The U.S. Department of Homeland Security is warning companies to ready themselves against possible cyber attacks after the U.S. killed influential Iranian general and Quds leader Qassem Soleimani in a strike in Baghdad.
But according to Academy Securities, an investment bank with deep national security connections – including 13 former generals on staff – the most likely threat is a cyberattack on U.S. allies.
Iran has extensive cyberattack capabilities that can be readied in short order. Targets could include military installations, the U.S.’s financial infrastructure, electrical grid, and academic institutions.
Academy Securities estimates that military targets are too well-defended and have too much risk of retaliation by force for them to be a viable target for Iran. It also argues that much of the defenses for large American targets are robust, though Iran is “constantly probing our systems.”
The likely option: allies
This leaves an attack on allies as a course of action that would make the most sense for Iran, according to Academy Securities.
The near-consensus among Academy’s 13 generals on staff is that Iran will want to do something that appeases the public’s desire for action without risking too much escalation that would result in something drastic, like regime change.
“The most likely course of action is still against an ally that has possibly spent less time and energy on hardening themselves against cyber threats,” Academy’s analysts wrote. “Saudi Arabia likely presents an easier target with less ability to retaliate effectively.”
This week, however, Iran’s supreme leader Ayatollah Ali Khamenei called for a direct and proportional attack on U.S. interests, the New York Times reported.
This deviates from Iran’s standard tactics of engaging in proxy warfare. Considering the Iranian leader’s statement, it’s possible this time could be different — and the country may sign its name to an attack.
Companies need to watch out, too
Many industries have taken care to “harden themselves against cyber attacks,” and “there is a reasonable degree of confidence that any such attack would not be successful,” the analysts wrote.
In the past, however, cybersecurity companies have chided businesses for not taking the cyberattacks seriously and instead employing a check-the-box liability-focused approach. And while hacks and breaches don’t always do much damage to companies — Equifax taught companies that losing data is bad but not as bad as you might think — hacks like North Korea’s attack on Sony have prompted many companies to take this issue more seriously.
If that’s not enough, Academy says the private sector does have an ace up its sleeve: the role of deterrence. Typically, a company can’t do much if it’s attacked, but due to new red lines drawn by President Trump, some analysts think the administration could be willing to defend an attack.