Welcome to Cash Me If You Can. I'm your host Matt Pearl, Director of the Strategic Technologies Program at CSIS. In this podcast, we take a closer look at the technologies and policies driving tomorrow, and how the United States can stay ahead in the global innovation race. From the Center for Strategic and International Studies, this is Cash Me If You Can, where we explore the global forces shaping innovation, competition, and tech policy. My name is Kuhu Bhaji, and I'll be your host for this episode. Today, we're diving into one of the most discussed, yet often misunderstood, dimensions of the ongoing US-Iran conflict, cyberspace. Iran has spent over 15 years building a formidable cyber ecosystem that blends state actors, proxy groups, hacktivists, and commercial capabilities into a hybrid threat machine. We've already seen it in action. The Iranian state-affiliated group, Hondalahak, recently targeted a critical medical equipment supplier to the UK's National Health Service and US MedTech firm, Striker, wiping data and disrupting supply chains for a global corporation. And yet, experts caution that the noise of these operations can obscure their actual impact on the course of conflict, while also highlighting that cyber operations shouldn't be considered in isolation from information operations and activity in other domains, like space and the electromagnetic spectrum. So in the scheme of things, what does Iran actually want from its cyber operations? How degraded are its capabilities right now? And what should we expect next, from destructive attacks, to influence operations, to AI-assisted disinformation? To help us make sense of it all, we're joined by three experts. First, our very own Lauren Williams, Deputy Director and Senior Fellow with the Strategic Technologies Program at CSIS. Among several roles across government, Lauren served as Chief of Staff to the Assistant Secretary of Defense for Industrial-Based Policy at the Pentagon, and as Director for Strategy at the White House Office of the National Cyber Director, where she led work on space system cybersecurity that helped establish the first minimum cybersecurity requirements for federal space systems. We're also joined by Dr. Nikita Shah, Senior Fellow with the Intelligence, National Security and Technology Program at CSIS. Dr. Shah brings over a decade of experience in the UK government, where she worked across operational agencies and central policy departments. Her work focuses on evolving cyber threats, the broader cyber ecosystem, and the role of cyber capabilities in modern conflict. Finally, we are honored to welcome Lieutenant General Maria Barrett, former Commander of United States Army Cyber Command, or ARC Cyber, and Commanding General of the Network Enterprise Technology Command. General Barrett is also a commissioner on the CSIS Commission on US Cyber Force Generation, contributing to recommendations on the potential creation of a dedicated military cyber service. We are thrilled to have all three of them join us for today's discussion. Before we get into the specifics of individual attacks and operations, I want to make sure that our listeners understand the landscape that we're operating in. So starting broad, Nikita, when you look at what Iran has done in cyberspace against the United States and our allies since this conflict escalated, how significant has the threat actually been? And how do you view it in the context of activities happening in other domains? Are we looking at a fundamentally different and more dangerous Iran in cyberspace? Or is this consistent with what we've seen from them before? Thanks, Kuhu, and thank you so much for having me. If it's okay, I might answer your question in a slightly backward order. So I thought I'd give a very quick overview of the Iranian cyber ecosystem, talk a little bit about Iran's strategic objectives more broadly in this conflict, and then I thought I'd reflect on your question about whether this is a different Iran that we're seeing or whether it's fairly consistent with Iran's behavior in cyberspace. So just as a very quick overview of Iran's cyber ecosystem, Iran has different components that together comprise quite a complex and a quite thriving ecosystem. The first is state actors. So these might be actors that work for the Iranian IRGC, its Revolutionary Guard Corps, or the Iranian Ministry of Intelligence and Security. They tend to do things like conduct sophisticated espionage operations, destructive attacks, that sort of thing, and they've had some quite high profile successes in recent years, including the hacking of US elections in 2020 and 2024, also hacking into US critical infrastructure. So they're the kind of primary actor in Iran's ecosystem. The next is proxies, otherwise understood as hacktivists, and they tend to be civilians or actors that essentially will conduct a tax aligned with Iran's strategic objectives, usually to send some sort of political message. The third element of their ecosystem is cyber criminals. So these are financially motivated actors that will conduct a tax for their own personal gain. And then the last component of this ecosystem is the private sector. So Iran's cyber actors are known to use commercial capabilities to conduct attacks, and it also has a thriving kind of sub-layer of this ecosystem of companies that will do things like export surveillance technology. So when you put all of that together, it's a very dynamic ecosystem, and one that's really evolved over the last 10 years. So how does this translate to the current conflict and how we're seeing cyber attacks take place? It's quite interesting in that it's a high volume of activity, and we'll talk about this later, but I would question whether that volume of activity equates to impact. So just to give listeners a sense, so far we've seen the shutting down of Iran's domestic internet, which I think took levels of internet traffic down from regular levels to about 1% to 4% of regular internet traffic. We've also seen destructive attacks that include website defacements or the kind of overwhelming of networks and