October 28, 2022 | CEEW Monograph
The Dangers of Iran’s Cyber Ambitions
October 28, 2022 | CEEW Monograph
The Dangers of Iran’s Cyber Ambitions
Introduction
Tehran has not engaged in spectacular cyberattacks against the United States over the past four years — even after the Trump administration imposed devastating sanctions on Iran and launched a drone strike that killed Major General Qassem Soleimani, commander of the Islamic Revolutionary Guard Corps (IRGC) Quds Force.1 This is a puzzling departure from precedent and obscures the broader trend of Tehran’s improving cyber capabilities.
Iran’s 2011–2013 campaign of DDoS attacks against the U.S. financial system — in which hackers took down bank websites by flooding them with traffic — marked one of the earliest examples of CEEW by any nation.2 Since then, Tehran appears to have recalibrated its tactics to mirror some of the more successful operations of other U.S. adversaries. The Islamic Republic now engages in disinformation operations, conducts supply chain attacks, and penetrates U.S. critical infrastructure. Some of these activities may constitute CEEW, while others position Iran for future attacks.
Washington should not assume that Tehran’s tactical changes indicate the United States has deterred Iran from launching destructive attacks. Deterrence is not static. It requires regular maintenance. Underestimating a committed adversary is dangerous, and a misdiagnosis risks underinvestment in intelligence gathering, leading to strategic surprise. It is possible that U.S. sanctions, indictments, and counter-cyber operations have deterred Iran from further attacks.3 It is also possible that Iranian hackers are attempting dramatic attacks but failing.
Alternatively, the regime may have elected not to expend limited resources on destructive attacks but to maintain the capability to employ them later on. After all, cyber-espionage can always be a steppingstone to more aggressive operations, and it can be difficult to parse motive from a few lines of code. In late 2019, for example, Microsoft warned that Iranian hackers were trying to breach industrial control systems (ICS) — that is, computer systems that control critical infrastructure — to conduct physically disruptive attacks in the United States.4 Other private security researchers cautioned that reconnaissance and espionage were equally likely motivations.5 Given the uncertainty, the United States cannot afford to dismiss the Iranian cyber threat.
Iran’s hackers are persistent. For example, in 2018, the Department of Justice charged the Iranian government with sponsoring a multi-year campaign to pilfer data from hundreds of universities, companies, and government entities in the United States and around the world.6 The following year, researchers discovered the same hackers using the same tactics and network infrastructure to target more than 60 universities in the United States.7
Iranian hackers have repeatedly caused damage despite their less sophisticated capabilities compared to America’s other cyber adversaries. And Tehran’s skills are improving. The Islamic Republic is demonstrating a “growing expertise” in its cyber operations, the U.S. intelligence community concluded in its February 2022 annual threat assessment.8 Likewise, Microsoft observed a “gradual evolution of the tools, techniques, and procedures employed by malicious network operators based in Iran” throughout 2021.9
In recent years, Tehran has demonstrated improvements in its social engineering and technical skills that raise concerns for future Iranian cyber operations, CEEW or otherwise. Rather than focus exclusively on thwarting or deterring current Iranian operations, the United States and its allies must take steps to prevent Iran from becoming a more capable adversary in the future.
Domestic Repression as a Cyber Training Ground
The Islamic Republic’s cyber capabilities were born in reaction to the mass protests following the fraudulent 2009 Iranian presidential election.10 The protesters’ use of the internet and social media for mobilization and information sharing was the regime’s first brush with the power that cyberspace provided to the Iranian people.
