The international agreement reached last week on Iran’s nuclear program may stall the country’s aspirations to build The Bomb. But U.S. officials and cyber security experts aren’t betting that Iran will give up its pursuit of another strategic arsenal: cyber weapons, which the country has been rapidly acquiring and using against U.S. targets.
And the American cyber espionage campaign against Iran? The experts and officials expect that to continue, as well.
Last week, as the Obama administration prepared its latest offer to lift some economic sanctions on Iran as part of the tentative nuclear deal, the White House issued a new executive order that allows the United States to sanction countries and individuals who conduct cyber operations that pose a “significant threat” to national security. One provision of the order, which covers threats to “economic health or financial stability,” looks deliberately tailored to Iran, which U.S. intelligence officials blame for a series of massive denial-of-service attacks that shut down the websites of American banks in 2012.
Sanctionable offenses include “causing a significant disruption to the availability of a computer or network of computers.” As an example, the White House listed denial-of-service attacks. And the day he issued the order, President Obama wrote in a blog post for Medium that “Iranian hackers have targeted American banks” and said the U.S. government needed new tools “to go after bad actors” who are beyond the reach of U.S. law enforcement or whose governments won’t stop them.
A former U.S. intelligence officer who worked on cyber operations told The Daily Beast that the United States was putting Iran on notice that, while the nuclear negotiations may have borne fruit, the U.S. was still ready to punish Iran anew over its aggressive cyber programs, which include espionage targeting U.S. energy companies. “As a country, we’re saying, ‘Enough, we’re not going to tolerate it,’” the former official said.
“Iran, of course, is already subject to heavy sanctions, but if those sanctions were to be loosened as part of a nuclear deal, the new cyber sanctions might have more bite,” Kristen Eichensehr, a former special assistant to the State Department’s legal adviser, observed on the blog Just Security.
U.S. officials have been eager to publicly blame Iran for some of the most damaging cyber attacks in the United States in recent memory. Director of National Intelligence James Clapper has said that Iran was responsible for an attack on the Sands casino company in 2014, in which intruders stole and destroyed data from the company’s computers. In testimony before the Senate Armed Services Committee in February, Clapper put that attack in the same category as North Korea’s assault on Sony, which prompted retaliatory cyber strikes from the United States, as well as a new round of sanctions on individuals and companies in the Hermit Kingdom.
The bank attacks and the Sands operation amounted to a show of force by Iran, which only a few years ago had merely aspired to build a world-class offensive cyber force. U.S. officials and experts have been alarmed by the speed with which Iran built up its offensive cyber capabilities and then used them.
“It’s probably been one of the fastest evolutions we’ve seen” among national cyber forces, Dmitri Alperovitch, the co-founder and chief technology officer of CrowdStrike, a cybersecurity company founded by ex-law enforcement and intelligence officials, told The Daily Beast.
But with the potential easing of nuclear-related sanctions, Iran is likely to back off some of its cyber attacks.
“Their more aggressive activities, like [denials of service], I expect will come down because those were largely in retaliation for the sanctions, and there’s no reason to continue that,” Alperovitch said.
James Lewis, a senior fellow at the Center for Strategic and International Studies who led a comprehensive study on cyber security at the beginning of Obama’s first term, told The Daily Beast he also expected to see a slight ratcheting down from Iran’s side. “They’ll continue to improve their cyber attack capabilities but be a little more cautious in using them so as to not upset the deal,” Lewis said.
The former intelligence official predicted that Iran will “continue with what we call breaches—stealing information, conducting espionage. But not attacks.”
White House officials declined to comment on how they expect Iran to react in cyberspace now that a nuclear deal is at hand.
At the same time, the former official noted what he called the “hypocritical” U.S. position—namely that the government expects other countries to cease cyber spying on the United States even though it routinely hacks foreign governments and corporations.
The U.S. also launched a major cyber attack on the Iranian nuclear facility at Natanz beginning in 2007, taking an estimated 1,000 Iranian centrifuges out of commission and temporarily slowing Iran’s progress toward a bomb. (The country is now about three months away from being able to amass the fissile material for one nuclear weapon, experts and U.S. officials have said.)
The former official said U.S. cyber activity against Iran is unlikely to stop insofar as it’s directed at trying to determine whether Iran has restarted efforts to build a bomb.
Indeed, in public testimony Clapper said it was U.S. spying on Iran that had helped negotiators know how far Iran was from building a weapon.
A second former senior U.S. intelligence official who maintains close ties to current leaders said the last thing spy agencies will do now is decrease the amount of intelligence-gathering against Iran. He said intelligence-gathering will be central to verifying whether Iran is living up to its end of the deal. And, he said, those close to Clapper are speculating that he may actually want to collect more intelligence on Iran.
