This is the headline that should have been affixed to the New York Timesâ€™ most recent story about supposed Iranian cyber attacks against oil and natural gas companies in Saudi Arabia and Qatar, as well as banks in the United States. In fact, it is the most appropriate headline for practically all of the news reports on this topic published during the last two weeks. Thus far, the reporting has been based entirely on anonymous sources who have provided no evidence to support claims of Iranian cyber attacks.
In its most recent report on October 24, the New York Times cited a number of anonymous sources, including â€œintelligence officials,â€ â€œindependent computer researchers,â€ â€œtwo people close to the investigation,â€ â€œsecurity researchers,â€ and â€œsecurity experts.â€ The Times is up front about the fact that â€œintelligence officialsâ€ have â€œoffered no specific evidence to supportâ€ their claim that Iran was behind the attacks. Ten days earlier, on October 14, the Times had reported, â€œAmong American officials, suspicion has focused on the â€˜cybercorpsâ€™ that Iranâ€™s military created in 2011â€¦though there is no hard evidence that the attacks were sanctioned by the Iranian government.â€ After already reporting that anonymous officials were suspicious but lacking evidence, ten days later the Times thought it necessary to remind us all that these officials were still suspicious, and still not providing evidence for their claims. The Times did not question these suspicions or claims, however.
The the New York Times has not been the only news outlet to report anonymous, evidence-free claims of Iranian cyber attacks. The Los Angeles Times, Huffington Post, Reuters, CNN, CBS, Associated Press, and Washington Post have all gotten in on the act. All have relied upon anonymous â€œofficialsâ€ and â€œexpertsâ€; few have offered anything in the way of evidence.
In some cases, it is not clear in the reporting whether allegations of Iranian cyber attacks are coming from current or former government officials. In the case of stories from Associated Press and the Washington Post, our knowledge of what the U.S. believes is based on accounts provided by â€œformer U.S. government officialsâ€ (with an assist from the seemingly ubiquitous â€œcybersecurity expertsâ€).
Senator Joseph Lieberman (I-CT) is the one American â€œofficialâ€ who has been named consistently in news reports as claiming that Iran is behind the recent spate of cyber attacks. On September 26, the Los Angeles Times reported:
Senate Homeland Security committee chairman Joe Lieberman (I-Conn.) said Iran has targeted the American financial system in response to U.S. sanctions placed on the country because of its nuclear program.
The Quds Force, a secretive Iran military unit blamed for terrorist activity, probably executed the cyber-attacks, he said.
But that same article goes on to report that â€œa group called Izz al-Din al-Qassam Cyber FIghters has claimed responsibility for the [bank] outages.â€ One might be tempted to believe that this group is somehow tied to Iran. In fact, as a later story in the Huffington Post notes, the group is not Iranian and its stated motivation for the bank attacks, which it called â€œOperation Alababil,â€ was
revenge for the anti-Islam YouTube film Innocence of Muslims. [â€¦] They wrote: â€œOperation Alababil is revenge in response to the humiliation of the Organization of the Prophet of Islam (PBUH) by some Western countries.â€
None of the stories cited above have noted the discrepancy between Senator Liebermanâ€™s account of the attackers and their motives and the reasons given by the group that has claimed responsibility for the incidents.
Other reporting has also begun to call into question officialsâ€™ claims of Iranian involvement in attacks on Middle East oil companies. An October 25 report from Bloomberg News indicated that as intelligence officials admit â€œthat the evidence implicating Iran in the Aramco attack is largely circumstantial,â€ individuals involved with the investigation of the incident â€œarenâ€™t convinced that the incident was an Iranian response to the attacks on its suspected nuclear weapons program.â€ Instead, they believe that the attack was largely the work of a lone insider.
Claims of Iranian cyber attacks could serve several purposes. Most obvious is that they are being used by Administration officials like Secretary of Defense Leon Panetta to make the case for a possible executive order on cyber security, as well as to argue in favor of cyber security legislation.
But they also contribute to the general sense of fear and suspician surrounding Iran. They serve as one more seeming example of Iranâ€™s nefarious use of technology, first nuclear and now cyber. As former NSA General Council, Stewart Baker, told the Associated Press, â€œIf anybody is going to release irresponsible unlimited attacks, youâ€™d expect it to be Iran.â€ Of course, though one might expect Iran to launch â€œirresponsibleâ€ cyber attacks, in fact, thus far the United States seems to have been the chief perpetrator with the Stuxnet attack against Iran. Nonetheless, recent reports of Iranian cyber attacksâ€“substantiated or notâ€“will no doubt provide one more talking point for those making the case for a military strike against Iran.
This would not be the first time that a would-be adversary suddenly emerged as a cyber threat at a time when the drums of war were growing louder. Following the attacks of 9/11, U.S. officials claimed that the greatest cyber threat to the United States came from terrorist groups like al-Qaeda. But then, in a rather sudden shift, as the Bush Administration began to press its case for war with Iraq, states suddenly became the top threat and, perhaps unsurprisingly, Iraq was identified as one of those states with a cyber warfare capability. But just as Iraqi WMD never materialized, neither did its supposed cyber warfare capabilities.
In 2002, when pressed to provide evidence that Iraq was in fact supplying WMD to terrorists, Secretary of Defense Donald Rumsfeld answered simply by saying, â€œthe absence of evidence is not evidence of absence.â€ Similarly, James Lewis, a leading cyber security expert from the Center for Strategic and International Studies, said, â€œHow do they know it was Iran? You may look under your bed at night for spies and not see them, but that does not mean they are not there.â€
Of course, Secretary Rumsfled and Mr. Lewis are correct. Absence of evidence does not, by itself, prove the absence of a threat. But absence of evidence is even less likely to prove the existence of a threat. Given a choice, absence of evidence is more likely to be evidence of absence than it is evidence of presence.
None of this is to say that Iran is innocent. It is perfectly conceivable that Iran has launced cyber attacks targeted at U.S. interests at home and abroad. But in the context of rising tensions between the U.S. and Iran over its nuclear program, and in the wake of the Iraq WMD fiasco, we should expect more from reporters, experts, and officials.
[This post also appears at Forbes.com and CTOVision.com]
- For a detailed account of shifting official descriptions of cyber threats during the Bush Administration, see Bendrath R, Eriksson J, Giacomello G (2007) From â€˜Cyberterrorismâ€™ to â€˜Cyberwarâ€™, Back and Forth: How the United States Securitized Cyberspace. In Eriksson J, Giacomello G (eds) International Relations and Security in the Digital Age. London: Routledge. Â â†©