Understanding Iran's Cyberpolitical Context

Since I last posted, events on the ground and online in Iran have continued to escalate. This is broadly in line with my belief that the Iranian government has decided to engage in a long-term project to silence dissent online, using both state and non-state actors, as well as to become at a minimum a “regional cyberpower”. Recent statements and actions by the regime confirm my belief, as I'll discuss in this post.

The regime's level of paranoia has increased as the 2010-2011 protests across the Middle East have spread – the protests demonstrated that power gained from fear can swiftly vanish once the fear is gone. Paradoxically, the regime has even supported the protests, claiming that they are simply an extension of the 1979 Iranian Revolution. Capitalizing on the regime's endorsement of the protests, Green Movement leaders MirHossein Mousavi and Mehdi Karroubi called for a rally in solidarity with the brave protesters in Egypt and Tunisia. Their call was brilliant: if the regime was enthusiastic about protests abroad, it should be overjoyed by solidarity protests at home. Given the lack of an independent media, their call was spread online, protests were organized on social networks and opposition websites, and strategies were devised through distant collaboration made possible by electronic communications. The importance of the Internet to the Green Movement was demonstrated with these protests.

Almost immediately, digital activists inside and outside Iran sprang into action, activating dormant networks and connecting with new ones. Facebook pages dedicated to rallying supporters appeared, and Green Movement websites carried banners and links to key information about the protests. Scores of new videos and posters were created, as well as small images that could be printed out and easily distributed. Small images that could be sent via SMS or Bluetooth were created and shared online as well, allowing for “Bluetooth protest spam” to occur in crowded subways and on buses.

25 Bahman Poster

25 Bahman protest call deliberately designed to be spread via Bluetooth and SMS.

Enterprising activists in the Iranian diaspora created their own phonebanks to call Iranians and notify them of the protests. From February 7th to February 14th Tor usage doubled from 3,000 to more than 6,000 as part of a concerted push by more technologically savvy digital activists to inform Iranians about security and anonymity.

Tor Users in Iran Feb. 7-14th

Images of graffiti, a popular way for the Green Movement to effectively double the impact of a message by spreading it offline in the streets and online via photos, again appeared, calling people to the streets.

Graffiti for the 25 Bahman protests.

Digital activists worked day and night at a pace unseen since 2009 in preparation for the first protests in almost one year. What was remarkable was the level of real and digital solidarity, expressed with an outpouring of creativity in which the movement generates new symbols and meanings online for use in future protests and as an expression of its legitimate demands. The protests were met with bullets and batons, and the protesters were armed with their incredible courage and their cell phone cameras. Hundreds of videos and photos emerged showing protesters chanting and marching.

Illustrating its realization that protesters are Internet savvy, the regime launched near-simultaneous DDoS attacks on Green Movement websites as well as the popular Iranian link-sharing site Balatarin, where the attacks resulted in a downtime of nearly 24 hours. Although these attacks have come to be expected, typically beginning 72 hours before a protest date, these attacks were the largest seen since the presidential elections of 2009 and began five days before the protests as opposed to three.

Balatarin DDoS on 25 Bahman protests. From blog.balatarin.com

Iran is a much more internationally isolated country than either Egypt or Tunisia was, and the regime knows it. People from around the world could watch the crowds at Tahrir Square in Cairo live on Al Jazeera, but similar news coverage is unavailable for Iran. The only way most of the world's media would get the news, images and videos that translate into clicks and awareness would be through opposition websites and blogs that have become the de facto independent media in Iran. By attacking these important sites, seizing several domains associated with the Green Movement since February 14, and blocking specific types of VPNs since February 7th, the regime could act like the Green graffiti artists and double its own impact: by bringing down opposition sites, it not only sends a political message to the opposition that you are still vulnerable online, but also slows or completely stops the flow of information to the outside world at a moment when Iran was trying to look like a supporter of the oppressed rather than an oppressor itself.

