How To Counter Covert Action In The Digital Age

The case of Iran shows that countering covert action in the digital age requires transparency, persistence and international cooperation. It also shows that it is unrealistic to expect states to stop completely.

Governments, military forces and non-state groups use covert action to understand – and influence – what their adversaries and allies are doing. The digital age has created many new opportunities for covert action, but has also made traditional strategies much harder to conceal. Digital capitalism’s thirst for data generates detailed online footprints, whether working, shopping or spying.

In this environment, three key strategies for covert action have evolved. The first is implausible deniability, such as Russia’s ‘little green men’ in Ukraine after 2014 – a course of action forced, in part, by Russian soldiers using geolocated photos and apps on the front line. The second is to use distraction and disinformation, hiding embarrassing or sensitive facts in a forest of false counterclaims. The third is to attempt to shield certain audiences from leaks, imposing censorship to limit the domestic impact of an international scandal, a strategy more often used by states with authoritarian tendencies.

Countering these changing strategies requires transparency, persistence and international cooperation, as evidenced by the case of Iran.

Iran & Covert Action

Iran is a focal point for covert action in world politics, from attacks on dissidents in the diaspora to Israeli assassinations of nuclear scientists in the heart of Iran. Iran’s evasion of US and other sanctions, including procurement of nuclear-related technologies, operates through a complex network of front companies. While the outbreak of nationwide protests in Iran last year, and their violent repression, rightfully diverted attention away from its nuclear programme, Iran’s uranium enrichment has continued to increase.

Iran’s use of its state airline and small boats to supply drones for Russia’s war in Ukraine, as well as its ongoing support for actors in several destabilizing regional conflicts, has brought the issue of covert action into the foreground once again. Iran regularly deploys all three strategies above, from cyber-enabled influence operations to complex Internet restrictions. But it is Iran’s strategy of implausible deniability that has recently run up against mounting digital evidence, presenting a sharp dilemma for its leaders seeking to repair regional relations and dampen popular revolt.

Seized Missiles & Digital Clues

In early 2022, a UK Royal Navy frigate stopped two speedboats in the Gulf of Oman, seizing parts for cruise and surface-to-air missiles. Similar events also took place in 2019 and 2020, and most recently in February this year.

According to a UN report, Iran rejected any links between ‘the authorities of the Islamic Republic of Iran and those vessels and equipment therein’. However, the UK and other states have tracked Iranian missile construction for years, using public photos of Iranian weapons displays, as well as secret intelligence sources and technical analysis, to understand Iran’s various missile programmes, types, and ranges. This analysis uses key engineering features – such as the smoothness of finishes – to differentiate Iranian homemade parts from foreign versions.

In this case, the UK had a very concrete piece of evidence tying the Iranian state to the smuggled weapons. The missile components were stored alongside a commercial remote-controlled quadcopter made in China, equipped with a high-resolution camera. UK analysts recovered the internal digital memory of the quadcopter controllers and found records of likely test flights at locations owned by the Iranian Islamic Revolutionary Guards Corps (IRGC) in Tehran. The colocation of this quadcopter – including IRGC location data – with missile parts in the same speedboat adds significant weight to the assessment that these were destined for Iran’s Houthi partners in Yemen.

While the users of the quadcopter recognized the potential for digital data to betray their covert action and had removed the external memory cards from the controllers, the controllers’ default internal data logging left a crucial clue.

Defeating Deception

The parts recovered by the Royal Navy also included detailed efforts at deception, a core part of covert action. Previous Iranian surface-to-air missiles had used engines manufactured by a Netherlands-based company. The recovered parts also had this company’s markings but included spelling mistakes that strongly suggest they are in fact Iranian replicas.

In cyber operations, Iranian actors have been uncovered through the discovery of code written in Farsi deep within malware used to target organizations across the Gulf states. However, such inferences must be taken with care as things are not always what they seem. Cyber espionage operations targeting Israel, also using Farsi, were initially thought to be Iranian in origin, until further research found technical links to a Chinese group.

But the secrecy of covert action is not absolute: states expect covert operations to be outed and make plans for how to best take advantage of this moment. Deception needs only to misdirect a defender or investigator long enough to achieve the desired aim. The successive stops of speedboats in the Gulf, the tricky attribution of cyber operations, and the ever-growing list of sanctioned Iranian entities, all exhibit the cat-and-mouse dynamic characteristic of covert action, albeit at a digitally accelerated pace. Ironically, coverage of Iranian covert action is not all bad: it maintains Iran’s reputation as an influential – if destabilizing – player in the region, therefore preserving a key rationale for international engagement.

Countering Covert Action In The Digital Age

The case of Iran helps identify ways to counter each of the three covert action strategies identified above.

First, counter implausible deniability by openly calling out covert action, with as much transparency as intelligence sources permit. The UK interdictions and UN panel of expert reports above are good examples of this practice. While narratives of attribution will always be contested, especially in an online world with an overload of misinformation and disinformation, the incremental weight of such reporting should not be underestimated.

Second, counter distraction and disinformation through international cooperation. The global priority of the Iranian nuclear file, and increasing awareness of its support to non-state armed groups, is the result of years of sustained exposure across different international forums. Although Iranian nuclear negotiations appear to be on indefinite pause at a multilateral level, creative and regional solutions are still possible.

Third, counter authoritarian censorship through persistent support for freedom of expression online, especially for civil society. The irony of the recent China-brokered restoration of diplomatic relations between Iran and Saudi Arabia is that all three states have harsh attitudes to political dissidence online. Even if Iran and Saudi Arabia can now be franker about bilateral concerns – from alleged support for hostile news organizations to providing weapons to Yemen – an open debate on these issues for their citizens is not possible.

But although it is possible to counter covert action, it is not realistic to expect states to stop altogether. In fact, Iran’s actions seem to suggest that the greater the pressure from the international system, the more covert action becomes cemented into the political priorities and practices of a state.

Dr James Shires is Senior Research Fellow, International Security Programme at Chatham House
