I think we'll get started. Thank you all for joining us. My name's Yeganeh Torbati. I'm a reporter with Reuters. And we're here to present a report that Colin and Karim have written about the cyber threat posed by Iran. Of course, when this event was planned a few weeks ago, we were sort of in a different situation in terms of what was happening domestically in Iran. And so of course, we wanted to address what's happened in the last eight days or so. So we are going to get to the reports, and the, so louder, sorry. They could turn up my mic a little bit. I think it's on. Can you hear me? All right. So we are going to get to the actual contents of the report and the really interesting findings that Colin and Karim have gathered over the last couple of years. But at first, we wanted to kind of start by addressing what we've seen over the last eight days or so. So Karim, if you could just start off by describing a little bit sort of how do you see this is different from 2009, and what are you observing?

So thank you all first for braving the cold and hi to all of those who are watching online. Just so we're all on the same page, I would argue that there are three main distinctions between today's protests and those of 2009. Number one is scale, obviously. In 2009, you saw at 1.2 to 3 million people take to the streets at its largest. There were protests of hundreds of thousands. This scale has been quite a bit smaller. The largest crowds I've seen this time around are perhaps tens of thousands of people. But what's much larger about these protests is the geographic scope. In 2009, it was mostly the city of Tehran, some smaller protests, and the city of Esfahan. But it was a lot of urban sophisticates. This time around, there are perhaps dozens. According to some estimates, I've seen up to 80 cities throughout Iran that are experiencing protests.
According to BBC Persia, 90% of these cities are essentially experiencing popular anti-government protests for the first time since 1979. So the geographic scope is much wider than it was in 1979. And I would argue another distinction this time around is the intensity of the slogans. In 2009, people were calling for their vote back. It was much more in the spirit of let's reform the Islamic Republic, at least initially. And then it radicalized over time. But this time around, you have people who are just totally fed up with the entire system, calling for death to the Supreme Leader, death to the Islamic Republic. And I thought from the beginning, first of all, none of us predicted this would happen. I say it's akin to predicting anti-national anti-Trump protests breaking out in Kentucky. These cities were thought to be the strongholds of the Islamic Republic. Cities like Qom and Mashhad. So none of us predicted this would happen. But when they did, I think myself, one of the lessons I learned from both the 2009 uprisings in Iran and the Arab uprisings is that there are no shortcuts from authoritarianism to democracy. There's infomercials for eight-minute abs, but there's no such thing as eight-minute or eight-day democracy. And this is a regime which remains firmly resolved to stay in power. Their security forces, as far as we can tell from far away, are pretty cohesive. One of the things I say about the Islamic Republic in contrast to the Shah's government, the Shah's government, many of their political, economic, military elite, they studied abroad or had foreign passports. So when the going got tough in 1978, they could make their lives outside of Iran. The Islamic Republic's elite, military, political elite, don't have that luxury. There's few places which these folks can go. They don't speak foreign languages or have foreign passports.
And so I always thought for that reason, this current leadership led by the Supreme Leader Ali Khamenei, they're willing to kill a lot of people, to kill en masse, to stay in power. But I don't think it's a society which is willing to die en masse to try to take power. And so for that reason, I've always thought that the odds, we can salute the courage of these protesters and we can, from a US perspective, try to do everything in our power to inhibit the Islamic Republic's ability to black out communications and repress en masse. But I always thought we needed to be sober about their prospects for success.

And so given the sort of repression of the protests that we've seen in the past eight days, Colin, I was wondering just to tie it into the subject of the report and the event today, can you tell us what you've observed about what steps the government has taken to limit communications, to slow down the internet and whatever else you may have seen?