After the protests were over, the opposition leaders went missing and new protests were called to support the imprisoned leadership. Yet again, Facebook pages were created to support the new protests, and the movement's leadership in exile established a Facebook page, The Green Path of Hope, to provide news and updates, which were also to appear on Green Movement websites while Mousavi and Karroubi are missing. What's emerging is an interplay between Facebook and independent Green Movement websites that work in concert and separately to spread awareness and information. This is a crucial point, since it means the Green Movement need not rely on commercial space (Facebook) as its sole means of communicating with the outside world, and that independent websites and news organizations not hosted at commercial entities (WordPress, Blogspot, Facebook) continue to play a vital role in spreading awareness for the opposition online. Facebook and Twitter, despite what the media and Internet cheerleaders may say, are only one part of a broader oppositional Internet strategy.

As seems to be the case whenever people speak their minds in countries where those in power are scared of the minds of others, more brave young people were killed by the regime's thugs; in this case their names were Sane Jaleh and Mohammad Mokhtari. Powerfully, Mohammad's last words on Facebook, just before the February 14th protests, were:

God, give me death by standing for it's better than a life of sitting under oppression.

On the Internet it can be difficult to be forgotten. Every utterance and every awkward photograph may be stored somewhere permanently. Google searches can reveal the mistakes of youth years after the deed was done. On the other hand incredible moments of heroism and bravery, those courageous comments that go unnoticed in the sea of Charlie Sheen and Tiger Moms will also be remembered long after our infatuations have faded. Although we may never know Mr. Mokhtari's actual last words, his last Facebook post stands in defiance of everything the regime is and reminds us of the power of the Internet not only as something that can play a part in a new future, but also as a way to ground ourselves with memories of past bravery.

Embarrassed by the murder of Neda in 2009, the regime took advantage of Mr. Jaleh's death and declared that he was a member of its thug-like militia, the Basiji. Friends of Mr. Jaleh and Facebook pages stood up to denounce this blatant attempt to spin the media story just hours after this young man's death. Digital activists contacted the Western media and made blog posts, posters, and videos of Mr. Jaleh's life to demonstrate clearly that he was not a member or supporter of the regime. Yet again, in the absence of any balanced media coverage, the Internet becomes the space of contestation, but in this case it is over the facts of a human life. In this case, the space provided by opposition websites that had successfully survived the attacks by the regime became a place of dignity, a place where the facts of Mr. Jaleh's life could be told and explained and understood far from the hyperbole of men terrified that others have their own minds and opinions. The ability of opposition websites to perform this duty established them as digital spaces of solace and remembrance that stood silently and resolutely, armed only with the truth of Mr. Jaleh's life.

The regime also (again) began sending out masses of phishing emails to members of the opposition and to opposition websites. This is not a new tactic, as I've discussed previously, but it was renewed with significant vigor in concert with the larger DDoS attacks. These emails are targeted at specific activists and websites, and are often sent in concert with arrests of key individuals who are then tortured to supply email addresses and contact information for other activists. A standard playbook of sorts seems to be emerging that the regime is using for going after the opposition online in a concerted way. There are highs and lows in its repression cycle, with different techniques used to sustain pressure but allow activists to take more risks before clamping down again. At the same time, the Iranian Cyber Army re-emerged from its slumber to deface the Voice of America and replace its front page with a message directed at Hillary Clinton:

Image of the Voice of America after being hacked by the Iranian Cyber Army

The focus on Mrs. Clinton is interesting and comes soon after another speech by her on Internet freedom. It most likely represents one arm of a response to the United States for its perceived meddling in Iran's internal affairs via the idea of Internet Freedom and the heavily covered Stuxnet incident. However, this would not be Iran's only response to the United States and other countries who sought to violate the Islamic Republic's digital borders.

