The Islamic Republic of Iran’s cyber security strategy: challenges in an era of cyber uncertainty

Filiz Katman

Introduction

Cyber security is one of the main areas of comprehensive security approaches that attract global attention. In the cyber era, cyber security has been increasingly located on top in national security agendas. Cyber-attacks on critical institutions have been challenging national security; thus, a comprehensive mechanism is required for countering such technology-based threats. The Islamic Republic of Iran, as a key actor in the Middle East with nuclear capacity, is also targeted in cyber-espionage attacks.

In this chapter the cyber wellness profile of the Islamic Republic of Iran will be evaluated in terms of a comprehensive cyber security strategy, responsible agencies, cyber security awareness, and international cooperation. Diverse perspectives will be elaborated with a multidisciplinary approach including both defensive and offensive considerations. It will reveal types of cyber threats, cyber-attacks, cybercrime, cyber warfare, policy mechanisms, regulatory and preparedness schemes, cyber security, and nuclear security relations. Cyber programs, cyber defense, cyber force building, and cyber espionage in Iran will be evaluated. Iran is targeted at not only national level, but also its universities and private industries. Thus, a broad analysis of cyber security in Iran will be discussed in all dimensions.

This study first analyzes the comprehensive cyber security strategy of Iran. In order to frame the strategy the national security strategy, which is based on deterrence (Tabatabai, 2019: 7), will be evaluated. Iran, allegedly dreaming of a reborn Persian Empire (New York Post, 2015), has always been one of the most significant actors in the Middle East. In order to achieve such a vision, Iran should tackle contemporary challenges and opportunities. Thus, national security of Iran includes the elements of change and continuity. Cyber security is a vital and significant element of change in the strategy, and it is referred to as a comprehensive cyber security strategy. It is reported that Iran perceives cyber-attacks as a greater threat than actual war and is prepared to defend itself against them (Reuters, 2012).

In order to realize such a comprehensive strategy legal measures, technical measures, organization measures, capacity building, and cooperation will be discussed as main components of the strategy. In terms of legal measures, legislation and regulations will be explained. Then, in terms of technical measures, the content of the Cyber Incident Response Team (GIRT), standards, and certification will be analyzed.

Organizations should also be organized and assigned to certain tasks of cyber security. Considering the characteristics of the state, the Supreme Leader and the Ayatollahs have major control (Rattray, 2018: 7). Organizational structure of cyber security structures will be analyzed within the comprehensive cyber security strategy. In terms of organizational measures policy, roadmaps, responsible agency, and national benchmarking will be analyzed.

In terms of capacity building, standardization development, manpower development, professional certification, and agency certification will be discussed. A vital component of security in general, cooperation will be discussed in intra-state cooperation, intra-agency cooperation, public sector partnership, and international cooperation.

The Islamic Republic of Iran has ambitious goals in the region, allegedly extended to a reborn Persian Empire. In order to achieve such ambitions, national security strategy has a military doctrine in largely defensive and asymmetric terms with a strong military and the capabilities to deter enemies and raise the costs of conflict (Tabatabai, 2019: 7). In this framework, it has elements of continuity and change. Cyber security composes the element of change and cyber threats are referred to as greater threats than actual war. Thus, a comprehensive framework of cyber security strategy is designed in terms of legal, technical and organizational measures, capacity building, and cooperation. Such a comprehensive cyber security strategy mainly aims to deter cyber threats, create awareness, provide preparedness schemes, and connect cyber security with nuclear security.

National security strategy of the Islamic Republic of Iran

In framing and modelling the national security strategy of the Islamic Republic of Iran, a bargaining process based on infighting (division) and consensus building (consensus) is followed in an anarchic structure (Tabatabai, 2019: 3). Bargaining takes place in areas other than redlines drawn by the Supreme Leader. In this process, the Supreme National Security Council (SNSC) facilitates the process through presenting the outcomes of bargaining and highlighting the consensus to the Supreme Leader. National security policy is debated at the SNSC, composed of the representatives of the following state organs: the final arbitration of disputes by the Supreme Leader, the legislation by the Majles, execution held by the President, judiciary, and the Iranian armed forces composed of the conventional military by the Artesh, and Islamic Revolutionary Guard Corps (IRGC) (see Figure 37.1).