Iran’s Ministry of Intelligence has thus “recruited highly educated people and turned their cyber talents into tools to exploit, harass, and repress their fellow citizens and others deemed a threat to the regime,”11 according to FBI Director Christopher Wray. This development threatens the United States because the techniques deployed against Iranian dissidents “foreshadow the tactics and tools that will be employed against other targets,” scholars Collin Anderson and Karim Sadjadpour concluded in a study four years ago. They noted that “most victims of Iranian cyber operations are in Iran or the large Iranian diaspora,” but the Advanced Persistent Threat (APT) groups responsible for internal surveillance are often also responsible for global espionage.12
In September 2020, Washington imposed sanctions on Iran’s APT39 and its front company Rana Intelligence Computing Company, which were operating on behalf of the Iranian Ministry of Intelligence. The U.S. Treasury Department explained that Rana’s operations were “both internal to Iran and global in scale,” with its victims comprising “hundreds of individuals and entities from more than 30 different countries across Asia, Africa, Europe, and North America,” including 15 U.S. companies.13
Like the line between domestic and internationally focused APTs, the distinction between espionage-focused APTs and destructive APTs may also be blurring. Private cybersecurity firms have warned that Iranian APTs associated with espionage maintain destructive malware in their arsenal.14
The overlap between those engaged in domestic and international operations is not surprising. The tactics needed to surveil or harass domestic opponents can apply to international espionage targets. For example, the Department of Justice indicted two Iranian hackers in September 2020 for a “coordinated cyber intrusion campaign — sometimes at the behest of the government of the Islamic Republic of Iran.” These hackers “brazenly infiltrated computer systems” around the world, explained then-U.S. Attorney for the District of New Jersey Craig Carpenito. They sought to steal sensitive data while also attempting “to intimidate perceived enemies of Iran, including dissidents fighting for human rights in Iran and around the world.”15
Tehran clearly seeks to shape the domestic information environment. For example, to prevent activists from organizing and sharing information, the regime has repeatedly throttled internet connectivity during protests.16 In November 2019, Tehran ordered internet service providers to disrupt internet access across the country as demonstrations against fuel price spikes spiraled into political protests against the regime.17 Similarly, Iran’s Khuzestan Province experienced internet disruptions in July 2021 during protests sparked by water shortages.18 In both cases, Tehran aimed to limit the ability of protestors to share information with the outside world about the regime’s suppression of dissent.
Human rights and digital rights organizations attribute Tehran’s ability to cut internet access to Iranian efforts over the past decade to filter web content and to build a sovereign internet infrastructure known as the National Information Network, or SHOMA in Persian.19 In March 2021, the IRGC announced yet another initiative to purge the internet of “vulgarities.”20 The effort implemented Supreme Leader Ali Khamenei’s instructions that the internet “should not be put at the discretion of the enemy.”21
Advancements in Disinformation Operations
Tehran has long engaged in online influence operations to “launder information and push distorted narratives, especially with respect to Iran and Saudi Arabia,” the congressionally mandated Cyberspace Solarium Commission concluded in December 2021.22 The Commission noted that Iranian disinformation operations have become more frequent, but “its tactics remained technically unsophisticated.” Indeed, Iran’s skills do not match those of Russia, but over the past four years, Tehran’s hackers have demonstrated a growing understanding of the U.S. information environment and the social engineering needed to target Americans.
Fortunately, the four Iranians responsible for a 2014–2015 cyber-espionage operation targeting U.S. intelligence officials appear to have had limited success because of their poor English-language skills.23 The hackers worked with a former U.S. counterintelligence agent (whom the Justice Department later charged with espionage) and were therefore presumably valuable Iranian operatives. But their grammar revealed them as imposters.
By contrast, when Microsoft revealed a 2020 Iranian operation targeting more than 100 people planning to attend the Munich Security Conference, a prestigious gathering in Germany, the company noted the attackers used “perfect English.”24 One may infer Iranian hackers now have a better command of the English language.
