OPINION

Iran’s expanding cyber operations call for rethinking US response

Nariman Gharib

Cyber espionage investigator

Iran has expanded its cyber warfare capabilities in recent years, exposing vulnerabilities in US defenses and even meddling in election campaigns, while policymakers in Washington debate the proper response.

As a cyber espionage investigator focused on Iranian state-sponsored hacking, I’ve observed these operations evolve steadily—from initial reconnaissance to targeted intrusions.

Even when US agencies unmask these hackers, legal and enforcement actions often drag on for months or years, allowing adversaries to rebrand and operate under new aliases.

Yaser Balaghi Inalou, one of three Iranian hackers recently indicted by the Department of Justice for a hack and leak operation targeting the 2024 presidential election, was exposed as early as 2015 by the Israeli security firm Check Point.

Had US agencies exposed him at the time, it might have fractured his network and even disrupted the attack on Donald Trump’s 2024 campaign.

With President Trump’s second term underway and the possibility of deepened tensions between Tehran and Washington, a cohesive and decisive strategy to address this threat seems imperative.

Intelligence agencies may unmask hackers quickly, but those unmasked regroup and evolve if legal and enforcement responses are delayed. Greater collaboration may be required between federal agencies like the FBI and the Department of Homeland Security, and even with private cybersecurity firms, to ensure swift countermeasures such as targeted sanctions and asset freezes.

Also important would be rebuilding trust in US whistleblower programs. Insider intelligence from those with firsthand knowledge of Iranian cyber operations—whether from inside Iran or abroad—can be invaluable.

The current track record of the Rewards for Justice (RFJ) program discourages potential informants. Its FAQ page still highlights cases from 1995 and 2007, with no reference to payouts for whistleblowers in Iranian cyber operations.

Providing a recent example on its website or social media could restore credibility and encourage more people to come forward. As it stands, many of those engaging with the program on social media view it as more of a stunt than a serious incentive.

Public exposure of Iranian cyber operatives is another critical measure. Many operatives hide behind the guise of IT professionals. Publishing updated lists of identified operatives in English and Persian could help rid these groups of the secrecy on which they rely.

Sanctions and asset seizures also remain powerful tools. Iran’s cyber operations are largely directed by state entities like the Ministry of Intelligence and the Islamic Revolutionary Guard Corps (IRGC), already designated as a terrorist organization by the US. Expanding efforts to track and freeze financial assets tied to these entities could significantly disrupt Tehran’s ability to fund its hacker networks.

The importance of swift and proportional countermeasures cannot be overstated. Delayed responses—sometimes by as much as a year—reduce deterrence and embolden threat actors.

Strengthening alliances and building a collective defense mechanism would also enhance deterrence by creating a more formidable response.

The United States relies on digital systems, from essential public services to financial networks. As that reliance grows, so does the threat posed by Iranian cyber operations, which are likely to expand as Tehran tries to avoid traditional military confrontation.

With the changing of the guard in Washington, new policies should be devised to protect US digital infrastructure while holding Iran accountable for its online aggression. The implications of inaction are clear—continued vulnerability and escalating threats.