Incoming: The Iran Nuclear Deal and Our Cyber Options
Regardless of how the deal to restrict Iran’s nuclear capabilities unfolds, we need to be thinking aggressively about how to mitigate its effects.
Let’s review the bidding. The deal provides a weak verification regime; a limited 10- to 15-year shelf life; an immediate boatload of cash to the Iranians as sanctions are lifted without any real restrictions on their actions; and a deeply upsetting turn of events to our allies in the region. That’s the bad news.
Despite the difficulties ahead, most observers assess that the deal ultimately will be implemented. This reflects the overwhelming desire of the international community for the agreement, fueled largely by global commercial ambitions and the realization by the Iranians that the deal is quite good for them. (Iranian President Hassan Rouhani tweeted that their prayers had been answered.) In addition, the deal will move forward because of the inability of the Republican majority in Congress to override a promised presidential agreement and the hope that over time the agreement will lead to the reduction of Iranian imperial ambitions and the rise of a more democratic and cooperative regime. While unlikely, the latter outcome is not impossible, but that moment seems a long way off.
The good news, such as it is, centers around our ability to leverage cyberspace to monitor, disrupt and—at the far end of the spectrum—kinetically impact Iranian nuclear activities. Our immediate focus should be on creating a coherent, integrated, long-range cyber operations campaign that permits the U.S. president and his successors to have all of those options.
In terms of monitoring, our actions are obvious. Given the porous verification regime, we cannot allow the International Atomic Energy Agency (IAEA) alone to be the bulwark against Iranian cheating. In addition to both open-source and U.S. clandestine intelligence gathering—to include dangerous but necessary human intelligence (HUMINT), or spies on the ground—we need a robust cyber surveillance campaign directed against every aspect of potential Iranian cheating.
This necessitates using all U.S. cyber means. That includes the Defense Department and its intelligence agencies; the intelligence community broadly, especially the CIA; and other cabinet agencies with international cyber surveillance abilities, such as the Department of Homeland Security, the FBI and the Commerce Department, to create an interagency cyber task force to focus on finding sources and methods of potential Iranian cheating.
We also need to be working closely with allies, especially those in the region—Israel, Saudi Arabia and the Persian Gulf States—on how to optimize our use of cyber in “seeing” Iranian activities throughout the procurement and purchasing pipeline and on the transportation path into Iran. This will be an incredibly complex mission that will require international, interagency and public-private cooperation in the cyber realm.
Disruption is, of course, even more contentious and difficult. As we see Iranian activities proliferate both in potentially acquiring nuclear weapons and in general activities in the region and globally—think Hezbollah, Iranian support to Shia regimes and so on—we should determine how we can use cyber to counter them. This again will involve exchanging cyber information and intelligence with international partners such as the European Union, Israel and the Sunni states as well as formulating a specific set of offensive cyber actions to diminish Iranian prospects.
This type of action could run the gamut from erasing or blocking the electronic movement of cash to extremist organizations or regimes to rendering equipment inoperable.
The third and potentially most controversial activity would be kinetic destruction of Iranian capabilities, either in the nuclear space—attacking their facilities—or in the military infrastructure that could be used to deliver a nuclear weapon. This action is tantamount to an act of war and should be explored by the president only in the event of provable Iranian cheating or unacceptable Iranian behavior toward the United States or its allies. The assassination attempt against the Saudi ambassador in Washington in 2011 or the massacre of Israeli tourists in Bulgaria in 2013 comes to mind. If repeated, this kind of Iranian-sponsored illegal behavior requires a response beyond simply monitoring and disrupting capabilities. It calls for a high-level offensive response. Cyber should be on the list of options presented to the president.
Activities in this realm could include acts against Iranian internal military infrastructure that might cause real and permanent kinetic damage to specific portions of the country’s power grids, related military facilities, air-defense systems and dual-use transportation sectors. Cyber also could be used tactically against Iranian Quds force operators attacking U.S. allies such as Israel, Saudi Arabia and the Persian Gulf States and, of course, against any effort launched against the United States.
Like so many others, I am hopeful that this agreement with Iran will lead us to a new, positive relationship, but I remain skeptical. We need to prepare to mitigate the effects of it going badly. Our allies and friends in the region must be reinforced and protected, and more importantly, we need to prepare ourselves for disruptive behavior across a wide variety of fronts.
Cyber will be an important component of monitoring, defense through disruption and offensive action to counter potential Iranian behavior. The sooner we think through a cyber campaign against Iran, the better. Ultimately, it will require a high degree of classification, extraordinary technical capabilities, real operational creativity and, above all, the political will to execute it.
Adm. James Stavridis, USN (Ret.), was the 16th Supreme Allied Commander for NATO from 2009-13. He is the 12th dean of The Fletcher School of Law and Diplomacy at Tufts University, from which he holds a Ph.D. in international law, and he is chairman of the U.S. Naval Institute’s board of directors.