Aside from the aforesaid, within the office of the Supreme Leader (beyt-e rahbari), various advisor)' bodies including political, military, intelligence, security, and international affairs oversee internal and external affairs. In terms of division of labor in national security issues, relations with international powers are under the authority of the executive branch while relations with regional powers are dominantly held by the IRGC. Considering their relatively small role in national security, the Artesh and the Majles can be listed but their role is primarily in shaping public opinion and bringing the public opinion to the decisionmaking and embedding policies into the system through law making.

Within the national security' framework of the Islamic Republic of Iran, main factors can be listed such as religion, nationalism, ethnicity, economics, and geopolitics (Byman, Chubin, Ehteshami, & Green, 2001: 1). It is also inseparable from domestic and foreign policies. While it is a mix of Islamic and nationalist objectives and while geopolitics

Figure 37.1 Key Power Centers in National Security Decision-Making Source: Tabatabai, A. M. (2019).

contribute and economics, ethnicity, and communal divisions play roles in terms of regional stability, so it results in favoring more cautious policies. Thus, it can be argued that Iranian policy is based on the combination of factors with varying degrees of importance in different periods with ethnicity and economics dominating in numerous key areas (Byman, Chubin, Ehteshami, & Green, 2001: 19).

Table 37. i Comparative Drivers of Iranian Foreign Policy

Source: Tabatabai (2019: 3).

The strategic culture of Iran is composed of the powerful national cultural identity with regional hegemonic ambitions and theocratic ruling necessitating a strong military culture leading to confrontation and rivalries with regional foes and it dictates Iran’s foreign policy and military activities in general, and its cyber warfare activities in particular (Rattray, 2018: 7) (see Table 37.1).

Comprehensive cyber security strategy of the Islamic Republic of Iran

Cyber security has been considered as a vital element of national security since its uranium enrichment centrifuges were hit in 2010 by the Stuxnet computer worm, allegedly emanating from Israel or the United States (Reuters, 2012). As reflected in the words of Abdallah Araqi, Deputy Commander of Ground Forces, Iranian Revolutionary Guard (Rattray, 2018: 98), “we have armed ourselves with new tools, because a cyber war is more dangerous than a physical war.” Cyber security is considered more important, moreover, cyber is used as a weapon not only to preserve and protect the regime but also for the offensive purposes against the adversaries (Rattray, 2018: 7).

Since the first connection to the internet in the early 1990s, the Supreme Council of the Cultural Revolution controlled cyber activity in the country. IRGC supervises cyber activities in Iran. With the popular dissent relying more on new information and communication technologies (ICT) in 2009, the Green Revolution led the Iranian authorities to rely on cyber surveillance as an effective counter-strategy tool. In order to avoid a more widespread popular uprising in Iran like those which, through the power of networks, toppled regimes in Tunisia and Egypt in 2011, Iranian security forces expanded their ability to monitor and disrupt online dissent as part of a broader crackdown on opposition activities after the Green Revolution in 2009 (Lewis, 2014: 2).

As the success appears, government-sponsored cyber and hacking capabilities developed such as offensive strategies to use these capabilities against external targets, such as the Saudi oil company Aramco and the banking sector in the United States (Rattray, 2018: 99).

Cyber policies are aimed at leveraging its influence in the region and cyberwarfare is added to its arsenal “as a deterrence weapon against foreign threats to the regime, as well as a way to spy on foreign nations” (Rattray, 2018: 105). In 2011, the hack of the Netherlands internet company DigiNotar allowed Iran to read Iranian dissidents’ emails secretly (BBC, 2011).

Legal measures

In the cyber security strategy of the Islamic Republic of Iran, criminal legislation and regulations compose legal measures leading to cyber justice such as the 2009 Computer Crimes Law (criminal legislation, regulation). In this process, numerous arrangements were made including the Protection of Software Copy Right Act in 2000, Electronic Commerce Act (ECA) in 2003, Military Criminal Act in 2003, Free Access to Information Act 2007, Audio-video Crimes Act in 2008, and Cyber Crimes Act (CCA) in 2009.

In the evolution of the cyber area in the Islamic Republic of Iran, the very first institution that used internet through satellite was the Theoretical Physics Research Center in 1992; then, universities received services in 1993, meaning joining the World Wide Web. Thus, it necessitated preparation for a law on cybercrime which was initiated with a committee composed of legal and information technology (IT) experts for drafting the laws regarding cybercrimes in 2002 and the draft of the Cyber Crime Act (CCA) in 2004 which was approved by the Majles in 2009 with some modifications (Pakzad & Ghassemi, 2012: 140).

