Iran: How a Third Tier Cyber Power Can Still Threaten the United States | Atlantic Council
I read the SitRep so you don’t have to. Unless you have time for silliness. In which case maybe you can read some other situation report that’s done by actual intelligence analysts. Anyway, the paper starts off with an interesting premise:

“But what if the response came in the form of an anonymous cyber attack that shut down the New York Stock Exchange for a few hours? Or an assault that cut off electrical power in a major US city, froze civilian air traffic, or interfered with further military strikes on Iran by conveying incorrect information to American military commanders?”

NYSE is stopped for trading quite often. Yes, the shock of “it happened” would be there, and the markets would be unsettled for a bit. But markets, irrational beings that they are, get unsettled at every little thing - from false tweets by @AP to a variety of other rumours. This would not be loss-making in the long term.

Cut off electrical power? Well, that’s actually not as easy to do as people say, otherwise it would’ve been happening more often. As @RidT said in his Foreign Policy article: cyber sabotage is easy: so why isn’t everyone doing it?

Froze civilian air traffic? Now that would be quite a feat, and whilst it has been done to a small airport, that’s not quite scalable. But a good scare tactic - almost as good as Richard A. Clarke’s “planes falling from the sky”.

And we come to the first mention of Iran as a “Third Tier” cyber power.
Tier 1: US and Western allies (no names), Russia.
Tier 2: China
Tier 3: Iran, …

“Many US officials and experts on cyberspace say Iran is probably not yet in a position to mount such a damaging assault against the United States. Iran, they say, is a “third tier” cyber power compared to the United States, its Western allies, or Russia and China.”

There’s no reference to back up who those “many US officials” are. Nor who those “experts” on cyberspace are.

And we get to Stuxnet:

"Even so, while Stuxnet may have caused a year or two of delay and unsettled Iranian nuclear engineers, it did not stop Iran’s nuclear program.”

Need to check that “year or two delay”, because others disagree with that statement: at best it is half a year, and the Iranian nuclear enrichment programme is proceeding at a faster pace because old and less efficient centrifuges were replaced with newer ones. How many of those would have been replaced had Stuxnet not damaged them?

"How advanced is Iran and how much should we worry about its cyber capabilities? According to Dmitri Alperovitch, cofounder and chief technical officer of the cyber-security firm CrowdStrike and a senior fellow at the Atlantic Council, the most effective cyber warriors—what he terms the “tier one actors”—are the United States, Russia, and US allies such as Great Britain. Alperovitch puts China a step behind at tier two and says that Iran is tier three.”

And we have our answer to the question above: unless more are named later in the piece, Dmitri Alperovitch is acting as both the “many US officials” and the “experts on cyberspace”. That’s quite a lot of roles for a single person.

This made me laugh:

"Iran does not need the equivalent of a Ferrari to inflict damage on US infrastructure: a Fiat may do."

I’m sure there are better analogies, especially seeing that Fiat owns Ferrari and has done for decades. Surely if we were looking for analogies, Ferrari would be the US and Fiat China. But I digress.

And we get to the “Iranian retaliation” by DDoSing US bank websites, which at least one expert (to my knowledge) with access to the evidence clearly attributed to a different actor with different goals.

Just one bank estimated spending at least $10 million mitigating the attacks. (Attributed to the co-author of the paper, no other reference.)

And then there’s this passage:

US allies have also been targeted. An individual with access to employees’ desktop computers at Saudi Aramco infected them last year with a virus that destroyed data on three quarters of the machines and displayed a picture of a burning US flag. These computers became paperweights, entirely useless with all their data destroyed—a significant escalation from attacks that entail only stealing information or causing short-term disruption.

Quick, someone get on the hot line with the Atlantic Council and let them know that modern IT treats desktop computers as little more than very powerful terminals. Corporate desktops store their sensitive data (that is, the data they created or accessed or modified or …) in a central place that is backed up precisely for such reasons. Just because the data on a computer was deleted doesn’t mean that computer suddenly disappears and its hardware value gets written off - those computers don’t suddenly become paperweights. Their worth is approximately the same as it was just before the attack - the data they had access to is not included in the value of a computer to the company. It could be included in the value of the computer to the attacker, and it would be included in the value of the computer had the company lost that computer and it became available on the market, etc. That’s the ABC of risk management and information valuation.

