Iranian bombs aimed at U.S. assets have stopped falling, at least for now. But even if the kinetic war is actually over, that does not mean our conflict with Iran is at an end. Indeed, it’s likely to heat up considerably, this time in the cyber arena.
Iran has a long history of avoiding direct military conflicts and instead projecting its national power through proxies and asymmetric means. In some cases, this has been accomplished through support for terrorist militias such as Hezbollah. And for at least the last 10 years, cyber conflict has been a key part of Iran’s arsenal.
Early in the last decade, most of Iran’s cyber activities were disruptive and reactive in nature, rather than preemptive and catastrophic. For example, after the U.S. used a cyber tool known as Stuxnet to destroy Iran’s uranium processing centrifuges, the Iranian government began a series of denial of service attacks against American banks that prevented some Americans from using online banking tools. The Iranians were also identified as responsible for releasing a virus called Shamoon, which erased data on computers at Saudi Aramco, the largest oil company in the world. And Sheldon Adelson, a pro-Israel, Republican supporter of President Trump, was targeted — his Sands Casino in Las Vegas was infected with a virus that shut down the casino for a while, and U.S. officials said the attack came from Iran.
While the disruption from these attacks was significant, they were also notable for how little long-term damage they did. Iran was, in effect, pulling its cyber punches.
Today, the prospect of disruptive and perhaps even destructive Iranian attacks is growing. As the Department of Homeland Security recently warned, Iranian cyber capabilities are greater today than in the past. In June 2019, even before the recent rise in tensions, DHS cautioned that “Iranian regime actors and proxies are increasingly using ‘wiper’ attacks, looking to do much more than just steal data and money. … What might start as an account compromise, where you think you might just lose data, can quickly become a situation where you’ve lost your whole network.”
There is every reason to expect that Iran has not lost its appetite for asymmetric cyber conflict as a means of confronting the United States. And while Iran has been increasing its capabilities, the attack surface of vulnerable U.S. systems has only grown. To be sure, we’ve made significant strides enhancing the protection of critical infrastructure, but many systems remain vulnerable.
So what can we expect? Successful, deep cyberattacks are not created overnight. They take weeks, if not months, to plan, develop, deploy and execute. Thus, in the near term, Iran’s cyber response will almost certainly have been in the works for many months. They’ve watched us in the last few years and learned from our successes and failures. Here are a few speculative possibilities about where Iranian responses may focus:
Iran has shown an interest in our politics that demonstrates a nuanced understanding of the American political scene. Though Iran would probably not take the inflammatory step of directly targeting President Trump’s business interests, it is certainly plausible to imagine that his powerful political supporters (like Adelson) would be inviting targets, especially if they have business interests that are vulnerable to destructive data attacks.
Iran has also no doubt observed that, even three years out from the 2016 election, the U.S. has yet to come to grips with how disruptive assaults on our election system can be. Iran probably is neither capable of nor interested in replicating Russia’s social media campaign from the 2016 election, but they have watched (as have all of our adversaries) and seen how disruptive ransomware attacks against local governments have been. Such attacks can have even greater potential for disruption when the perpetrator isn’t interested in a ransom. One key concern is the targeting of election databases in battleground states in the lead-up to the 2020 election. An attack on them would devastate confidence in the fairness of the election and make the final result the subject of political dispute.
It is less likely, though by no means impossible, that Iran would use cyberattacks for even greater, real-world effect. Hospitals and the medical system have proved especially vulnerable to wiper-type attacks. A well-timed intrusion that coincided with some natural disaster (like the earthquake in Puerto Rico this week) could have a devastating effect.
None of this is to say for sure that an Iranian cyberattack looms on the horizon. But given Iran’s history of such activity, American policy makers would be wise to act with great caution. Wars are not fought only overseas any longer; the cyber domain is here at home and we are vulnerable.