Two Facebook operations highlight Iran’s growing understanding of how to leverage social media platforms.25 Social engineering can convince a target to download malware, hand over credentials, or believe a false narrative. In 2018, Facebook shut down accounts for “coordinated inauthentic behavior” when Iranian hackers tried to convince victims to follow pages and consume disinformation.26 Three years later, Facebook revealed another operation involving “sophisticated fake online personas” with “profiles across multiple social media platforms to make them appear more credible.”27
Microsoft also observed that Iranian threat actors are displaying more persistence.28 Whereas actors previously sent bulk unsolicited emails with malicious attachments, they are now using much more time-consuming and individualized tactics.29
These improvements were evident in a disinformation operation during the 2020 U.S. presidential election. Having witnessed Russia’s success at sowing discord during the 2016 election, Iranian hackers attempted a combined hacking and disinformation operation against American citizens, according to U.S. government statements and a Justice Department indictment.30 The indictment does not directly attribute the operation to the Iranian government and only alleges that the hackers worked for a company that provides services to the Iranian regime. However, a U.S. intelligence community assessment concluded with high confidence that Supreme Leader Khamenei likely authorized a “whole of government effort” to interfere in the U.S. election.31
Director of National Intelligence John Ratcliffe arrives to a closed-door briefing on election security for the Senate Select Committee on Intelligence on September 23, 2020, in Washington, DC. (Drew Angerer/Getty Images)
Because of the hackers’ mistakes, American law enforcement quickly uncovered an effort to intimidate registered Democrats by impersonating the Proud Boys, a right-wing extremist group.32 The subsequent Justice Department indictment revealed, however, that the operation was more sophisticated than early reporting indicated. The hackers first attempted to compromise voter registration websites in multiple states. Successfully breaching one, the hackers downloaded 100,000 voter records. They then used the information to target registered Democrats with the voter intimidation emails.33 These emails included the name and address of the recipient and did not contain grammatical errors that compromised their credibility. The hackers also sent messages and videos to Republican lawmakers and members of the media, again pretending to be Proud Boys volunteers, claiming that Democrats were hacking election records and creating fraudulent ballots.34
The operation revealed an understanding of the fissures in American society. “The message to Republicans echoed baseless claims Trump had already voiced — that Democrats were prepping to steal the election. The message to Democrats was that thuggish Trump supporters were trying to bully their way to victory,” The Washington Post explained.35
In addition to Tehran’s own disinformation operations, the convergence of Iranian, Russian, and Chinese disinformation campaigns provides an avenue for the Islamic Republic to achieve an outsized impact.36 As scholar Clint Watts has observed:
By opportunistically reinforcing each other’s information manipulation efforts, the cumulative sum of their [Russia, Iran, and China] efforts is greater than its individual parts. It also allows each country to concentrate on its comparative advantages. Russia’s tremendous capacity for content production and programming in multiple languages offers China and Iran cost savings and extended reach. China’s Twitter attacks on America provide the Kremlin an information warfare proxy. Iran’s haughty, aggressive anti-American claims allow Russia and China to advance narratives they’d rather not put forth under their own names.37
This amplification of each other’s messages does not prove coordination. However, the potency of mutually reinforcing disinformation efforts by adversaries is concerning. If U.S. adversaries recognize the benefits of “opportunistically reinforcing” each other’s operations, they may begin to apply it to CEEW campaigns.
Lessons From Attacks on Iran’s Neighbors
Iranian cyber operations against its regional adversaries “could be a testing ground for attacks against U.S. targets,” as The Washington Post put it, citing Adam Meyers of cybersecurity firm CrowdStrike.38 As U.S. sanctions intensified and tensions soared in the Persian Gulf in the summer of 2019,39 Iran launched cyberattacks against Bahrain. While Tehran’s animosity toward Manama pales in comparison to its rivalries with Riyadh and Jerusalem, Bahrain is home to the U.S. Navy’s Fifth Fleet and Naval Forces Central Command. Among other targets, Iranian hackers hit Bahrain’s Electricity and Water Authority, Aluminum Bahrain, and national oil company Bapco. The attacks disrupted the operation of these critical-infrastructure entities by destroying (or “wiping”) data vital to their function.40 A few months later, IBM’s threat researchers disclosed a destructive Iranian campaign targeting industrial and energy firms across the Middle East.41 Saudi Arabia detected similar activity.42
Data destruction has no intelligence value but can have a strategic or psychological value. For example, in late 2020, the Israeli cybersecurity firm ClearSky observed an Iranian APT conducting what appeared to be criminal ransomware operations against Israeli targets.43 The firm concluded, however, that because the hackers leaked data and posted threatening messages, they were engaged not in ransomware but in information operations aimed at sowing fear in the Israeli public.44
Separately, the hacker group MuddyWater — which the U.S. government subsequently called “a subordinate element within the Iranian Ministry of Intelligence and Security”45 — launched a series of ransomware attacks on Israeli companies in the fall of 2020.46 ClearSky assessed that the attack did not aim to extract a ransom for locked data. Rather, the operation resembled Russia’s 2017 NotPetya attack on Ukraine, in which hackers disguised their wiper malware (which destroys data) as ransomware (which merely encrypts the data until the victim pays a ransom).47
Using ransomware to disguise espionage, destruction, or influence operations helps obscure the attackers’ motivation. It may also hinder attribution by creating the impression that the attackers are criminals operating independently from a nation state.
