On 03 Jan 2020, the United States conducted a targeted killing of Major General Qasem Soleimani, commander of the elite Quds force of the Islamic Revolutionary Guard Corps of Iran. The massive outpouring of public grief for Soleimani in Iran was followed by a retaliatory rocket strike mounted by Iran on the Al-Asad airbase in Iraq. But as of the date of this publication, many analysts see the situation as de-escalating in intensity. The possibility of Iran and the US engaging in an all-out “hot conflict” is becoming increasingly unlikely.
So what’s the status of the cyber threat posed by Iran? Increased or decreased, along with the physical “bomb and bullet” threat? Ultimately, the precise future in such a highly volatile situation is anyone’s guess. Still, there are useful precedents that can assist when we consider how this will unfold in the near-term future.
Symmetric vs. asymmetric conflict and the role of cyber power
We could spend a lifetime studying the difference between symmetric and asymmetric warfare, but for this blog: Symmetric warfare is a style of conflict in which combatants are roughly equal in terms of raw military capability―think allies versus axis power in World War Two. In contrast, asymmetric warfare is characterized by the involvement of combatants who have drastically uneven capabilities in terms of military power, leading to the use of unconventional tactics characterized by terms such as guerrilla warfare, terrorism, and proxy war activity.
Cyber warfare, defined here as one opponent having some effect on another’s computer networks, is employed in both symmetric and asymmetric warfare. But it’s most commonly associated with the field of asymmetric warfare, principally because of the high level of deniability the cyber operations have.
Symmetric warfare seems to be off the table for both the US and Iran; neither seems to have the appetite for another hot war in the Middle East region. This now puts asymmetric warfare and all its cyber options firmly on the table as a mechanism to strike and influence the opponent. One of the critical objectives of almost any asymmetric warfare campaign is to influence the behavior of a state through methods that target the views and outlook of that state’s population. For example, the US public’s withdrawal of popular consent for the Vietnam war is widely acknowledged to have directly led to a withdrawal of US forces from the country.
Within a cyber context, this facet of asymmetric warfare is dangerous, as the industrial sector of a state’s economy often dwells within the civilian sector of the country’s population. Shown below is a graphical model of how symmetric and asymmetric warfare work and the role that the civilian sector can play within this dynamic.
Of course, on the ground, the situation is somewhat different than the simplistic model shown above. Precisely, the US conforms to the State A model shown above (its industrial complex primarily nested within the civilian population and the democratic system dictating who is in power). Still, the Iranian state does not follow this model. Within Iran, the industry is under state control, with the autocratic political model not requiring popular consent to govern. This leads to an edge for Iran over the US in terms of asymmetric warfare, influence, and particularly in terms of the cyber warfare approach―owing to the high level of deniability attached to it.
In superficial terms at least, the current absence of overt conflict between the US and Iran implies an increased risk of Iranian cyber-attacks on the US private sector. A future threat narrative (albeit a simplistic one) could go something like Iran, not wishing to engage in a potentially devastating war with the US, participates in a protracted cyber campaign targeting the US economy.
Iranian cyber capability versus vulnerability
One important aspect to remember when considering the cyber threat posed by Iran is that cyber power differs in form and function for each state that wields it. For example, the People’s Republic of China (PRC) cyber power is more focused on achieving espionage-based objectives. In contrast, the Democratic People’s Republic of Korea (DPRK) appears to be more focused on raising funds to feed volumes’ black economy of North Korea.
Iran’s cyber power has evolved rapidly from an initial flurry of patriotic hacktivism directed at the US banking sector in the wake of the Stuxnet incident in 2010 to the destructive attacks by the Shamoon malware on Saudi Aramco 2012 to a shift to more clandestine intelligence-gathering operations heralded by the creative Newscaster campaigns. This has seen the capability move from enthusiastic but amateurish pro-Iranian civilian hackers to more formalized elements of the Iranian military driving the form of the capability. While Iran certainly has the appetite and capacity to conduct destructive cyber attacks against its opponents, it could be argued that it gains more tangible benefits from cyber espionage operations rather than the transient effects derived from the spectacular destructive cyber-attacks.
