For the past year, the attention of policymakers and pundits following the Middle East has been absorbed with the twin problems of Iran’s nuclear program and the Islamic State. At the same time, however, another threat emanating from the region has quietly metastasized with potentially significant repercussions for America and its allies. Consider that since June 1:
• The U.S. Army’s public website was taken offline due to a Distributed Denial of Service attack by Syrian hackers;
• Israeli Defense Minister Moshe Ya’alon publicly confirmed that Hezbollah was behind a “Volatile Cedar,” a three-year cyber-spying campaign targeting Israel, Western countries, and other Middle Eastern states;
• WikiLeaks published 70,000 documents from the Saudi Foreign Ministry believed to have been among a half million documents stolen by Iranian hackers; and
• A group of hackers claiming affiliation with the Islamic State in Iraq and the Levant (ISIL) took down the Syrian Observatory for Human Rights’ website and threatened its director.
In May, the State Department issued an unprecedented security report warning U.S. businesses operating abroad of Iran’s rapidly improving cyberwarfare capabilities. Since 2012, Iranian hackers have attacked oil and gas companies in Saudi Arabia and Qatar; launched an extended campaign against American banks (“Operation Ababil”) including Citigroup, JPMorgan Chase, and Bank of America; and infiltrated the U.S. Navy-Marine Corps’ Intranet in 2013. From 2012-2014, Iran’s “Operation Cleaver” targeted some 50 companies in 16 countries, representing 15 industries “including oil and gas, energy and utilities, transportation, hospitals, telecommunications, technology, education, aerospace, defense contractors, and chemical” companies. A recent study by the American Enterprise Institute and cybersecurity firm Norsefound a 115 percent increase in attacks launched from Iranian Internet protocol addresses from January 2014 to April 2015.
Iran is only one of many adversaries targeting U.S. and regional allies’ computer networks. Before its take-down of the Army’s website in June, the Syrian Electronic Army (SEA) had defaced the U.S. Marine Corps’ recruiting website, knocked out websites belonging to media outlets such as the New York Times and Washington Post, and even hijacked President Obama’s Facebook and Twitter accounts. This January, on the same day President Obama delivered a major address on cybersecurity, ISIL-affiliated hackers seized control of CENTCOM’s official Twitter and YouTube accounts. The self-proclaimed “CyberCaliphate” has since hackedNewsweek’s Twitter account and replaced live programming on France’s TV5 Monde with pro-ISIL propaganda. And during both 2012’s Operation Pillar of Defense and last summer’s Operation Protective Edge, Israel came under massive cyber-attack from the hackers collective Anonymous and state-sponsored groups such as the SEA.
This is not to say the United States and its allies are helpless in this new realm of conflict. In addition to disabling insurgent computer networks, U.S. forces hacked into al-Qaida in Iraq’s cellphone network to send fake texts directing insurgents to locations where they were subsequently targeted. In February, cybersecurity researchers at Kaspersky announced the discovery of perhaps the most sophisticated cyber-attack to date, as a group of hackers labeled “the Equation Group”—and presumed to be affiliated with the NSA—hid spyware deep into computer hard drives, with the highest infection rates in Iran. Israel retaliated against Hezbollah in 2006 by hacking the terrorist group’s television station, Al Manar, and disrupting its information operations campaign. Israel also used a cyber-attack to disable Syrian air defenses in 2007’s Operation Orchard that destroyed the nuclear reactor under construction at Kibar. On the defensive side, Israel’s cybersecurity sector was responsible for at least $6 billion in exports last year, exceeding Israel’s sales in conventional weapons systems. And, of course, America and Israel (allegedly) jointly conducted the most successful cyber-operation to date—“Operation Olympic Games”—which inserted the Stuxnet virus into Iran’s Natanz nuclear facility and caused the destruction of nearly one thousand centrifuges.
It is clear that followers of events in the Middle East must now keep one eye on the cyber domain while tracking the region’s conflicts and rivalries. Less clear, perhaps, is why the broader community of cyber and national security experts should pay greater attention to cyberwar in the Middle East. After all, Russian cyber-criminals steal billions of dollars every year and have pilfered in 1.2 billion (yes, that is a “b”) passwords in a single hack, and Chinese hackers are believed to have stolen personal information on 21 million Americans who have worked for the U.S. government. Why should we care if another hacker from the Middle East has hijacked yet another Twitter site and filled it with pro-jihad, anti-Zionist/anti-American propaganda?
