Eight years after we had uncovered that Stuxnet was a targeted cyber-physical attack against the Iranian nuclear program, both the United States and Israel find themselves threatened by the prospect of an Iranian breakout towards nuclear weapons production. This given, should we anticipate another significant cyber attack against the Islamic Republic?
One thing can be taken for granted: Present offensive US cyber capabilities are much more advanced than the first actual cyber weapon deployment that we had seen with Stuxnet, which, in all its sophistication, was experimental and bold.
Our crystal ball tells us that, given the way that the Iran policy of the Trump administration is heading, you shouldn’t hold your breath for a Stuxnet encore. Policy-wise, we’re seeing a major thrust on economic pressure, in an effort to rise the cost of the Iranian nuclear program beyond the price that the Islamic Republic is willing to pay.
Not that their domestic Uranium enrichment program ever made economic sense, since the fuel needed for their nuclear power plant, if it was ever needed for the electricity of a country that is sitting on gigantic oil reserves, can be purchased on the international market cheap and reliably. The cost for the enrichment program was out of proportion from day one, and strong sanctions may get it beyond the tipping point. That is, unless Iran is willing, and politically capable, of eating grass like Pakistan when they developed their nuclear bomb.
In this scenario, would another run of messing up their centrifuges with cyber make a difference? Absolutely not. And as pointed out in To kill a centrifuge, the objective to physically destroy a couple thousand of these machines will not make a difference, given the fact that Iran’s core strategy relies on low-tech components that can be produced at industrial scale.
At the same time, cyber retaliation can be taken for granted. Over the last couple of years, Iran became a major player in offensive cyber operations, especially targeting US critical infrastructure, second only to Russia. The problem with these intrusions is that virtually nobody, including Iranian perpetrators, have a good idea which damage they can cause if activated. If Iranian cyber operations have succeeded at anything, it is the creation of a credible deterrent.
While we don’t see Stuxnet 2.0 on the horizon, the situation is different in respect to Nitro Zeus, the codename of a large scale infiltration of Iranian critical infrastructure that was uncovered in 2016. It’s a safe bet to assume that as of today, US and Israeli cyber forces have infiltrated more critical systems in Iran than ever before.
Will that capability be leveraged to add further grief to the sanctions? No. But it will be leveraged in the case that old school (analog) military action starts, which President Rouhani has dubbed “the mother of all wars”. A mother that will need to deal with emergency power generators, non-functional transportation systems, and faulty communication links.
It could be the first war in which cyber plays a decisive role. But don’t wait for a show of cyber force until stuff gets real.