In July 2015, the United States and the Islamic Republic of Iran came to an accord over the future of Iran’s nuclear program. The agreement would lift nuclear-related economic sanctions in exchange for Iran’s implementation of initiatives to repurpose some of its nuclear sites, reduce uranium enrichment, and submit to inspection, among other stipulations.
Iran’s economy suffered during the robust joint U.S., European Union, and United Nations economic sanctions; in April 2015, U.S. Treasury Secretary Jacob Lew estimated that Iran’s economy was 15 to 20 percent smaller than it would have been had sanctions not been ratcheted up in 2012 and cost $160 billion in lost oil revenue alone.
Sanction-relief is expected to impart approximately $100 billion to Iran, largely coming from oil sales that have been accumulating over the years. However, there is mounting concern that Iran will reprioritize its nuclear ambitions in favor of supporting terrorist activity and/or advancing its cyberwarfare capabilities, the latter on which this report will focus.
Private sector analysts and at least one U.S. official expressed apprehension over increased aggressive Iranian cyber activity as a result of the agreement.
Yet, given the condition of inflation, currency devaluation, and unemployment in Iran, it’s more likely that the government will use the majority of finances to revive a failing economy, leveraging initiatives that boosted investment in cyber-related technologies as a means to attract foreign interest in the Iranian marketplace.
Economic Sanctions and Iran
Prior to the July 14, 2015 agreement between Iran and the P5+1 countries (China, France, Germany, Russia, the United Kingdom, and the United States) in Austria, the United States (U.S.), European Union (EU), and United Nations (U.N.) had imposed varying degrees of economic sanctions against Iran for its nuclear aspirations.
Supporters and detractors debate the combined effectiveness of these sanctions toward influencing Iran’s behavior. Certainly there is the belief that while sanctions didn’t cripple Iran they certainly helped bring the government to the negotiating table.
According to a former U.S. deputy national security adviser, the financial impact on Iran helped “unplug” the country from elements of the global financial order. Indeed, the financial ramifications of the international sanctions became apparent throughout the course of their increased pressure on Iran’s economy. Some evidentiary findings that support this conclusion include:
- A 2013 Gallup poll reported that approximately 56 percent of Iranians believed that sanctions had impacted their livelihood significantly.
- According to findings from a Congressional Research Service report, in 2013, sanctions caused Iran’s gross domestic product to contract five percent—the first time that had occurred in two decades. According to the testimony of one U.S. official in January 2015, Iran’s economy was approximately 15-20 percent smaller than it would have been without the imposition of sanctions.
- In January 2013, Iran’s oil minister estimated that reduced oil exports cost the country between $4 billion and $8 billion per month, and by May 2013, oil exports fell to 700,000 barrels per day. In December 2014, Iran’s 2015 budget was initially based on a $72/barrel oil price, which had to be revised based on production/export restrictions.
- The loss of oil revenue combined with increased isolation from the international banking system had caused Iran’s currency to lose approximately two-thirds of its value. As of April 2015, the unofficial rate was approximately 37,000 Rial to the dollar, according to a report by the Congressional Research Service.
While the agreed upon deal will ease many of the nuclear-related sanctions, they will not remove those imposed for human rights abuses and terrorism support, according to one news report. In anticipation of trying to recapture its substantial oil losses, Iran is seeking to double its exports of oil and lobby the Organization of Petroleum Exporting Countries to reinstate the cartel’s quota system.
If accepted, the Iranian government can expect to recapture much of its oil money that has been languishing in frozen accounts and thereby calling into question how Tehran will use this substantial windfall.
Concerns Over How Iranian Oil Profits Will Be Used
While Iran’s foreign policy addresses all regions of the world, Tehran focuses its attention primarily on the Middle East, and the Near East region. According to at least one Middle East specialist, Iran appears to weigh the relative imperatives of the government’s “religious ideology” against the demands of Iran as a country.
As a result, Iran is challenged with promoting its interests as a regional leader against religious sectarian differences with its neighbors, the constant threat of U.S. influence on some Arabic states, and the antagonistic presence of Israel. Therefore, it comes as little surprise that Iran’s perception of the threat surrounding it drives its foreign policy considerations.
Two such foreign policy efforts include 1) providing financial and material support for allied governments and armed factions, some of which have been identified by the U.S. Department of State as “foreign terrorist organizations;” and 2) continuing development of an increasingly sophisticated cyberwarfare capability.
Funding Regional Interest Groups.
