This is the headline that should have been affixed to the New York Times’ most recent story about supposed Iranian cyber attacks against oil and natural gas companies in Saudi Arabia and Qatar, as well as banks in the United States. In fact, it is the most appropriate headline for practically all of the news reports on this topic published during the last two weeks. Thus far, the reporting has been based entirely on anonymous sources who have provided no evidence to support claims of Iranian cyber attacks.
In its most recent report on October 24, the New York Times cited a number of anonymous sources, including “intelligence officials,” “independent computer researchers,” “two people close to the investigation,” “security researchers,” and “security experts.” The Times is up front about the fact that “intelligence officials” have “offered no specific evidence to support” their claim that Iran was behind the attacks. Ten days earlier, on October 14, the Times had reported, “Among American officials, suspicion has focused on the ‘cybercorps’ that Iran’s military created in 2011…though there is no hard evidence that the attacks were sanctioned by the Iranian government.” After already reporting that anonymous officials were suspicious but lacking evidence, ten days later the Times thought it necessary to remind us all that these officials were still suspicious, and still not providing evidence for their claims. The Times did not question these suspicions or claims, however.
The the New York Times has not been the only news outlet to report anonymous, evidence-free claims of Iranian cyber attacks. The Los Angeles Times, Huffington Post, Reuters, CNN, CBS, Associated Press, and Washington Post have all gotten in on the act. All have relied upon anonymous “officials” and “experts”; few have offered anything in the way of evidence.
In some cases, it is not clear in the reporting whether allegations of Iranian cyber attacks are coming from current or former government officials. In the case of stories from Associated Press and the Washington Post, our knowledge of what the U.S. believes is based on accounts provided by “former U.S. government officials” (with an assist from the seemingly ubiquitous “cybersecurity experts”).
Senator Joseph Lieberman (I-CT) is the one American “official” who has been named consistently in news reports as claiming that Iran is behind the recent spate of cyber attacks. On September 26, the Los Angeles Times reported:
Senate Homeland Security committee chairman Joe Lieberman (I-Conn.) said Iran has targeted the American financial system in response to U.S. sanctions placed on the country because of its nuclear program.
The Quds Force, a secretive Iran military unit blamed for terrorist activity, probably executed the cyber-attacks, he said.
But that same article goes on to report that “a group called Izz al-Din al-Qassam Cyber FIghters has claimed responsibility for the [bank] outages.” One might be tempted to believe that this group is somehow tied to Iran. In fact, as a later story in the Huffington Post notes, the group is not Iranian and its stated motivation for the bank attacks, which it called “Operation Alababil,” was
revenge for the anti-Islam YouTube film Innocence of Muslims. […] They wrote: “Operation Alababil is revenge in response to the humiliation of the Organization of the Prophet of Islam (PBUH) by some Western countries.”
None of the stories cited above have noted the discrepancy between Senator Lieberman’s account of the attackers and their motives and the reasons given by the group that has claimed responsibility for the incidents.
Other reporting has also begun to call into question officials’ claims of Iranian involvement in attacks on Middle East oil companies. An October 25 report from Bloomberg News indicated that as intelligence officials admit “that the evidence implicating Iran in the Aramco attack is largely circumstantial,” individuals involved with the investigation of the incident “aren’t convinced that the incident was an Iranian response to the attacks on its suspected nuclear weapons program.” Instead, they believe that the attack was largely the work of a lone insider.
Claims of Iranian cyber attacks could serve several purposes. Most obvious is that they are being used by Administration officials like Secretary of Defense Leon Panetta to make the case for a possible executive order on cyber security, as well as to argue in favor of cyber security legislation.
But they also contribute to the general sense of fear and suspician surrounding Iran. They serve as one more seeming example of Iran’s nefarious use of technology, first nuclear and now cyber. As former NSA General Council, Stewart Baker, told the Associated Press, “If anybody is going to release irresponsible unlimited attacks, you’d expect it to be Iran.” Of course, though one might expect Iran to launch “irresponsible” cyber attacks, in fact, thus far the United States seems to have been the chief perpetrator with the Stuxnet attack against Iran. Nonetheless, recent reports of Iranian cyber attacks–substantiated or not–will no doubt provide one more talking point for those making the case for a military strike against Iran.
This would not be the first time that a would-be adversary suddenly emerged as a cyber threat at a time when the drums of war were growing louder. Following the attacks of 9/11, U.S. officials claimed that the greatest cyber threat to the United States came from terrorist groups like al-Qaeda. But then, in a rather sudden shift, as the Bush Administration began to press its case for war with Iraq, states suddenly became the top threat and, perhaps unsurprisingly, Iraq was identified as one of those states with a cyber warfare capability. But just as Iraqi WMD never materialized, neither did its supposed cyber warfare capabilities.
In 2002, when pressed to provide evidence that Iraq was in fact supplying WMD to terrorists, Secretary of Defense Donald Rumsfeld answered simply by saying, “the absence of evidence is not evidence of absence.” Similarly, James Lewis, a leading cyber security expert from the Center for Strategic and International Studies, said, “How do they know it was Iran? You may look under your bed at night for spies and not see them, but that does not mean they are not there.”
Of course, Secretary Rumsfled and Mr. Lewis are correct. Absence of evidence does not, by itself, prove the absence of a threat. But absence of evidence is even less likely to prove the existence of a threat. Given a choice, absence of evidence is more likely to be evidence of absence than it is evidence of presence.
None of this is to say that Iran is innocent. It is perfectly conceivable that Iran has launced cyber attacks targeted at U.S. interests at home and abroad. But in the context of rising tensions between the U.S. and Iran over its nuclear program, and in the wake of the Iraq WMD fiasco, we should expect more from reporters, experts, and officials.
[This post also appears at Forbes.com.]
- For a detailed account of shifting official descriptions of cyber threats during the Bush Administration, see Bendrath R, Eriksson J, Giacomello G (2007) From ‘Cyberterrorism’ to ‘Cyberwar’, Back and Forth: How the United States Securitized Cyberspace. In Eriksson J, Giacomello G (eds) International Relations and Security in the Digital Age. London: Routledge. ↩