How the Iran War Could Impact States and Localities

President Donald Trump indicated Monday that he expects his campaign in Iran — initiated in partnership with Israel on Feb. 28 — to last 4 to 5 weeks, but acknowledged the U.S. would be ready to fight “far longer than that.” The fighting has escalated quickly and expanded to involve several other countries in the region, including Cyprus and Lebanon. 

Iran does not have the ability to physically strike American shores. But state and local governments could feel the effects of the conflict via third-party cyber attacks, said Randy Rose, vice president of security operations and intelligence at the Multi-State Information Sharing and Analysis Center (MS-ISAC), during a public briefing. States and localities may also have to grapple with rising prices and digital service disruptions. 

“Second- and third-order effects, like the price of oil going up, transportation issues, flight cancellations, supply chain disruption — all of those things are on the table and likely to have an impact on the SLTT [state, local, tribal and territorial government] community,” Rose said.And, “we expect a lot of low-level cyber activity as the most probable near-term factor.”

Cyber Attacks

In the immediate aftermath of the U.S.-Israeli strikes, the Iranian government has been too busy responding to the physical damage to launch cyber attacks, said MS-ISAC Senior Director of Threat Intelligence TJ Sayers, during the briefing.

Iranian cyber activity was also initially dampened by a leadership vacuum after Supreme Leader Ali Khamenei’s death, which left government-backed hackers without clear guidance, and by the country’s widespread Internet outage, Sayers said. The outage is largely seen as a deliberate action by the governing regime, although some Internet infrastructure was damaged by the strikes.

Most of the retaliatory cyber attacks launched so far have therefore been the work of pro-Iranian hacktivists and allied actors located outside the country. These hackers are either acting on their own or following guidance they’d previously been given by the Iranian government about what to do in case of a major incident, Sayers said.

Hacktivists “don’t discriminate by target size or sophistication” and are likely to go after government entities of any size, as well as financial and energy entities, per Rose. Already, Iran supporters have hacked a few U.S. entities. A group known as Iraq’s Resistance Hub or FAD Team reportedly conducted a cyber attack that leaked personally identifiable information from Pennsbury Township, Pa.

In an email distributed Monday, threat intelligence company Flashpoint advised U.S. and European water and energy companies to take their industrial control systems — which manage physical operations for utilities, like water pumps, pressure valves and more — off the public Internet. This is a recommended cybersecurity practice that can prevent hackers from accessing and controlling crucial physical infrastructure.

Flashpoint also urges European and U.S. banks to be on heightened alert against malware attacks aimed at “wiping” — deleting or corrupting — data on their systems.

But Rose said most cyber attacks launched against state and local governments will likely be low level, such as website defacements and distributed denial-of-service attacks (which seek to overwhelm a service or network with a flood of traffic).

Also likely are SQL injections, which exploit software programs that check user-entered information against a database. (For example, when a person enters their username and password into a web-based login page, the program determines whether the login is valid by checking for this username-password combination in its database.) Instead of entering valid information, hackers conducting a SQL attack would enter code into the form’s entry field that prompts the program to disclose information stored in the database or alter or destroy data.

State and local governments can prepare. For one, they should patch their most essential software, like the programs they use to provide public-facing services. To combat distributed denial-of-service attacks, governments can “rate limit,” or cap the number of requests an IP address can send to a website within a certain amount of time, and they can deploy web application firewalls that block malicious web traffic, Sayers said. Meanwhile, they can better thwart SQL attacks by limiting the kinds of entries users can input.

Physical Attacks

MS-ISAC officials are also worried that, while the U.S. is outside of Iran’s striking distance, ideologically motivated actors could attack American targets in support. It’s not yet clear whether a shooter who killed three people in Austin, Texas, last weekend was motivated by the war with Iran, but officials are investigating that theory. The suspect, a U.S. citizen, was killed by police, and he wore a “Property of Allah” sweatshirt and a T-shirt with the colors of the Iranian flag.

Should Iran-aligned proxy groups seek to cause violence in the U.S., “any type of U.S. government, whether federal or local, would be a prime target for these types of physical threats,” Sayers said.

Government officials should ensure they’re in communication about threats with law enforcement and their state’s fusion centers, which are state-owned centers that gather, analyze and share threat information between all levels of government and private-sector partners. The MS-ISAC can also inform state and local governments about threats their peers are seeing, speakers said.

And government personnel should reduce personal information available about them online, especially their home addresses. They can delete inactive social media accounts, opt out of data brokers and request real estate aggregators remove their information, the MS-ISAC officials recommended.

Cloud Service Disruption

Major tech companies like Nvidia, Amazon and Google have operations in the Middle East. The violence has prompted Nvidia to temporarily close its Dubai offices and Amazon to close offices in Israel and seven other countries. Iranian strikes hit three Amazon Web Services data centers in Bahrain and the United Arab Emirates (UAE), causing physical damage, power disruptions and fires, whose dousing caused water damage. This reportedly led to digital services outages and disruptions in the UAE, including to some banking providers, payments services and a taxi app.

Disruptions won’t necessarily be limited to nearby organizations using the data centers’ services. If more data centers in the Middle East are disrupted, the computing workloads the centers had handled may be pushed to data centers in other regions, including the U.S.

“As certain providers are brought down, that workload has to be redistributed elsewhere,” Sayers said.

Competition for more limited computing resources could slow processing times and increase costs for operations that use data centers. That includes cloud services, AI models and content delivery networks, per Sayers. And it could take years to rebuild any destroyed data centers, causing prolonged effects.

States and localities should examine their supply chains and IT setups to see where they are dependent on Israel or other Middle Eastern countries, then make backup plans, should they experience an outage or disruption, Rose said.

“You may not be aware of all the vendors you’re working with today that have connections to Israel,” or other parts of the Middle East, Rose said. For example, Amazon, Google, Checkpoint, Nvidia and other tech companies “are currently operating under duress … they are within striking distance of the Iranian military.”

Governments need disaster recovery plans detailing what they will do if they experience a major cloud outage or other disruption and should practice transferring IT operations over to backup services, per Rose. They should also make paper copies of their emergency plans, in case a disruption prevents digital access.

Rising Prices, Delayed Shipping

Iran has blockaded the Strait of Hormuz, through which an estimated 20 percent to 31 percent of the world’s overseas oil transportation passes. Additionally, Iran’s military hit one of oil giant Saudi Aramco’s oil refining facilities, and pro-Palestinian hacktivist group Handala Team claimed it had disabled the company’s infrastructure and halted oil extraction, although as of Tuesday Flashpoint could not verify the hackers’ claims.

A disruption in oil supply can raise prices not only of gasoline, diesel and aviation fuel but also increase costs of producing and transporting all manner of goods. If prices keep rising — rather than spiking and then stabilizing — this could drive global inflation, per The Conversation. 

Additionally, the war could disrupt semiconductor shipping, per MS-ISAC officials. Air cargo carriers aren’t flying over the Middle East due to the war, and some overseas transportation is halted as well.

For state and local governments, that could mean higher project costs and shipment delays for items like new servers, Rose said. “If you have a major upgrade planned for the next couple of weeks or later in the summer, plan on, if the budget changes, what are your options?”