On Friday, President Trump announced that he will not certify Iran’s cooperation with the 2015 nuclear agreement negotiated by the Obama Administration. The move doesn’t eliminate or rework the deal, possibilities its proponents feared given Trump’s longstanding criticism of the agreement. But it does kick the accord to Congress for reconsideration. There, lawmakers could leave the agreement the same, impose tweaks, or go all the way to reinstating sanctions against Iran, effectively ending the deal.
But while the fulfillment of Iran’s nuclear ambitions remain years away even if the deal falls apart, Trump’s actions raise questions about whether increased tension will in turn lead to increased Iranian cyber operations. Observers say that while the current diplomatic instability likely won’t impact Iran’s hacking purview, further decisions—particularly around sanctions—could fuel offensive plans directed at the United States.
Iranian hackers were very active in targeting US and European targets a few years ago, launching waves of powerful DDoS attacks against dozens of financial institutions in 2011 and 2012, and laying groundwork for possible critical infrastructure attacks, including against a dam in New York state. Though these initiatives haven’t completely abated, experts note that the country has seemingly shifted its focus in the past couple of years, turning to largely Middle Eastern targets like Saudi Arabia. Solidifying the nuclear agreement in 2015 may not have been the direct cause of the shift, or even related. But experts say it seems as though Iran has taken the last few years to centralize and organize its hacking initiatives, adding more government control and developing more sophisticated operations.
“One could argue that because we had this deal in place maybe they had some motivation to not be aggravating,” says Isaac Porche, a senior engineer and the director of the Homeland Security Operational Analysis Center at the RAND Corporation. “But their actions have already been in the US, and Iran has been implicated in attacks on other countries. So they made a decision some time ago to be active.”
‘One could argue that because we had this deal in place maybe they had some motivation to not be aggravating.’
Isaac Porche, RAND Corporation
And evidence indicates that Iran’s more focused government investments have paid off. Reports about an elite hacking group, called Advanced Persistent Threat 33 by the security firm FireEye, say that Iranian hackers have breached numerous aerospace, defense, and petrochemical companies around the world over the last 18 months. The group, which may have been originally founded in 2013, notably carried out recent reconnaissance and malware distribution attacks in the US, South Korea, and Saudi Arabia.
President Trump nodded to this context in his speech on Friday about the decision to decertify the nuclear agreement and send it to Congress for consideration. “The Iranian dictatorship’s aggression continues to this day,” he said. “It imprisons Americans on false charges, and it launches cyberattacks against our critical infrastructure, financial system and military.”
House Republicans said in a statement after the President’s speech on Friday that they plan to push for new sanctions against Iran, not those currently removed by the nuclear deal, but others with the same intent to deter Iran from building nuclear weapons. “Simply enforcing a fatally flawed agreement is not sufficient,” said Speaker Paul Ryan. “I support President Trump’s decision to reevaluate this dangerous deal, and the House will work with his administration to counter Iran’s range of destabilizing activities.”
Hopefully Congress will consider potential long-term impacts before pursuing a plan to establish any new sanctions or additional limitations. Stopping Iranian nuclear proliferation is important, especially in light of ongoing tensions between the US and North Korea. But even if the near-term impact of decertification is minimal, provoking Iran now could have ramifications in a number of spheres in the future.
“The potential is there, but I don’t think we would see anything huge from Iran right now,” says Jeff Bardin, the chief intelligence officer of the threat tracking firm Treadstone 71, which monitors Iranian hacking activity for clients, including some in Saudi Arabia. “I don’t think they would use this opportunity to expose any inroads they may have made into the US critical infrastructure. They’re taking a longer-term approach and will play the waiting game instead of just exposing their hand.”
It’s worth remembering, too, that analysts trace much of Iran’s recent focus on expanding its offensive hacking capabilities back to the digital Stuxnet attack that the US and Israel carried out in 2010 to sabotage Iran’s nuclear centrifuges. Cyberattacks also potentially provide Iran an avenue to push back long-term against sanctions outside of the scope of the nuclear deal itself.
Cyberspace “is a convenient domain because much of the activity does not necessarily violate international law—it’s still murky,” RAND’s Porche says. “There’s so much cyberactivity that is not classified as an armed attack or an act of war like espionage. So there’s no reason that it won’t continue. The status quo is already pretty bad, this won’t necessarily push it one way or the other.”
Tension in cyberspace is far from the only factor in nuclear deterrence, of course, but as Congress mulls next steps on Iran, it’s that “status quo” that’s important to have in mind.