Cyber Strife Between U.S. and Iran Is Nothing New

Stephen L. Carter

(Bloomberg Opinion) -- Experts are warning that the U.S. should expect more cyberattacks by Iranian hackers in retaliation for the death of General Qasem Soleimani in a targeted drone strike. Maybe they’re right. But let’s not kid ourselves: Iran would be launching lots of cyberattacks anyway.

And the danger of escalation would be ever-present.

So far, despite the warnings, security researchers report that little has yet materialized. But that doesn’t mean nothing major will happen. Iran’s official and semi-official hackers are among the best in the world, and both the U.S. government and private industry are bracing for possible attacks. Crucial sites are much better protected than they were a few years ago, but no protection will ever be perfect.

Infrastructure, always an attractive target, has long been a focus of Iran’s hackers, particularly the group known as APT33 or Refined Kitten. Recent news reports have singled out Refined Kitten’s constant “password-spraying,” the relatively low-tech tactic of flooding infrastructure targets with common passwords(1) in the hope that some will work. However, those attacks aren’t a response to the current crisis; they’ve been going on at least since 2018.(2)
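As an added illustration that is not part of the column, here is a defender's-side detector for the spraying pattern just described, run over constructed sample login records: many distinct accounts tried once or twice each from one source, as opposed to one account hammered many times. The log format, thresholds and IP addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not real data); assumed format: <ISO ts> <src_ip> <user> <LOGIN_OK|LOGIN_FAIL>
SAMPLE_LOG = """\
2020-01-10T08:00:01 203.0.113.7 alice LOGIN_FAIL
2020-01-10T08:00:03 203.0.113.7 bob LOGIN_FAIL
2020-01-10T08:00:05 203.0.113.7 carol LOGIN_FAIL
2020-01-10T08:00:07 203.0.113.7 dave LOGIN_FAIL
2020-01-10T08:00:09 203.0.113.7 erin LOGIN_FAIL
2020-01-10T08:00:11 203.0.113.7 frank LOGIN_OK
2020-01-10T08:01:00 198.51.100.9 alice LOGIN_FAIL
2020-01-10T08:01:02 198.51.100.9 alice LOGIN_FAIL
2020-01-10T08:01:04 198.51.100.9 alice LOGIN_FAIL
2020-01-10T08:01:06 198.51.100.9 alice LOGIN_FAIL
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (LOGIN_OK|LOGIN_FAIL)$")

def parse_log(text):
    """Yield (timestamp, src_ip, user, succeeded); skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, user, result = m.groups()
            yield datetime.fromisoformat(ts), ip, user, result == "LOGIN_OK"

def detect_spray(text, window_s=300, min_users=5, max_per_user=2):
    """Flag sources whose failures within a window touch many accounts with
    few tries each (spray), rather than one account many times (brute force)."""
    fails, ok_ips = defaultdict(list), set()
    for ts, ip, user, ok in parse_log(text):
        if ok:
            ok_ips.add(ip)
        else:
            fails[ip].append((ts, user))
    hits = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance start so the window spans at most window_s seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            per_user = defaultdict(int)
            for _, user in events[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[ip] = {"users": sorted(per_user), "success": ip in ok_ips}
    return hits
```

A flagged source whose record also carries `"success": True` (a later successful login from the same address) is the case worth triaging first, since it suggests one of the common passwords worked.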

The dates matter. What’s often called the “shadow war” between the U.S. and Iran has been going on for a long time. Last June, for instance, the U.S. retaliated for Iranian attacks on oil tankers and the downing of a drone by launching cyber assaults against “an Iranian intelligence group” believed to be involved. The U.S. action also followed a spike in efforts by Iranian hackers to breach computer systems at, among others, the Energy Department and U.S. national laboratories.

It’s tempting to blame the shadow war on the policies of President Donald Trump, but the battle was joined long before he took up residence in the Oval Office. The Iranian efforts are usually dated to 2009, when the “Iranian Cyber Army” successfully attacked Twitter, proclaiming on the site’s homepage “U.S.A. Think They Controlling And Managing Internet By Their Access, But They Don’t, We Control And Manage Internet By Our Power.”

The hacks continued throughout the Obama administration. In 2013, for instance, Iranian hackers “infiltrated the control system of a small dam less than 20 miles from New York City.” The next year, they attacked a Las Vegas casino owned by Sheldon Adelson. In 2016, the U.S. announced indictments against seven hackers said to be working on behalf of Iran’s Revolutionary Guard who were alleged to have “conducted a coordinated cyberattack on dozens of U.S. banks, causing millions of dollars in lost business.”

Moreover, Iran never needed any provocation to unleash its hacking squads. In November of 2015, the New York Times reported “a surge in sophisticated computer espionage” by hackers based in the Islamic Republic, including “a series of cyberattacks against State Department officials.” Those attacks came four months after the signing of the Iran nuclear deal.

My point isn’t that the accord somehow caused the attacks, perhaps by emboldening Iran. That’s nonsense. My point is that the existence of the accord didn’t prevent the attacks or even reduce their frequency or scope.

Nor should anyone have expected such a result. In the Middle East, for better or worse, the U.S. and Iran are rivals, each seeking to exercise influence in the world’s most volatile region. As every disciple of conflict theory knows, rival powers often find it in their interest to cooperate on particular issues. But the fact that rivals sometimes cooperate – as the U.S. and Iran did, for example, in the battle against Islamic State – doesn’t suddenly make them allies. Neither did the nuclear deal.

From the point of view of both countries, a battle in cyberspace feels far safer than one fought out with force of arms. One might suppose that because the U.S. is the dominant online player, a fight in the digital realm would be to its liking. But there are reasons to be wary.

In an important recent essay in The Atlantic, Stanford’s Amy Zegart points to the paradox of U.S. tech dominance: “The United States is simultaneously the most powerful country in cyberspace and the most vulnerable country in cyberspace,” she writes. The more widespread and complex your systems, she argues, the greater the possibilities for a hacker to find a way in: “In the virtual world, power and vulnerability are inextricably linked.”

And exploiting the opponent’s online vulnerabilities is a tricky and dangerous business. Few conflicts stay in the shadows forever. The trouble is, it’s impossible to predict when or how the battle will burst into the open. Here one is reminded of Nobel Laureate Thomas Schelling’s description of “limited war” as being like fighting while in a canoe. “A blow hard enough to hurt,” he wrote in Arms and Influence, “is in some danger of overturning the canoe.” Once both canoes capsize and everybody’s in the water, there’s no way to tell who’ll drown.

So far, the cyber-blows exchanged by Iran and the U.S. haven’t been hard enough to hurt in any deep and profound sense, even during the current atmosphere of crisis. The canoes have stayed afloat. One expert interviewed by the Washington Post suggested that all we’re likely to see is “small-scale interruptions and nuisance activities with limited impact” – in a word, vandalism. That’s what happened earlier this month, when Iranian hackers successfully defaced the website of the Federal Depository Library Program with a tribute to Soleimani. And if by chance you haven’t heard of the Federal Depository Library Program, that’s the point.

But the fact that the cyber war between the U.S. and Iran has remained in the shadows so far doesn’t mean it always will. No matter who wins the 2020 presidential election, the battle won’t go away.

Neither will the risk of overturning the canoe.

(1) If your password is on this list, then it’s common, and you should change it.

(2) Refined Kitten, like other Iranian hacker groups, has also targeted companies involved with national security. One “soft” Refined Kitten technique involves posting fake notices about jobs in the defense industry, evidently in the hope of vacuuming up information from applicants.

To contact the author of this story: Stephen L. Carter at scarter01@bloomberg.net

To contact the editor responsible for this story: Sarah Green Carmichael at sgreencarmic@bloomberg.net

This column does not necessarily reflect the opinion of Bloomberg LP and its owners.

Stephen L. Carter is a Bloomberg Opinion columnist. He is a professor of law at Yale University and was a clerk to U.S. Supreme Court Justice Thurgood Marshall. His novels include “The Emperor of Ocean Park,” and his latest nonfiction book is “Invisible: The Forgotten Story of the Black Woman Lawyer Who Took Down America's Most Powerful Mobster.”

©2020 Bloomberg L.P.