BY ELIAS GROLL
With U.S. President Donald Trump considering ways to retaliate against Iran for an attack against Saudi oil infrastructure—but desperate to avoid getting entangled in a shooting war—cyberattacks against Iranian targets have emerged as a potentially bloodless way to flex American power.
But experts in cyberwarfare worry that the administration’s apparent eagerness to rely on digital weapons to strike back against Tehran for a missile and drone attack that briefly ground Saudi oil output to a halt carries with it a great risk: normalizing the militarization of cyberspace.
The risk is twofold. The United States and its massive digital economy would be exposed to attack—with more vulnerabilities than most other countries. And Washington would be lowering the bar for engaging in a new domain of warfare, exposing the broader digital economy to new types of threats.
With the United States making cyberweapons a larger part of its military arsenal, such attacks are becoming a routine feature of the ways that countries interact with one another in cyberspace. And that has even veterans of U.S. hacking units worried.
“The normalization of destructive attacks is what concerns me,” said Jake Williams, the founder of the cybersecurity firm Rendition Infosec and a veteran of the U.S. National Security Agency’s elite hacking corps.
Iran is not America’s only front in cyberspace. Russia, China, and North Korea have all made significant investments in their hacking capabilities. Russia has meddled in American elections, fiddled with the U.S. power grid, and blacked out Ukraine and other Eastern European neighbors. Chinese hackers have been accused of widespread intellectual property theft, especially from U.S. technology firms, and researchers have documented how Beijing has used its sophisticated digital army to surveil minorities and dissidents. North Korea, meanwhile, has carried out a series of daring digital heists to generate funds for the cash-strapped regime.
Military and intelligence activity online has become a fact of contemporary life, but the United States—after years of relative caution in its use of digital weapons and even as it urges the rest of the world to practice greater restraint—has recently grown more aggressive. The Trump administration has delegated to the NSA and U.S. Cyber Command, the military unit charged with carrying out offensive operations online, greater authority to strike at targets and carry out reconnaissance.
Ahead of the 2018 midterm elections, Cyber Command knocked the main Russian troll operation offline. A joint task force set up to target the Islamic State is continuing to go after the group online after it was largely militarily defeated in Iraq and Syria. And earlier this summer, after Trump scotched plans for a military strike, American hackers struck Iranian computer systems instead.
Like drone strikes, which became an integral part of the U.S. arsenal a little over a decade ago, cyberweapons seemingly offer a standoffish, bloodless way to target enemies—with the risk that they become an automatic fallback, not just for the United States, but for everyone else as well.
“It’s increasingly part of the arsenal that states are using against each other,” said Sergio Caltagirone, the vice president of threat intelligence at the industrial cybersecurity firm Dragos. “The issue in the long term is that the United States using cyber consistently leads to the idea that it can be used any time.”
The growing use of cyberweapons has a host of unpredictable consequences. Caltagirone, a former senior intelligence analyst at the NSA, likens it to prying open Pandora’s box a bit further with each attack.
The consequences of breaking into a computer system or launching a cyberattack can be highly unpredictable. When Russian intelligence unleashed the NotPetya ransomware in Ukraine in 2017, for example, it probably did not expect that it would eventually shut down the Danish shipping giant Maersk and even British hospitals.
The United States is no stranger to the unexpected consequences of digital weapons, either. Its landmark cyberattack on Iran’s nuclear infrastructure was only discovered in 2010 after the Stuxnet malware spread to other computer systems that it never intended to target. Indeed, Stuxnet was a pioneering weapon in the history of cyberwarfare, illustrating the possibilities of digital weapons to covertly attack key targets—and to use cyberweapons to cause physical havoc in the real world.
But U.S. use of cyberweapons has generally been more restrained than that of its adversaries. Unlike Russia, for example, the United States has refrained from using cyberweapons to target civilian infrastructure, at least as far as is publicly known.
NSA Director Paul Nakasone, who also heads Cyber Command, has articulated a new philosophy that he calls “persistent engagement” that involves “defending forward” against U.S. adversaries online. While the details of those operations remain shrouded in secrecy, they are understood to involve additional forays into enemy networks.
U.S. adversaries are observing the consequences of that shift. Speaking to reporters at the United Nations this week, Iranian Foreign Minister Mohammad Javad Zarif appeared to acknowledge that his country is increasingly observing cyberattacks against it. “Daily there may be cyberattacks against one or another Iranian facility,” Zarif said. “Cyber is one of the most serious areas of warfare, unfortunately.”
The use of digital weapons in the ongoing conflict between Iran and the United States has clear advantages. Hacking computer systems has a much lower probability of bloodshed than military action. “The old warfighter in me loves that we aren’t putting people in harm’s way,” Williams, the former NSA hacker, said.
That fact has heightened the appeal of cyberweapons to Trump; hesitant to inflict casualties, he canceled at the last minute a retaliatory military strike against Iran after the downing of a U.S. drone in June. Instead, Trump launched cyberattacks against Iranian computer systems that were used in organizing the seizure of tankers. Once again, this time in retaliation for an attack earlier this month on Saudi oil facilities, Trump is reportedly mulling the use of cyberweapons.
But for every cyberattack that the United States launches, it must also make hard choices about the intelligence value of such a move. Attacking digital systems typically requires breaking into them ahead of time, which can provide key intelligence. When one moves from surveilling a system to destroying it, that access is lost.
“You can’t attack something and stay in that network,” Williams said. And for every cyberattack that the United States launches, it will have less access to networks and fewer targets to hit in cyberspace. “It’s not like you’ve got a thousand cyber-cruise missiles.”
Unlike traditional military action, cyberattacks can cause collateral damage far from the battlefield. American computer security experts worry their clients will be the target of potential Iranian retaliation.
“Even if Cyber Command will deliver the first blow, they won’t be absorbing the response,” said John Hultquist, the director of intelligence analysis at the cybersecurity firm FireEye. “My customer is going to get caught in the crossfire in a scenario like that.”
Hultquist said his company has observed Iranian hackers probing critical infrastructure systems in Saudi Arabia in recent weeks, including by sending company employees spear-phishing emails, which are attempts to trick users into giving access to their computers. The activity observed by FireEye may be an indication of preparation to launch an attack.
But even as the United States increasingly reaches for the cyberweapon to counter aggression from Iran and other countries, it is encouraging other states not to do the same. In a statement issued Monday at the United Nations and signed by the United States, a coalition of 27 states urged countries not to target one another’s critical infrastructure systems.
“State and non-state actors are using cyberspace increasingly as a platform for irresponsible behavior from which to target critical infrastructure and our citizens,” the states declared. “We call on all states to support the evolving framework and to join with us to ensure greater accountability and stability in cyberspace.”
Senior staff writer Colum Lynch contributed reporting.