Executive Summary
The lifting of nuclear sanctions placed on the Islamic Republic of Iran under the Joint Comprehensive Plan of Action (JCPOA) has ensured the unfreezing of approximately $150 billion in ready assets, the opening of long-term trade partnerships (already extended by several nations), and the lifting of technology transfer sanctions. Given the Islamic Republic’s continued emphasis on cyber-enabled operations, it is likely that significant portions of the freed assets will be directed toward expanding these programs. Over time, that expansion will grant regime-sponsored actors the ability to conduct more sophisticated offensive computer network operations. Such operations include those traditionally understood as offensive, namely cyber espionage and computer network attack (disruptive/destructive operations), as well as those conducted under the guise of internal security and defense, such as domestic information influence operations in line with the regime’s all-encompassing “soft war” cultural doctrine. Historically, Iran has leveraged these capabilities against U.S. interests, and the motivating factors for continuing to do so will persist well beyond the nuclear agreement. Over time, these factors will likely translate into additional challenges for U.S. computer network defense, intelligence, and diplomatic efforts.
The JCPOA has granted Iran access to capital in the short term due to the unfreezing of assets, and in the long term due to trade agreements
On January 16, nuclear sanctions placed on the Islamic Republic of Iran were lifted under the Joint Comprehensive Plan of Action (JCPOA) agreed between Iran and the five permanent members of the United Nations Security Council plus Germany (P5+1): the United States, the United Kingdom, China, Russia, France, and Germany. The plan of action, agreed to on July 14, 2015 and adopted on October 18, was designed to ensure Iran’s nuclear program was “exclusively peaceful.” In return, the Iranian regime was granted legitimate access to the world’s markets. From 2011 to 2015, under stringent restrictions on market access and bans on technology transfer, industrial development progressed extremely slowly and the economy was stifled. Economists have estimated that $150 billion worth of ready assets was made available to the Islamic Republic immediately, with the newly acquired ability to legitimately gain more via subsequently proposed economic partnerships with a number of nations. Within two weeks of JCPOA implementation, heads of state and high-ranking diplomats from several nations, including Italy and China, had secured long-term trade agreements, the latter of which will amount to roughly $600 billion in bilateral trade over the next decade.
The two way opening of Iran’s economy will almost certainly raise Iran’s GDP in the years to come, even in the face of a tumbling oil market
The short- and long-term increases in available capital via JCPOA-enabled trade deals are expected to increase overall GDP over the next several years. This opening will be enhanced by the Rouhani administration’s recent economic reforms, designed to open Iran’s markets to the world and promote private businesses within Iran. Some estimates suggest that within 18 months these new conditions may easily allow economic growth of around 8%, even with a crumbling oil market. Iran has stated that it does not plan to cut production, as other nations such as Russia and Saudi Arabia have, to curb plummeting oil prices.
The lifting of sanctions on transfers of dual-use technologies to Iran will make it easier to grow its cyber programs
In 2010, under the Comprehensive Iran Sanctions, Accountability, and Divestment Act of 2010 (CISADA), the regime was subjected to “asset freezes on Iranians determined to have violated human rights” and forbidden from the “sale of dual-use technologies which can be used to monitor or control the internet.” However, state-sponsored Iranian actors were able to circumvent this ban by paying companies in a number of countries, including the United States, Canada, Germany, and the United Kingdom, to host websites, mail servers, e-mail accounts, and command and control infrastructure (used as the “drop off point” for stolen data). These entities were either unaware that the purchasing agent was an Iranian entity, or simply chose to turn a blind eye.
Regardless, while Iranian entities found ways to circumvent the sanctions, these methods were not long-term, stable solutions. The expansion of programs (cyber-related and otherwise) that required access to global technology markets and cooperation progressed slowly. With the transfer ban lifted, the ability to acquire dual-use cyber tools and infrastructure openly will allow the Iranian government to grow its offensive capabilities more rapidly than it could over the last five years.
