Why Russia’s cyber arms transfers are poor threat predictors

The history of international cyber conflict is remarkably long and storied. The timeline of major cyber threat events stretches back nearly four decades, but it is really only the last decade that has seen the widespread proliferation of national cyber forces. As of 2007, only 10 countries had operational cyber commands, three of which were members of the NATO alliance. Just eight years later, that figure jumped to 61 nations, a full two-thirds of which were outside of the NATO alliance. Clearly, national governments have become more willing to see cybersecurity as a key responsibility. States are also cooperating and sharing the burden of securing cyberspace.

Against the backdrop of cyber partnerships aimed at improving the common health of the digital domain, some countries are collaborating to build better offensive capabilities. A highly visible recent example of this — Russia’s initiative to furnish Iran with new digital surveillance and intrusion capabilities  — has generated substantial concern among Western commentators. Some see the transfer of cyber arms as another instance of Russia’s wartime troubles leading to the sophistication of partners that it relies on for battlefield matériel — countries like China, Iran, and North Korea.

On the surface, these concerns seem well-founded. The spread of Russian arms and munitions in decades past has fueled the potential for conflict in hotspots around the world. The spread of Russian cyber tools might surely do the same. But this view misses key facts about what constitutes robust offensive cyber operational capabilities. In many ways, exploits and tools are the least important elements of a competent offensive posture online. Talent, infrastructure, operational know-how, and organizational support make the difference between irritating threat actors and truly dangerous ones. Not only is Moscow not offering these elements up — yet — but Putin’s government also has clear strategic reasons to limit its cyber cooperation.

The transactional backdrop of Russia’s Ukraine missteps 

Between 2011 and 2013, in the wake of revelations in the international community about Stuxnet and the cyber-physical attack on the Natanz uranium enrichment facility, Iranian cyber warriors launched a series of distributed denial of service (DDoS) attacks on financial targets across the Middle East and the West. Since that time, however, Iran’s commitment to becoming a capable cyber power has meant less focus on such direct disruption. Instead, the government in Tehran has been tied to increasingly sophisticated disinformation campaigns, supply chain attacks, and attempts to infiltrate critical infrastructure systems in Europe and North America. For some, this shift in approach has clear ties to the series of cyber cooperation agreements signed by Iran and Russia over the past decade.

These agreements appear to have been focused on bolstering network defense capabilities. However, recent developments suggest that cyber collaboration between Tehran and Moscow may have evolved toward offense. Recently, the Wall Street Journal reported that Russia is directly helping Iran build its cyber offense abilities via the provision of surveillance tools, hacking software, and know-how about methods of exploitation for a range of common consumer products.

One transfer comes from the Russian company PROTEI Ltd., which has provided Iranian authorities with censorship software. According to Citizen Lab, the tools developed by PROTEI and delivered to an Iranian ISP would “enable state authorities to directly monitor, intercept, redirect, degrade, or deny all Iranians’ mobile communications, including those who are presently challenging the regime.”

Cyber cooperation between the two authoritarian regimes clearly has a domestic flavor. Both governments have illustrated in both statement and action that social control is a top priority. Yet in both countries, development of the infrastructure of population control has been enmeshed with the construction of operational capabilities for foreign interference and attack. One need look no further than PROTEI to see this, as the company is known to hold extensive contracts with Russia’s Ministry of Defense.

Iran has also quite famously leveraged surveillance techniques to address state interests beyond its borders. In addition to extensive efforts to use malware to spy on journalists and advocates abroad, Tehran has been linked to major cyberattacks like the 2011 compromise of certificate authority DigiNotar, whose compromise likely gave the regime access to thousands of dissident email accounts.