Cyber security strategy has been through an evolutionary process. First, in 2007, the Fourth Development program introduced strengthening and improvement in computer information systems (both qualitative and quantitative) and development of information society and e-commerce. In order to do this, necessary legislations for securing cyber space and confronting cyber organized crimes (such as guidelines for cyber space security) were also instructed.

In 2009, the Comprehensive Statute of Security in Production and Exchanging Data (AFTA) passed in order to establish an information transfer system. In terms of criminal legislation, a specific legislation on cybercrime has been enacted: the Computer Crimes Law No. 71063 in 2009. It was mainly inspired by the European Convention on Cyber Crimes, for the prosecution and repression of cyber activities with 56 articles on internet usage and online content with two main parts (crimes and punishments and prosecution of cybercrimes) and one miscellaneous part. In an attempt to make it understandable, simplifications led to some ambiguities. It has articles on the punishments for spying, hacking, piracy, and publishing materials deemed to damage “public morality” or to be a “dissemination of lies.” Article 18, inter alia, provides for imprisonment up to two years and a fine up to 5,000,000 Iranian Rial for anyone found guilty of “disseminating false information likely to agitate public opinion.” The main categories of criminal content can be listed as immoral content, anti- Islamic content, anti-security and disturbing the public peace, criminal content regarding intellectual property and audio and visual issues, content which encourages, invites, or provokes others to commit criminal acts, content against state and public institutions and their responsibilities, and content used to facilitate other computer crimes (GlobalVoices, 2010).

In 2010, development of national information network, electronic state, economy, commerce, justice, national defense etc. with the aim of providing internet access for 60 per cent of Iranians by 2016 was included in the Fifth Development Program.

Technical measures

The National GIRT of the Islamic Republic of Iran, namely the Computer Emergency Response Team (CERT) also known as MAFIER, was established with the goal of coordinating cyber space incident handling activities in the country for developing secure communication mechanisms for safe and secure communication among all teams (Radkani, 2013). It is composed of an incident response and response coordination team, an assessing and analyzing team, a monitoring, data gathering and updating team, a maintenance and supporting team, a malware and vulnerability analysis team, and a training team.

The CERT works on reporting and handling the incident, analyzing and reporting vulnerability, consultation on security' advisory of security articles and reports, malware analysis at a malware analysis lab and reporting and comparing antivirus, guiding malware removal, developing malware toolkit — HoneyNET — and organizing seminars and conferences. Iran does not have any officially approved national- or sector-specific cyber security framework for implementing internationally recognized cyber security standards. Iran also does not have any cyber security framework for the certification and accreditation of national agencies and public sector professionals.

Organizational measures

In the comprehensive cyber security strategy of the Islamic Republic of Iran, the National Information Network has the capacity to disconnect Iran from the global internet. There is no national governance roadmap for cyber security in Iran. The laws and regulations on the cyber area also necessitate professional law enforcement agencies. Iranian lawmakers recognizing this reality have established professional divisions within the justice system for the investigation and prosecution of cyber criminality. BASIJ, 1RGC, the Ministry of ICT, Iran’s Passive Defense Organization, and the Information Technology Organization of Iran are such enforcement agencies responsible for cyber security oversight in the Islamic Republic of Iran.

In 2011, the Cyber Police - FATA (Polis-e Faza-ye Towlid va Tabadol-e Ettela’at; Iran Cyber Police) — was formed belonging to NAJA (Niru-ye Entezami-ye Jomhuri-ye Eslami; Law Enforcement Force). It has provincial branches in order to fight against phishing, forgery, internet theft, hacking, organized internet crime, pornography, violation of privacy, to secure and preserve order, defend religious and national identity, protect private sphere and legal liberties, protect national interests, secrets, and authority, secure the fundamental infrastructures against electronic attacks, and maintain public peace.

In order to determine which content is criminal, the Iranian Judicial Administration established the Committee for Determining the Instances of Criminal Content within the Office of the State Prosecutor General. It is composed of Ministers of Education, ICT, Intelligence, Justice, Science, Research and Technology, Culture and Islamic Guidance; the President of the Islamic Propagation Organization; the head of the Islamic Republic of Iran Broadcasting; the Commander-in-Chief of the Police; an expert of ICT chosen by the Commission of Industries and Mines of the Majles; and a member of the Legal and Judicial Commission of the Islamic Consultative Assembly chosen by the Legal and Judicial Commission and confirmed by the Majles.

