Kevin Allison is a Senior Editor for Signal. Based in Washington DC, he looks at how technology is reshaping global affairs. Kevin is also a Director in the Geo-Technology practice at Eurasia Group. Kevin holds degrees from the University of Missouri and from Harvard's Kennedy School of Government. He was also a Fulbright Scholar in Vienna, Austria and a 2015 Miller Journalism Fellow at the Santa Fe Institute. Prior to GZERO Media and Eurasia Group, Kevin was a journalist at Reuters and the Financial Times. He has lived in eight US states and has been an expat four times.
Let’s say that right now you are Iran. The US has torn up a deal you were abiding by, and reimposed crippling sanctions that are exacerbating a currency crash and broader economic crisis. You’re in no mood to roll over for Uncle Sam – Washington’s demands are beyond the pale – but what are you gonna do about it?
You have options. You could threaten oil shipments through the Strait of Hormuz, or encourage your proxies in Yemen, Syria, and elsewhere in the Middle East to step up their attacks against US allies and interests. But why go to all that trouble and expense when you could inflict pain on the Great Satan and its friends with a tap or two on a keyboard and the click of a mouse?
Iran has done cyber-damage before. Back in 2012 Tehran launched a series of cyberattacks against the US and Saudi Arabia as tensions were on the rise. This time around, Tehran will almost certainly be tempted to do the same. Here’s one reason why it might not want to do anything too provocative – along with two reasons why you should be worried anyway.
First, the “good” news: Unlike the Obama Administration, Donald Trump and his hawkish national security adviser John Bolton are almost certainly ready (if not actively itching) to respond ferociously to any Iranian cyberattacks, particularly if they cause any serious damage to people or property in the US. Iran knows this and may reason that it’s better to go after something in the neighborhood and relatively low-risk, like Saudi companies’ business networks, rather than to invite US wrath by going after something more sensitive in Uncle Sam’s own house, right?
But here’s where things get dicey: Cyber weapons aren’t like missiles that you can just stockpile and pull out whenever you want. Hackers’ access to networks comes and goes as their targets discover and defend against new threats. So if Tehran thinks it has a shot on goal, it might feel pressure to take it. Iran will step carefully, but it may be more likely to consider a riskier attack on a higher value American target – if the opportunity presents itself.
There’s another problem: Cyber weapons can be hard to control once you make the decision to use them. As an example, when suspected Russian hackers hit Ukraine with a big ransomware attack last year, the malware – which had been augmented with weapons-grade code stolen from the US National Security Agency – spread well beyond its initial target. It caused billions of dollars of damage and wiped out IT systems in dozens of countries, including Russia. No one was killed. The attack didn’t destroy the computers that regulate control systems in a power plant or take down the intensive care unit of a major hospital. But next time might not be so lucky.
Put together, Iran’s incentive to retaliate while it can and the potential for unintended, even deadly, consequences add a dangerous new dimension to an already-tense standoff.