Syria: Preparing for the Cyber Threat
Writing for the National Interest, EWI Senior Fellow Franz-Stefan Gady argues that a U.S. strike against Syria is unlikely to trigger a retaliatory cyber strike. But he cautions that such a response by Syria or Iran is not out of the question.
As U.S. military strikes against the Syrian government become more likely, many in the West are worried about retaliatory cyber attacks by pro-Assad forces on critical information infrastructure in Europe and the United States. The Syrian Electronic Army's recent hacking of various news websites and social media platforms has especially caused ‘cyber angst’ among private-sector companies. However, while sophisticated cyber attacks are a possibility, the likelihood of severe disruptions is minimal to nonexistent.
From all the open source intelligence gathered at this stage, Syria’s offensive cyber warfare capabilities are limited. While Iran, which boasts that it has "the fourth-largest cyber force in the world," is actively supporting the Assad regime, this effort, led by the Iranian Ministry of Intelligence and Security, is largely focused on electronic surveillance and identifying members of the opposition. The Assad government’s principal focus in cyberspace is domestic.
The Syrian government has little incentive to pour precious resources into sophisticated offensive cyber weapons that will not influence the outcome on the battlefield in Syria. In this case bullets are beating bytes, or, as Eric Schmidt and Jared Cohen put it succinctly in their book The New Digital Age: “You cannot storm an interior ministry by mobile phone.”
Consequently, pro-Assad cyber attacks have largely been conducted by proxy (cyber activists rather than government forces), with the result that attacks emerging from Syria or pro-Assad hackers in Iran and Russia have not been particularly sophisticated and have consisted mostly of Distributed Denial of Service (DDOS) attacks. The attack on the New York Times was more elaborate, penetrating the Domain Name System—the "phone book" of the internet, as it is often called—yet it also did little damage and was more of a cyber protest than an attack aimed at the destruction of networks and data.
While Syria’s capabilities are limited, Iran and potentially Russia could lend Assad a hand and deploy their arsenal of cyber weapons in support of the Syrian government. This, however, will have to be preceded by a conscious decision of the Iranian government to escalate the level of conflict by launching sophisticated strikes on Western critical information structures such as SCADA (supervisory control and data acquisition) systems that monitor and control power grids. These sorts of attacks are hard to pull off, since they demand sophisticated knowledge, require layers of resources and are difficult to coordinate. Because of this, such complex attacks need some form of state sponsorship.
The current improbability of debilitating attacks by Iran or Syria is not so much a sign that they are deterred from acting because of the West’s asymmetric advantage in cyber capabilities, but rather of the domestic focus of Syria’s efforts in cyberspace.
Unlikely, however, does not mean impossible. Steps have to be taken to convey to Iran, Syria and the world what the likely reaction to cyber strikes against Western targets will be in order to actively reduce the likelihood of debilitating attacks. Clearly, the West needs a strategy of cyber deterrence against Iran and Syria.
A combined Syrian-Iranian DDOS attack on a well-known Fortune 500 company—although probably fixed within a few hours—could trigger panic in global financial markets. The media is such that it can create cyber mountains out of cyber molehills. Cyber deterrence—unlike nuclear deterrence—is not meant to deter all cyber attacks. Its principal aim is to dissuade adversaries from engaging in debilitating cyber strikes.
At the lowest level, one way to increase the deterrence factor vis-à-vis adversaries is to have a more systematic public display of nation states’ cyber-war capabilities. This can have a greater deterrence effect on nonstate actors operating in the service of Iran and Syria, because they will have a clearer understanding of the forces arrayed against them. It can also make ‘signaling’—conveying the intentions of a state through a particular policy or move—easier, since a better understanding of capabilities reduces the likelihood of misguided policies.
Often, the media has been used to convey a country’s capabilities with strategic leaks of classified information (e.g. Stuxnet, Flame etc.) to some news outlets—this is part of a country’s cyber-deterrence strategy. It is likely that we will see such a strategic leak shortly before any air strikes. Whatever this leaked cyber asset may be, the ability to identify, defend against and retaliate against any attack from the Middle East will be its key characteristic.
When it comes to cyber deterrence, the revolutionary idea for policy makers to get their heads around is that the public and private sector need to be better informed on discussions pertaining to a state’s cyber war capabilities. It is no longer enough to have a small clique of policymakers and the militaries on both sides know each other’s cyber arsenals. In order to deter nonstate actors and reduce uncertainty about the consequences of cyber attacks in the general public, a more open discourse on cyber capabilities—beyond Iran and Syria—will be needed in the future.