Well, I think one of the things that's interesting is that you've seen a sort of drastic and consequential reintroduction of the sorts of censorship that was common during the Ahmadinejad era. And so what you saw, for example, I think that the historical parallel is the 2013 presidential election. In the lead up to the presidential election, you saw very aggressive blocking of circumvention tools, tools that are used to bypass Iran's filtering regime. You saw the targeting of dissidents with malware and eventually actually right after the official list of candidates was announced up until the election, you saw extremely aggressive throttling overall of bandwidth within the country. Actually, after Rouhani was elected, these sorts of tactics had generally subsided. While there was still censorship of social networks and social media platforms, there was sort of a sustaining of the status quo. Things didn't get better, but they didn't necessarily get worse.
In certain ways, overall internet speeds were slowly improved, access to 3G, 4G was introduced. But you didn't see Twitter unblocked, Facebook unblocked. And you saw the rise of Telegram as a service which ultimately eclipsed everything else and was not necessarily filtered. In fact, you saw the Rouhani administration would stake political capital on Telegram not being filtered and these services being available. So in the February 2016 parliamentary election, there was a lot of pressure to censor and while there was a blocking of circumvention tools, largely the Rouhani administration was able to resist hardliners' calls for the blocking of Telegram and others. What was really interesting is in the presidential election this year, a number of the companies that provide circumvention tools were kind of in war rooms. They had their back pocket mechanisms to evade any sort of thing that government would throw at them. And what was surprising is nothing happens. There was no filtering. And it was largely, things were left open. And then suddenly within the course of a couple of days of these protests breaking out, everything started to get shut down. And there was no investment of political capital. And so what you've seen at least is the blocking of Telegram which the Rouhani administration had resisted for four years. And you saw the throttling of internet. Now it's really hard to understand. Internet measurement is extremely difficult. It's a science in and of itself. The internet is a complex thing and it's hard to understand the totality of what the government is potentially doing overall, but especially for somebody who's in, for example, rural of Oz. So we have a lot of rumors and we have a lot of sort of statements that have been made that maybe the international internet has slowed down, been slowed down whereas domestic access is the same as always. We know that circumvention tools are blocked.
We know that certain social media platforms such as Telegram have been blocked. And so we know that there's been a rampant and very aggressive increase of censorship. We don't necessarily know. It's harder to know what the comparable change in the surveillance regime has been. We don't know, for example, if people are going out to protests with their cell phones, if those cell phones are being identified at certain locations and that those people are being rounded up. We don't quite know yet whether there's been an identification of protesters and spear phishing campaigns against protesters. So we at least know that there has been definitely a specific focus and a directive focus on these protests by the censorship regime. It looks like there has been some cases where it looks like there has been malware used targeting certain reformists or oppositional properties, but we don't necessarily know the totality of how that circumstance has changed.

Just taking the big picture, Karim, what Colin was saying about how after Rouhani's election things had opened up a little bit. I saw anecdote after anecdote in the news media about how ordinary Iranians away from Tehran would see images on Instagram of wealthy Iranians in Tehran boasting about how much money they were spending on their pets and showing off their SUVs and this had sort of stoked a lot of anger throughout the country. President Rouhani, the budget that he had publicized that sort of made clear how much money certain security organs and foundations were getting was spread through Telegram and shared. Do you think after these protests are suppressed that Rouhani will lose that argument, that he won't be able to say that okay, we should keep the internet speeds relatively high and not censor as much, or is that going to continue to be the same? Where do you see that going?

Well, let me take your first point first because I think it's a very important one.
George Packer of the New Yorker wrote a piece, I think it was in the New York Times over 10 years ago, and the title was When There Sees Here. And he was talking about this in a global context but basically when people around the world living in Africa and Asia, who are living in some cases at or below the poverty line, when they start through social media, cable television, Telegram, WhatsApp, they start to see how others around the world are living. How is that going to impact them psychologically? And I think the phenomenon we've seen in the United States and certainly in a country like Iran, one of the stats which jumped out at me when these protests began, and I was researching a piece for the Atlantic, was that in 2009, 1 million Iranians had smartphones; today, 48 million Iranians have smartphones. And so I think that the first point you said, which is this anger and disenchantment towards how many working class Iranians think nouveau riche and upper class Iranians are living, I think that is incredibly powerful. The other thing I say is that in America, if you catch your politician stealing or your clergyman stealing, that is much more angering to you, right? Because these are individuals who are supposed to be in positions of moral authority and responsibility. And in Iran, your politician and clergyman are oftentimes the same people, right? Because it's a theocratic system. And so when you have a theocracy, which is plundering and committing repression from a moral pedestal, I think this is just incredibly angering to people. And so Colin and I have talked about this a lot in terms of kind of internet speed and things like this. It just seems to me that this is a train which has left the tracks. Now that the Islamic Republic has embraced the internet and everyone has a smartphone, they can't turn the off switch.
And the challenge we seem to have is that when there are moments like this, all of us say, okay, we have to think about ways to inhibit the regime's ability to control information and repress and monopolize communications. And then the moment passes and then our attention goes elsewhere. And then when there is another tumult, whether it's in Iran or another authoritarian regime, we're kind of caught flat-footed again. So I hope this time around, there's maybe more of a sustained conversation about what practical measures. Vice President Pence had a Washington Post op-ed saying we stand with the Iranian people. And I just think that rather than the statements which are made by US officials or the tweets by US presidents, what's much more constructive is what practically can be done to inhibit these regimes, whether it's Iran or another regime, their ability to keep their populations back.