Beyond shared authoritarian and strategic interests, of course, this development in the relationship is also likely being driven by Russia’s persistent missteps on the battlefield in Ukraine. Aside from the seeming inability of Moscow’s armies to capture and hold territory in the face of tenacious Western-backed Ukrainian defensive efforts, recent months have underlined the logistical bankruptcy of Vladimir Putin’s campaign. Russia’s stockpiles of munitions, armored vehicles, and even basic supplies have been depleted so extensively that the regime is now turning to partners for resupply and even for new capabilities. Iranian drones have featured heavily in Moscow’s aerial campaign against Ukraine’s people and the government in Tehran has been reaping the benefits thereof. American equipment captured from Ukrainian forces has found its way into Iranian hands. Russia is also selling natural gas at a steep discount to Iran as well as to India, China, and other third parties to the conflict. Now, cyber tools are enhancing the Islamic Republic’s capacity to spy, compromise, and disrupt online.

Cyber operations are much more than tools or exploits

Given this development, the bottom line for many is that closer Russo-Iranian cooperation on building offensive capacity in cyberspace portends heightened insecurities for Western industry in the future. While there is certainly a base level of concern about this evolution the partnership, the degree to which this development fuels the threat to the West shouldn’t be overblown. Just as nuclear weapons cannot be obtained via the theft of simple formulas or even fissile material, the sale or transfer of “cyber weapons” (e.g., code, exploits, or tools) rarely amounts to anything more than a minor improvement of capability. To catapult Iranian cyber capacity to the next level, Russia would have to bring much more to the table.

Specifically, the degree to which exploits and tools are only made relevant in the context of robust organizational process, talent support, and infrastructure is often underemphasized in those commenting on state cyber operations. Max Smeets has noted that the workforce required to underwrite even competent offensive cyber operations is extensive. In addition to the operators, vulnerability analysts, and basic technical support staff that enact digital intrusion, cyber forces require testing personnel, tactical planners, system administrators, and frontline support staff. Without these supporters, cyber operators would have limited access to the resources — often drawn from black market engagement, other intelligence outfits, or private industry coordination — needed to succeed in strategically meaningful ways. Not mentioned yet are the regular support staff found in any organization (e.g., human resources or legal support) and the political planners that must figure out how to employ cyber offensive assets to fit broader geopolitical strategies.

Added to this workforce complexity is the fact that robust, innovative capacity in any organization is a product of culture and vision. Even if cyber operators often function with less tactical oversight than a regular soldier might, effective decision-making means understanding how the organization and the political interests it serves set priorities. To some degree, this is a matter of doctrine but it’s also a matter of tacit knowledge foundations. Tacit knowledge, which underwrites organizational culture and sets shared understandings of the mission involved, is information that is hard to communicate to those outside the organization. That certain tools should be avoided or emphasized around certain targets is something that a team of operators may know well, but that motivation to align tactical actions with long-term planning and political objectives is not something that can be learned quickly.

Finally, effective offensive cyber capacity means developing and securing infrastructure. Cyber forces rely on robust command and control (C2) infrastructure to operate in strategically meaningful ways. This C2 infrastructure must be diverse and intentionally fragmented to allow for redundancy, plausible deniability, and the ability to burn assets (e.g., a counter-compromised server) as a vulnerability. Cyber forces also need even more extensive fallback infrastructure that permits the preparation of campaigns and is as separate as possible from C2 resources. In this space, hacking outfits can retool, train, simulate new environments, and dissect the bounties of successful operations.

Iran, of course, has much of this complex infrastructure that underwrites cyber operational capacity already. However, these interacting features of a robust offensive cyber posture generally don’t plug and play as states cooperate and transfer individual elements across borders. Cooperation on the level being reported by the Wall Street Journal is unlikely to produce more than incremental benefits for Tehran. Harnessing newfound access to extensive Russian cyber warfare know-how in the wake of the Ukraine war will require immense adaptation on the part of Iran’s security services. That’s if Moscow will even agree to share more significant elements of its cyber portfolio, such as vendor relationships and talent.

The strategic calculus: how much Russian cyber operations help is too much?

The transfer of cyber operational capacity is a unique beast. Like conventional arms transfer, the trade of cyber tools can look more or less complete in its immediate utility. Sometimes states transfer completed applications, infrastructure, or workforce plans. Other times, they only transfer basic training or engineering know-how and leave partners to synthesize end products on their own. Cyber tools are also, as some have noted, rivalrous goods. This means that when one actor possesses or uses them, their utility for other actors diminishes.

