Explainer: Can Online War Lead to Real War?

BY JENNIFER KELTZ

Members of an Islamic Revolutionary Guard Corps cyber unit. Source: Mashregh News

In September, a drone attack crippled vital chokepoints in Saudi Arabia’s oil infrastructure. This attack, which the United States and Saudi Arabia blamed on Iran, is not an isolated incident: it occurred amidst rising tensions in a volatile region, featuring tit-for-tat attacks on conventional battlegrounds but also, increasingly, in the more opaque arena of cyber warfare. Since 2010, Iran has engaged in a series of cyberattacks on Saudi Arabia, and the two have become embroiled in a proxy war in Yemen.

There is a growing concern with cybersecurity in the policy arena, but cyberattacks are still largely treated as an element separate from traditional direct attacks (or in military parlance, kinetic attacks). The American public sees cyber as a less escalatory form of conflict, which means that it is less likely than kinetic conflict to increase in its scope of violence. But that perception might be wrong; the recent, frightening escalation in the Gulf suggests that cyber warfare might be better understood as just another mode of conflict that can spark a wider war.

The Trump administration’s National Cyber Strategy does not make a connection between cyber and kinetic attacks, but failed cyberattacks could render kinetic options attractive to combatants. The recent attack on Aramco is important because it threatens to harden the link between the two forms of conflict, a precedent which, if set, could lead to increased violence around the world. If the Aramco drone attack represents an escalation of cyber to kinetic, it suggests that cyberattacks exist along a spectrum of military options; they are part of a range of military tools, rather than a safe substitute for conventional military strikes. Alternatively, if cyber and kinetic are two different classes of conflict, cyber cannot serve as a viable means of conflict de-escalation for states.

The questions raised by Iran and Saudi Arabia’s competition – and the interaction of cyber and conventional warfare – apply widely to the many conflicts that increasingly feature cyber elements, including the conflicts between Russia and the US and those between Israel and the rest of the Middle East.

A ‘smokescreen to cover political aims’

Prior to the Iranian revolution in 1979, Iran and Saudi Arabia had a civil relationship, said Lawrence Potter, an associate professor at Columbia University’s School of International and Public Affairs whose work centers around Iran, Afghanistan, and the Persian Gulf. The two were, and still are, the dominant regional powers in the Persian Gulf. Both were US allies with similarly-structured monarchies, and friction was minimal. That changed dramatically with the Iranian revolution. Tehran confronted its regional rivals, and Iraq’s President Saddam Hussein escalated his own military ambitions in the region.

As the political situation in Iraq deteriorated under Saddam Hussein’s rule throughout the 1980s and into the 1990s, Saddam mobilized and instrumentalized sectarianism in the region. To secure his own rule, he embraced a strategy of “divide and rule,” pitting Sunni against Shia, Potter said. Potter believes that the conflict between Iran and Saudi Arabia is political, not religious, at its heart: the Gulf states are all multireligious and multiethnic.

The political conflict is compounded by relative economic strengths, weaknesses, and sanctions. While both the Iranian and Saudi economies are based on oil production, Saudi Arabia has stronger output and greater market share, said Natasha Udensiva, an attorney and lecturer at Columbia University’s School of International and Public Affairs who studies the global energy market. Oil is far cheaper to produce in Saudi Arabia, which is “blessed with great reserves and easy oil coming out from the ground,” said Udensiva. In contrast, Iranian oil reserves are smaller, and the oil is harder to extract. Sanctions on Iran have shrunk its already-less-powerful economy.

The 2015 Joint Comprehensive Plan of Action, often referred to as the Iran Nuclear Deal, was a major breakthrough for Iran, which has sought political legitimacy after years of sanctions for its attempts to covertly build a nuclear program. Sanctions primarily targeted Iranian oil, which Udensiva called its “lifeblood,” and Iran was thrilled to regain access to world markets under the 2015 nuclear deal. The World Bank says that the resumption of sanctions under the Trump administration will cause the Iranian economy to contract 8.7% this year. Economic shrinkage and political slights relative to Saudi Arabia’s stronger economy and friendly relations with the West could rest at the center of Iran’s incentives to fight back.