Just a final question before we get to the actual contents of the report. What practically can be done? Are there relatively easy steps that the US could take or other tech companies could take to ensure that Iranians have access to their tools?

Well, I think to start off on a positive note, Iranians have been the beneficiary of a sort of what is often called the internet freedom agenda, which is a set of programs and funding which has bipartisan support intended to open up access to information inside of the country. And so probably the primary example that would be the majority of the tools that are provided to Iranians to bypass the filtering regime are actually funded by US and European governments. And these are safe and secure tools rather than privately provided or domestically provided tools which open up access to the internet.
And this funding has also been very useful in making sure that at times like this in which there is a sort of a scaling up of the blocking of these tools, there are people on the other side whose specific job is to make sure that they remain available. I think that that's a success story and I think in which there has been attempts to be better and to open up access and that they're still providing VPNs to Iranians. Now these policies have led to certain American tech companies opening up certain services that otherwise wouldn't be available, but there are still very important products and platforms that are still not accessible because there are sanctions concerns. One of the areas of focus has been Google's App Engine service. This is a service that has been used in Egypt and the Emirates in order to bypass government-imposed blocking of secure communications tools. Unfortunately because of certain compliance concerns, Google App Engine is not available in Iran. And so subsequently what could be a powerful tool for bypassing the filtering regime is not available on a selective basis. I think that these are areas in which there could be a focus of the United States government in collaboration with the private sector in order to make services that are unavailable because the last thing that we want is there to be two filtering regimes. One, the Iranian government and the second, the American government. We wanna make sure this thing that we can all agree on which is that Iranians should have access to the internet is protected and secure and open.

So on that note, let's get into the actual findings of the report. It's a really remarkable report.
I think it adds a lot in terms of helping us all understand the strategic intent behind Iran's cyber activities and beyond just its targeting of private sector or even government entities in the West or in Saudi Arabia, the actions that it's taking within Iran against both dissidents but also reformist factions and even its own government officials and then also in the Iranian diaspora. So I was wondering if, Karim, you could start out by telling us a little bit about the genesis of the report and how it came about.

So I think that our timing has been incredibly fortuitous that the report is launched this week when this is a timely topic, but we actually began this conversation, Colin and I, over two years ago and it was shortly after the arrest of a close friend of mine, Siamak Namazi, who has been in prison over two years in Iran since October, 2015. And one of the things that the regime did after Siamak Namazi, in the hours after he was imprisoned, when we talk about this in the report, was that they took over his email accounts and they pretended to be him and they sent emails to a lot of his contacts including folks in this room, including myself saying, pretending to be Siamak Namazi and saying this is an op-ed that he had written about the JCPOA and whether the recipients could edit that op-ed. And if you open that attachment, the Islamic Republic could take over your Gmail account and in some cases your computer and they did incredible damage as a result. And so over the years I had also been, the Islamic Republic attempted to hack my accounts and the way I know this is that for those of you in the room who use Gmail I'd encourage all of you if you haven't already to use two-step notification because what happens with two-step notification is that you'll get a text message when someone is trying to log into your Gmail account from an unfamiliar device.
And there was one morning, I have some friends who work at Google so they encouraged me to do this years ago and one morning quite early, 6 a.m., I received dozens of texts back to back. Someone is trying to get into your, what is your passcode? Google will send you a text message as a two-step entry into your Gmail account and I kept getting dozens of these codes so it was clear to me someone was trying to log on to my Gmail from an unfamiliar device. So I woke up my poor friends who work in Mountain View because it was very early in the morning DC time, it was even earlier, three hours earlier, Mountain View time. And they said, yeah, we're actually watching this happen in real time and they could tell, in some cases, this was coming from Iran if the hackers weren't sophisticated enough to be able to conceal their location. So this is a topic that I've been interested in for personal reasons, obviously the issue of 2009 as well. And Colin said to me that he had been monitoring this for a very long time. And so we had an initial conversation and he sent me his findings which were incredible but I'm so ignorant about this topic that I had no idea about two thirds of what he was sending me in the terminology and what was going on. And so that's why to his credit, Colin was unbelievably patient with me. This was like a two-year writing process and our editors at Carnegie were really fantastic as well. I'm reminded of something that Walter Isaacson, who was a wonderful biographer, told me once about his book about Albert Einstein. He wrote a great biography of Albert Einstein and he said that I had to relearn calculus so my readers didn't have to. And so the challenge of this report was me learning from scratch all of these things which I knew nothing about. So all of you hopefully won't necessarily have to.
I thought if I don't understand it, then the broader readership may not and we wanted to make this report not just for a tech and cyber crowd but something which is accessible to a lay audience. So Colin was incredibly patient with me if there was a sentence or a term I didn't understand. I mean, what does this mean? What does this mean? What does this mean? And I think in the process he told me himself, this was like an MA master's degree in writing for you. So that was basically the genesis of it.