Detractors over the nuclear agreement fear that it does not address Iran’s global threat network. In the estimation of one political scientist, with new funds Tehran will be able to better fund proxies in Yemen and Iraq, as well as Hamas, which has increasingly relied upon financial support from Iran since the Syrian civil war initiated in 2011.
According to U.S. Intelligence estimates, Tehran provides an estimated $6 billion in aid to al-Assad’s government in Syria, as well as supporting Hezbollah with substantial funding, training, weapons, and modern equipment, according to a U.S. think tank analyst.
Funding Cyberwarfare Development.
While initially using its cyber capabilities to monitor and control domestic online activity, Iran understands the asymmetric value of offensive cyberattacks against superior strength adversaries. One Israeli cyber expert does not believe Iran is a third tier cyber actor but an emergent cyber-capable adversary.
Some U.S. lawmakers believe that access to significant financial reserves will advance the country’s cyber program, providing access to better technology and training, speeding the pace at which Iran can become a major cyber power. In addition to U.S. lawmakers, some experts from U.S. think tanks and private security companies have voiced similar concerns.
Iranian Cyber Spending Has Increased Over the Past Few Years
A February 2015 report published by a United Kingdom-based independent company revealed how Tehran has invested significantly in developing its Internet infrastructure under Rouhani’s administration. The report compared information and communications technology (ICT) budgets for past three fiscal years (2013-2016), tracking changes in spending priorities. Key findings in the report included:
Rise of Planned Miscellaneous Budget.
The UK report cited an increase in the Planned Miscellaneous Budget (PMB), a discretionary budget typically allocated at a later time, over the Planned Expenditure Budget (PEB).
The report stated that Rouhani’s preference was to shift the majority of ICT funds into the PMB. As a result, the PMB increased at a rate of more than 500 percent from 2013/2014 to 2015/2016, while the PEB remained fixed at less than half of the PMB figure, and only a 68 percent increase over the same three-year period, according to the same UK report.
Focus on Cybersecurity.
Since taking office, Rouhani has increased cybersecurity funding 1200 percent over the past three fiscal years, according to a February 2015 “Iranian Internet Infrastructure and Policy Report.”
The series of hostile cyber events impacting Iran including the 2010 Stuxnet discovery, the April 2012 wiper malware that WIPER malware targeting Iran Oil Ministry and National Iranian Oil Company, and the discovery in 2012 of the Flame malware, were reason enough to address cybersecurity considerations for key sectors.
Domestic ICT Production.
Iran has initiated several domestic ICT projects in an effort to reduce reliance on Western equipment, while promoting its own capabilities.
In February 2015, the first Iranian search engine “Yooz” was launched. SHOMA, Iran’s national information network, was first started in 2006, Iran’s national information network (SHOMA) was tested in 2012. The goal is that SHOMA emerges as the primary system for Iran’s information and telecommunications infrastructure.
While such advancements can be used to develop Iran’s cyberwarfare capabilities, technology advancement can also be leveraged to attract investment and development.
According to a former chairman of the U.S. Federal Reserve, “innovation and technological change are undoubtedly central to the growth process; over the past 200 years or so, innovation, technical advances, and investment in capital goods embodying new technologies have transformed economies around the world.”
Since the signing of the accord, Iran has already held discussions with France, Italy, and Germany regarding investment and technology transfers, and is seeking continued Russian partnership.
Much of what is known about Iran’s cyber budget indicates a desire to indigenously produce domestic products while increasing security capabilities. There is evidence to suggest that sanctions have enabled certain facets of Iranian IT sector to benefit from the sanction era.
Instead of relying on foreign equipment, companies have been forced to develop their own digital solutions, thereby raising their market share, according to one news source. In a country whose Internet penetration rate is approximately 73 percent (according to Iran’s National Interne Development Center), the opportunity to further develop this sector to be a regional leader is enticing.
Iran’s Cyberwarfare Capabilities
This is not to say that Iran cannot or will not use some of the freed financial assets toward supporting an ongoing development of its cyberwarfare capability.
Some have intimated that Iran’s aggressive investment in cyber-related technologies and its large government funded university system in which IT and scientific infrastructure have benefited greatly may certainly be leveraged for this purpose.
However, based on observed hostile cyber activity that is believed to be Tehran sponsored, conducted, or directed, suspected Iranian agents have yet to use weapons of the caliber executed against Iranian systems (e.g., Stuxnet, Gauss, Duqu), despite alleged leaked U.S. documents to the contrary.