From ‘keeping an eye on dissidents’ to a ‘tit for tat’ external focus

Prior to 2010, Iran focused its cyber capabilities internally, said Jason Healey, a senior research scholar at Columbia University’s School of International and Public Affairs who focuses on the dynamics of cyber power and conflict and a senior fellow with the Cyber Statecraft Initiative at the Atlantic Council, an influential international relations think tank in Washington, D.C. Iran fixated its efforts on internal “troublemakers,” Healey said, and used external hacks to understand and control what was happening domestically.

This changed with the discovery of Stuxnet, the name given to the malware used in a series of cyberattacks started by the Bush administration and continued under the Obama administration. In this operation, the US and Israel compromised Iran’s Natanz uranium enrichment centrifuges and damaged Iran’s nuclear program in lieu of a conventional air strike out of fear that Iran would build nuclear weapons. Iran realized that this was “how the game is played,” said Healey. Cyber was a new way to demonstrate military might. Stuxnet completely shocked Iran and “unleashed a new form of warfare,” said Potter, with offensive cyber operations now used against perceived opponents to the state.

From late 2012 until 2016, Iran carried out external attacks and turned itself into a major player in cyberspace, said Healey, conducting far more cyberattacks against Saudi Arabia than the Saudis conducted against Iran.

In the spring of 2012, a wiper disrupted the Iranian energy sector, causing several of its oil terminals to go offline. Wipers “wipe” information from computer hard drives, rendering the machines worthless. Healey speculated that Israel was behind the attack.

On August 15, 2012, a few days before the end of Ramadan, Iran carried out an extremely disruptive cyberattack, now called Shamoon, on Saudi Aramco. The attack also struck the Qatari oil company RasGas. Healey said that Shamoon was “almost certainly a response to Stuxnet” and the wiper attack from earlier that year.

Shamoon wiped 30,000 Aramco computers and replaced all their files with pictures of a burning American flag, sending Aramco on a massive mission to quickly buy as many hard drives as possible to rebuild its ruined networks. Healey viewed the attack as a tactical success but a strategic failure. Iran destroyed the computers it targeted, but the “target [Aramco] was able to bounce back,” he said.

Alongside its other external attacks during this period, Iran continued to attack Saudi Arabia. Iran is widely suspected of conducting a 2016 attack on Saudi state targets using a variant of the 2012 Shamoon wiper. In this variant, a picture of Alan Kurdi, a three-year-old refugee who drowned when his family fled the war in Syria, replaced the burning American flag picture.

Healey said that after the signing of the 2015 nuclear deal, many of Iran’s disruptive attacks abated, and its focus shifted toward “intrusions and espionage, rather than rabble-rousing and hooliganism.” Of note, the Iranian group APT33 (Advanced Persistent Threat group 33) conducted cyber espionage against “a business conglomerate located in Saudi Arabia with aviation holdings,” according to FireEye, a leading cyber threat intelligence firm.

When the US backed out of the nuclear deal in 2018, disruptive attacks by Iran resumed, with a marked increase in capability, possibly aided by an influx of money that came when sanctions were originally lifted.

Getting physical

Conflict in the Gulf has not been confined to cyberspace. The civil war in Yemen has gone on for years. Saudi Arabia, which supports the Yemeni government, depicts the war in Yemen as a proxy war for Iran, which backs the Houthi militias in their uprising against the regime. On April 22, 2019, an Iranian Islamic Revolutionary Guard Corps commander threatened to close the Strait of Hormuz, an important waterway for oil shipping. US Vice Admiral Michael Gilday, Director of the Joint Staff in the Department of Defense, linked Iran to a May attack on two Saudi oil pipelines. In June, US Secretary of State Mike Pompeo tied a missile strike on Saudi Arabia’s Abha International Airport to Iran. Over the summer, numerous oil tankers in the Gulf region were attacked, and the State Department blamed Iran.