Tim, I want to bring you into the conversation as well. The report describes sort of a kind of a fuzzy connection between these Iranian threat actors and the actual Iranian government. And it's not, you know, it's very rare that the Iranian government actually takes credit for any single attack or even there are even contradictions in what it says about its own cyber capabilities. Can you put that in context? Is that sort of, are there parallels when it comes to China's behavior, Russia's behavior? Like how should we read that particular aspect of Iran's, you know, cyber activities?

Yeah, I think there are two aspects of that. The first one is the technical aspect where because of the internet and how it works that you can conceal the origin of an attack but I think the report and some of Colin's research also shows that what's often called the attribution problem is not a question necessarily of if it can be attributed but rather when and that if an actor has either the wits as Colin does or additional resources like a state does, you're able to actually trace back a lot of the malicious activity because a malicious actor might not be careful and might not be very good at concealing their identity and the indictments that we've seen come out of the US government, for example, provide very good insight into that. And the second piece is that certain states tend to use actors that are detached from the states to further increase plausible deniability.
If you look at proxy actors and when it comes to malicious cyber activity, I think sometimes we are quick to jump to the conclusion that this is a new phenomenon when it comes to cyber but when you actually start digging a little deeper and you compare countries, it turns out that it's more an extension of how states have been using these actors in the past and that I think Iran is a fantastic case study for how a country within the span of a decade, I think the first reports about when Iran started developing offensive cyber tools date back to about 2007. So within the span of a decade, Iran was able to develop these capabilities and essentially was using its existing system and was able to mobilize these actors to project their political power in that space.

So let's get into, Colin, what you actually did observe. The report is based obviously on open source research but also research that you conducted, primary research where you actually observe some of these attacks happening. So I was wondering if you could like bring out a few anecdotes for us who are, like Karim, maybe cyber illiterate, explain those sort of how that works and then what did you actually observe?

So I think maybe part of the answer to that comes out of the genesis of this. What was interesting is that I've had the fortune of having relationship, like relationships, working partnerships with members of the Iranian civil society and human rights community for some time. One of the things that was often talked about is the state-based hacking campaigns. But 2010, 2011, as best as I could, I could never get examples of somebody getting spear phished, having their account stolen, receiving malware. 2012, I started to really specifically focus, raising attention, saying if you get anything, send it to me, still nothing. And then suddenly two months before the 2013 election, I get too much. It was just too much, too much malware, too much phishing.
And what was interesting about this is that, having looked back at it a little bit later and especially in the context of private sector reports, all of a sudden the groups that I was seeing sending malware to dissidents outside of the country were groups that were getting published on later as having tried to engage in military espionage, having tried to attack a Saudi oil refinery, having tried to get into a US government system. These were the same groups. This was the same malware. And so what's useful is that, within the cybersecurity community, there are professional practices that give you access to a great deal of broader insight into what's happening in certain campaigns. An example that I've given that is accessible is just the principle of sinkholing. When you get malware, the way that malware often communicates is that it has to communicate back to attackers. Often what it does is it contacts a domain name like mymalware.com in order to understand where to send the files that it has stolen. There are a variety of ways of getting access to that domain name. Often you can ask domain name providers. Often that domain name has expired because the malware is older and you can just re-register it. And so suddenly you can potentially interdict the communications of this malware network. If you're sitting on that, you're suddenly seeing who's been compromised. That starts to tell you the broader profile. And so you've gone from one dissident sitting in London that received a malware to a broader sense of who was targeted or compromised by this campaign. In other cases, I think the first case was that the malware that was communicating actually had an embedded username and password. And if you just connected to that same resource with that username and password, you could see all of the other files that were stolen. It was pretty simple to understand who was being targeted and being compromised.
And so this, what this provided us, I think was, which was uniquely valuable, kind of like a longitudinal understanding of what somebody was doing at one time. And by having sat in this and having maintained these relationships and having gotten a broader sense of other campaigns, we could start to piece it together. And what we saw was that there was a lot of, there were a number of reports that were being published, especially about attacks against the private sector, against economic infrastructure, against defense companies. And these were often the same groups, the same malware that we were tracking. These were often the same people that were going after domestic dissidents or the same people that were going after regional adversaries. And it actually makes sense, right? What is the Islamic Republic afraid of? Karim can answer this better than I can. But my childish attempt at comparative politics would say, I think that the Iranian government is not necessarily as afraid of external invasion as they are internal dissent. And so if you're prioritizing your resources, yes, you might try to find like technical information about a European fighter jet, that might be a useful thing for you to know. But the existential fight, the regime stability fight is against reformist opposition, is against, even more so, is against people in the periphery of the country who might have grievances about how ethnic minorities are treated. It might be a BBC journalist in London who is very capable of digging up dirt about economic corruption. And so what we saw was there was a lot of this sort of overlap between these campaigns that we were seeing the private sector write about and the campaigns that we were seeing targeting people that were familiar with the community. And so it became interesting and useful to start looking at this in a broader sense and start to look at these things. And these themes are repeated and they're common and they're obvious.
And what we wanted to do is really kind of, I think, take out those themes and show them to a broader audience.