Increases in GDP will translate to more funds devoted to Iranian military expenditure, including, and perhaps most especially, for the IRGC
Iran’s recent overall defense budgets have hovered around 2.5% of its $400 billion GDP. While the proportion devoted to defense spending may not increase, given the current geopolitical climate in the Near East, along with the multiple regional and proxy conflicts in Syria, Lebanon, and Yemen in which the regime is engaged, it is unlikely that this proportion will shrink. If defense budget proportions remain roughly equivalent to those of recent years, a $2 billion increase in military-related funding should be expected. In recent years, the Iranian Revolutionary Guard Corps (IRGC) has received at least half (usually more) of the overall defense budget. With this increase, the IRGC could receive more than an additional $1 billion over the course of the next two years alone.
Allocation of increased funds may be directed toward enhancing cyber capabilities. The Iranian regime has recently emphasized the importance of advancing the nation’s cyber access, tangibly demonstrated by considerable fiscal support
By one account, Iran’s information and communications technology (ICT) budget has grown almost 30 percent since the 2015-2016 fiscal year. Reported ICT-related expenditures also constitute over 2.4% of Iran’s total budget for the next fiscal year. This trend is not limited to the past year, and is part of a larger pattern of emphasis on advancing the nation’s access and capacity to interact in cyberspace. In late 2011, Iran invested at least $1 billion USD in cyber-related infrastructure and talent, a figure which had previously hovered around $76 million in the years leading up to 2011. Researchers at Security Affairs indicate that Iran has boosted its cyber security-specific spending 12-fold since 2013. Increased investment in ICT will translate into expanded and improved internet access, an essential component of conducting remote operations.
In 2014-2015, the IRGC devoted a portion of its budget equal to about $19.8 million USD to cyber, a significant (reported) increase from the previous year. Money spent on Tehran’s government and military cyber programs is used to purchase new tools, expertise, and training, which are essential components of enhancing overall capabilities. The IRGC also reportedly has a robust cyber recruitment program for Iranian university students. Along these lines, in mid-2012 the IRGC claimed to have recruited approximately 120,000 personnel for cyber operations. While this number may be inflated, and the term “cyber operations” encompasses more than just offensive ones, the figure is nonetheless alarming.
Iran continues to view the U.S. as one of its primary adversaries, and is judged to have high intent to uncover and subvert U.S. regional objectives
The regime’s identity is one which is negatively defined; its ideologically murky underpinnings center on the political concept of “revolution”, which emerged after the events of the late 1970s and early 1980s. There is a notion of a constant struggle against external forces and influences, influenced by a combination of forces including Shia Islam, Iran’s definitive geographic placement between West and East, Persia’s former prestige, and European colonialism.
According to Fredrick Kagan of the American Enterprise Institute, the revolution is a fusion of Ayatollah Ruhollah Khomeini’s theological construct of the “guardianship of the jurisprudent” (velayat-e faqih) with anti-Zionism and anti-colonialism. As an Islamic theocracy, the regime’s central principles are wholly incompatible with the liberal democratic notions of free speech and pluralism that define U.S. and Western European societies. From a secular perspective, the regime’s ideology attributes the decline in Persian prestige and the Gulf’s perpetual state of instability to Western imperialism. During the 1990s, the anti-colonial lines shifted toward anti-Americanism.
Of the Gulf States, Iran sees itself as the natural dominating political, military, and cultural force. This belief informs its domestic disposition, foreign policy, and military posture. Tehran’s main objectives are preserving the regime and revolution through ensuring internal stability and spreading its influence throughout the region. By definition this means countering U.S., Saudi, and Israeli influence. It has done this directly, but more often it is achieved through subterfuge and support of Shia militias and proxies.
Despite the arrangement between the P5+1 and “moderate” President Rouhani, the U.S. remains one of Tehran’s primary adversaries. The U.S. aligns and cooperates heavily with Israel, and frequently with Saudi Arabia, and Iran views these two nations as its greatest enemies. Director of National Intelligence James Clapper recently highlighted this in a statement before Congress in February, conveying the U.S. Intelligence Community’s assessment that Tehran views the U.S. as a primary counterintelligence threat. The regime will, therefore, continue to use all the resources at its disposal, including its cyber capabilities, to advance its goals and undermine U.S. interests.
