The Iranian Cyberthreat Is Real

There’s trouble in the Gulf, where a hijacked news website has helped kick off a blockade of Qatar. Saudi Arabia, the United Arab Emirates, and their allies have cut off a fellow member of the Gulf Cooperation Council (GCC), citing as justification fake news stories that the Emiratis themselves allegedly planted.

The conflict started when several statements attributed to Qatari Emir Tamim bin Hamad Al Thani appeared on the Qatar News Agency’s website and the government’s official Twitter feed. The comments, which the Qataris quickly dismissed as the result of a hack, strayed from the Arab Gulf consensus on hot-button issues such as relations with Iran, Hamas, Hezbollah, and Israel. The Saudi-led bloc rejected that explanation and on June 5 severed diplomatic relations with Doha and also halted air, sea, and land transportation to the gas-rich state. Despite the mounting evidence that the offending news stories were contrived, the blockade has remained in place through extensive diplomatic intervention from abroad.

The confrontation, which threatens stability in a region critical to U.S. interests, is bad enough. But far more ominously, it shows how future crises can be sparked by cyberoperations to manipulate information. Operations of the kind used against France in 2015 and the United States during the 2016 presidential election take advantage of preexisting tensions to drive political change. In the case of the Gulf, these fake news stories exploited regional hostility and the Iranian boogeyman to push the region into conflict.

The recent hack didn’t occur in a vacuum; tensions among the Gulf Arab monarchies have been simmering for years. The Saudis, with support from Kuwait, Bahrain, and the UAE, have struggled for nearly half a decade to prop up the central government in Yemen against the Iranian-supported Houthi rebels. In Syria, many of the GCC states support Syrian rebel groups against the Islamic State, while Iran provides Bashar al-Assad’s government and groups like the Syrian Electronic Army with training and technical assistance. In the eyes of their neighbors, the Qataris also maintain an uncomfortably close relationship with the Muslim Brotherhood, which they see as a movement that threatens established rulers across the region.

While internal GCC differences over Iran are a key driver of the current crisis, the next conflagration might be sparked by Tehran itself. The country has demonstrated growing maturity in offensive cybersecurity, conducts extensive espionage against its neighbors, and is actively engaged in harassing Israeli government websites with regular distributed denial of service (DDoS) attacks. In a 2013 speech, Israeli Prime Minister Benjamin Netanyahu also claimed that Iran, together with Hezbollah, was carrying out “nonstop” attacks on Israeli industrial sites like water treatment facilities and power stations.

Iran’s capabilities have been strongly influenced by its own experience as the target of cyberoperations. In the years after Stuxnet, the U.S.-Israeli effort to stymie Iranian nuclear enrichment efforts, Tehran began making repeated efforts to gather information on industrial control systems in both countries. After a 2012 attack on an Iranian oil facility by malware designed to wipe computer systems of data, Iran responded by conducting precisely the same sort of attack against the back-office computer systems of oil giant Saudi Aramco and Qatari natural gas producer RasGas, which forced the replacement of tens of thousands of computers.

Iran is capable of causing a lot of havoc through cyberspace. Moving from web defacements and crude censorship in the early 2000s, through sophisticated internal information controls and sustained espionage campaigns, to complex multistage attacks today, Iran’s evolution in cybersecurity has been rapid. More recent Iranian operations have leveraged extensive reconnaissance of social media to successfully compromise American government organizations and critical infrastructure facilities. In 2016, the U.S. Justice Department unsealed an indictment against seven Iranian nationals accused of engaging in the costly digital harassment of American banks, one of whom was also charged with trying to hack into upstate New York’s Bowman Avenue Dam.

All this means that the next hack in the Gulf might not simply exploit Iran’s reputation as a regional boogeyman — it might be launched by Iran itself. There are limits to our ability to assign attribution for incidents in cybersecurity, which suggests that future information operations may be able to operate under the cloak of relative anonymity — or at least plausible deniability.

This isn’t the last time information operations are going to roil the region. The Gulf states need to be better equipped to defend themselves against these sort of attacks, and the first step is investing in their domestic cybersecurity capabilities. Their best bet is to leave aside surveillance and censorship to develop the technical capacity to identify and mitigate weaknesses in their own networks.

The episode demonstrates how the Gulf is ripe for exploitation via information operations. Through a fairly low-risk compromise of the Qatar News Agency, an actor managed to fracture one of the primary political blocs arrayed against Iranian action in the region. The Gulf has more than its share of political rivalries and long-standing antipathies, and Iran’s status as a growing power in cyberspace means that these vulnerabilities only appear poised to worsen. The damage done so far was likely the result of internal political fragmentation in the Arab bloc — the potential fallout that could result from external interference is daunting.