This is not to serve as conclusive proof of capability or lack thereof; rather, it is merely a gauge by which to broadly measure developmental achievements in suspected Iranian cyber activity.
Timeline of Notable Suspected Iranian-Involved Cyber Activity
The following timeline of cyberattacks of suspected Tehran involvement potentially reveals the quick evolution of a nation state that was once considered a “third tier” cyber power. While an argument can be made that increased cyber activity transpired during times when the Iranian cyber budget increased, there is little corollary evidence linking the two in a cause-effect relationship.
At best, it serves only as a point of interest that bears further investigation, as there is no visibility into how the funding directly supported the operations or the organizations/groups behind them.
2011: The theft of digital certificates for secure communications from a Dutch company. These were later used to hack Iranian citizens communications and e-mail. The fallout of the breach is believed to have been instrumental in the company declaring bankruptcy shortly after.
2012: A cyberattack destroyed approximately 30,000 computers at the Saudi oil company Aramco; a similar attack was directed against Qatari energy company RasGas. Aramco was forced to Aramco was forced to shut down the company’s internal corporate network in order to stop the virus from spreading.
Also in 2012, the first of several phases of a distributed denial-of-service attacks (DDoS) targeted U.S. banks. While not damaging, the DDoS was a greater magnitude than any that had been seen up to that point. The severity and persistence of the DDoS prompted a senior U.S. official to point the blame at Tehran.
2013: The infiltration of U.S. navy’s internal network is believed by U.S. officials to have been carried out by actors working on behalf of Tehran. Although no information of value was taken, it did demonstrate a more potent hacking capability associated with Iran than was previously believed.
2014: A computer security company published a report that attributed cyber espionage activity directed against U.S. defense industrial base companies to an Iranian group called the Ajax Security Team.
Although the report didn’t conclusively link the group to the Iranian government, it did intimate state responsibility based on a 2012 Atlantic Council paper on the subject.
Also in this year, another computer security company published a report on Iran-based cyber espionage activity targeting government agencies and major critical infrastructure companies (energy, airline, military intelligence, hospitals) in 16 countries.
Unlike previous suspected Iranian activity, the intent of this activity was to establish entry points to conduct sabotage, according to the company. The report stops short of implicating Tehran, and reserved connections in a section marked “Speculation.”
2015: The latest Iranian activity report combined the efforts of a computer security company and a U.S. conservative think tank.
The report called attention to substantial attacks directed against model supervisory control and automated data systems, and identified Iran as a capable cyber power, increasing in sophistication.
However, the report could not directly link Tehran to the attacks it detailed and admitted that its definition of attribution was in an academic sense, rather than in a law enforcement one.
Also in 2015, a near nation-wide blackout of Turkey’s power was attributed to an Iranian cyberattack. Computers, airports, air traffic, traffic lights, hospitals, lights, elevators, refrigeration, water and sewage, everything simply stopped.
What Will Happen?
Even though it is uncertain when or how Iran will receive the frozen assets that sit in foreign banks, improving the nation’s stagnant economy is in Iran’s strategic national interests when the money becomes available.
In anticipation of the agreement, a secret U.S. intelligence assessment focused on potential uses of the $100 billion dollar reserve. According to the controversial assessment, Tehran is expected to use the majority of the money to bolster Iran’s economy.
Moreover, the assessment concluded that even if Tehran increased financial support to its global terror network, it would not contribute significantly in gaining advantage in Lebanon, Yemen, or Syria.
The intimation is that even increased spending would have little impact in conflict areas. Similarly, the same can be said for the cyber domain. Increased funding does not necessarily equate to increased activity using more sophisticated and potentially damaging cyber weapons.
While intelligence assessments have had varied levels of success throughout history, there is substantial evidence that supports the contention that Tehran will focus on economic interests rather than the more volatile options:
Tehran’s leadership says so.
In August 2015, Iranian President Hassan Rouhani directly correlated the landmark nuclear deal with the revival of Iran’s economy, and the easement of political tensions in the region. The frozen money would be used to promote domestic industries rather than spent on imports, according to one news report.
While the Supreme Leader has not publicly acknowledged that freed-up funds will be dedicated to economic considerations, he did not contradict Rouhani’s statements. The Supreme Leader has constitutional authority and influence over the executive, legislative, and judicial branches of government, as well as the military and media. Therefore it can be assumed that public statements from government leaders have received his blessing.
Furthermore, leaked documents further indicate that the Supreme Leader’s private views on the nuclear compromise were more flexible than his public posturing, suggesting that the Supreme Leader is more pragmatic with respect to Iran’s interests.