There are at least three reasons why this advent of cyberwar in the Middle East has troublesome implications for U.S. strategic interests. First, whereas Russia and China have the resources to build conventional army, air force, or ballistic missile programs unthinkable for most Middle East actors, the entry costs to acquiring a significant cyber-capacity are low enough to allow the Middle East’s weaker states—or nonstate actors—to obtain capabilities that threaten U.S. and allied interests. Terrorist groups like Hamas or the Islamic State might not have good enough hackers in-house, Rami Efrat, former head of Israel’s National Cyber Bureau recently told a conference at Georgetown University, but “unfortunately they are able to go to the dark net, to the deep web, to get it as a service and to buy the most sophisticated zero-day attacks.” David DeWalt, former chief executive of McAfee, concurs: “Offensive tools are so available that sometimes they can be purchased on eBay and sometimes on the dark net. It takes thousands or tens of thousands of dollars; it doesn’t take a lot of means or expertise.”
Second, cyber-attacks allow potential adversaries to bypass America and its regional allies’ military forces in order to directly target civilian infrastructure and economic targets. Experts point out that although Russia and China have greater capabilities for cyber-warfare, they have focused largely on stealing U.S. military secrets or cybercrime. Conversely, Iran’s hackers are targeting critical infrastructure and developing the ability to cause serious damage to the U.S. power grid, hospitals, or the financial sector. “The Chinese are engaged in cyberespionage,” says Richard Bejtlich, chief security officer at Mandiant. “We know what lines they will and will not cross. But a country like Iran is much more willing to be destructive. They go ahead and delete computers, they corrupt them, and they cause a lot of trouble.” Iran’s attack on Saudi Aramco destroyed 30,000 computers, and the 2014 attack on the Sands Corporation’s computer servers—presumably in retaliation for tough anti-Iran rhetoric by chairman Sheldon Adelson—caused $40 million in damages. Iran’s cyber army is controlled by the Iranian Revolutionary Guard Corps, which not coincidentally also oversees Iran’s support for terrorism abroad. Thus, Director of National Intelligence James Clapper told a Senate hearing in February that although Iran has “lesser technical capabilities in comparison to Russia and China,” its pattern of destructive attacks demonstrates it is a “motivated and unpredictable” cyber-actor.
In fact, recent history suggests that Tehran’s offensive cyber-capacity has dramatically evolved in sophistication and scope. For example, a normal DDoS attack involves between 10,000-15,000 packets per second, a number that refers to the amount of data flowing into a system. The “Brobot” botnet that the Iranian “Izz ad-Din al-Qassam Cyber Fighters” utilized in the 2012 bank hacks, however,attacked at a rate of 50 million packets per second, a figure dwarfing the 2007 Russian cyber-militia attack that crippled Estonia. Whereas prior to 2012 Iranian cyber-attacks were largely limited to simple website defacements, FireEye says that by 2014 the Iranian-based “Ajax Security Team” had transitioned to malware-based espionage. One former U.S. official described the 2013 Navy attack as “a real eye-opener in terms of the capabilities of Iran to get into a Defense Department system and stay in there for months.” And during Operation Cleaver, Iranian hackers employed a sophisticated set of cyber tools, allowing them not only to conduct surveillance and gather intelligence on various entities, but also to potentially disrupt and destroy targeted systems. These advances prompted security firmCylance to dub Iran “the new China.” Although this may be an exaggeration, former Google Executive Chairman Eric Schmidt nevertheless told CNN that Iranians are “extremely talented” in cyber warfare.
In sum, Iran’s demonstrated willingness to conduct destructive cyber-attacks, its ability to offset U.S. and allied military superiority in the region through cyber-war, its dearth of equivalent targets for deterrence or retaliatory attacks, and the Islamic Republic’s strategic culture favoring asymmetric or indirect conflict over conventional war mean that it poses at least a great a threat of initiating a “catastrophic” attack against U.S. or allied critical infrastructure as technically superior Russian and Chinese hackers. As Stewart Baker, former general counsel for the National Security Agency, argues: “Cyber-war just plain makes sense. … We used to worry about Russia and China taking down our infrastructure. Now we have to worry about Iran and Syria and North Korea. Next up: Hezbollah and Anonymous.”