The Prosecutorial Office holds the judiciary process in the prosecution of cybercrimes. It is necessary for prosecutors and judges to have capacity in cyber space, thus, since 2005, there have been training courses and workshops for judicial staff to add current special prosecutorial office for cybercrimes in Tehran (Pakzad & Ghassemi, 2012: 143). Iran does not have any officially recognized national benchmarking or referential for measuring cyber security development.

Capacity building

There is no information on any program or project for research and development of cyber security standards, best practices, and guidelines in Iran. In order to create cyber security awareness in the Islamic Republic of Iran, ASIS Cyber Security Contest has been organized since 2015. Iran does not have the exact number of public sector professionals certified under internationally recognized certification programs in cyber security. Iran does not have any certified government and public sector agencies certified under internationally recognized standards in cyber security.

Cooperation

The Fourth Development program introduced in 2007 encourages cooperation with regional and international institutions and unions of information and communication technology. There is no information on any framework for sharing cyber security assets across borders with other nation states. Iran does not have an officially recognized national- or sector-specific program for sharing cyber security assets within the public sector. There is no officially recognized national- or sector-specific program for sharing cyber security assets within the public and private sector in Iran.

MAHER is involved in the international arena through membership in the Organization of Islamic Conference OIC-CERT and ITU-IMPACT, and cooperation with other CERT in cyber-attacks like phishing, waterhole attacks, botnet etc. It has achievements on disabling some reported phishing sites, identification, analysis and disinfection of several malware attacks (such as flame, narilam, batch wiper), and developing a widespread honeypot network over the country.

Categories of cybercrime

According to the CCA and ECA cybercrimes may be categorized into the following types: offences against the confidentiality of data and systems, offences against the authenticity of data and system, offences against the integrity of data and system, and offences related to the availability of data and systems, computer related crimes, accessor)’ crimes, and e-commerce crimes.

Offences against the confidentiality of data and systems refer to illegal accesses to a computer or communication systems, interception without right, made by technical means, of nonpublic transmissions of computer data to, from, or within a computer system including electromagnetic emissions from a computer system carrying such computer data, and espionage. Illegal access is punished with 91 days to 1 year of imprisonment or fines of 5—20 million Rials or both (Article 1), if there is an intention to gain access to secret date, Article 3 is applied. Illegal interception is punished with 6 months to 2 years of imprisonment or 10—40 million Rials of fine or both (Article 2).

Espionage refers to violation of security measures of computer transmitting or storing secret data. One to 3 years of imprisonment or 20-60 million Rials of fine or both is the punishment for gaining access to, obtaining, or intercepting secret data (Article 3a) while 2 to 10 years of imprisonment is the punishment for providing access to secrets for incompetent people (Article 3b), and 5 to 15 years of imprisonment is the punishment for disclosure of access to secret data for foreign states, organizations, companies or groups, or their agencies (Article 3c). Six months to 2 years of imprisonment or 10—40 million Rials of fine or both is the punishment for violating security measures of computer information systems with secret data (Article 4). Ninety-one days to 2 years of imprisonment or 5-40 million Rials of fine or both in addition to 6 months to 2 years of imprisonment during the dismissal of offender from the governmental duties is the punishment for disclosure of secret data to incompetent people out of carelessness, negligence, or infringement of the security measures by officials (Article 5).

Offences against the authenticity of data and system refer to computer-related forgery and the use of false data. In computer-related forgery (Article 6), input or alteration of reliable data or fraudulent creations or input of such data and alteration of data or signals of memory or processable cards in computer or telecommunication systems or chipsets, or deceitful creation or import of data or their signals to them are considered as criminal activities. The punishment for such crimes is 1 to 5 years of imprisonment or 20—50 million Rials of fine. Use of false data (Article 7) is also punishable with punishment of forger)’.

Offences against the integrity of data and systems refers to data interference, system interference, and cyber terrorism. In data interference (Article 8), deletion, destruction, disturbance of others’ data or making them non-processable without pennission is punished with 6 months to 2 years of imprisonment or 10-40 million Rials of fine or both. In system interference (Article 9), damaging or disturbing the functioning of computers or telecommunication systems by inputting, transmitting, distributing, deleting, interrupting, manipulating, and deteriorating data or electromagnetic or optical emissions is punishable with 6 months to 2 years of imprisonment, or a fine of 10-40 million Rials, or by both (Article 9). Using internet in terrorist activities is referred to as cyber terrorism against network, data, information, and computers for a political cause, specifically Article 11 defines it as deletion, destruction, disturbance of others’ data or making them non-processable and damaging or disturbing the functioning of or denial of access to data or system with punishment of3 to 10 years of imprisonment (Article 11).

