Iranian cyber activity originating from Iran increased prior to the nuclear negotiations under President Hassan Rouhani, but drastically decreased during the talks. This further confirmed that Iran’s cyber activities are politically motivated. In other words, Tehran dials its cyber activities up or down depending on the signal it wants to send to its adversaries. During the talks, Iran was trying to maximize its chances of reaching a deal so it dialed down its attacks. In fact, such attacks decreased further following the July 2015 nuclear agreement. But today, they’re back.
Iran hasn’t just been focused internationally when using cyber; its capabilities — allowing for control, deniability, distance and asymmetry — have become a valuable tool in both Iran’s domestic politics and foreign policy toolkit.
Tehran’s cyber capabilities aren’t new. Today, Iran is easily in the top 10 countries in the world in terms of cyber capability, and developed its cyber capabilities on two fronts: offensive and defensive. Iran initially used its cyber capabilities on the domestic scene: monitoring and restricting the use of cyberspace to target the opposition and ensure the survival of the Islamic Republic.
But its focus on, and investment in, its cyber capabilities resulted in the advancement of its offensive cyber capabilities, particularly abroad. Two key events further spurred Iran’s increasing interest in cybersecurity and warfare.
The first was domestic: the contested 2009 presidential elections, which became to be known as the Green Movement. Hundreds of thousands of young, educated Iranians used the Internet and social media to organize themselves, and the regime was further pressed to control the virtual political space.
The second was the increase in cyberattacks targeting Iran, both for intelligence-gathering purposes and as an offensive measure meant to degrade its nuclear program. The 2010 Stuxnet attack targeting centrifuges at Iran’s Natanz facility was the first state-sponsored attack of another country’s critical infrastructure — and it caught Tehran off-guard. The malware set Iran’s nuclear aspirations back by two years.
Iranian decision-makers responded by doubling down on their defensive posture, and invested significantly in offensive capabilities. Iran made considerable progress in a short amount of time, helped by the critical mass of an educated, Internet-savvy population.
What’s more, cyber operations fit neatly into the Iranian government’s modus operandi, which emphasizes use of proxies, asymmetric warfare and deniability. In September 2015, U.S. Director of National Intelligence James Clapper said: “Iran very likely views its cyber program as one of many tools for carrying out asymmetric but proportional retaliation against political foes, as well as a sophisticated means of collecting intelligence.”
Today, a number of organizations under the supervision of different parts of government — including the Supreme Leader’s office, the Revolutionary Guards and the Basij militias, as well as a variety of affiliates and hacker groups — are tasked both to defend the national cyberspace and monitor and target the international cyberspace. But the nature of the work performed by each, the degree of cooperation and the division of labor between them is unclear, as in other defense arenas. And Iran wants to keep it that way. Iran also draws on the research and capabilities of universities and the private sector, inside and outside the country.
It’s difficult to say how much money Iran allocates to such activities. The total budget for the Ministry of Information and Communication Technology in 1393 (2014-15) was 34,081 billion IRR (approximately $1.36 billion USD), a 95 percent increase from the previous year, while the 1394 (2015-16) budget increased by 34 percent. Needless to say, this capability is only on the rise. And the deal curbing Iran’s nuclear activities is likely to accelerate this trend to allow the security establishment to posture.
The recent cyberattacks come at an interesting time. First, the nuclear deal adopted in October, shortly after it passed both the U.S. Congress and Iranian parliament, was endorsed by Iran’s Supreme Leader Ayatollah Khamenei. Tehran completed its part of the roadmap, agreed to with the International Atomic Energy Agency, and started to remove centrifuges. The deal was a success for Rouhani’s team.
But success for one side inevitably results in defeat for the other. Some factions within the elite view the nuclear agreement as tantamount to selling off Iran’s rights and technological prowess. For these factions, reopening Iran’s market and allowing it to normalize its status internationally is out of the question.
Instead, they seek ways to discredit the perceived winners: Rouhani’s administration. Things are further complicated by Iran’s recent inclusion in the Syria talks, which aim to find a solution endorsed by both regional and important international players.
Tehran now sits across the table from the United States and one of its regional rivals, Saudi Arabia. This engagement, albeit limited and so far unsuccessful, is a step too far for the opponents of regional engagement and détente with Washington.
The attacks against the private sector and individuals serve to scare potential investors who want to explore the reemerging and promising Iranian market. They also serve to check the Iranians who try to facilitate change and bridge the gaps between the West and Iran, while sending a signal to the West that Tehran is not open to change and can and will continue to oppose U.S. interests and activities in the Middle East and beyond.
Since 2012, Iran has been targeting U.S. financial institutions, in publicized attacks using relatively low-tech strategies. Iran has also demonstrated interest in U.S. critical infrastructure, but it is well aware that any such attack is akin to a declaration of war and an invitation for retaliation, for which Tehran is not ready.
Tehran will likely continue disruptive small- to medium-scale attacks, where it can continue to maintain some form of plausible deniability and not trigger significant retaliation. For Washington, being the victim of attacks targeting private sector companies without causing damage that is significant enough to invite retribution makes it difficult to address and therefore dissuade future attacks. The Iranian government — in addition to sending signals to domestic constituencies — sees its cyber capabilities as a key potential leverage point in its international relations, especially with the implementation of the nuclear deal underway.
Dina Esfandiary is a MacArthur Fellow in the Centre for Science and Security Studies in the Department of War Studies, King’s College London.
Ariane M. Tabatabai is a visiting assistant professor in the Security Studies Program in the Georgetown University School of Foreign Service.