Iran Doesn’t Need Missiles to Hurt the U.S.

The U.S. Department of Homeland Security said this week that the conflict in the Middle East creates a “heightened threat” of Iranian cyber-attacks on the U.S. (SAUL LOEB / AFP / Getty Images)

About the author: Justin Sherman is the founder and CEO of Global Cyber Strategies, a research and advisory firm, and a nonresident senior fellow at the Atlantic Council.

Shortly after President Donald Trump announced that the U.S. military bombed three Iranian nuclear sites, the Department of Homeland Security warned that Iranian cyber retaliation against American networks are “likely” and may be imminent.

Cyber operations have already been used in the conflict between Israel and Iran. Hackers tied to Israel claimed they wiped $90 million from an Iranian cryptocurrency exchange. Iranian hackers have reportedly targeted Israeli infrastructure and telecommunications.

But the rate and impact of cyber operations could get much worse and, should tensions escalate, spill out into regional supply chains and possibly impact U.S. infrastructure. The pace of kinetic strikes in the coming weeks will considerably shape how the two countries use cyber capabilities against one another. And Iran’s interest in signaling to Washington may be one of the biggest factors in its execution, or lack thereof, of greater cyber operations against the U.S.

Iran is widely considered a leading cyber power. Its Islamic Revolutionary Guard Corps and the Iranian Ministry of Intelligence and Security each have prominent cyber units with the expertise and capabilities to carry out sophisticated espionage and disruptive, damaging operations. Iran can also leverage proxies to hack foreign critical infrastructure and deface websites with pro-regime messages. Tehran has allowed these proxy “hacktivists” to operate while claiming—plausibly or not—some deniability.

Israel is likewise home to a highly sophisticated cyber ecosystem. It has invested heavily in cybersecurity education and start-up culture and is the base of spyware firms like NSO Group. When it comes to state espionage and disruption, Israel maintains well-known hacker teams such as the Israel Defense Forces’ Unit 8200—the largest single military unit in the IDF. Unit 8200 is suspected to have worked on major cyber operations like Stuxnet, the 2005-10 effort to damage and degrade Iranian nuclear enrichment at Natanz. Alumni of the unit have founded so many successful cybersecurity companies that recent departees-turned-entrepreneurs are well on the radar of Silicon Valley investors.

Yet both countries must contend with cyber trade-offs. As Russia’s war on Ukraine and other conflicts have clarified, governments launching cyber operations must often reconcile competing priorities. For example, if Iran or Israel hacked into a missile strike-enabling system in the other’s country, hackers might be on orders to shut it down to prevent or delay further launches. If hackers got into a commander’s mobile phone in the other country, however, or a closed network used to store battle plans, the respective agencies might want to siphon data from the target rather than fry its hard drive—after all, it could provide more value as a digital eavesdropper than a paperweight. These sorts of tensions can even play out in a single system. If Israel or Iran got into the other’s border camera networks, internal fights could easily ensue about whether to covertly monitor or loudly disrupt the feeds.

And for all their respective cyber prowess, an Iranian or Israeli state hacker spending time and resources to break into one system means, at least temporarily, forgoing another. No country has unlimited hacking power. It is difficult for outside observers to see these constraints—or to know every option one’s adversaries are weighing.

In the coming weeks, the pace of kinetic strikes will considerably affect how Iran and Israel navigate these trade-offs and apply their limited resources. Faster, more frequent, or increasingly severe missile strikes, assassinations, and other violence from either party would accelerate the need to know exactly what the other is doing next. Cyber espionage would likely escalate. Shifts in the kinetic threats’ speed, frequency, or severity could simultaneously increase each state’s resolve to disrupt the other’s digital systems to stall or repel attacks. Conversely, slowdowns in strikes could shift cyber resources toward more espionage or provocations, such as disrupting domestic television broadcasts, rather than big attacks.

One of the biggest open questions is the near-term cyber threat to the U.S. Iran’s interest in launching attacks on U.S. critical infrastructure—directly, through proxies, or by sitting back and letting “hacktivists” channel their anger—will depend in part on the signal it wants to send to Washington. Some believe Iran’s missile strike on a U.S. military base in Qatar this week signaled de-escalation to the White House.

But then Trump criticized Iran and Israel when they broke their supposed cease-fire. If Iran wanted to send a strong retaliatory signal to the White House for the renewed Israeli bombings or for any shifts in American messaging, it has many advanced cyber intelligence and disruptive capabilities it could use to damage the U.S. economy or at minimum grab some flashy headlines.

Even if the U.S. doesn’t bomb Iran further, Iran might encourage or welcome low-level hacktivism against U.S. businesses, such as distributed denial of service attacks and defacements of bank websites. Tehran’s goal would be to inflict damage below the level that would prompt Trump respond harshly with the tremendous cyber capabilities of the U.S.

Iran is a sophisticated, well-resourced, and persistent cyber actor. U.S. businesses and government agencies cannot ignore that risk. Action now with network hardening, threat intelligence, phishing awareness, and breach response planning is the best preparation.

Guest commentaries like this one are written by authors outside the Barron’s newsroom. They reflect the perspective and opinions of the authors. Submit feedback and commentary pitches to ideas@barrons.com.