Spokespersons for Clapper didn’t respond to a request for comment.
This former official echoed the assessment of other experts that Iran isn’t likely to conduct more attacks against the United States for fear of incurring retribution and disrupting the delicate agreement.
But Iranian officials had been rattling their cyber swords while the so-called P5+1 negotiators were trying to hammer out an agreement. In February 2014, a senior officer in the Iranian military, which both runs the cyber warfare programs and owns a controlling interest in Iran’s largest telecommunications company, threatened the country’s adversaries with a cyber attack.
“One of the options on the table of the U.S. and its allies is a cyber war against Iran. But we are fully prepared to fight cyber warfare,” said General Mohammad Aqakishi, the commander of the information technology and communication department of the armed forces’ general staff, according to Iran’s Tasnim news agency.
Iran’s supreme leader, Ali Khamenei, who must give his blessing to any final deal, has exhorted Iranian students, whom he calls “cyber war agents,” to prepare for battle against Iran’s enemies in cyberspace.
Some analysts think that by launching cyber operations against the United States, Iran was trying to send a message that it wouldn’t be bullied at the nuclear negotiation table and that, regardless of how those talks turned out, cyberspace was a new territory that Iran wouldn’t cede.
On that score, U.S. officials concur. In February, Clapper testified that even if the nuclear talks ended with an agreement, Iran wasn’t likely to adjust its regional strategy of extending power and influence, of which cyber operations are a key tool. (U.S. officials say Iran also launched a major attack in 2012 against Saudi Arabia, its chief regional adversary, completely erasing data on 30,000 computers at Saudi Aramco, the state-owned petroleum and natural gas company.)
And in January 2014, General Martin Dempsey, the chairman of the Joint Chiefs, said in an interview that if the United States used cyber force against Iran—as it did beginning in 2007 with the so-called Stuxnet virus—it should expect Iran to retaliate in kind.
Last year, the cybersecurity company Cylance issued a report, which it said was based on two years of research, that showed Iran had penetrated systems controlling a range of critical infrastructure in the United States, including oil and gas, energy and utilities, transportation, airlines, airports, hospitals, telecommunications, and aerospace companies.
“A lot of the work they were doing was quite sloppy, almost to the point that they wanted to get caught,” Stuart McClure, the CEO and president of Cylance, told The Daily Beast. The Iranians may have been trying to send a signal to the United States and their partners in the nuclear negotiations that they were capable of inflicting harm if they didn’t get a favorable deal, McClure said. “Coming to the table and knowing your adversary is in your house influences the negotiation.”
Now that the negotiations have resulted in a deal, McClure sees no reason to think that Iran will stop its cyber operations. But, he says, they won’t be so sloppy.
“They’ll be far more targeted and careful,” he said. Since the deal was reached, Cylance hasn’t tracked any attacks by the group it was monitoring as part of what the company dubbed Operation Cleaver. McClure estimates that Cleaver probably accounts for a third of Iran’s total cyber activities.
But the competition between the U.S. and Iran is likely to continue—online and in the real world. In his first extended interview since the deal was reached, President Obama notably did not mention the areas where the U.S. and Iran remain at odds: Iraq, Yemen, Lebanon, and cyber warfare.
Indeed, the president, who sat down Saturday for nearly an hour with New York Times columnist Tom Friedman, described an Iran engaged in several proxy wars in the Middle East, anti-Semitic rhetoric and aggression with Sunni states for hegemonic dominance.
The deal was not intended to address those issues directly, the president said, but to lead Iran to shift its resources from engaging in warfare to building its economy. Rather than demand Iranians change their posture in the Middle East and then open the door to negotiations—as past administrations have done—the U.S. was prepared to make a deal and hope it leads to policy change, the president said.
“Iran’s regional policies have remained virtually unchanged since 1979,” said Karim Sadjadpour, senior associate at the Washington, D.C.-based Carnegie Endowment for International Peace. “The U.S. government has increasingly agreed to disagree with Iran’s regional policies.”
Should the lifting of sanctions lead Iran to, for example, not train and advise Shiite militias in Iraq, the relationship between the U.S. and Iran could be similar to that which exists between the U.S. and Russia, Sadjadpour said—“two countries who were once sworn adversaries becoming sworn rivals”—and that is a “best-case scenario.”
But the president stressed that he did not enter the deal for a domino effect in Iran’s approach to the region, or unequivocal rapprochement.
“It is a good deal even if Iran does not change at all,” the president said.
—with additional reporting by Nancy A. Youssef