Offences related to the availability of data and systems refers to the violation of the principle of accessibility of data and system, and the accessibility of prohibited data and system out of omission of an internet service provider. In case of a denial of access to both data and systems, the punishment is 91 days to 1 year of imprisonment or 5-20 million Rials of fine or both (Article 10). In case of failing to prevent access to criminal content, the punishment is being banned from service, in case of repetition of the same crime, it is punished with the closure of business for 1 to 3 years (Articles 21 and 23). Illegal use of bandwidth is punished with 1 to 3 years of imprisonment or 100 million-1,000 million Rials of fine or both (Article 24).

Computer-related crimes refer to theft, fraud, and offences against public decency and morals. In theft, the punishment is harsher in case of complete removal of data. In case of the first act, the punishment is 1-20 million Rials of fine, in case of the second act, it becomes 91 days to 1 year of imprisonment or 5-20 million Rials of fine or both (Article 12). In fraud, gaining property or financial means is punished with 1 to 5 years of imprisonment or 20—100 million Rials of fine or both (Article 13). In offences against public decency and morals, obscene pornographic content is punished with 91 days to 2 years of imprisonment or 5-40 million Rials of fine while indecent pornographic content is punished with the minimum amount of the aforementioned term.

In the case of encouragement, provocation, or threatening or convincing people to access, the gravely obscene content is punished with 91 days to 1 year of imprisonment or 5-20 million Rials of fine while indecent content is punished with 2-5 million Rials of fine (Article 15a). In the case of the act of encouragement, provocation, threatening, facilitating, convincing, or training, the punishment is 91 days to 1 year of imprisonment or 5—20 million Rials of fine or both (Article 15b). Offences against dignity include following acts: fabricating, distorting, or altering the video, voice, or picture of a person and its distribution, by means of computer or telecommunication systems (Article 16), distributing or making available voice, picture, private, or family video, or others’ secrets concerning another person without their permission (Article 17), disseminating of false news through computer and telecommunication systems, with the intention to harm others or disturb public peace (Article 18). In such cases, the punishment is 91 days to 2 years of imprisonment or 5-40 million Rials of fine or both. If the content is pornographic, the maximum amount is applied.

Accessory crimes refer to following acts: production, distribution, making accessible, or trading data, software, malware or any other electronic devices to commit computer crimes; distribution or making accessible of the training materials and contents on how to commit cybercrimes, sale and distribution of passwords or providing access to them or any data to unauthorized people. Article 25 refers to 91 days to 1 year of imprisonment or 5—20 million Rials of fine or both.

The Electronic Commerce Act (ECA) 2003 regulates e-commerce crimes (WIPO, 2020). E-crimes cover crimes violating the declared rights of the author related to data messaging and crimes violating individual rights. Crimes violating the declared rights of the author related to data messaging include violation of intellectual property rights, crimes against commercial secrets and signs. Article 74 of ECA refers to 3 months to 1 year of imprisonment and 50 million Rials of fine in case of violation of intellectual property rights. Article 75 of ECA refers to 6 months to 2 and half years of imprisonment and 50 million Rials of fine in the crime against commercial secrets. Article 76 of ECA refers to 1 to 3 years of imprisonment and 20-100 million Rials of fine in case of crimes against commercial signs. Crimes violating individual rights include violation of consumer rights and false commercial advertisement. Articles 33 to 43 of ECA refer to 10—50 million Rials of fine for the violation of consumer rights (to deliver effective information, giving information, right to canceling the deal, to return the money to consumer). Article 70 of ECA refers to 20-100 million Rials of fine for fraudulent, unhealthy, ambiguous, anonymous advertisement, hiding the identity or brand. Article 71 of ECA refers to 1 to 3 years of imprisonment for the violation of personal data.

Cyber operations as a weapon of deterrence

Protection of the regime from internal and external sources is the primary impetus in the national security strategy of the Islamic Republic of Iran. Thus, cyber is used not only in a defensive but also in an offensive manner against adversaries. Such offensive strategy includes internal espionage, sabotage against neighboring Arab countries, using proxies for the inclusion of Iraqi groups (including Hezbollah, the Syrian Electronic Army, and Kata’ib Hezbollah in Iraq, in an attempt to create a “Cyber Shi’ite Crescent” [Rattray, 2018: 113]), cyber-attacks against Israel and Gulf countries, data mining and cyber operations targeting infrastructure, military operations and businesses in the region (for e.g. the attack on Saudi Arabia’s oil company Aramco and the attack on Qatar’s Ras Gas company as a response to the Stuxnet attack) and Western countries (Rattray, 2018: 7—8). Specifically, the energy sector has been critical.

