s next moves. He had to get the newly created Department of Homeland Security off the ground in the first years that followed the attacks of Sept. 11, 2001, a period marked by deep paranoia about additional terrorist plots.
His mornings often started in the White House, where he waited with then-FBI Director Robert Mueller and then-Attorney General John Ashcroft to be ushered into the Oval Office. The three men reviewed, with President George W. Bush, the dozens of daily threats that had been gleaned from intelligence-gathering operations.
“Were we anxious? Yeah. Some of the threats seemed more credible than others,” Ridge said.
“This was 15 years ago. There wasn’t the same concern about terrorists having cyber capabilities. Fast forward, and now everyone has that capability: nation states, hackers, terrorists.”
In 2009, a U.S. intelligence assessment concluded that Iran had the motivation to carry out a cyberattack of some kind, but lacked the necessary know-how, according to the New York Times. Three years later, Iran was accused of launching a cyberattack against Saudi Aramco, one of the world’s largest oil companies, that wiped out 75% of the data on Aramco’s computers.
“We really gained an understanding of how their activities evolved from their activity in the Gulf region,” said Luke McNamara, a principal analyst with FireEye, a California-based cybersecurity firm. “We’ve seen them grow in their capability over the years.”
Between 2011 and 2013, Iran directed denial-of-service attacks at 46 companies, including American Express, JPMorgan Chase, Wells Fargo, and AT&T. Customers were unable to access their accounts, sometimes for hours at a time.
“I just take it as a foregone conclusion that our enemies know the most vulnerable sectors of our economy,” Ridge said, “where they can do enormous damage.”
Global Guardian, an international security and intelligence firm, produced a report for some of its clients in the wake of Soleimani’s death, summarizing some of Iran’s cyber capabilities and methods. The three-page document was filled with sobering information, according to a copy obtained by The Inquirer.
Previous cyberattacks have left Iran with access to millions of computers around the world, Global Guardian found, and the country relies on at least four distinct espionage groups — with names like CopyKittens and APT33 — that each have areas of specific focus, from telecommunication and travel industries to countries that include the United States, Turkey, Germany. and Jordan. One group, Charming Kitten, tries to access email and Facebook accounts of people who work in academia, human rights, and the media.
Last weekend, a government website — the Federal Depository Library Program — was hacked, its home page replaced with an image of a fist clobbering Trump in the face, with blood trickling down to his chin. “Hacked by Iran Cyber Security Group!” read part of a message posted on the site.
Global Guardian wrote in its report that it would take seven to 10 days “before we begin seeing more sophisticated cyber activity.”
But Dale Buckner, the company’s president and CEO, noted that Iran might not want to take credit for a more serious strike that could invite a heavy military response from the United States. “They can utilize their proxies throughout the world, which could make it really difficult to attribute an attack to Iran,” he said.
Buckner wasn’t swayed by the more cautious tone that both U.S. and Iranian officials seemed to adopt after Iran’s missile attacks on U.S. bases in Iraq.
“I don’t think that changes the calculus on a cyberattack,” he said. “I don’t think they’ll miss a beat on that.”
While the odds seem heavily weighted in favor of Iran pursuing something more serious than digital graffiti on one government website, none of the experts who spoke to The Inquirer seemed ready to stuff their savings under their mattresses or begin hoarding firewood and water bottles.
This is simply the new normal — governments and corporations can always expect that someone will be digitally casing their operations, poking and prodding for hidden vulnerabilities that can be exploited at just the right moment.
Buckner said the United States had, for a time, lagged behind in its defense of critical infrastructure, like electrical grids, but has “surged in the amount of time, money, and effort dedicated to locking those things down during the last seven or eight years.”
Ridge noted that Homeland Security had only a handful of cyber defense experts during his time leading the agency. “Now they have hundreds.”
According to retired U.S. Gen. David Petraeus, the chief question is whether the United States will be moved to “respond with direct attacks on Iranian forces and infrastructure, at a time when the Iranian economy is already seriously damaged by sanctions, and when the Iranian people have already been demonstrating against the regime in very considerable numbers.”
The United States will undoubtedly continue its own covert activity, which has found varying degrees of success in recent years. In 2010, a malware attack led by the United States and Israel reportedly caused nearly 1,000 centrifuges in an Iranian nuclear facility to self-destruct. Iran responded by beefing up its cyber capabilities even more.