Experts are warning that the US should expect more cyberattacks by Iranian hackers in retaliation for the death of General Qasim Soleimani. Maybe they’re right. But let’s not kid ourselves: Iran would be launching lots of cyberattacks anyway.
And the danger of escalation would be ever-present.
So far, despite the warnings, security researchers report that little has yet materialised. But that doesn’t mean nothing major will happen. Iran’s official and semi-official hackers are among the best in the world, and both the US government and private industry are bracing for possible attacks. Crucial sites are much better protected than they were a few years ago, but no protection will ever be perfect.
Infrastructure, always an attractive target, has long been a focus of Iran’s hackers, particularly the group known as APT33 or Refined Kitten. Recent news reports have singled out Refined Kitten’s constant “password-spraying,” the relatively low-tech tactic of flooding infrastructure targets.
Last June, for instance, the US retaliated for Iranian attacks on oil tankers and the downing of a drone by launching cyber assaults against “an Iranian intelligence group” believed to be involved. The US action also followed a spike in efforts by Iranian hackers to breach computer systems at, among others, the Energy Department and US national laboratories.
Previously Iranian hackers have infiltrated the control system of a small dam less than 20 miles from New York City. They attacked a Las Vegas casino owned by Sheldon Adelson. In 2016, the US announced indictments against seven hackers said to be working on behalf of Iran’s Revolutionary Guard who were alleged to have “conducted a coordinated cyberattack on dozens of US banks, causing millions of dollars in lost business.”
No provocation needed
Moreover, Iran never needed any provocation to unleash its hacking squads. In November of 2015, the New York Times reported “a surge in sophisticated computer espionage” by hackers based in the Islamic Republic, including “a series of cyberattacks against State Department officials.” Those attacks came four months after the signing of the Iran nuclear deal.
In the Middle East, for better or worse, the US and Iran are rivals, each seeking to exercise influence in the world’s most volatile region. As every disciple of conflict theory knows, rival powers often find it in their interest to cooperate on particular issues. But the fact that rivals sometimes cooperate — as the US and Iran did, for example, in the battle against Daesh — doesn’t suddenly make them allies. Neither did the nuclear deal.
From the point of view of both countries, a battle in cyberspace feels far safer than one fought out with force of arms. One might suppose that because the US is the dominant online player, a fight in the digital realm would be to its liking. But there are reasons to be wary.
In an important recent essay in The Atlantic, Stanford’s Amy Zegart points to the paradox of US tech dominance: “The United States is simultaneously the most powerful country in cyberspace and the most vulnerable country in cyberspace,” she writes. The more widespread and complex your systems, she argues, the greater the possibilities for a hacker to find a way in: “In the virtual world, power and vulnerability are inextricably linked.”
And exploiting the opponent’s online vulnerabilities is a tricky and dangerous business. Few conflicts stay in the shadows forever. The trouble is, it’s impossible to predict when or how the battle will burst into the open.
Here one is reminded of Nobel laureate Thomas Schelling’s description of “limited war” as being like fighting while in a canoe. “A blow hard enough to hurt,” he wrote in Arms and Influence, “is in some danger of overturning the canoe.” Once both canoes capsize and everybody’s in the water, there’s no way to tell who’ll drown.
So far, the cyber-blows exchanged by Iran and the US haven’t been hard enough to hurt in any deep and profound sense, even during the current atmosphere of crisis. The canoes have stayed afloat. One expert interviewed by the Washington Post suggested that all we’re likely to see is “small-scale interruptions and nuisance activities with limited impact”.
In a word, vandalism. That’s what happened earlier this month, when Iranian hackers successfully defaced the website of the Federal Depository Library Program with a tribute to Soleimani. And if by chance you haven’t heard of the Federal Depository Library Program, that’s the point.
But the fact that the cyber war between the US and Iran has remained in the shadows so far doesn’t mean it always will. No matter who wins the 2020 presidential election, the battle won’t go away.
Neither will the risk of overturning the canoe.
Stephen L. Carter is a professor of law at Yale University. His novels include ‘The Emperor of Ocean Park’.