Among the cyber offensive cases of the Islamic Republic of Iran, the following cases raise serious considerations of the cyber capacity of the Islamic Republic of Iran as a so-called “second-tier” cyber power (Rattray, 2018: 110). These were the indictment on hacking American banks and the indictment on the attempt to hack the computerized controls of upstate New York’s Bowman Avenue Dam. It was argued that allegedly water level and temperature information to operate the floodgate remotely was obtained. Interestingly, it was considered as part of a plot to breach or paralyze 46 of the largest American financial institutions and to block access to the bank accounts online. Considering the cyber capacity, the strategy of the Islamic Republic of Iran focuses on maximizing the damage with significant political and economic outcomes through some of the most sophisticated, costly, and, consequentially, invasive and destructive cyber operations in the history of the internet (Rattray, 2018: 111).

In terms of disrupting military operations, bases are targeted via the National Passive Defensive Organization (NPDO), an elite cyber force of the Islamic Republic of Iran. Formed in October 2003 after Operation Iraqi Freedom, NPDO can be termed as quasi- military body responsible for the protection of national infrastructure of the Islamic Republic of Iran in countering “power to coerce” (P2C) (RAND Corporation, 2016) focusing on “the use of nonlethal means in order to enforce adversaries into compliance” (Nadinri, 2018). It was given authority to use “all national cyber and non-cyber resources to deter, prevent, deny, identify, and effectively counter any cyberattack against ... Iran’s national infrastructure by either hostile foreign states or (domestic) groups supported by them” (Nadimi, 2018). In line with that, Telegram, an application for sending messages, was blamed for popular protests.

According to law, it was formed in order to deal with cyber, chemical, biological, radioactive, and economic threats through “policymaking, planning, directing, organizing, coordinating, monitoring, and operating the passive defense and civil defense ... activities of enforcement agencies” (Nadimi, 2018). In line with the hybrid characteristics of the warfare in the twenty-first century, NPDO is given the multitask character of containing hard and soft threats such as internal and external security for nuclear sites and the financial, construction, industrial, telecommunications, media, energy, food security, transportation, and defense sectors. In such a complex structure of duties requiring coordination with other institutions, it has authority to make agreements with other institutions of civilian, military, and security sectors for effective cooperation and coordination. Its structure is composed of staff from IRGC and BASIJ since it was formed under the Anned Forces of the Islamic Republic of Iran (AFGS), thus it was financed by the AFGS until 2015 reaching USD$34 million budget just a few years ago (Nadimi, 2018).

In using cyber strategy not only for defensive but also for offensive purposes, the NPDO handles “services to other countries within the limits of (Iran’s) national defense diplomacy” in order to accomplish “regional resistance doctrine” and in this manner, it is argued that the NPDO has been working closely with Syria, Iraq, and Lebanese Hezbollah, as mentioned by the chairman of the NPDO in October 2017 (Nadimi, 2018). It was argued that the regime in Syria received training and technology for the interception of communications and monitoring of the internet in order to track down and oppress political opponents (Rattray, 2018: 109). Moreover, it was argued that the Islamic Republic of Iran has hosted Hezbollah officials for “Cyber Hezbollah” conferences since September 2010 (Rattray, 2018: 113).

In combatting a diverse set of threats posed to the regime (i.e. military and non-military tools including economy, popular protests and the Velvet Revolution), the aim is to gain popular support and legitimate grounds for the prosecution of domestic opposition. The AFGS used such attacks on the Iranian nuclear and energy facilities such as those in 2009, 2011, 2012, 2017, and 2018, popular protests facilitated by social media, the 2010 Stuxnet attack on nuclear facilities, and the 2012 Flame attack on oil facility as a grounds to form a Cyber Defense Headquarters in October 2011 (Nadimi, 2018). By February 2012 it had reached a point of calling for the formation of an Iranian Cyber Army (IGA) in the coordination of surveillance of citizens’ online activities and, allegedly, conducting offensive cyber-attacks in cooperation with the IRGC-BASIJ cyber command. The cyber-attack aimed to sabotage the operations and trigger an explosion in a petrochemical company in Saudi Arabia in August 2017 (Rattray, 2018: 109).