At 4 a.m. on September 14, 2019, drones and cruise missiles struck the Saudi Aramco oil production facilities at Abqaiq and Khurais. The attack forced Aramco to immediately suspend production of 5.7 million barrels of oil a day, half of the country’s total oil output. While Iran has denied involvement, Saudi Arabia and the US have both placed responsibility on Iran.

Udensiva said that, while the September attack was “scary and unexpected,” it may not have caused as much damage as the initial news reports indicated. The attack had little effect on global energy markets. Crude oil prices rose only slightly, and the resulting price spike was temporary. Aramco said that oil production was fully restored by October.

The geopolitical impact

The drone attack could have been labeled an act of war and triggered a United Nations Security Council (UNSC) response. However, despite many initial reports describing the strike, there has been very little follow-up and no UNSC resolution, leaving the door open for speculation.

Potter thinks that the Middle East will see a rapprochement between Iran and Saudi Arabia. He said that this attack placed the Saudis in a “vulnerable position.” While the kingdom has “spent a fortune on arms,” he said, “their main economic resource was not protected.” The US did not respond to Iran with a kinetic attack on behalf of Saudi Arabia, opting instead to launch a cyberattack aimed at Iran’s ability to spread propaganda. Potter said that this has served as a wake-up call to the Saudis that they must learn to work with Iran, because the US will not protect them. A war would be a “major disruption for the whole region,” Udensiva said, agreeing with Potter. “There would be no winners.”

Cyber and the escalation game

One possible interpretation of the drone attack is what defense analysts call “single-ladder escalation.” Under this interpretation, cyber and kinetic are part of the same military toolbox. Cyberattacks can increase a conflict’s intensity and provoke kinetic attacks. Iranian cyberattacks against Saudi Aramco and other state targets failed to achieve Iranian political goals of causing lasting damage, despite their operational success. In response, Iran chose to escalate along a single escalation ladder from cyber to kinetic attacks, thus indicating that cyber, which is conventionally viewed as less escalatory because it operates along a different ladder, can actually lead to physical attack.

Healey was quick to point out that there may be alternative explanations. For example, Iran may simply have wanted to test the capabilities of newly purchased missiles.

Another possible interpretation of the drone attack is that of simultaneous escalation along two separate escalation ladders (two separate toolboxes). Along a cyber ladder, Saudi Arabia saw an Iranian escalation from crude denial of service attacks to persistent espionage campaigns and wiper attacks, which are vastly more destructive. Along a physical ladder, Saudi Arabia saw an Iranian escalation from proxy fighting in Yemen to attacks on Saudi soil.

Under the second interpretation, kinetic attacks could continue along their own escalation path, only marginally linked to escalation in cyber battle. Cyber as an option would be unable to cause or prevent kinetic attacks. While this could be the case, Potter said that kinetic escalation in the Iran-Saudi conflict is unlikely. Although cyberattacks will probably continue, “the [Saudis] are going to be very careful about taunting Iran,” he said.

Whereas the second interpretation conforms to commonly accepted norms of cyber and physical conflict, the first interpretation threatens to spin these norms on their heads. Cyber is typically viewed as safer and less escalatory. If it becomes merely the first tool militaries use against adversaries, with physical attack being a likely conclusion, the probability of war breaking out across the globe rises dramatically.

The world is becoming increasingly networked, with exponentially more people able to access the internet. Should kinetic attacks become more common following failed cyberattacks, constant cyber engagement in so many places implies greater potential to attack and to be attacked in physical space. This danger is particularly acute between countries like the US and Russia, the US and China, and Israel and the rest of the Middle East, where one or multiple players in each conflict have nuclear weapons and all are major players in the cyber arena.

Regardless of which interpretation is closer to the truth, if states regard cyber as non-escalatory, cyber actors will carry out more and more disruptive attacks. Eventually, Healey said, one attack will finally be so brazen or destructive that someone responds kinetically, but this red line – the point at which an attack has been so damaging that it warrants a kinetic reaction – has not yet been defined. This means that no one knows when, where, or by whom such a response will occur. The uncertainty is chilling, because ultimately, Healey said, “there’s a lot worse than a cyberattack.” Cyberattacks can disrupt systems and networks; they can ruin lives. Kinetic attacks kill.