Interestingly, whilst “Tier 1” cyber powers may believe they have the capability, this capability has never actually been tried and proven. The rest of the passage is spot on.

Cyber incidents have so far tended to have effects that are either widespread but fleeting, or persistent but narrowly focused. No attacks, thus far, have been both widespread and persistent. Moreover, as with conflict in other domains, cyber attacks can take down many targets. But keeping them down over time in the face of determined defenses has thus far been beyond the capabilities of all but the Tier 1 cyber powers.

After we built Iran up to be some massive power, it’s time to tear it down:

This means that Iran has the ability to take down important targets—for example, 30,000 computers at Saudi Aramco—but mounting a more strategically significant cyber attack may be well beyond its capabilities. After all, if the goal of the attack was to not just damage desktop computers but to disrupt Saudi oil production, the 2012 attack was a clear failure.

So those 30k computers that became paperweights overnight aren’t really that important, and the attack didn’t really do much damage. Just for scale: 30k computers at a decent corporate rate of $1k each = $30m of damage overnight. Not huge for Saudi Aramco, but not a small feat to replace them all at a quick pace, either - going on the premise that they were turned into paperweights, i.e. written off as useless for future use. Note for the future: when writing whitepapers and serious analyses, exaggerations don’t help.

And we come to this gem. Whilst it is possible that it is correct, it hinges on the idea that the previous attacks were politically, technically or legally (i.e. forensically) attributed to Iran. Which they weren’t.

The most likely and most damaging possibility is a campaign of attacks that creates a new political crisis which the American leadership may be loath to escalate.

But attribution doesn’t matter when politicians are baying for blood …

An Iranian cyber attack on US companies or allies, even if not damaging in itself, could, however, create headlines and renewed demand for cyber or kinetic retaliation. Politicians in the United States and Israel, looking for harsher actions against Iran, could seize the moment to push an escalation far beyond the scale of the actual disruption.

There are some good recommendations, but again tainted with the “cyber” prefix:

The United States should also enhance cyber surveillance of Iran’s nuclear program while continuing to improve both US cyber offense and defense.

And the paper ends with a cracker of a paragraph that needs to be broken up to be digested properly:

Cyber war, like sanctions, may be preferable to so-called “kinetic” action that puts American forces at risk, but it is not a silver bullet against Iranian centrifuges or any other target.

In other words, “cyber war”, where financial systems and national critical infrastructure (transport, electricity, gas, water, …) are a fair target for both sides, is preferable to sending troops overseas and limiting the theatre of war to a far-off land. Somehow I doubt anyone would agree to this new face of war. This paper first talked up what “cyber war” can do, and what a “Tier 3” cyber power such as Iran can do to a “Tier 1” cyber power such as the US, then turns around and says all that damage inflicted on home soil in a drawn-out, low-intensity conflict is preferable to a conflict overseas. Anyone want to go to the population with that proposal?

As US intelligence authorities have publicly stated, Iran is already at the point where it could quickly build nuclear weapons if it so chose. The determining factor is the political will of the Iranian leadership.

Right. The political will, which will be hardened with all the sabre rattling and future “cyber incursions”.

There are other ways to influence Iran—through sanctions and diplomatic outreach—that may have fewer unintended adverse consequences and that could lead to more progress in resolving overall disputes between the international community and Iran, although cyber warfare should remain an option if Iran continues to move toward a nuclear weapon.

Sanctions have been shown, time and again, to hurt the people and do very little to the ruling structure, yet the Atlantic Council calls for more sanctions. Sanctions are hit and miss, too. They can either strengthen the resolve of the populace to support the rulers in the face of an external threat, or they can weaken the populace to the point where they can’t effectively overthrow the rulers. Wait, that didn’t sound right, did it?

Tags: atlantic council, cyberwar, iran, stuxnet, espionage, industrial espionage, crowdstrike