Here, the value of cyber know-how, infrastructure, exploits, and tools is time limited. Zero-day vulnerabilities are perhaps the best example of this dynamic, as the possibility of defender discovery of a previously unknown flaw could happen at any time. This motivates rapid use of such exploits, as well as rapid sale by those who find flaws and recognize that value is based on secrecy. The transitory nature of cyber assets is also driven by other factors, including the similarity of new tools to existing ones, political interests in certain effects, and the likelihood of discovery (of, say, C2 infrastructure previously employed).

This dynamic motivates cyber arms transfers when two states align on the precise details of planned operations, such as in the case of Israel and the United States’ coordination for Operation Olympic Games. Other than that, cyber arms transfers only make sense when the supplier isn’t made more vulnerable or less capable by supplying specific capabilities to a partner. In the current case of cooperation with Iran, Russia’s provision of tools and infrastructure centered on surveillance and targeted espionage thus makes a great deal of sense.

In addition to paying the Iranians back for kinetic resupply and showing solidarity with a fellow authoritarian regime, Moscow has thus far limited its support in ways that protect the country’s core claim to cyber fame — its capacity to launch the full range of offensive cyber operations leveraging an immensely diverse array of operational units, both government and private. Simply put, Tehran’s deployment of these newfound abilities is not likely to blunt the effectiveness of Russia’s most capable digital weapons or further reveal the clandestine extent of the complex ecosystem of parts it relies on to project cyber power.

When to become concerned about Moscow and Tehran in cyberspace

Commentators must be clear when discussing developments like the recent transfer of cyber tools from Russia to Iran. This is a clear trade of valuable capacity to Tehran in exchange for substantial supply chain support. This is not a game-changer for Iran’s ability to plan and execute sophisticated offensive cyber operations. It is not a signal that Russia is engaging Iran as a more equal partner than in the past, as has been suggested about Moscow’s evolving relationship with Beijing. And it is not a partnership that is likely to evolve toward more extensive joint planning and execution of cyberattacks. As tempting as it is to make these assumptions, the techno-infrastructural and political context of the relationship simply don’t support them.

There are three conditions under which Western industry and government stakeholders should get more concerned about this cyber relationship:

1. Direct evidence of greater coordination of cyber activities should shift the risk calculation made by cyber defenders, specifically toward weighting areas of shared interest more heavily than alternatives. Coordination could come in several different forms, including direct operational entanglement of the kind that produced Stuxnet a decade ago. It might also look like Iranian engagement of targets that either directly or symbolically relate to the Ukraine conflict. The most obvious near-term point of concern in such a case is likely the forthcoming US 2024 election cycle, which will inevitably be targeted by Iran for interference purposes in some fashion. The form and scope of that interference, however, will be telling of just how the relationship with Moscow continues to evolve.

2. Related to this intersectionality of Russian and Iranian geostrategic interests, Western stakeholders should be concerned if the transfer of known operational capabilities for cyber activities beyond surveillance is reported. Moscow may have an interest in keeping Iran in a junior partnership role, but the transfer of tools or infrastructure with known attributes makes sense if a clear use case can be articulated by Tehran.

3. Finally, and most significantly, the nature of the cyber partnership between Russia and Iran may change in reference to rising tension between Tehran and the West. Specifically, the transfer calculus is sensitive to circumstances in which Russia perceives a geopolitical advantage to a temporary improvement of Iran’s capabilities. If a confrontation with Iran on the part of the United States, Israel, or some other formation of Western interests can distract attention from the war in Ukraine, change the calculus of Chinese support for Russia, or impact global commodity prices, then the value proposition of more sophisticated support for Tehran might radically change.

Until that point, however, Russian support for Iran’s cyber ambitions is little more than Vladimir Putin’s pre-war boasts about the superiority of Russia’s military: cheap talk.