In the sanctions list of the European Union, namely the Decision of the Council of the European Union 2010/413/CFSP concerning restrictive measures against Iran, Brigadier General Gholam-Reza Jalali. former IRGC, PDO chairman, was named in the list of persons with the duty of “selection and construction of strategic facilities, including — according to Iranian statements — the uranium enrichment site at Fordow (Qom) built without being declared to the IAEA contrary to Iran’s obligations (affirmed in a resolution by the IAEA Board of Governors)” (The National Archives, 2010).

It is also argued that the Islamic Republic of Iran aims at developing its cyber capability as the fourth leg of deterrence aiming at gaining “ability to disrupt maritime traffic in the Strait of Hormuz; conduct unilateral and proxy terrorism on several continents; and launch long- range missile and rocket strikes against targets throughout the region” (Rattray, 2018: 107).

The tools used by the Islamic Republic of Iran are numerous. Installation of malicious code in counterfeit computer software, blocking of computer communications networks, and development of viruses took place in the 2012 attack on Saudi Aramco resulting in destroying 35,000 computers. Tools for penetrating computers to gather intelligence occurred in the attack on the Sands Las Vegas Corporation-LVS in 2014. The development of tools with delayed action mechanisms or mechanisms connected to control servers was observed in the attack of malicious domains emulating the ones used by the American Israel Public Affairs Committee - AIPAC (Rattray, 2018: 111).

In considering the cyber capacity and the national security strategy, the attacks aim “to disable critical infrastructure, create confusion, distrust, deception, disruption, support or to drive psychological operations that deter hostile activity or otherwise achieve strategic or tactical objectives” (Rattray, 2018: 111). The ultimate form of such goals led to the creation of the Iran Cyber Army by the Intelligence Unit of the IRGC, arguably the second-biggest cyber army in the world (Rattray, 2018: 114).

In countering the cyber capacity of the Islamic Republic of Iran, the vital element is the Joint Comprehensive Plan of Action (JCPOA), also called the Iran nuclear deal, an agreement reached between Iran and the P5+1 together with the European Union in Vienna on July 14, 2015. Recent developments on the JCPOA after the withdrawal of the United States of America challenge the argument that cyber threats emanating from Iran decreased after the JCPOA (Rattray, 2018: 115). Such consideration is made due to the fact that the Islamic Republic of Iran aims to deter threats to the regime and become a reborn Persian Empire.

Conclusion

The Islamic Republic of Iran is forced to have a contemporary national security strategy' in order to counter contemporary challenges like cyber threats. Considering the unique characteristics of the Islamic Republic of Iran, the main factor of the cyber strategy is “as a deterrence weapon against foreign threats to the regime, as well as a way to spy on foreign nations.”

In achieving such a goal, a comprehensive cyber security framework is highly' critical. In order to achieve that, the Islamic Republic of Iran focuses on legal, technical, and organizational measures together with capacity building and cooperation. In terms of legal measures, legislation and regulations provide measures to deter such threats via framing such acts as crimes. In terms of technical measures, a response team named MAHER has a reputation with its capacity, activity, and cooperation with international organizations. In terins of organizational measures, since the main factor is to deter the foreign threats against the regime, a main body' of national security, namely the IRGC, plays a vital role but it also has other units in order to work in coordination with each other.

Th EGA and CCA are the main elements of cy'ber security legislation and the acts classified as crime are defined in detail in the cyber area. The uniqueness of the cyber security legislation of the Islamic Republic of Iran lies in its moral values, which are highly strengthened in the cyber security legislation. Since the cy'ber threats are highly' contemporary, it necessitates the Islamic Republic of Iran to counter such contemporary challenges with continuous updates in the legislation, technical capacity, organization, capacity building, and cooperation.

In deterring internal and external threats to the regime and challenging the region as a hegemonic power, both defensive and offensive strategies are considered in the comprehensive cy'ber security strategy' framework of the Islamic Republic of Iran in order “to disable critical infrastructure, create confusion, distrust, deception, disruption, support or to drive psychological operations that deter hostile activity or otherwise achieve strategic or tactical objectives” through developing cy'ber capability as the fourth leg of deterrence.

Recent attempts to develop the cyber capacity of the Islamic Republic of Iran, namely NPDO, ICA, and Cyber Hezbollah, aim at transforming from a “second-tier” cy'ber power position to the second-biggest cyber army in the world. Adversaries observe such ambition and they weigh options available in the post-JCPOA including cyber warfare as well.