Recently, fraudulent certificates for popular websites (Google, Skype, Yahoo, etc.) were obtained from a Comodo partner by an attacker believed to be associated with the Iranian regime. This attack was significant in that it would have allowed the attacker to perform man-in-the-middle attacks as well as impersonate these websites. This is an important attack that went after a major certificate authority and has highlighted the relative fragility of the certificate authority system.

The attacker has posted various comments and explanations for his actions here, as well as an apparent interview with Errata Security which contains more information. This is not a technical blog and so I will not go into technical details, but rather focus on the bigger picture and understanding how this fits in with the current situation in Iran. There are well-reasoned doubts as to the nationality of this attacker and whether or not he/she is actually Iranian, based on speech patterns and choice of words. Naturally, there are also persistent doubts that it is a state-sponsored action. These points, while important, obscure the fact that the person who claims to be the attacker professes to act in the interest of the Islamic Republic of Iran's ruling hierarchy, and thus we should use that as our basis for understanding their actions.

With the Stuxnet incident and now Comodo's certificates compromised, the ongoing cyber conflict between the regime and its real/imagined foes has entered a new phase. The reason for this is not only the sophistication of the Comodo attack, but also its coverage. The Iranian regime seeks out and desires attention from the world's leaders and from the international media. This attention is often replayed back at home as a form of international legitimacy, showing that a government which positions itself as the main adversary of the U.S. is truly a force to be reckoned with and one with international power. Although the individuals at the highest level who have employed the Comodo hacker likely did not understand the nature of the attacks, the media coverage has made it abundantly clear that it was significant. In fact, it seems to have drawn more media attention than the deaths of Sane Jaleh and Mohammad Mokhtari and the crackdown on the February 14th protests combined. The apparent success of this attack and its media success will no doubt encourage more of this kind of behavior. Iran will seek to impose its own paranoid fear of the Internet on the rest of the world so as to amplify fear in digital activists at home and bolster legitimacy amongst its supporters. In fact, it's already trying to offer the world its version of the Internet. Cyberconflict is cheap, effective, and poses very little risk to the regime. It is precisely the sort of attention the regime wants so it can demonstrate regional and global power and technological sophistication for a temporary boost to its own feelings of insecurity.

Beyond this, “Internet Freedom” rhetoric by leaders in government, industry, NGOs, and the press strongly politicizes the Internet. While we may think of the Internet as a free and open space for exchange and debate, repeated politicization of the Internet as a “tool of democracy” has the opposite effect on paranoid regimes who view every act of ours with suspicion. Their actions online become circumscribed, apparently surrounded by “enemies” like Facebook and Twitter, Google, the State Department's Internet Freedom division, etc. Their only option may be to somehow “level the playing field” in order to ensure continued legitimacy at home and to maintain a level of perceived international respect. Since they view our online actions as hostile and motivated towards gain, the regime is more likely to likewise engage in hostile online actions to forestall our gains and increase their security to counter our perceived threat.

Political events at home and abroad, combined with actions taken by the opposition and other states in cyberspace, situate the regime within a cyberpolitical (for lack of a better term) context which seems to strongly influence actions the regime takes online when the two spheres (political and digital) overlap. In this blog I have tried to emphasize the importance of context in understanding the online political actions of the opposition and regime. What's also important is to understand the context in which the state as a political entity exists and operates. Tehran already views every action by Washington with suspicion, and the Internet is just one component of that view. Our politicization of the Internet via official statements and the media as a political space where democratic ideals are realized (regardless of whether this is true or not) opens it up to political actions from nations who believe they have a reason to fear our intentions. Iranian digital activists know this from first-hand experience, but the media, pundits, and NGOs tend to ignore it. There is a treatment of events as isolated, disconnected from the context under which they arose and into which they will fade. These attacks have arisen not spontaneously, but out of a series of circumstances, and when they fade they will become the foundations of the next set of attacks. Iran's recent actions online are inherently political acts that just happen to take a digital form, necessitating an understanding of the cyberpolitical contexts of both activists and the state (internally and externally) in order to understand motives, establish patterns, and anticipate future events.

