Iran and Cyber Power

Iran has rapidly improved its cyber capabilities. It is still not in the top rank of cyber powers, but it is ahead of most nations in strategy and organization for cyber warfare. Iran has a good appreciation for the utility of cyber as an instrument of national power. Its extensive experience in covert activities helps guide its strategy and operations using cyber as a tool for coercion and force, and it has created a sophisticated organizational structure to manage cyber conflict. This means any attack on the United States will not be accidental but part of a larger strategy of confrontation.
Iran sees cyberattacks as part of the asymmetric military capabilities it needs to confront the United States. Iran’s development of cyber power is a reaction to its vulnerabilities. Iran is the regular target of foreign cyber espionage. Iran and Israel are engaged in a not-always-covert cyber conflict. Stuxnet, a cyberattack on Iranian nuclear weapons facilities, accelerated Iran's own cyber efforts. What Iran’s leaders fear most, however, is their own population and the risk that the internet will unleash something like the Arab Spring. Iranian security forces began to develop their hacking abilities during the 2009 “Green Revolution” to extend domestic surveillance and control. These domestic efforts are the roots of Iran's cyber capabilities.
Iran’s trajectory shows how a medium-sized opponent willing to allocate resources can build cyber power. Three military organizations play leading roles in cyber operations: the Iranian Revolutionary Guard Corps (IRGC), the Basij, and Iran’s “Passive Defense Organization” (NPDO). The IRGC is the perpetrator behind a series of incidents aimed at American targets, Israeli critical infrastructure, Saudi Arabia, and other Gulf States. The Basij, a civilian paramilitary organization controlled by the IRGC, manages what Basij leaders say are 120,000 cyberwar volunteers. The number is probably exaggerated, but the Basij uses its connections with universities and religious schools to recruit a proxy hacker force. The NPDO is responsible for infrastructure protection. To ensure coordination between cyber offense and defense, Supreme Leader Ali Khamenei created a “Supreme Council of Cyberspace” composed of senior military and intelligence officials.
Years of constant engagement with Israel and Saudi Arabia have improved Iran's cyber capabilities, and experience with covert action gives Iran the ability to conceptualize how cyberattacks fit into the larger military picture. The tools used by Iran are usually modified malware from the criminal market that does not have the destructive effect of more advanced cyber "weapons." As an Israeli general put it in 2017, “They are not the state of the art, they are not the strongest superpower in the cyber dimension, but they are getting better and better.”
Iran sees cyberattacks as part of a continuum of conflict. Earlier this year, IRGC Deputy Commander Hossein Salami said, "we are in an atmosphere of a full-blown intelligence war with the US and the front of enemies of the Revolution and the Islamic system . . . This atmosphere is a combination of psychological warfare and cyber operation, military provocations, public diplomacy, and intimidation tactics."
Iran has probed U.S. critical infrastructure for targeting purposes. How successful an attack would be is another matter. The kind of massive denial of service attacks Iran used against major banks in 2011-2013 would be less effective today given improved defenses. The most sophisticated kinds of cyberattack (such as Stuxnet or the Russian actions in the Ukraine) are still beyond Iranian capabilities, but poorly defended targets in the United States (of which there are many) are vulnerable—smaller banks or local power companies, for example, or poorly secured pipeline control systems. What stops Iranian action is not a shortage of targets but rather questions about the utility of such attacks.      
How likely is an attack against the United States? A decision for a cyberattack on the United States will depend on Iranian calculations of the risk of a damaging U.S. response. While the Iranians may appear hotheaded, they are shrewd and calculating in covert action and will consider how to punish the United States without triggering a violent response. If we look at Iranian cyber actions against U.S. targets—the actions against major banks or the more damaging attack on the Sands Casino—Iranian attacks are likely to be retaliatory, intending to make the point that the United States is not invulnerable but without going too far. Attacking major targets in the American homeland would be escalatory, something Iran wishes to avoid. It wants to push back on U.S. presence in the region and demonstrate, to both its own citizens and its Gulf neighbors, that the United States can be challenged. If Iran does act in the United States, crippling a casino makes a point. Blacking out the power grid or destroying a pipeline risks crossing the line. 
What the United States is doing is not deterrence. The new U.S. approach is to engage cyber opponents on their own networks. The genesis of this tactic is the realization that U.S. networks are unavoidably vulnerable. By imposing consequences (ranging from sanctions and indictments to various levels of cyberattack), the United States can change opponents’ calculations of risk and reduce the chances of a serious cyberattack. There is also a sense that having "stood up" Cyber Command, the United States should make use of it, particularly since cyber operations are perceived as not posing the same risk (of either escalation or casualties) as a conventional attack.
Iran is engaged in a delicate game of "chicken," and how the United States reacts will shape the likelihood and scope of cyberattacks. If the United States launches air strikes on Iranian targets or leadership, Iranian cyber action is likely. This shows the need for a finely calculated U.S. response. The "Tanker War" of the 1980s is instructive, even though it predated cyber warfare, as both sides were able to use limited force in a defined space while avoiding a larger conflict, and the steady use of measured force by the United States ultimately led the Iranians to end their attacks on tankers.
How far the United States and Iran can go in cyber operations and how public they can be requires an unavoidable period of trial and error. This is a space for conflict where the rules are unclear, and the risks not yet measured.  
James Andrew Lewis is a senior vice president at the Center for Strategic and International Studies in Washington, D.C.
Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).
© 2019 by the Center for Strategic and International Studies. All rights reserved.

James Andrew Lewis
Senior Vice President; Pritzker Chair; and Director, Strategic Technologies Program