Richard Harrison is research fellow and program officer at the American Foreign Policy Council in Washington, D.C.
Late last month, many Americans experienced difficulties accessing their digital bank accounts and the Web sites of their financial institutions. The culprit wasn't a simple computer glitch, but a series of coordinated cyberattacks aimed at the U.S. financial sector.
Although definitive attribution has not yet been made, early reports suggest that the cyberattacks originated in the Middle East. And policymakers in Washington already have a good idea of who was behind the cyber offensive: the Islamic Republic of Iran. Sen. Joseph Lieberman of Connecticut, the chairman of the Senate's Homeland Security Committee, told reporters on September 26 that the Quds Force, the paramilitary arm of Iran's Revolutionary Guards, was behind the recent cyberattacks against at least two leading U.S. financial institutions: Bank of America and JP Morgan Chase.
Lieberman's contention is credible. For over a year, scholars have been warning about Iran's burgeoning capability to carry out cyberattacks—and its increasingly robust and formidable cyber force. Belatedly, these predictions have been confirmed by the U.S. government; according to a September 14 report released by the Pentagon's Joint Staff, the Iranian regime is now "waging a covert war against the West," and cyberwarfare is one dimension of this conflict.
There are several additional reasons why Tehran is a credible suspect for the recent attacks on our banks.
First, Iran may be seeking retribution for Stuxnet and other viruses that have infected its uranium enrichment facilities. The West, after all, has been waging war of the cybernetic variety against the Iranian regime for years in what amounts to a coordinated attempt to derail Tehran's nuclear program. And while there is still much debate publicly about who, exactly, is responsible for the five separate cyberworms that have eaten their way into Iran's nuclear effort, there is ample evidence to suggest to the Iranians that it was the United States and its allies.
Second, Iran may be lashing out as a result of international sanctions. The past year and a half has seen a marked expansion of U.S. and European economic pressure against Iran. While these measures have not yet changed the Iranian regime's strategic course, they have succeeded in exerting a heavy financial toll—one for which Iran's leadership might wish to retaliate.
Third, rhetoric surrounding a potential military strike on Iranian nuclear facilities is at an all-time high. Iranian officials have begun to talk seriously in recent weeks about a potential conflict with Israel and/or the West, and about the devastating consequences that would be visited upon Jerusalem or Washington if hostilities ensue. The recent cyberattacks on U.S. financial institutions, in this context, could be something of a warning shot by the Iranian regime.
Finally, the attacks may indeed simply be a symptom of the larger furor over the controversial "Innocence of Muslims" video now sweeping the Muslim world, as has been alleged. Cyber experts, however, deem this to be the least likely of all options, in large part because a coordinated and sustained attack of this magnitude would have had to have been planned long before the video was released.
Working under the assumption that Iran is, in fact, the culprit, the inescapable conclusion is that Tehran is pursuing a "scorched earth" asymmetric strategy that does not distinguish between the American people and the U.S. government. Attacking U.S. banks only serves to underscore that the Iranian regime is both willing and able to hold American civilian targets at risk.
Worse still, it is abundantly clear that we are not prepared for such an offensive. For months now, new and important cyber legislation has been at a virtual standstill in Congress, held hostage to political bickering and the electoral cycle. And while the Obama administration is on the verge of unveiling an executive order that will impose voluntary measures for minimum security standards on critical infrastructure, it is already clear that it will not go far enough to rectify current vulnerabilities—or to deter future cyber attacks. The United States is still months, if not years, away from coming to a consensus on how to protect the private sector from cyberattacks.
This begs the question: If it is definitively determined that Iran was behind the recent disruptions of banking websites, how should the United States respond? At least for now, our responses are limited, with retaliation the most likely option. That, of course, could take America's current stand-off with Iran to a new and considerably more dangerous level.