Development Of Iran’s National Cybersecurity System


Written by Colonel N. Turchik; Originally appeared at Foreign Military Review 2021 #1, translated by AlexD exclusively for SouthFront

The development of a national cyber security system in the Islamic Republic of Iran (IRI) is driven by the following factors:

  • the necessity for domestic political stability;
  • the ongoing cyber operations (cyber-attacks) against Iran’s critical infrastructure;
  • the necessity to establish and develop national information and cyber security structures.

The IRI is in a difficult geopolitical position and global confrontation with its main foreign policy rivals – the USA, Israel and the Gulf states, especially Saudi Arabia and the UAE.

This is reinforced by the increasing dependence of the public administration, military, social, economic and transport sectors of Iran on the sustainability and capacity of the information infrastructure that supports them.

However, for the Republic, the spectrum of threats in cyberspace emanating from external sources is complemented by an internal factor: the sustainability of the Iranian state system depends on the domestic political situation, which, in turn, is linked to domestic economic problems and a complex socio-political atmosphere subject to negative information impact.

The continued use of the Internet by external forces to influence the internal political situation in the country also focuses Tehran on prioritising the development of effective mechanisms to ensure control over the Internet space, monitoring the content posted and the activity of users.

Iran, officially listed by the US as “axis of evil”, is one of the main targets of cyber-attacks by US intelligence agencies and their allies – most notably Israel. This could not but encourage Tehran to develop its own cyber security capabilities, both in terms of countering cyber threats and developing systems for cyber espionage and cyber-attacks on the critical infrastructure of potential adversaries.

Therefore, cyber security capabilities are seen by Iran as a key and effective tool (so-called soft power), and the targets of Iranian cyber operations include the United States, Israel, the Gulf states, and leading western European states.

The development of national cyber security competencies is reflected in government policy documents. In particular, as part of the implementation of the national economic development plan for 2016-2021, IRI plans to become a regional leader in cyber security.

Iranian officials, in assessing the national cyber security system, point to its progressive growth, while consistently noting that it is immune from foreign interference.

Thus, as recently as 2013, the IRI’s capacity in this area was estimated to be the fourth largest in the world. The leadership of the country’s Armed Forces General Staff has repeatedly noted that “the republic is fully prepared to confront cyberspace” and stressed that despite constant US threats against Tehran, Washington has to take into account Iran’s information technology capabilities. The country’s capabilities are generally praised by most western experts, who place it among the six nations with the most advanced cyber security structures in the world, along with the United States, Russia, China, Israel and the United Kingdom.

The Israeli think tank INSS noted that the IRI has significant cyber-attack capabilities and could be used against critical infrastructure of the US and its allies should a confrontation between Iran and western countries break out.

Iran was positioned among the top five countries in the world with the most advanced cyber security and cyber operations competencies, according to a 2015 report published by US cyber security company LLC. Equally high praise was given in 2016 by the head of the NSA and the US Army Cyber Command, who noted that the IRI was becoming one of the most dangerous adversaries in this area along with Russia and China.

In 2017, the US Defence Science Board published a report concluding that Iran and the DPRK have an increasing capacity to conduct cyber-attacks against the United States and that measures are needed to deter them, similar to those used to counter the development of those countries’ nuclear programmes.


The US estimates that Iran is ready to conduct cyber operations to block the control systems of critical US military facilities. Similar assessments were made by US administration officials, who stated that Tehran has paved the way for massive cyber-attacks on relevant US, western European and Middle Eastern infrastructure.

At the same time, despite Iran’s obvious potential to counter cyber-attacks and conduct its own actions, a number of foreign experts note Tehran’s limited capabilities in this area compared to the United States, Russia and China, primarily due to a significant technical lag.

Most foreign researchers have pointed out that cyber-attacks against US defence information assets have had very limited success. Nor were reports of Iranian theft of sensitive information corroborated. Similar assessments were made when analysing the capacity of Iranian hackers to attack Israel.

In assessing Iran’s actual cyber security capabilities, foreign experts make two main points. First, despite the stressed need to merely ensure their own cyber security, Tehran seeks to position its cyber warfare capabilities as a significant influence on geopolitical rivals. Second, western, primarily US, policymakers seek to portray Iran’s growing cyber capabilities (as well as its nuclear programme) as a national threat to justify increasing pressure on Tehran and demanding additional funding for their own cyber development programmes.

It is clear, however, that Iran has demonstrated an additional range of capabilities to respond to potential external aggression by conducting fairly large-scale cyber operations against government, military and scientific institutions in the United States, Saudi Arabia, western Europe and elsewhere.

Foreign sources acknowledge that Iranian cyber operations can serve as an example of a fairly successful Third World counterpower to the world’s leading powers in this area. It is also pointed out that the achieved cyber capabilities could well be used by Tehran as a significant argument in the negotiation process with Washington and other geopolitical opponents.

At the same time, there has been some decline in cyber activity against the United States since the 2015 international agreement on Iran’s nuclear programme. Meanwhile, cyber operations at the regional level against US allies (primarily Saudi Arabia and Israel) increased, which was perceived by some western observers as maintaining indirect pressure on Washington. After the Trump administration’s de facto démarche in May 2018 in rejecting compliance with the nuclear deal, US intelligence agencies predicted the risk of Tehran resuming large-scale cyber-attacks against Washington.

Previously, the most devastating (and first major) cyber-attack against Iran was Operation Olympic Games, which most researchers assume was planned and executed by the US and Israel. As part of this operation, the Stuxnet malware was introduced in 2010 into one of the country’s most important nuclear infrastructure facilities, a uranium enrichment plant. Stuxnet’s reconfiguration of the facility’s control systems resulted in the failure of 1,386 of the 5,000 available uranium enrichment centrifuges. Running covertly, the programme drove their operating parameters to critical values, eventually causing wear and failure.

In doing so, the operators received distorted equipment performance data generated by the virus, which corresponded to normal indicators. As noted by foreign experts, the attack set back the development of Iran’s nuclear programme by two years. As the virus spread further, more than 30,000 industrial computer systems were affected, according to the Information Technology Council of Iran.

The Stuxnet operation was not a cyber-attack in the classical (i.e. remote) sense, since the initial introduction of the software into the facility’s information network was carried out from removable media by embedded or recruited agents.

This is indicated by the fact that the facility’s information network was local, with no possibility of external access.
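The Stuxnet description above turns on one detail: the operators were shown normal-looking readings while the physical process was being driven off-spec. The standard defensive answer is an out-of-band cross-check, an independent sensor channel that the controller cannot write to, compared continuously against the operator-facing value. The following Python is an added illustration of that check, not code from the article or from any Iranian or vendor system; the nominal frequency, tolerance, unit names and every sample value are constructed for the example.

```python
"""Out-of-band telemetry cross-check for a process control environment.

Added illustration, not code from the article or from any real control system.
Assumptions (constructed): a controller/HMI channel reports rotor frequency in Hz,
and an independent sensor channel (wired to a separate acquisition device that the
controller cannot write to) measures the same quantity. Every number below is made up.
"""
from dataclasses import dataclass
from statistics import pstdev
from typing import Dict, List, Tuple

NOMINAL_HZ = 1000.0      # assumed nominal operating frequency for the toy model
TOLERANCE_HZ = 25.0      # assumed acceptable disagreement between the two channels
MIN_CONSECUTIVE = 3      # samples of disagreement before raising an alert


@dataclass(frozen=True)
class Sample:
    unit: str              # machine identifier
    t: int                 # sample index (monotonic per unit)
    reported_hz: float     # what the controller tells the operator
    measured_hz: float     # what the independent sensor saw


Alert = Tuple[str, int, float, float]


def divergence_alerts(samples, tol=TOLERANCE_HZ, min_consecutive=MIN_CONSECUTIVE) -> List[Alert]:
    """Alert when the operator-facing value and the independent measurement disagree
    by more than `tol` for `min_consecutive` samples in a row on the same unit.
    A single glitch does not fire; a sustained gap (as when the displayed value is
    falsified while the physical process is driven off-spec) does."""
    streak: Dict[str, int] = {}
    alerts: List[Alert] = []
    for s in sorted(samples, key=lambda x: (x.unit, x.t)):
        if abs(s.reported_hz - s.measured_hz) > tol:
            streak[s.unit] = streak.get(s.unit, 0) + 1
        else:
            streak[s.unit] = 0
        if streak[s.unit] == min_consecutive:   # fire once per streak
            alerts.append((s.unit, s.t, s.reported_hz, s.measured_hz))
    return alerts


def frozen_channels(samples, window=5, eps=1e-9) -> List[str]:
    """Units whose reported channel is perfectly constant over the last `window`
    samples while the independent channel is not. Real rotating machinery jitters;
    a flat 'normal' trace on the display while the physical reading moves is suspicious."""
    by_unit: Dict[str, List[Sample]] = {}
    for s in samples:
        by_unit.setdefault(s.unit, []).append(s)
    flagged: List[str] = []
    for unit, rows in sorted(by_unit.items()):
        rows = sorted(rows, key=lambda x: x.t)[-window:]
        if len(rows) < window:
            continue
        reported = [r.reported_hz for r in rows]
        measured = [r.measured_hz for r in rows]
        if pstdev(reported) < eps and pstdev(measured) >= eps:
            flagged.append(unit)
    return flagged


def constructed_samples() -> List[Sample]:
    """Constructed input: unit A behaves normally; unit B's display stays pinned at
    nominal while the independent sensor sees the rotor driven far above it."""
    jitter = [(0.4, 1.0), (-0.7, -0.5), (0.2, 0.8), (0.9, -1.1), (-0.3, 0.6), (0.5, 0.1)]
    a = [Sample("A", t, NOMINAL_HZ + d, NOMINAL_HZ + d + j) for t, (d, j) in enumerate(jitter)]
    measured_b = [1000.0, 1001.0, 1100.0, 1250.0, 1380.0, 1400.0]
    b = [Sample("B", t, NOMINAL_HZ, m) for t, m in enumerate(measured_b)]
    return a + b


if __name__ == "__main__":
    data = constructed_samples()
    for alert in divergence_alerts(data):
        print("DIVERGENCE unit=%s t=%d reported=%.1f measured=%.1f" % alert)
    print("frozen reported channel:", frozen_channels(data))
```

Run stand-alone, it flags unit B once the two channels have disagreed for three consecutive samples and separately reports B as having a frozen display channel. The point of the design is that the comparison is made on data the controller cannot influence: if the independent sensor is read through the same PLC, a compromised controller can falsify both sides and the check proves nothing.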

The cyber-attack against Iran’s nuclear infrastructure is believed to have been a threshold moment for Iran’s military and political leadership, forcing the development of its own cyber security capabilities.

The next major incident was the detection of a new malware, Flame, in 2012 by the National Cyber Emergency Response Team (MAHER), with technical assistance from the Russian company Kaspersky Laboratories. They estimated that the software was presumably linked to the Stuxnet virus because it targeted similar vulnerabilities.

As reported by Iranian sources, Flame initially hit around 1,000 computers in Iranian government agencies, higher education institutions and private companies.

Throughout 2012, Iranian officials repeatedly claimed to have uncovered massive cyber-attacks on the information resources of Iranian organisations, in particular nuclear facilities, the Central Bank of Iran and oil companies. For example, it was reported that Iranian financial institutions were attacked by malware in the autumn of 2012. In October of the same year, Iran’s information minister said experts were detecting some 500 cyber-attacks on its information resources every day.

After a series of cyber-attacks in 2012, Tehran periodically declared a progressive increase in capacity and capability to counter external cyber threats. At the time, it was noted that Iran was among the most successful countries in countering cyber threats. Up to 60% of cyber-attacks are detected, while in other countries the figure does not exceed 25%.

Iranian officials noted that more than 1,000 cyber-attacks were repelled daily in 2014, and as many as 10,000 in 2015. In February 2015, Iranian media reported that a series of cyber-attacks on scientific and industrial infrastructure were successfully repelled, and in March 2015, the DIS Cyber Threat Response Centre successfully repelled US cyber-attacks against Iranian production facilities.

As noted by foreign sources, Iranian intelligence agencies failed to prevent a cyber operation carried out in May-June 2016 (claimed by Saudi hackers), which resulted in the blocking and defacement of websites of Iran’s statistics centre, the Ministry of Culture, and several embassies (notably those of Russia, Ukraine, Argentina and Kyrgyzstan).

The most notable cyber-attack on Iran was the June 2017 hack by the Saudi cyber group Team Bad Dream of the country’s foreign ministry website.

Tehran also reported a series of cyber-attacks in February 2018 targeting Iranian media websites and servers from IP addresses in the US and the UK. In April, the server centres of a number of Iranian IT companies were hit by a cyber-attack, which resulted in a factory reset of some 35,000 routers and switches manufactured by the US company Cisco. In November of the same year, Iran reported a series of cyber-attacks on telecommunications infrastructure. There was a high probability of Israeli involvement in these attacks.

The growing negative information impact on the domestic political situation in the country, the Armed Forces and other structures prompted the Iranian leadership to form national special services for information and cyber security, cyber technologies and cyber influence on foreign targets.

At the end of 2002, a committee to oversee banned web resources was set up to take action against prohibited Internet resources; it included representatives of the Ministry of Intelligence and the Ministry of Culture and Islamic Guidance. In 2003, the Supreme Council for Information Security developed a cyber surveillance plan that became a policy document for comprehensive monitoring and control of cyberspace; in 2005, the Supreme Council for Technological Innovation was created to develop a policy and strategy for technological development.

As part of a further policy to tighten control over cyberspace, a committee to identify unauthorised sites was set up by the Supreme Council of the Cultural Revolution under the head of state in 2009. Its members included the attorney general, the DIS command, the ministers of intelligence, justice, telecommunications and science.

Later, a committee was set up to detect criminal Internet content, also made up of representatives of relevant ministries and agencies.

The IRGC and the Ministry of Information were initially in charge of cyber security and cyber operations, but their cyber services were autonomous and rather isolated, mainly focused on tasks for departmental interests, often without notification or coordination with the rest of the government.

The creation of a cyber security force within the IRGC dates back to 2008-2009. This decision was initiated at the level of the Supreme National Security Council. The same period also includes the establishment of direct control by the Corps over the activities of identified Iranian hacker groups.

The need for a centralised national cyber security system, led by the IRGC, was proposed in December 2010. In addition to cyber structures reporting directly to the Corps, it was also proposed to form cyber groups within the Basij Resistance Force.

Major core organisations for cyber security research and training include the Centre for Information Technology and Cyber Security at Tehran University, the Cyber Research Institute at Shahid Beheshti University, the Centre for Advanced Information and Telecommunication Technologies and the Institute of Advanced Communication Studies established at Sharif University of Technology.

Despite the organisation of a hierarchical information and cyber security management structure on a national scale, key competencies, resources and capabilities in this area (especially in terms of cyber operations) remain concentrated in the IRGC.

The Cyber Security Command is responsible for dealing directly with cyber security and cyber operations. It has the Amar Cyber Base, cyber operations units, dedicated electronic warfare and cybersecurity structures. These units have about 2,400 specialists and an estimated budget of $76 million.

The Basij Resistance Force has its own coordinating structure, the Cyber Security Council, which focuses on information security and Internet monitoring.

In Iran’s Ministry of Information, cyber security is the responsibility of the Technology Department. A similar in-house structure also exists in the “Organisation of the Electronic Industry of Iran”.

In January 2011, FATA, a special unit to combat cybercrime, was established within DIS. In early 2016, Iran’s SOP command announced the creation of a special cybercrime response centre within FATA. It was later reported that a Cyber Emergency Response Centre had been set up to repel cyber-attacks. In early 2018, a parliamentary commission on national security and foreign policy was scheduled to be established to provide legal and legislative support for national cybersecurity policy.

In addition to the development of information networks and resources, serious efforts are being made by Iran in software development, including anti-virus software.

Foreign researchers point to an increasing shift in the focus of Iranian intelligence agencies towards cyber operations to collect data on anti-Iranian foreign parties, dissident non-governmental organisations and national diasporas.

The priority targets are the United States (primarily American high-tech and defence companies that supply arms to Israel and Saudi Arabia), virtually all Middle Eastern countries (especially Israel and Saudi Arabia), western European and North African states, and some central and south Asian countries.

Thus, the development of Iran’s cyber security system is aimed at improving the relevant national structures, expanding their capacity and the range of their tasks, while at the same time, influencing the targets of interest with information.