Suggested reading

Article 19. (2012). “Islamic Republic of Iran: Computer Crimes Law.” www.articlel9.org/data/files/ medialibrary/2921/12-01-30-FINAL-iran-WEB per cent5B4 per cent5D.pdf

Baldino, D. & Goold, J. (2014). “Iran and the Emergence of Information and Communications Technology: The Evolution of Revolution?” Australian Journal of International Affairs, 68(1): 17-35.

Carnegie Endowment for International Peace. (2018, January 4). “Iran’s Cyber Threat: Conclusion and Prescriptions.” https://carnegieendowment.org/2018/01/04/iran-s-cyber-threat-conclusion-and-pre scriptions-pub-75143

Doffinan, Z. (2020, January 11). “Iran’s ‘Critical’ Cyberattack Threat: This Is What Is Really Happening Right Now.” www.forbes.com/sites/zakdoffinan/2020/01/11 /irans-critical-cyberattack-threat-this- is-what-is-really-happening-right-now/#79e6a7184178

O’Flaherty, K. (2020, January 6). “The Iran Cyber Warfare Threat: Everything You Need To Know,” Forbes, www.forbes.com/sites/kateoflahertyuk/2020/01/06/the-iran-cyber-warfare-threat-every thing-you-need-to-know/#35d56ac215aa

Vicens, A. J. (2020, January 3). “Here’s What a Cyber Attack by Iran Might Look Like,” Mother Jones. www.motherjones.coin/politics/2020/01/heres-what-a-cyber-attack-by-iran-might-look-like/

References

BBC. (2011, September 5). “Fake DigiNotar Web Certificate Risk to Iranians.” www.bbc.co.uk/news/ technology-14789763

Byman, D., Chubin, S., Ehteshami, A. & Green, J. D. (2001). “Iran’s Security Policy in the Post- Revolutionary Era,” RAND Corportation, Santa Monica, United States, www.rand.org/pubs/mono graph_reports/MR 1320.html

GlobalVoices. (2010). “Iran: We Are All Computer Criminals.” https://globalvoices.org/2010/ll/23/ iran-we-are-all-computer-criminals/

Lewis, J. A. (2014). “Cybersecurity and Stability in the Gulf, Gulf Analysis Paper,” Center for Strategic and International Studies, Washington, DC. https://csis-prod.s3.amazonaws.com/s3fs-public/legacy_ files/files/publication/140106_Lewis_GulfCybersecurity_Web_0.pdf

Nadirni, F. (2018). “Iran’s Passive Defense Organization: Another Target for Sanctions,” Washington, DC. www.washingtoninstitute.org/policy-analysis/view/irans-passive-defense-organization-another- target-for-sanctions

The National Archives. (2010). “Council Decision 2010/413/CFSP.” www.legislation.gov.uk/eudn/ 2010/413/2020-01-31

The New York Post. (2015). “The Iranian Dream of a Reborn Persian Empire.” https://nypost.com/ 2015/02/01/ the-iranian-dream-of-a-reborn-persian-empire/

Pakzad, B. & Ghassemi, G. (2012). “Cybercrimes in Iran: Perspectives, Policies and Legislations,” in S. Manacorda (ed.), Cybercrinunality: Finding a Balance between Freedom and Security (pp. 139—163). Milano: ISPAC.

Radkani, E. (2013). “MAHER (Iran National CERT.” www.itu.int/net/WSIS/implementation/2013/ forum/agenda/session_docs/Day4/113/Panelist3-Radkani.pdf

RAND Corporation. (2016). “The Power to Coerce: Countering Adversaries without Going to War.” www.rand.org/pubs/research_reports/RRl000.html

Rattray, G. (2018). “Strategic Culture and Cyberwarfare Strategies: Four Case Studies,” SIPA Capstone Workshop. https://sipa.columbia.edu/file/7168/download?token=qLvPL-J8

Reuters. (2012). “Iran Sees Cyber Attacks as Greater Threat than Actual War.” www.reuters.com/art icle/net-us-iran-military/iran-sees-cyber-attacks-as-greater-threat-than-actual-war-idusbre88o0my 20120925

Tabatabai, A. M. (2019). “Iran’s National Security Debate, Implications for Future U.S.-Iran Negotiations,” RAND Corporation, Santa Monica, United States, www.rand.org/content/dam/rand/pubs/perspec tives/PE300/PE344/RAND_PE344.pdf

World Intellectual Property Organization-WIPO. (2020). “Electronic Commerce Law of the Islamic Republic of Iran.” www.wipo.int/edocs/lexdocs/laws/en/ir/ir008en.pdf