systems. We've also seen the wiping of targets, and that includes the US medical technology firm Striker, which has seen heavy disruption to its medical supply chains in the US and globally. And then the last aspect that I'll mention is reconnaissance activity or what we'd understand as cyber espionage, and that might be intrusions into US or Israeli companies. It might also be the hacking of surveillance cameras that Iran has been known to do, and that's predominantly to assess battle damage or, in some cases, to surveil for an upcoming operation. To put that into perspective, how this links to Iran's overall strategic objectives is twofold. So Iran likes to use cyber activity firstly for domestic purposes, and that's both for social control over its population, it's also for regime preservation, hence the shutting down of its domestic internet. And then internationally, Iran also likes to use cyber capabilities to destabilize its adversaries, and that plays into a broader campaign of hybrid threats, so things that are below the threshold of conventional conflict, but still incredibly destructive, and that might also include things like information operations, physical threats, that sort of thing to really create chaos. So when we look at what's going on in this conflict, it very much plays into those two strategic objectives, domestic and international. And then going to your question of, well, is this different to what we've seen previously of Iran, or does it make it a more significant threat in this conflict? Actually, I'd argue it's been pretty consistent with what we've seen of Iran before. It applied very similar operations in the 12-day war with Israel in 2025. And the other thing I'd flag is, actually Iran is facing a couple of constraints in this conflict. Part of that is that its physical infrastructure that it might rely upon to conduct cyber attacks has been destroyed, physical and digital infrastructure. There is possibly also a leadership void when it comes to Iranian cyber leadership. So there have been some Israeli claims of bombing the IRGC cyber headquarters. So it might be that actually there's a lack of strategic direction as to how Iran should use its cyber capabilities. And finally, I think it's really important to remember that, yes, there's this conflict going on, but Iran also has other intelligence priorities that it might want to use its cyber capabilities for. So in short, it only has finite resource when it comes to cyber capabilities, and those will be stretched both in this conflict and for its regular intelligence operations. So hopefully that gives you a nice picture of what we're seeing so far. Absolutely. I found that discussion of kind of the Iranian cyber landscape and the framing that you gave to be very helpful, and specifically the distinction between kind of the high volume of attacks or the noise versus the strategic impact to be particularly important. One place where the stakes feel more tangible is the financial infrastructure. Hondala also recently claimed an attack on Verifone, a global payments technology company, reportedly disrupting payment terminals worldwide and extracting financial data. US banks were placed on hide and alert for Iran-linked attacks back in early March. So General Barrett, how seriously should we take these threats to financial infrastructure in particular, and what does a serious attack on that system look like in practice? You know, when it comes to the financial sector, I mean, that still ranks as the number one sector that is always under attack, and it grows year after year in terms of trend reporting. The amount that the financial sector spends on response to intrusions or data losses continues to grow as well. And so I think what you're asking is, you know, well, do you pay attention to it or not? Whether you're in the financial sector or you're not, I think you have to take a look at any time we have one of these events, you know, the reconnaissance or the attempted attacks are on the increase. That's definitely showing in the data. And so can you afford not to put off a security patch or something like that in your ecosystem? Can you afford not to pay attention to FBI tippers of activity like this? Can you afford not to look at the early information out of the strike or investigation and say, hey, what enterprise capability do I have in my infrastructure that might also be taken advantage like this? Because the fact of the matter is you don't know if the prepositioning has occurred in your own network. And so you don't ignore it. You ignore it at your own peril. I think to the second part of your question, though, you're asking, you know, so the financial sector is already a target, you know, so what constitutes moving from the cost of doing business, which is an enormous thing that the banks already deal with, to tipping the scales to loss in faith in the institution. And that loss in faith in the institution might be actual material loss, i.e. the, you know, data is changed, we can't get to the ATMs, we can't conduct credit card transactions because we care about those things. We like our cars, we like going to gas pumps. And when you interrupt those things, it presents a problem. And I think that's when you start to have that loss in faith in an institution. And it could also be a perceived loss. It might not have to be a big thing that happens. And I would point to colonial pipeline. You know, when you break that particular intrusion down, I would, in my humble opinion, say the worst part of it was the information operations aspect of it. The views of seeing lines outside gas stations in the southeast of the United States. And so that perception piece, the actual intrusion, doesn't need to be the major part of it, but it's just that, oh my gosh, I've got to go get gas now. And so I think that's how I would break the seriousness of how we take this. Absolutely. I think that the loss of faith component is important and kind of raises the question of whether the goal of these potential threats is disruption or just shaping the perception of vulnerability. Recently, the