Learning from other hackers, Iranian APTs have also begun experimenting with supply chain attacks against Iran’s neighbors. In such attacks, the hacker penetrates dozens or hundreds of companies by breaching a trusted vendor, managed service provider, or other third party with direct network access to the victim’s systems.
In one operation, Tehran breached a logistics company in Israel, Amital Data, along with other companies in the transportation, logistics, and import sectors. From there, the hackers used Amital’s list of clients and login information to breach another 40 firms.48 While the attack’s financial cost remains unclear, targeting the transportation sector is worrisome from a strategic perspective because a military cannot move troops and supplies if the nation’s transportation sector is compromised.
The Iranian government’s most headline-grabbing cyber operations over the past four years targeted Israeli water facilities.49 While a June 2020 attack appears to have hit a small agricultural facility with no real-world effects, an unsuccessful April 2020 attack targeting Israel’s drinking water could have resulted in a public health crisis.50 Israel took the operation so seriously that it reportedly responded by launching a cyber operation that knocked a major Iranian port offline.51
By launching cyberattacks against its neighbors, Tehran may also be trying to exacerbate tensions between the United States and its allies. For example, when the United States is in delicate nuclear negotiations with Iran, Washington has largely ignored Iranian cyberattacks in the Middle East. The absence of an American response may worsen friction between the United States and its Israeli and Arab allies, which already see Washington as too accommodating to Tehran.
Leveraging Common Techniques Against U.S. Critical Infrastructure
The U.S. intelligence community has repeatedly assessed that Iran can “conduct attacks on critical infrastructure.”52 In November 2021, a joint advisory from the FBI, the U.S. Department of Homeland Security, the UK’s National Cyber Security Centre, and the Australian Cyber Security Centre warned that “Iranian government-sponsored APTs” are targeting the U.S. transportation and healthcare sectors.53
Cybersecurity firm Dragos has observed two Iranian APTs attempting to compromise the ICS of U.S. utilities.54 Dragos concluded, however, that because Iran lacks “ICS-specific capabilities,” the hackers were likely focused “exclusively on information gathering at this time.”55
Yet Iran does not need ICS-specific capabilities to disrupt critical infrastructure. When U.S. pipeline operator Colonial Pipeline suffered a ransomware attack on its information technology systems in May 2021 at the hands of a Russian ransomware gang, the company “proactively disconnected” components of its gas pipeline “to ensure the systems’ safety,” explained the Department of Homeland Security.56 Colonial Pipeline’s CEO later testified before Congress that responders “halt[ed] operations throughout the pipeline … to help ensure that malware did not spread to the Operational Technology (OT) network, which controls our pipeline operations.”57 Ransomware effectively shut off a pipeline providing nearly half of all fuel to the East Coast.
Iranian hackers use common tools to conduct their operations, wielding an “opportunistic approach” to cyber operations, the U.S. intelligence community concluded last year.58 They are attempting, for example, to exploit the widely reported Log4j vulnerability to gain access and exfiltrate data.59 They are not the first hackers to do so, but the vulnerability is so prevalent across thousands of systems that it is a ripe avenue for attack.
The November 2021 U.S.-UK-Australian joint advisory noted that Iranian APTs are exploiting vulnerabilities as many as three years old and target systems that have not patched a severe vulnerability in Microsoft Exchange.60 This vulnerability earned headlines in 2021 for its severity and scale.61 In July 2021, Sky News, a British television station, obtained a cache of documents that purported to be assessments by IRGC hackers of possible cyber targets, including Western cargo ships, fuel pumps, building management systems, and maritime communications networks. The hackers “appeared to rely on open source research rather than any privileged information,” Sky News reported. Private cybersecurity firm Mandiant concluded that the Iranian hackers focused on “simple, opportunistic attacks.”62
Using unsophisticated techniques that are easy to spot does not mean an APT group is amateur. For example, Microsoft noted that the Iranian APT group was “deliberate” and “operationally, very sophisticated.”63 The group may not need to use custom malware or sophisticated techniques to be successful because its victims have weak defenses. In a separate report, Microsoft revealed that Iranian hackers had used “password spraying” — attempting multiple guesses of predictable passwords to break into an account — against U.S. and Israeli defense companies. The report noted that basic security measures can protect against this technique.64
Iranian hackers are dangerous because they are opportunistic, adopt the successful strategies and tools of other hackers, and exploit the weak defenses of their targets.
