We need to prepare. With the deployment of the USS Abraham Lincoln and a group of B-52 bombers to the Middle East, tensions with Iran have reached a critical phase. While Iran poses a very real threat to the world’s supply of oil, the current situation also underscores that we must be prepared — immediately — to counter Iranian-sponsored terrorism and to respond to the threat that Iran’s growing cyber capabilities pose to the United States and our allies in the region.
The stark reality is that Iran is constantly putting our interests and those of our allies at direct risk. We’ve seen this happen in a wide range of ways: For nearly four decades, Iran has funded Hezbollah, a terrorist organization responsible for the deaths of hundreds, if not thousands, of Americans; Iran’s support, along with Russia’s, for the Syrian regime has made that conflict hugely bloody; and Iran’s meddling in Yemen has created one of the worst humanitarian crises of our era. Moreover, Iran’s covert and illegal pursuit of nuclear weapons is precisely why we are now in the current situation.
{mosads}With the U.S. applying maximum pressure by terminating our sanctions waivers and cutting off Iran’s oil exports, it is not surprising that Iran, in turn, is threatening the nearly one-third of the world’s ocean-shipped oil supply that passes through the Straits of Hormuz. That fact alone makes the White House’s decision to deploy U.S. forces to protect this critical artery exactly the right move.
At the same time, we must be ready to deal with two highly likely scenarios.
Rather than directly attacking merchant shipping in the Gulf — which Iran knows would provoke a swift, severe response from the United States — it most likely will revert to asymmetric warfare, using terrorist tactics (including sabotage) and cyber attacks.
When it comes to terrorism, Iran’s resume is long; indeed, during the recent Iraq conflict alone, it is estimated that Iranian proxy terrorists killed or injured one in six allied troops.
While Iran’s cyber efforts are a newer form of asymmetric warfare, it is one that Iran is perfecting. In the last decade, Iran has repeatedly struck the United States and our allies in the cyber domain with relative impunity. From the destructive wiper virus attacks on the Saudi Arabian oil industry in 2012 and again in 2018, to the increasing drumbeat of distributed denial of service (DDOS) attacks on U.S. banks between 2012 and 2013, the destructive attacks targeting the Las Vegas Sands corporation in 2014, the major intrusion campaign targeting U.S. companies and others between 2016 and 2017, and more recent activities targeting the global domain name service infrastructure for manipulation, Iran’s cyber activities have been getting more and more aggressive, with precious little response from the United States.
{mossecondads}Our intelligence community has outed Iran a number of times for cyber activities; the Justice Department has indicted various Iranian hackers and their colleagues. And, as recently as this year, the Treasury Department has targeted sanctions against Iranians for conducting malign cyber activities. Yet, the reality is that Iran has not let up and its attacks continue to be relatively successful.
Given the increasing tensions in the region, recent history tells us that Iran almost certainly will wage a low-level war against us and our allies again in cyberspace, and soon. It also is highly likely that these attacks will be serious, and they will seek to exact a very real price on American companies and our people.
There are a number of things that should be done immediately.
First, the government should take immediate action to help the U.S. private sector to shore up its defenses. There can be little doubt today that our government has some significant measure of insight into what Iran might be planning — after all, we wouldn’t have acted so quickly to deploy forces, had we not had some credible threat reporting. It therefore stands to reason that we may eventually get credible reporting about Iranian planning in the cyber realm. Given the threat we face, and Iran’s clear willingness to target the U.S. private sector, there can be no excuse for the U.S. government not sharing what it knows immediately — and in actionable form — with industry.
Second, we should make common cause with our allies in the Middle East. More than any other nations, our friends in Saudi Arabia, Bahrain, Kuwait, Qatar and the United Arab Emirates are on the front lines of Iranian attacks. We should extend sharing of potential cyber threats to them and work to collect information about Iran’s activities targeting our regional allies. Because these nations often are a test-bed for Iranian hacking, such an effort could better help to protect our allies and provide our government and industry with early warning of potential attacks.
Third, our government needs to make clear to Iran that it will leverage the full spectrum of national power to respond to a cyber attack, just as we would in the event of a physical attack. We need to be willing to stand by that position — and exact consequences in cyberspace or elsewhere — if and when Iran does attack again. Just as Israel recently responded to Hamas attacks, the U.S. needs to make clear that all options are on the table for responding to cyber attacks. While some have suggested that deterrence doesn’t work in the cyber domain, the reality is that if an attacked party is willing to deliver real consequences and is seen to do so, deterrence can in fact work.
Fourth, our cyber warfighters need to be freed up to get ahead of the conflict and start taking action now to stop the nascent Iranian threat. Congress recently provided the president and the Department of Defense (DOD) with clear authority to take action to disrupt, defeat and deter cyber attack campaigns by Russia, China, North Korea and Iran, and DOD has made clear that its new policy is to “defend forward” and persistently engage our cyber enemies. Now is the time to put this new authority and policy to use to defend our nation.
While none of the above steps is a panacea, there is little question that if we don’t act now to get ahead of this very obvious threat, Americans can and should legitimately question whether we are doing enough to protect them and our vital interests.
Gen. Keith Alexander retired in 2014 as a four-star general of the U.S. Army. He directed the National Security Agency (2005-2014), was the first commander of the U.S. Cyber Command (2010-2014), and served on President Obama’s Commission on Enhancing National Cybersecurity. He is founder, president and co-CEO of IronNet Cybersecurity, which provides cybersecurity services to the private sector. Follow on Twitter @IronNetCyber.
Jamil N. Jaffer is vice president of strategy and partnerships at IronNet Cybersecurity and the founder and executive director of George Mason University’s National Security Institute. He previously served in a variety of national security roles in federal government and worked on President George W. Bush’s Comprehensive National Cybersecurity Initiative. Follow him on Twitter @jamil_n_jaffer.