New York Times documented 110 unique deep fakes conveying pro-Iran messages, propagated not just by Iranian networks, but also amplified by Russian and Chinese information ecosystems. Meanwhile, Iran has also shut down its domestic internet for weeks, seized hundreds of Starlink terminals, and is promoting its domestic internet. Lauren, you've written about how the key battlefield here might be the information domain. How do these tools work together as a coherent information warfare strategy? Thanks, Coo-Hoo. And just building on what's already been shared, the landscape that we've heard about, and even from Nikita, and even the specific context of a financial system attacks, I think there is maybe a key truth to pull out here, which is that the threat from Iran is multifaceted. And I think we do ourselves a disservice if we focus independently on the cyber threat without thinking about, as you noted, the concurrent objectives in the information domain or the information space. And then I would also add into that bucket of what I will call digital domains, activities taking place in the electromagnetic spectrum, EW around satellites, and communication there as well. So to focus in particular on the information space, I think that is an important and critical theme and focus to watch coming out of this conflict. We've seen Iran, Israel both play with activities in that space in the conflict so far over the last couple of weeks. So we've talked already about how the Iranian regime, first of all, at the beginning of this conflict and in past conflicts, focused on shutting down the internet to tighten its citizens' ability to communicate. There may also be cyber dimensions to that choice as well. Internet communications, as Nikita noted, are down to, at max, maybe around 4% over the last several weeks. And that means that citizens can't communicate with each other or outside of the country. But it also means there may be defensive cyber implications to that as well, in that it's more difficult for outside cyber actors to target the Iranian regime. So shaping the information space in terms of who is able to communicate and about what we're seeing that play a role in Iran, you noted as well the proliferation of misinformation and disinformation on the internet. I think that was very much a story in the early days of the conflict. Videos showing strikes that didn't actually happen to shape perceptions around the world of what was actually happening in that conflict. And then, of course, we saw in the early hours of the conflict Israel attempt to shape the information space in terms of targeting the Bari Saba prayer app that is used by millions of citizens in Iran and most notably regime officials and the propagation of anti-regime messages that obviously would have been intended to shape the information space. So we're certainly seeing shaping public opinion, shaping public perspectives, being a broader objective both of the combatants' cyber operations as well as a broader theme throughout this conflict. And then, as I noted, we are seeing satellite systems that are used for communications, such as Starlink be a theme in this conflict as well. Citizens in Iran in this context and before have attempted to gain access to Starlink, which is technically not allowed in the country to be able to communicate. There are indications that the Handala haq group that you mentioned maybe is also using Starlink to conduct its operations. And then you also noted rightly that the Iranian regime recognizes the importance of the satellite systems for its citizens to be able to communicate and has attempted to crack down on them. So there's a very complicated landscape, but a lot of the activity that we're seeing points back to the countries involved in this conflict, understanding that shaping information and shaping public perspectives is really going to have a long-term impact. Thanks, Lauren. I think that the discussion of the information warfare being used in Iran really relates back to the intended psychological effects of these attacks and also the loss of faith that General Barrett was mentioning before. So staying with you, Lauren, now that we've talked about these threats, I want to turn to the US cyber policy posture. Given your time working on cyber in the federal government, how would you assess the US government's current capacity to counter Iranian cyber and influence operations? Are there gaps that concern you? And what should companies that may be caught in the crossfire due to build up their cyber resilience? There are a lot of things to say when it comes to evolving US cyber policy posture broadly, but then also as applied specifically to this conflict. So I'll note a couple of data points that we've seen, and I'll point a couple of those to the Venezuela operation back in January, and then I'll attempt to kind of make an overarching statement about where I see the Trump administration going on these issues. So the first thing to note is that this administration, Trump administration officials, both in the White House and coming from the White House and also at the Pentagon have demonstrated far more willingness and interest in publicly messaging cyber offensive capabilities than we have seen in the past. So I noted that we saw this in Venezuela or coming out of Venezuela. The president very notably stated that cyber operations had played a role in his words turning off the lights in Caracas, which was a new development for a president to allude to cyber operations. We then very quickly after that saw the chairman of the Joint Chiefs of Staff say something similarly, which is that US cyber command and US space command were involved in that operation, which multi-domain operations like this are not new, but the public discussion around them, including from senior military officials and White House officials is new. And so the next data point I would draw our attention to is the Iran conflict. We saw quite a bit of discussion in the chairman's press conference following the February 28th airstrikes where he said a couple of things. He noted that US