Right-Sizing Concerns About Cooperation With Other U.S. Adversaries
In November 2018, the Department of Justice indicted two Iranian hackers for a nearly three-year ransomware campaign that generated $6 million in revenue and cost victims — including the cities of Atlanta and Newark, the Port of San Diego, and six hospitals and other healthcare-related companies — more than $30 million.65 More recently, in May, researchers linked an Iranian government-backed group to financially motivated data exfiltration, ransomware, and extortion.66 It is not clear, however, if the hackers were raising funds for the government or themselves. Tehran could learn from these experiences and begin using ransomware not only to disguise other motives but also to raise funds to bankroll a range of malign activity.
The North Korean regime provides an example of this phenomenon. As the North Korea chapter of this monograph explains, financially motivated cyberattacks lie at the core of Pyongyang’s cyber strategy and have enabled the regime to remain solvent despite robust U.S. and UN sanctions. Were Iran to face a severe economic recession, Tehran could mimic Pyongyang’s strategy, acquire North Korean malware, and learn best practices through bilateral agreements.
However, this strategy poses risks for the Islamist regime. A study at Columbia University concluded that Tehran is unlikely to launch financially motivated attacks against global financial institutions, because doing so would “damage Iran’s credibility as an economic partner.”67
Russia and Iran, meanwhile, have signed several cybersecurity cooperation agreements over the past five years.68 In January 2021, the two countries signed an accord to coordinate their cyber activities, exchange technology, cooperate on training, and coordinate within international institutions.69 Iran’s Foreign Ministry said the agreement covers cooperation on detection of cyber intrusions and coordination “to ensure national and international security.”70
Previous cyber cooperation agreements between Tehran and Moscow have not led to any observable tactical coordination on offensive operations. But because Iranian hackers are far less skilled than their Russian counterparts, any knowledge transfer would improve Tehran’s cyber capabilities.
Still, recognition of Russia and Iran’s history of mutual suspicion and the enduring tension between them should temper handwringing about Russian and Iranian cooperation, although the two powers appear to be growing closer following Moscow’s invasion of Ukraine.71 While Russia finally delivered its S-300 air defense system to Iran after the implementation of the 2015 Iran nuclear deal,72 Moscow has not sold Tehran its more advanced S-400 system despite making it available to Turkey and other buyers.73 In the cyber realm, distrust at the operator level — that is, among the actual hackers — may also be high after reports that Russian hackers commandeered Iranian cyber-espionage infrastructure to launch their own operations.74
By contrast, Beijing and Tehran have historically recognized the value of a strong bilateral relationship.75 As a significant purchaser of Iranian crude oil and a critical trade partner,76 China has provided Iran with telecommunications and surveillance equipment, often in defiance of U.S. sanctions. Chinese telecommunications giants Huawei and ZTE have provided surveillance equipment to the Iranian government to monitor texts, calls, and emails for nearly a decade.77 Washington has penalized companies for sanctions evasion and obstruction of justice related to these sales.78 However, prior agreements, high-level visits, goodwill gestures, and even equipment sales between the two countries appear not to have led to a change in Iranian offensive cyber activities.79
Finally, it is worth noting that Iran has long shared China’s and Russia’s goal of challenging norms of a free and open internet, although coordination between these countries is loose at best.80 The Islamic Republic, along with human rights abusers such as Belarus, Myanmar, Syria, and Venezuela, cosponsored a 2019 UN resolution proposed by Russia and China that would legitimize domestic repression.81 Within the Chinese- and Russian-led Shanghai Cooperation Organization, which last year granted Iran full membership,82 Tehran seeks cooperation to combat the influence of foreign social media organizations.83 And within the annual Caspian Media Forum, Iran is working with other members to combat “imposed external values alien to” the region.84 This collaboration in international forums sets the stage for further cooperation.
Recommendations
FDD’s 2018 monograph on Iranian CEEW offered policymakers 10 recommendations to better understand the Iranian cyber threat, strengthen U.S. and allied defense capabilities, and impose costs on Tehran for its malicious cyber activities.85 Washington has still not done enough on these three fronts.
2018 Recommendations
UNDERSTAND THE IRANIAN CYBER THREAT LANDSCAPE
- Analyze Tehran’s cyber escalatory ladder.
- Analyze Tehran’s cyber investments, industrial base, and partnerships with other rogue actors in order to target these assets as needed.
