Iran, writes Benjamin Runkle, has developed formidable capabilities for electronic spying and hacking, and has carried out sophisticated cyberattacks on Saudi Arabia, the U.S., and Israel. Nor is the Islamic Republic the only Middle Eastern threat to American cybersecurity: Hizballah, Islamic State, and the self-styled Syrian Electronic Army (which works for the Assad regime) are all engaged in cyberwarfare. Runkle writes:
[W]hereas Russia and China have the resources to build conventional [military forces] unthinkable for most Middle Eastern actors, the entry costs to acquiring a significant cyber capacity are low enough to allow the Middle East’s weaker states—or non-state actors—to obtain capabilities that threaten U.S. and allied interests. . . .
[C]yberattacks [also] allow potential adversaries to bypass America and its regional allies’ military forces in order to target civilian infrastructure and economic targets directly. . . . Iran’s hackers are targeting critical infrastructure and developing the ability to cause serious damage to the U.S. power grid, hospitals, or the financial sector. . . . In fact, recent history suggests that Tehran’s offensive cyber capacity has dramatically evolved in sophistication and scope. . . .
In sum, Iran’s demonstrated willingness to conduct destructive cyberattacks, its ability to offset U.S. and allied military superiority in the region through cyberwar, its dearth of equivalent targets for deterrence or retaliatory attacks, and the Islamic Republic’s strategic culture favoring asymmetric or indirect conflict over conventional war mean that it poses at least as great a threat of initiating a “catastrophic” attack against U.S. or allied critical infrastructure as [the otherwise] technically superior Russian and Chinese hackers.