This separation of destructive attacks versus more conventional espionage operations is essential when considering the broader geostrategic context of the issue. Soleimani’s killing was very public, and Iran has to be seen to mount a continuing response to the assassination. If their response is destructive cyber attacks, this will stand in sharp contrast to Iran’s currently favored cyber capabilities, which seem at the moment to be more focused on espionage, a practice that, by default, aims to be unseen by all.
An additional point to consider when gauging a state’s overall cyber power capability is how vulnerable a state’s infrastructure is to retaliatory cyber attacks. Just as in the case of the PRC and DPRK, Iran’s cyber vulnerability probably outweighs its ability to conduct an offensive cyber warfare operation. Given that the US likely has one of the most advanced cyber warfare capabilities in the world, and that deniability is a factor of asymmetric warfare that cuts both ways, Iran faces a difficult choice when considering the option of destructive cyber attacks on the US.
This boils down to the assessment that warnings of an increased cyber threat from Iran should be caveated. If Iran engaged in offensive cyber operations against the US, this would be both a significant departure from the campaigns it has recently conducted and would open the country up to potentially devastating retaliation from the US.
Shown below is a SWOT (strengths, weakness, opportunities, and threats) analysis of the possibility of an Iranian cyber attack on US civilian infrastructure.
The duality of conflict modes
So far, we’ve looked at two modes of conflict and sought to understand how cyber warfare activity sits within one of these modes. Of course, in reality, state policy is not so simplistic; there’s always the option of combining symmetric and asymmetric warfare (dubbed hybrid warfare) and opening multiple modes of conflict simultaneously.
A recent example is Russia’s activity in Ukraine that has combined multiple interlocking strands of symmetric and asymmetric warfare into one unified effort to control the region. Iran will most likely pursue this course of action, and Soleimani was a master of this style of warfare. Within this context, Iran’s cyber capability will probably receive a boost in terms of funding and human resources, but will likely remain within its traditional boundaries as another espionage capability within the broader portfolio of asymmetric capabilities fielded by Iran.
The event in context: That big a deal?
Returning briefly to the broader geopolitical context, let’s take a step back from the recent rhetoric that has surrounded the incident and attempts to place the events in the broader context of US/Iranian relationships.
Soleimani was a uniformed combatant deeply involved in clandestine warfare operations for decades, and the manner of his death can’t have come as a big surprise to his chain of command in Tehran. “Live by the sword, die by the sword” is a common sentiment for people involved in this kind of work. Conversely, US service personnel in Iraq have been killed in large numbers by explosives originating from Iran since the initial invasion in 2003. Notably, the rocket attack on the Al-Asad air base caused no casualties. From a soldier’s perspective, it’s just another day in Iraq.
Taking this view of the event, the Soleimani killing and Iran’s response may be nothing more than another comparatively small move in the long game the US and Iran have been playing for decades. For the cyber threat, this could imply various outcomes, one of which is―quite possibly―no change at all in the cyber risk. So then how do we evaluate the cyber threat from Iran?
An important point to note is that cyber operations have been perpetrated both towards and against Iran for several years, and even without the Soleimani incident, these operations would have continued regardless. The point that this piece intended to consider was, would the Soleimani incident change the form and objective of Iranian cyber power?
The key to assessing these questions is to understand what a winning state looks like for each side of the conflict. For Iran, the position would appear to be as it has been since 2003: Make the US’s position in the Middle East as weak as possible while amplifying Iranian regional power as much as possible.
The US position seems more opaque; a shadow conflict between the two countries has been running since at least 1979. However, this does mark a very public escalation of the conflict.
How does cyber power projection potentially play into each of these strategies?
The exact details remain to be seen; however, viewing developments in the situation through the lens of symmetric and asymmetric warfare theory, although abstract, has the potential to inform the dynamics that underpin the conflict.
Further Reading on Iran Cyber Threats
Practical Advice around Iranian Cyber Threats: https://www.digitalshadows.com/blog-and-research/iranian-cyber-threats-practical-advice-for-security-professionals/
Iranian APT Groups’ Tradecraft Styles: https://www.digitalshadows.com/blog-and-research/iranian-apt-groups-tradecraft-styles-using-mitre-attck-and-the-asd-essential-8/
Iran and Soleimani: Monitoring the Situation: https://www.digitalshadows.com/blog-and-research/iran-and-soleimani-monitoring-the-situation/