cyber command and US space command were the quote, first movers in that conflict and also that cyber operations were utilized to disrupt communications. We already talked about the Iranian regime's efforts to tamp down on its own citizens' communications. We heard also US officials talk about cyber operations to do the same and to limit the regime's ability to respond. So I think these are very notable public statements from this administration. And then we also saw, and I think the Trump administration released its national cybersecurity strategy, a cyber strategy for America, just the week that the conflict began. I think it was the very beginning of March, which additionally doubled down apparently on the administration's emphasis on offensive cyber operations. It didn't specifically list out threat actors, priority cyber threat actors, but Iran is, of course, on the list of nation-state cyber actors that the administration would be focused on. So I think taken together, we can certainly say that this administration is not afraid. It's very much leaning forward in terms of messaging, its capability and intent to use offensive operations. Some of that discussion kind of raises a broader structural question about whether the current US government institutions are organized to face this kind of threat, even if it happens again in the future. General Barrett, as we mentioned earlier, you're a commissioner on CSIS's Commission on US Cyber Force Generation, which is currently examining how the United States would move forward toward building a dedicated military cyber service. In your view, what does Iran's approach in cyberspace reveal about the force generation and readiness questions that the commission is currently grappling with? How should a cyber force be designed in a way that addresses nation-state threat actors from Iran all the way to China? From Iran all the way to China, let me address it from that perspective, because I think that's really more poignant. A lot of discussion over the last two years about nation-state adversaries being discovered inside US critical infrastructure. And the assessment is that there's no reason to be in a critical infrastructure like that, there's no foreign intelligence value, except if you're prepositioning and you're prepositioning either to deter an attack or in the event of an attack to take advantage of that presence. So having said that, I think what the commission is doing is let's take a look at readiness and force generation and ask ourselves that question. Are you postured to have a force that can contend with that day-to-day, 365 days a year type of activity that we're seeing from nation-state actors against our critical infrastructure and other parts of the US? And can we also make that pivot to kinetic operations, a surge in operations where there are some initial cyber attacks and we now see that comes in the format of not only to our homeland, but to our allies and partners as well, and then integrate offensive operations with kinetic operations? And I think that's in the back of our mind with the commission is, is the force postured today to do all of that, both from an active military standpoint, the composition of our forces, military versus civilian. Can we agilely take the reserve component and the National Guard and apply them in meaningful ways to that particular challenge against the homeland? And then also, how do you take advantage of our industry partners and civilian expertise that might be out there in a way that would contribute to those ends? And I think all of that speaks to the readiness issue, and I think we'll be addressing all of those. And the timing of this conflict lined up with the preparation of this report. So I'm sure it will inform some of the questions that will be addressed by all of the commissioners as they're authoring that. So kind of circling back to where we started, I want to go back to the question of how much these cyber operations coming from and also happening in Iran can realistically shape the trajectory of the conflict. Nikita, in your recent piece, you argue that cyber operations are unlikely to alter the course of the conflict. Why do you think this is? And what do you think future cyber activity in this conflict might look like? Are there certain indicators that you'll specifically be looking at? So on your question of the course of the conflict, I'm very much for the view that I think the volume of cyber operations that I mentioned is unlikely to translate to impact. And therefore, cyber capabilities will definitely be a defining feature, I think, of this conflict, but they won't fundamentally alter the trajectory of how it's going to go. So I kind of set that out for three reasons. The first is the constraints that I mentioned the Iranian regime will be up against. So that loss of infrastructure, leadership and resources in many ways. The second to me, as Lauren really helped spell out earlier, is that the battle is very much in the information domain, as far as it goes particularly between Iran and Israel. But certainly for Iran, that's how it approaches its use of cyber capabilities in general. So it will really be thinking about how it can use cyber operations as part of this layered integrated set of capabilities, which again, Lauren very helpfully spoke to, to have that psychological effect, particularly amongst Western audiences, given that it's controlling its domestic internet. And then the third reason is that cyber operations tend to offer little value in isolation. So they're very much more valuable and more useful when they are layered with other capabilities, whether that's information operations, even whether it's kinetic effects in warfare. And I'd argue that on their own, actually they're best used for intelligence purposes. So they might be used to making intrusion into some sort of network or organization and surveil and essentially spy on what's going on with that company. But also they're not very easy to deploy quickly. So when we're talking about exquisite cyber capabilities, so that really top tier, high quality set of