Keep the Public Happy.
Preserving the theocratic regime is a goal for Iran, and to do that effectively it must maintain some element of control over its population. Ensuring prosperity through reduction of inflation and unemployment are ways that an improved economy can reduce social discontent.
The economy has been a central factor in shaping Iran’s political revolution, which explains why it has been targeted by international sanctions attempting to influence Tehran’s behavior. Increased civil unrest has occurred in Iran in the past, primarily manifested through a dismal economic environment and heavy headed controlling actions by the regime.
In 2009, Tehran saw first-hand of what unrest could do when 3 million people protested the outcome of the Iran presidential elections. Focusing on ameliorating domestic conditions serves to keep the public happy, and curb anti-regime sentiment.
The Time is Ripe for Foreign Investment.
Iran being reconnected to the world will provide many opportunities for foreign investment. The information technology (IT) sector is one such area that Tehran has committed funding to, a development that has given some pause as to whether such funding is being used to support cyberwarfare development.
Such investment can be interpreted as a means to modernize civilian technology with the aim of helping build a more modern economy, a goal of Rouhani’s since he ascended to Iran’s Presidency in 2013.
Iran’s telecommunications sector is eagerly seeking foreign investment. In April 2014, Iran’s Minister of Communications and Information Technology invited advanced countries telecommunications companies for consultations. He believed that Iran’s telecommunications development would benefit from technology and interaction with technologically advanced countries.
Potential partners and investors are posed to invest in Iran, with the EU having scheduled a conference to discuss post-sanction opportunities for cooperation in July 2015.
On the energy front, the National Oil Company of Iran is planning to introduce 40 projects after the removal of sanctions, with Asian and European oil companies positioning themselves for competitive bidding. Absent any political or geopolitical setbacks, foreign investment offers possibilities for Iran as well as the region.
Going Forward
Iran is not an unpredictable state. Despite a beaten-up economy, Iran has managed to remain stable in a region struck by war and instability. It has continually demonstrated the ability to refrain from questionable activity in order to promote its more practical geopolitical interests.
This is clearly seen in Iran’s willingness to negotiate with the United States—“the enemy”—over its nuclear program in favor of lessening sanctions, rather than maintaining the hardline position that nuclear development is its sovereign right.
Despite fallouts and walkouts during the nuclear negotiation process, there was little evidence of any significant hostile Iranian cyber activity, according to one security firm’s findings.
As cited by a 2014 Congressional Research Center report, another, albeit non-cyber, example of Iran’s pragmatism is its willingness to not back Central Asian Islamic movements in order not to offend Russia, its most important weapons supplier, despite being a fervent supporter of regional Shi'ite groups.
Finally, if Iran is observed using the majority of funding to substantially fund armed groups, there is the possibility that terrorism-related sanctions currently in place could increase significantly. One security area that China, Russia, and the United States all share strategic interests in mitigating the threat of terrorist organizations that directly and indirectly affect all three countries.
While it is prudent to expect that some funding may funnel to its offensive cyber capability pursuits, the degree with which that will happen does not warrant a paranoid clarion call. Businesses associated with Iran’s Revolutionary Guard Corp are expected to receive some of the money, an inevitability that has failed to instill fear in the highest levels of the U.S. government.
The U.S. Director of National Intelligence downplayed such concerns at a July 2015 security conference, reminding the audience that these organizations never lost funding even when sanctions were in place. The same can be applied to cyber, where some believe that there is little evidence that Iran’s IT progress is intended to bolster its cyberwarfare capabilities at all.
It should be noted that there is concern that U.S. government failure to pass the accord through Congress could elicit repercussive cyber activity reminiscent of the suspected Iran-backed Operation Ababil distributed denial-of-service attacks or the Saudi Aramco wiper malware attacks.
Should it not gain consensus, low level attacks from proxy groups is the likely course of action, well insulating Tehran from implication while still communicating frustration at the United States having failed to live up to its end of the bargain. More destructive attacks would encourage the United States to level additional sanctions against Iran and use it to set an example for what it deems “unacceptable” behavior by nation states in cyberspace.
Emilio Iasiello has more than 12 years’ experience as a strategic cyber intelligence analyst, supporting U.S. government civilian and military intelligence organizations, as well as a private sector company providing cyber intelligence to Fortune 100 clients. He has delivered cyberthreat presentations to domestic and international audiences and has published extensively in peer-reviewed journals.