Tehran will continue to conduct extensive offensive cyber operations against U.S. interests well into the future
According to Director of National Intelligence James Clapper’s recent Worldwide Threat Assessment of the US Intelligence Community, Tehran employs cyber-enabled “espionage, propaganda, and attacks to support its security priorities, influence events, and counter threats — including against U.S. allies in the region.” Multiple open sources indicate that suspected Iranian entities have previously conducted cyber espionage and influence operations against U.S. interests, and have tested computer network attack capabilities against U.S. infrastructure. Offensive operations include those traditionally understood as offensive, namely cyber espionage and computer network attack (disruptive/destructive operations), as well as those conducted under the guise of internal security and defense, such as domestic information influence operations in line with the regime’s larger “soft war” cultural doctrine aimed at preserving the revolution and the regime.
Through the regime’s insistence on a pervasive atmosphere of cultural siege, it is able to assert that, in order to preserve the revolution, Iran’s ever-present enemies must be perpetually countered. Methods of cultural revolution are also referred to as “soft war”, and the regime has made it clear that cyberspace is one of the critical domains in which this conflict is manifested. The regime’s ideological framework drives suspected Iranian entities’ previous cyber espionage operations against systems and networks associated with political dissidents, media, and human rights organizations both inside Iran and abroad. It also provides motivational context for the regime’s aggressive monitoring and vetting of internet platforms and content, to filter out ideas and opinions it deems counter-revolutionary. The cyber security firm CrowdStrike recently disclosed that in 2015, Iranian officials were leveraging a monitoring device known as BlackSpider to facilitate investigations and arrests by revealing which citizens were circumventing the regime’s content filters. Tehran is also using ICT to populate the information space with alternative media sources and platforms, in order to inorganically remove dissent and proliferate regime-approved perspectives.
Tehran’s take on soft war has evolved, so that art, culture, and media are now viewed as opportunities, rather than only threats, to counter perceived attempts to subvert Iran’s Islamic culture and national identity. In this way, Tehran’s stake in its so-called “soft war” has become primarily offensive. Former IRGC commander Hossein Hamadani, who was killed by alleged ISIS forces this past October in Aleppo, stated that “Defense in the context of soft war is doomed to fail. So, one must attack instead.”
Regional geopolitical and military dynamics drive cyber espionage attempts, with potential links to Iranian organizations, against U.S., European, and Near Eastern networks associated with organizations in sectors such as government, defense, and non-proliferation. Attempts by Iranian actors to develop computer network attack capabilities (those designed to disrupt or destroy information assets and cyber-enabled systems) may reflect Tehran’s desire to develop a capability that provides backing for deterrence and coercive diplomacy, similar to the North Korean regime’s doctrine with respect to nuclear weapons.
More sophisticated Iranian cyber adversaries will present greater challenges to security, intelligence, and diplomatic efforts
Cyber espionage operations can be conducted through a number of tactics, including but not limited to spear phishing, social media exploitation, strategic website compromises, and device compromise (usually of devices on a network’s periphery, such as a router). Greater sophistication in Iranian offensive cyber operations typically translates into greater adversary operational security: obscure and frequently changing infrastructure, stealth inside a network via advanced obfuscation techniques, and lateral movement and adaptability (the ability to spread throughout a network and/or hide, deploy a range of malware, etc.).
A more sophisticated adversary means greater operational security and stealth. This makes visibility into operations more difficult, effectively limiting how much can be observed during computer network exploitation attempts and events. From a security perspective, decreased visibility makes tracking adversary lateral movement and persistence methods much more difficult. From an intelligence perspective, without attribution, motive and context remain vague, which makes developing sound understanding, prediction, and counter-strategies arduous.
Tehran’s internal internet blocking and monitoring capabilities are leveraged constantly to block views assessed as harmful to the revolution and to internal stability. Additionally, regime-approved versions of social media and other media-related services are being developed and released. This environment makes free information exchange, effective communication, and coordination with trusted partners in Iran exceptionally difficult.
Iran is some time away from being able to effectively conduct disruptive and destructive cyber attacks against critical infrastructure. But a boost to these programs, helped along in part by sanctions relief, could allow the development of such a capability sooner than anticipated. A capability of this nature could afford Iran significant backing with which to complicate the diplomatic efforts of U.S. representatives. In a hypothetical military confrontation, Iran could use computer network attack methods in conjunction with kinetic operations to achieve operational or information advantage.