capabilities, they take months if not years to prepare. And actually in very blunt terms, why deploy a cyber capability when actually you could throw a kinetic action or say a missile or a bomb at a target instead. And so some of that has played out in this conflict. I think the other thing to say is where we will see cyber activity, it will likely be highly opportunistic. So Iran has a tendency to go for low hanging fruit, whether that's networks or organizations where it already has accesses, or it might also be companies such as Striker that have very weak cyber defenses and therefore it's very easy to just throw some malware at them. So ultimately, in my view for Iran, the use of cyber capabilities becomes about two things. The first is power projection. So really trying to assert itself beyond where it in fact physically is. And then the second is raising the cost to its adversaries. And in this particular conflict that won't just be the US and Israel, it will also be countries that it regards as participating or involved in this conflict. So it very much increases or expands that attack surface without Iran really having to do all that much in terms of sophistication. And I think as you said earlier, Kuhu, it's about shaping the perception of the vulnerability and really trying to make out its adversaries to be more vulnerable than they maybe are in practice. And on your question as to what this might look like or indicators that I'll be looking out for, I think there are a couple of ways that I'll be looking out for different types of cyber activity and what this actually means. I think we'll likely see continued hacktivism. So that might be website defacement. It might be distributed denial of service attacks that overwhelm networks and other attack services. It might be hack and leak operations, which the Iranians have done in the past. I think in terms of targets, the energy and tourism sectors are highly vulnerable. Again, that plays into Iran's strategic objectives in the course of this conflict and raising the cost to its rivals. We may see the increased use of AI. I think there's been some initial reporting that suggests Iranian threat actors have been using artificial intelligence to do things like help it code. It will definitely use them when it comes to generating information operations, whether that's through creating fake social media accounts or even just speeding up the efficiency with which it deploy some of those operations. And then the last thing I'll say is, again, going back to that targeting base, US and Israeli companies are highly likely to be the most vulnerable because, again, Iran will see that symbolic value of going off to those targets. So when you put all of that together again, I think we'll see a sustained volume of cyber activity. What, for me, that doesn't equate to its impact. I may be completely wrong. There may be some sort of destructive cyber attack that actually takes place against very high-value targets. I just think, given the constraints that the Iranian regime is up against, it's unlikely. And instead, I think we'll see these low-level disruptive attacks. But actually, the impact will be very localised. In the case of Striker or that health organisation in the UK, it will be contained to those victims, and it won't actually equate to impact at that national or international strategic level and alter the course of this conflict. I'm just going to jump in quickly and say that I think we have to discuss also, including building on what Nikita just laid out, the importance of critical infrastructure operators for industry or government agencies of keeping in mind those basic cyber security best practices. You noted that companies can be seen as low-hanging fruit for Iran-sustained cyber threat activities. So I'll just note that there have been quite a few advisories that have gone out from, I think, 10 ISAC groups across sectors, as well as from CISA and some industry cyber threat actors who have just kind of emphasised that all of us who are part of cyberspace need to do the basics to protect ourselves, especially in this threat environment, but every day. Absolutely. Thank you, Nikita and Lauren. I think that really helps to contextualise the severity of the threat and kind of what we can expect going forward. So at this point, I'd like to try and reflect everything that we discussed today. We started by unpacking the reality behind Iran's cyber activity, distinguishing between attention-grabbing operations and those that meaningfully affect strategic outcomes. We also revisited this discussion at the end when we discussed kind of the pros and cons of cyber versus kinetic capabilities and what future attacks might look like. We explained how Iran integrates cyber operations with information warfare, influence campaigns in broader geopolitical signalling, highlighting how cyber tools often complement activity in other domains, rather than independently determining the trajectory of conflict. Our conversation today also examined vulnerabilities in financial systems and critical infrastructure and what indicators might signal escalation or strategic intent in future cyber activity. And finally, we discussed how the United States can strengthen resilience through policy partnerships and potential structural reforms, including the long-term implications of building a dedicated cyber force. Now, like we said, I'm sure there will be more developments in cyberspace as this conflict continues to evolve and will, of course, be watching closely. You can keep up with the latest analysis from CSIS scholars on csis.org. And looking at General Barrett, we can also stay tuned for the Commission on Cyber Force Generation report outlining how the US stands up a cyber force from day one. But for now, thank you so much to Lauren, General Barrett, and Nikita for joining us for this week's episode of Cash Me If You Can. And thanks as always to our listeners for tuning in. That's it for this episode of Cash Me If You Can. Don't forget to subscribe and follow CSIS for more deep dives into the technology shaping our future.
