The Iranian cyber threat poses unique challenges to American security given the difficulties with properly attributing attacks, the lack of clear-cut rules with regard to response options and concerns for escalatory responses, and the thousands of vulnerable sites throughout the country and among our allies and U.S. entities abroad that make for appealing targets. Iran has crossed a major red line by recently launching cyber attacks intended to cause harm to Israel’s civilian populations by poisoning water systems. A similar attack was attempted against Oldsmar, Florida in February 2021, and while the origin of the Oldsmar attack remains unknown, it highlighted the vulnerabilities facing 151,000 municipal water treatment facilities around the U.S. The main factor preventing Iran from launching major, disruptive cyber attacks against the U.S. homeland is not necessarily lack of opportunity or ability, but the regime’s calculus as to whether the benefits of such an attack outweigh the costs it would likely incur.
To date, Iran has continually pushed the envelope in the offensive cyber realm, carrying out costly attacks against the United States and its European and Middle Eastern allies. Washington has mainly responded to increased Iranian regional provocations by engaging in its own cyber operations, for example, reportedly targeting an Iranian paramilitary database which enabled the regime to surveil and plan attacks against tankers passing through the Persian Gulf.
The levers at the United States’ disposal to mitigate the Iranian cyber threat are less than ideal. Under Executive Order 13694, the U.S. has the authority to sanction entities engaging in malicious cyber-enabled conduct against the U.S., and it can also issue indictments against Iranian cyber threat actors. Such actions, however, are largely symbolic in effect.
This dynamic changed in September 2018, when President Trump issued National Security Presidential Memorandum 13 (NSPM 13), a classified directive that reportedly enables the White House to permit the military to engage in offensive cyber operations without a lengthy review process. The measure, which then-National Security Advisor John Bolton played an important role in crafting and implementing, is designed to deter adversaries from cyber campaigns targeting critical networks or interfering in U.S. elections. Bolton asserted that the directive would create “structures of deterrence that will demonstrate to adversaries that the cost of their engaging in operations against us is higher than they want to bear.” Cyber operations approved under NSPM 13 would have to fall short of the criteria for classification as “use of force,” however, meaning they cannot cause death, destruction, or severe economic impacts. Still, the directive gives the Trump administration a potent tool to respond to and prevent Iranian cyber aggression.
Despite the issuance of NSPM 13, U.S. policymakers have yet to make full and concerted use of the authorities contained within. Iran has therefore yet to be deterred, as evidenced by reports that it has continued to probe critical U.S. systems, signaling that an attack on industrial control systems remains on the table.
The primary deterrent to Iran undertaking the costliest and most destructive attacks would be the knowledge that such a cyber attack would lead to a kinetic response, but, troublingly, the U.S. has yet to define what constitutes an act of warfare in the cyber domain.
Lawmakers of both parties have grappled with the question in the wake of the Soleimani assassination and have called on the Pentagon to provide guidance. Since 2011, it has been U.S. policy that, “When warranted the United States will respond to hostile acts in cyberspace as we would to any other threat to our country.” Without clearly enumerated red lines, however, Iran is liable to test the waters in provocative ways, having already discovered that it can carry out costly attacks on the U.S. financial system, on a casino, and on universities, companies, and government agencies without significant pushback.
The most daunting task facing the U.S. is shoring up the defenses of the thousands of soft targets around the country. In 2018 the U.S. elevated Cyber Command to a combatant command and made defending critical infrastructure against cyber attacks a key priority. Strategic collaboration with allied countries is an important component in ensuring that the U.S. and its allies adopt best practices in cyber defense. In November 2019, U.S. Cyber Command and its Israeli analog, the Israel Defense Forces’ Cyber Defense Directorate, staged a joint exercise, dubbed “Cyber Dome,” in which the participants practiced responding to a simulated significant cyber attack. Israel has also opened its doors to other regional militaries to share cooperatively in its advanced cyber defenses. While such collaboration is useful for enhancing homeland security and protecting U.S. interests abroad, the private sector in the U.S. has been largely left to its own devices when it comes to cybersecurity. A more proactive public-private approach is required to identify vulnerable targets and bolster cybersecurity across the board in order to achieve collective defense.