Iran's Islamic Revolution could play out, in part, online. On Jan. 4, the Carnegie Endowment for International Peace published a report describing the country as a "third-tier cyberthreat." The report's authors note that despite Iran's success with cyberattacks such as Shamoon and a spear-phishing campaign that hit Deloitte and several other companies, Iranian attacks generally feature poor tradecraft. As a result, investigators haven't had much trouble tracking cyber operations back to the Islamic republic, whether because the attack code contained Farsi terms or because its associated IP address traced to Iran. Iranian spear-phishing attacks, likewise, frequently suffer from their perpetrators' poor command of the English language.
But even if its capabilities pale in comparison with those of Russia or China, Iran is still a cyberthreat, albeit a third-tier one. The Carnegie Endowment's report about the country's adoption and use of an asymmetrical weapon such as hacking called to mind the way governments and their agents have come to embrace and employ terrorism. Looking at the manner in which state sponsors, proxies and non-state actors have practiced terrorism can offer a useful framework for understanding how countries could turn hacking into a more dangerous tool of asymmetrical warfare.
Augmenting, Not Replacing, Terrorism
Before we begin though, I want to be clear: Hacking will not replace terrorism as an asymmetrical weapon. Terrorism is not going anywhere, and it remains a popular tool for state and non-state actors alike, as a glance at the battlefields in Syria, Afghanistan and Libya will attest. Instead, cyberattacks are a supplement to terrorism — just another wrench in the toolbox of Machiavellian statecraft. Many of the features that make terrorism attractive as a conduit for state power also apply to cyberattacks.
Both tactics offer the state employing them plausible deniability, for example. Iran exemplifies this strategy with its robust support of a global network of militant organizations. Among them, the Lebanese paramilitary group Hezbollah executed attacks throughout the 1980s under the banner of the Islamic Jihad Organization, the Revolutionary Justice Organization and the Organization of the Oppressed on Earth. By operating variously under so many different names, Hezbollah managed to create confusion while deflecting blame from its senior leaders and clerics and while hiding the role of its benefactors in Iran and Syria. Pakistan has taken a similar approach, throwing its support behind militant groups in India and Afghanistan and sheltering senior al Qaeda figures within its own borders. The shadowy operations of their terrorist proxies largely keep these sponsor states free from blame, though not necessarily suspicion, for attacks. And even when evidence reveals a country's role in terrorism — such as Iran's involvement in the Israeli Embassy bombing in Argentina in 1992 or Pakistan's part in the 2008 attack in Mumbai, India — the repercussions are usually too slight to offset the perceived benefit of this asymmetrical weapon.
So far, state-sanctioned cyberattacks have met with even less blowback. Though the exploits have caused significant disruptions for their targets — many of them major corporations — the state actors behind them have gotten off scot-free. More troubling is the lack of consequences for hacks against government and political targets. Authorities have implicated nation-states in high-profile attacks on institutions such the U.S. Office of Personnel Management and the Democratic National Committee. Yet despite the preponderance of evidence against them, the countries behind these hacks have faced little in the way of punishment. The low costs associated with cyberattacks doubtless will encourage more states to use this tactic, like terrorism before it.
Beyond the legal and political price, the financial cost of hacking, like that of terrorism, is also far more affordable than the cost of traditional warfare. A successful terrorist act or cyberattack, moreover, can have a disproportionate effect on its target, relative to the time and effort required to conduct it. Consider the staggering number of people affected by the attack on the credit reporting agency Equifax, for instance, or the enduring fallout of Russia's cyber meddling in foreign elections. In the realm of cyberattacks, a small investment can yield an outsize return.
The Tool Is Only as Good as the Craftsman
But a weapon is only as effective as the person (or country) wielding it. Just as levels of terrorist tradecraft vary widely from one state-sponsored militant group to the next, the skills and abilities of state-backed cyber operatives differ. Concerns are growing that as cyberattacks mature as an asymmetrical weapon, countries will emerge as state sponsors of hacking that can help propagate the technique. Along with the conventional weapons it sells to Iran and Syria, for example, Russia may one day supply them with cyber tools and training. Signs suggest that the United States and Israel have already collaborated on a cyber operation: the Stuxnet attack that debilitated Iran's uranium enrichment site in 2010.
Like state sponsors of terrorism, state hacker-backers could provide operatives with training and protection to carry out attacks. They might even arm proxy groups with cyber tools, much as Libya trained, sheltered and equipped terrorist groups such as the Abu Nidal Organization. Transferring knowledge in this way could enhance the skills and abilities of cyber operatives the world over. The Soviet-trained bombmakers of the Provisional Irish Republican Army, after all, passed their know-how on to fellow militant groups, including the Revolutionary Armed Forces of Colombia, and former Russian weapons scientists have helped nurture North Korea's nuclear program. In much the same way, cybermercenaries who have worked with Russian or Chinese hacking groups could provide training and tools to client states and proxy organizations far and wide. Countries such as Russia provide legal cover for patriotic criminal hackers as it is. The rise of state-sponsored proxy hackers could also make the world of cyberattacks even murkier.
To develop advanced cyber capabilities, though, a state needs many of the same assets necessary for building a first-tier military: a robust higher education system, investment in research and development, public-private cooperation, and scalability among them. Countries like Iran and North Korea, which fall short in some of these areas, will have a hard time cultivating or attracting world-class cyber talent as a result. But what they lack in resources, these states make up for in ambition and drive, as they have demonstrated in their quest for nuclear weapons. With a little outside expertise, this relentless focus could help them overcome their constraints and turn a third-tier cyberthreat such as Iran into a far more serious menace.