Given its declared intent to strike civilian targets in America, Israel, and other U.S. regional allies, one could add ISIL to that list as well. FBI Director James Comey told the Aspen Forum on July 22: “We’re picking up signs of increasing interest” in the use of cyberspace as a vector for terror attacks. “Logic would tell us, as we make it harder and harder for human beings to get into our country to do bad things, they will hit on photons entering our country to do bad things.” Yet as Israeli cyber-war expert Gabi Siboni notes, ISIL’s “main effort to date in cyberspace has focused on psychological warfare by generating fear through flooding the Internet with video clips portraying the brutal acts of beheading and mass executions.” The jihadists’ skill at conducting information operations by exploiting social media thus far has outstripped their capacity for cyber-attacks. ISIL’s media arm Al Hayat has produced hundreds of films—including many high-quality productions involving Hollywood-style techniques and special effects—to promote the group’s propaganda. The militants are adept at spreading their message using Western-based social media sites such as Twitter, Facebook, Tumblr, YouTube, Instagram, and SoundCloud. ISIL has a vast network of “fanboys” who do nothing besides watching social media and disseminating the group’s online propaganda, and it is estimated that ISIL’s followers have as many as 90,000 accounts on Twitter, allowing it to disseminate links to digital content hosted on other online platforms. If their accounts get closed down, they simply register under new names. ISIL has also cleverly organized “hashtag campaigns” to raise its online profile and uses social media “bots” to hijack popular hashtags such as #Brazil2014 during the World Cup. The number of Westerners fighting alongside ISIL in Syria and Iraq could number in the thousands, thanks in large part to Twitter and Facebook. Al-Qaida’s leader Ayman al-Zawahiri trumpets the importance of information operations, famously telling Abu Musab al-Zarqawi in a 2005 letter, “We are in a battle, and more than half of this battle is taking place in the battlefield of the media.” Governments are thus beginning to see winning the Internet as central to the fight against terrorism.
The Internet may be particularly important in the Middle East, where the United States depends on information communications technologies for critical military and civilian services far more than our strategic rivals or potential adversaries. This asymmetric vulnerability is less pronounced toward Russia and China, whose economies are more closely integrated with America’s and who would have more to lose from retaliatory cyber-attacks. As former Director of National Intelligence Mike McConnell warned Congress in 2010: “We’re the most vulnerable. We’re the most connected. We have the most to lose.”
To its credit, the Obama Administration has acknowledged the dangers cyber-war poses to America’s interests and allies in the Middle East—President Obama pledged support to the Gulf States to defend against cyber-attacks from Iran, and during his recent trip to Saudi Arabia to sell the Iran nuclear deal Secretary of Defense Ash Carter discussed cyber security with King Salman. Gen. Lloyd Austin, the head of U.S. Central Command, has reportedly tried to persuade America’s Gulf Cooperation Council allies into working together to protect against cyber-attacks, and CENTCOM has issued a request for information for contractors to help its Joint Cyber Center with all aspects of “theater planning synchronization. And Deputy Secretary of Homeland Security Alejandro Mayorkas recently visited Tel Aviv and signed an agreement promoting cooperation on cyber security with Israel.
Yet our regional allies are understandably skeptical of the president’s promises. Besides past retreats from redlines in Syria and the P5+1 negotiations with Iran, during 2012’s “Operation Ababil” attacks on the U.S. financial sector, the Obama Administration not only rejected an option to hack into the adversary’s network in Iran and squelch the problem at the source, but refused to even deliver a diplomatic demarche to Tehran for fear of prompting more attacks. The massive OPM breach came after the president issued an executive order on cyber security in February 2013 with the declared purpose of securing federal computer networks, suggesting that although the administration talks a good game on cyber security it is less adept at translating directives and statements into effective policies.
Finally, given that Iran reportedly devoted $1 billion dollars to its cyber-warfare efforts while under the yoke of sanctions, the sanctions relief provided by the nuclear deal with Tehran provides the IRGC with a financial windfall for its growing cyber-warfare endeavors. Unlike obtaining weapons of mass destruction or other prohibited weapons systems, this dangerous capacity can be developed outside the watchful eye of inspectors and without concern for U.N. Security Council resolutions. Maintaining vigilance and working with our regional partners to address the widening array—from Iran to ISIL to Anonymous—of cyber threats emanating from the Middle East will remain a significant challenge for the remainder of this administration and for the next president as well.