To understand what domestic and strategic factors may have encouraged Iran to seek stronger cyber-capabilities, it helps to look at the several ways Iran uses such capabilities. First, Iran wants to keep its citizens under surveillance. Second, Iran wants to know the intentions and capabilities of other countries. Third, Iran wants a capability to harass those it sees as its foes. Fourth, it may be preparing larger attacks. Although all these uses require the capability to penetrate or otherwise manipulate systems and networks, each has its own motivation. The broader overall motivation remains the same: Iran is a country with revisionist tendencies that has accumulated enemies—which in turn has impelled it to develop techniques to keep them at bay. Cyber, in some circumstances, is a particularly cost-effective way of doing so.
Although the current regime has wanted to keep its citizens under surveillance since the 1979 revolution that brought it to power, its interest in doing so reached a peak in 2009 in the wake of a disputed election that spurred the Green Movement. Urban youth—the very people most likely to use social media—constituted the core of the dissidents. The government, in turn, identified particular dissidents by tracing their social media use, making inferences based on what they wrote and who they were reading. To suborn the machines of otherwise careful users, Iranian government hackers subverted two digital certificate firms—Comodo and Diginotar—and thereby managed to impersonate what would otherwise have been considered safe sites. Thus attracted, dissident machines would be served malware in order to keep their users under surveillance as they surfed other Web sites.
Iran, of late, has also generated a capacity to penetrate the networks of other governments (as well as affiliated organizations such as think tanks and the personal accounts of important officials). In recent years, Iran has even penetrated the unclassified Navy-Marine Corps Internet; detecting their presence and removing them entirely took several months. Iran's motivation for doing what many other countries also do does not require extraordinary explanation; if it appears more active than other countries, it is because, as noted, it has alienated many countries and because, as a state on the outs with others, it is not particularly ashamed to be caught spying. Thus, it carries out operations that may point back to itself in circumstances where other states would exercise more discretion or abjure altogether.
Iran's cyberattacks, however, may have less obvious explanations. Starting in 2012, it has sponsored repeated DDoS (Distributed Denial of Service, or flooding) attacks against U.S. bank sites, trashed the business computers at Saudi Aramco (an oil company), and wreaked similar damage on the computers of casino and resort operating company Las Vegas Sands. Indications are that Iran has cyber-attacked Israel, but with scant success (it may have shut down traffic signals in a tunnel under the city of Haifa). Why did Iran sponsor all these attacks? Part of the impetus may have been Iran's reaction to having been deeply embarrassed by Stuxnet, a hack that not only exposed Iran's inadequate approach to cybersecurity, but also its fecklessness in running industrial enterprises (e.g., not listening to machinery hum in unusual ways when under attack, putting machine control and machine monitoring on the same chip). Part of Iran's motive could be revenge. Some of it may be motivated by a desire to have its hostile neighbors remember who it is. The attack on Las Vegas Sands followed remarks by its owner on the advisability of dropping a nuclear weapon on Iran (so as to dissuade it from building its own weapons).
The fourth motive—preparing for larger attacks—may be inferred from reports by the intelligence community that Iran has penetrated systems associated with the power grid (although not so far as to touch any generator or power distribution controls). If such reports are to be believed, Iran's only motivation may have been to gather the intelligence that might allow it to take the grid down in some future crisis. But until it is understood what they took and who it went to, one can only speculate on motive.
Martin Libicki is a senior management scientist at the nonprofit, nonpartisan RAND Corporation. His research focuses on the impacts of information technology on domestic and national security.
This commentary originally appeared on The Cipher Brief on December 15, 2015. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.