STRENGTHEN DEFENSE
- Bolster information sharing with U.S. allies to improve allied defenses.
- Develop a joint R&D agenda with U.S. allies to address common threats from Iran and other malicious cyber actors.
- Conduct joint cyber wargames with allies in the Middle East to demonstrate U.S. resolve to defend allies.
- Announce that the United States will defend its key allies from significant Iranian cyberattacks.
IMPOSE COSTS ON TEHRAN
- Sanction key Iranian leaders for authorizing cyberattacks.
- Use cyber-enabled information warfare capabilities to exploit and sharpen divisions between the regime and the Iranian public.
- Hold at risk Iranian assets using cyber and kinetic means.
While punishing Iran remains important, it will always be a reactive policy to address Tehran’s capabilities. The maturation of Iranian cyber capabilities over the past four years requires greater attention to understand the trajectory of the Iranian cyber threat. The Islamic Republic has demonstrated its intent to attack American allies. The United States should take the following steps to prevent Tehran from becoming a more capable cyber power.
1. Undermine Tehran’s control over the Iranian people’s access to information. Capabilities that the regime deploys against its own citizens can quickly present a threat to U.S. national security. Protests in Iran against government policies and against the theocracy itself continue.86 Thus, the regime will likely resort to violence and even sever access to the global internet. This presents an opportunity for the United States to help the Iranian people evade censorship. For example, Washington should devise a land-based or satellite solution as an alternative to SHOMA so the Iranian people have better access to information.87 This could serve as a test case for supplying freedom of information to other oppressed people, including in China, Russia, and North Korea.
2. Sow divisions between hackers working for different parts of the Iranian government. The structure of the Iranian hacker community is one of a loose contractor model in which quasi-independent hacker groups take commissions from the Iranian government to conduct operations. The cybersecurity firm Recorded Future reports that feuds between the IRGC and the Ministry of Intelligence are likely causing hackers to align more closely with one faction or the other. Infighting between regime factions may present its adversaries with an opportunity to undermine Iranian capabilities. Unconfirmed reports indicate that other Iranian hackers were responsible for a leak about an Intelligence Ministry-affiliated group,88 forcing it to “re-tool and focus on new campaigns going forward, potentially delaying any current or planned hacking efforts,” according to the business and technology news site ZDNet.89
Washington should exploit divisions within Iran’s intelligence agencies and hacker community to instigate internecine fighting. Tactics might include posing as one group to leak the tools of another or spreading disinformation about how Khamenei favors one group over another. The goal would be to exacerbate rivalries so that the hackers betray their own.
3. Sanction Iranian universities and cyber centers of excellence. Just as Washington has sanctioned Iranian universities that recruit promising students into science and technology departments, thereby feeding Tehran’s nuclear and missile programs, Washington should sanction academic institutions that support Iranian cyber capabilities, such as Shahid Beheshti University and Sharif University of Technology.90 Such measures can undermine or restrain the systems that produce the next generation of malicious Iranian cyber actors. The sanctions would damage the institutions’ reputations and could even hamper their ability to recruit students and engage in cutting-edge scientific research.
4. Enhance intelligence sharing with Israel and Iran’s Arab neighbors and increase global cyber diplomacy. Understanding the tactics Iran deploys against its neighbors would provide insights into future attacks against America. Therefore, Washington should continue and, where possible, increase intelligence cooperation with regional allies, particularly Israel, which is the most capable cyber actor in the Middle East. Greater diplomatic engagement with all U.S. allies about cybersecurity and norms would complement enhanced intelligence sharing, undermine Iranian efforts to use cyber operations to divide U.S. allies, and enhance the deterrent capabilities of U.S. partners.
5. Analyze cooperation, technology transfer, and training between Iran and its allies. The United States should study the collaboration between Iran and other U.S. adversaries and whether Iranian capabilities are improving thanks to help from other cyber powers. While Tehran will eagerly announce diplomatic exchanges, memoranda of understanding, and multi-year investment deals with other countries, Iranian cyber cooperation requires further study. This should be a priority of the U.S. intelligence community.
Conclusion
There is no shortage of steps Congress and the administration must take to enhance U.S. resilience and to thwart and deter cyberattacks. However, defense alone is insufficient. Similarly, deterrence is insufficient. The United States and its allies must actively prevent their adversaries from becoming more capable cyber actors whom they cannot combat or deter.
