Now that the US vs. Iran confrontation has entered a dangerous new phase with last night’s killing of top Iranian military commander Qassem Soleimani, I am seeing a lot of worry on Facebook and in private forums about the possibility of imminent Iranian cyberattacks on critical infrastructure, transportation, and the like.
This breathless Business Insider headline is typical: “Iran’s ‘forceful revenge’ against the US is likely to include cyberwarfare, and experts warn that the attacks could be devastating”. Some other examples of recent coverage:
- ‘A cyberattack should be expected’: U.S. strike on Iranian leader sparks fears of major digital disruption
- We Talked to Experts About Iran’s Cyberwar Capabilities
- ‘They’re going to want bloodshed’: 5 ways Iran could retaliate in cyberspace
- Here’s What a Cyber Attack by Iran Might Look Like
- Cyber War Between Iran and United States Could Have Far-Reaching Implications
I am not an information security (infosec) expert, but I am a software professional and a tech journalist (I co-founded the popular tech site Ars Technica, and have written a book on microprocessors), and I have often pinch hit on the infosec beat in the course of my career. And I have a message for anyone losing sleep at night over the prospect of the Iranians taking down the power grid, or a civilian airliner, or our banking system: it’s too soon to worry about that stuff.
When evaluating the likelihood of a cyberattack from a state actor like Iran, there are two primary factors to consider: capability and attribution.
Capability is straightforward — does this party have the expertise to pull off the contemplated attack — and it’s where most people begin and end when thinking about this issue.
Given the rickety, insecure state of so much of our critical infrastructure, the answer for most mid-tier cyber adversaries, e.g. Iran and North Korea, is “yes, they probably have the capability to do that” for a pretty wide range of nightmare cyberattack scenarios short of maybe taking down the nation’s power grid or our entire banking system.
It’s not that their hackers are that good — it’s that information security everywhere is in that bad a shape.
But fortunately for all of us, capability isn’t the whole story.
Attribution: the coverup is harder than the crime
If any group of bad guys, state or non-state, carries out a major cyberattack on the US that places lives at risk or does significant damage to critical infrastructure, and the US can attribute the attack to them with a high enough degree of confidence, then those bad guys are done for. We will treat the cyberattack like an act of war — because it is one! — and respond accordingly.
Foiling America’s efforts to attribute the attack to an adversary with enough confidence to justify retaliation, is far and away harder than merely carrying out the attack itself.
A simple analogy: Amazon’s new Go stores — where you just walk in, grab whatever you want off the shelf, and walk straight out — might be very easy to steal from. But in order to do it and stay out of jail you’d also have to know how to disable the store’s 874 face-tracking cameras.
Similarly, in order to, say, bring down a major city’s power grid, you need detailed knowledge of that city’s power infrastructure and its weaknesses; but the bar for such knowledge is only moderately high, and lots of bad guys have it.
But in order to bring down a city’s power grid and cover your tracks so that you don’t get nuked for it, you not only require the aforementioned power grid details, but you also need intimate knowledge of the US’s advanced cyber forensics capabilities, and of the forensic capabilities of any public- or private-sector groups we might bring in to help figure out who did it.
(Kind of like when the FBI couldn’t crack a criminal’s iPhone encryption, so they hired an Israeli company to do it for them.)
We’re not there, yet
So far, Iran’s modus operandi in the region has been to attack US interests through proxies — allied militias and terror groups — leaving some plausible deniability so that they don’t cross the red line of being seen as directly responsible for the loss of US lives.
Writing in the Washington Post, Afshon Ostovar, an author and analyst with deep expertise on Iran, argues that Iran is very likely to continue along this path of arms-length retaliation-by-proxy. They cannot afford an all-out military confrontation with the US, so they’ll resort to proxy wars, terror attacks, and possibly lower-grade cyberattacks like the recent ransomware attack on Atlanta that was attributed to the regime.
Many other smart analysts are saying the same thing — that Iran cannot afford to take this all the way, and that they’ll keep playing the long game and fighting by proxy:
9. What’s more likely is sustained proxy attacks against US interests/allies regionally and even globally. Iran has a long history of such attacks in Europe, Africa, Asia, and Latin America, with mixed success; regime apparatchiks are already telegraphing: https://t.co/OdlctWUIkT
— Karim Sadjadpour (@ksadjadpour) January 3, 2020
Only if the situation escalates to the point of all-out war on Iranian soil, with the regime fighting America for its survival, will they stop caring about the cyber attribution issue and throw their full cyber warfare arsenal at us.
To be clear, the current situation is very dangerous, and many level-headed, non-alarmist voices are quite worried about an escalation spiral that brings us to the point of full-blown, open conflict. But the limited nature of Iran’s options and the fact that neither the US nor Iran wants such a costly war means that, for now, the odds are that if we do see cyberattacks here in the US, they’ll be expensive and inconvenient, but not deadly and devastating.