It is an understatement to say that 2015 was a terrible year for the Middle East: the humanitarian disasters spawned by the wars in Syria and Yemen continued unabated; the Islamic State expanded its terrorist operations throughout the region; and Iran accelerated testing of its ballistic missiles and increased its domestic oppression after agreeing to the nuclear deal that will provide Tehran with up to $150 billion in sanctions relief.
Unfortunately, 2016 may already be off to an even worse start. On January 2, Saudi Arabia executed prominent Shia cleric Sheikh Nimr Baqir al-Nimr after his conviction on terrorism charges stemming from his support of mass anti-government protests in 2011. Iran responded by permitting mobs to attack the Saudi missions in Tehran and Mashhad. Saudi Arabia and other Gulf states subsequently cut diplomatic ties with Iran, thereby heightening the already deadly sectarian tensions sweeping the region.
However, it is unlikely that these tensions will escalate into a shooting war in the near term. Saudi Arabia faces systemic challenges to its internal stability and is already militarily engaged in neighboring Yemen. Meanwhile, Iran’s conventional military strength still lags behind that of the Gulf states’ when U.S. military power in the region is taken into account. Yet rather than a military confrontation, the more probable threat is that Iran will launch a campaign that operates in the gray areas of hybrid warfare similar to Russia’s efforts in Ukraine. Given Iran’s penchant for operations that attack its adversaries’ soft targets while assuring Tehran a degree of deniability, U.S. policymakers should be concerned about the real possibility of a full-blown cyberwar emerging between Iran and our Gulf allies.
Although cyberwarfare is a relatively new phenomenon, Iran already has a history of conducting cyberattacks against its regional rivals during diplomatic crises. In retaliation for the Saudi government’s “crimes and atrocities” in countries such as Syria and Bahrain, in 2012 a group calling itself “Cutting Sword of Justice” launched a malware attack on Saudi Aramco – Saudi Arabia’s state oil company — that destroyed 30,000 computers, and shortly thereafter a similar virus struck Qatar-based gas company RasGas. From 2012 to 2014, Iran’s “Operation Cleaver” targeted companies in Kuwait, Qatar, Saudi Arabia, United Arab Emirates, and 12 other countries in sectors “including oil and gas, energy and utilities, transportation, hospitals, telecommunications, technology, education, aerospace, defense contractors, and chemical.” Already, in the wake of Saudi Arabia and Iran severing diplomatic ties, unknown hackers have attacked key websites belonging to the Saudi Defense Ministry.
Iran has also employed foreign proxies to launch cyberattacks against countries opposing Tehran’s interests in the region’s various conflicts. The “Syrian Electronic Army” (SEA) has attacked Saudi Arabia, Qatar, and other countries known to be supporting Syrian rebel groups, targeting news networks such as Qatar’s Al Jazeera, Saudi Arabia’s Al Arabiya, and U.S. outlets such as the New York Times and Washington Post. It has sabotaged websites belonging to the U.S. Army and Marine Corps, and even hijacked President Obama’s Facebook and Twitter accounts. Similarly, last June the previously unknown “Yemen Cyber Army” released roughly half a million documents stolen from the Saudi Foreign Ministry in retaliation for the Saudi-led intervention in Yemen.
While fears of a “cyber 9/11” may be exaggerated, and even the most damaging cyberwar in the Middle East is likely preferable to a shooting war between Iran and Saudi Arabia, a cyber conflict between the two nations could still have significant repercussions for the United States. First, given that President Obama pledged to defend the Gulf states against Iranian cyberattacks at last May’s Camp David summit, a Middle East cyberwar would likely draw America into the conflict. Standing by idly in such a scenario would further damage America’s already weakened credibility in the region, and might lead the Gulf states to seek assistance from other great powers with significant cyberwar capabilities seeking to expand their influence in the Middle East.
Second, it is difficult to contain the effects of cyberweapons with any precision. The Stuxnet virus, for example, inadvertently spread to computers from Indonesia to India to the United States. Whereas that malware was designed only to damage the specific type of industrial control systems used in Iran’s Natanz nuclear reprocessing plant, it is doubtful that any attack designed by Iran would match this precision. Conversely, if the Gulf states sought to purchase offensive malware or rent mercenary hackers on the dark web to retaliate against Iran, it is unlikely they would possess the sophistication or accountability to limit a cyberattack’s effects. Thus, any malware generated by a Middle East cyberwar could replicate out of control and cause significant damage beyond the conflict zone.
Finally, there is the possibility that a destructive cyberattack could trigger a kinetic retaliation. America reserves the right to use military force in response to a cyberattack that produces fatalities. Would Saudi Arabia similarly consider a cyberattack that crashed Riyadh’s electrical grid in the midst of a sweltering summer and caused heat-related deaths a casus belli for military action against Iran? If so, conflict could escalate from ones and zeros to missiles and bombs faster than diplomacy could contain.
The Obama administration was right to pledge to defend the Gulf states from Iranian cyberattacks, even if the specifics were somewhat ambiguous. In light of recent reports that a Russian cyberattack may have crashed Ukraine’s electrical grid — thereby raising the potential stakes of a cyberwar — U.S. policymakers need to be preparing contingency plans for the possibility that current Saudi–Iranian tensions will result in a cyberattack at least as destructive as the Saudi Aramco attacks. Similarly, it would behoove candidates of both parties to have coherent positions in the event of a rapid escalation of the emerging Saudi–Iranian cold war.
Benjamin Runkle has served as in the Defense Department, as a Director on the National Security Council, as a Professional Staff Member on the House Armed Services Committee, and as a consultant in DHS’s Office of Cybersecurity and Communications.
Photo credit: Cathy Stanley-Erickson (adapted by WOTR)