Sorry, if I can just share a few anecdotes as well in case I forget later. And maybe these are anecdotes slash questions for Colin. I mean, in the course of this report, I would get emails and texts from Colin and he'd say, do you know such and such individual? And it was oftentimes a senior former Obama administration official and he'd say, can you let them know that there is going to be an email in their inbox? And it's purporting to be someone from Human Rights Watch with a report about the human rights situation in the next country. Tell them not to open that report because that's a phishing attack and if they open it, their computer or their email account is going to be compromised. I guess the question for you is how the hell did you know these things? I never understood or figured that out. The second, which is also an anecdote, something I find funny, it may have no strategic slash cyber consequences, but I was always amused how these individuals who are essentially working for the Islamic Republic of Iran, either you found out they had hardcore pornography on their laptops or they would actually deface others using pornography, which is an interesting paradox that these kind of people working for an Islamist theocracy engage in that kind of stuff. The third thing is, one of my main takeaways, one of the main things I learned from this is the parallels between the way Iran projects power externally and how it uses cyber, which is essentially to use organizations like Hezbollah or Shia militias or the Houthis in Yemen in which they have plausible deniability so they can say, well, these folks are independent. I remember years ago when I was based in Tehran with the International Crisis Group and I would interview Iranian officials about Hezbollah, they would say, no, no, Hezbollah, we only provide them moral support, that's it.
Nowadays, Hassan Nasrallah says you can't sanction us because all of our support and resources come from Iran, but they have this kind of plausible deniability in a way to be able to say it implicitly signals what Iran is capable of, but on the surface, they can also deny that they have any involvement with it.

Do you wanna give us, enlighten us a little bit on some of the specific attacks and phishing attempts that you witnessed?

And the porn stuff.

The porn stuff. There's a lot of porn stuff. And there's a lot of cases in which you see very professional, let's say, intellectual class people unfortunately falling for spear phishing attempts that appear to be nude pictures from an attractive young woman. You're embarrassed for that individual at that time. You wanna be like, why did you fall for that? You know, I think, again, the value is and I would love to surface this more over time. So there's so many illustrative examples of how these attacks tell us broader things. You know, one of the things that I am going to, I think that we'll have the opportunity to surface a little bit more, but we allude to it in the paper, is that if you take, for example, the first public illustration of Iran's cyber capacity, it's the Iranian Cyber Army. Over, starting in December 2009, I think in response to perceptions that the internet was being used as American cyber warfare against Iran, you had groups, defacement groups, a defacement group suddenly vandalizing certain opposition websites, certain Israeli websites, and actually, their largest victories or accomplishments was briefly defacing Twitter, as well as briefly defacing the Chinese search engine Baidu.
What was really interesting is that we were given access to some historical records about domain registrations, and we actually found a little bit when Baidu sued its registrar, and we were able to connect the dots, and what was interesting is that this campaign, when it was published, there was a number of op-eds and statements saying, this is Iran's ability to inflict damage on the United States. This is indication that the Russians are supporting the Iranians in cyber warfare. This is indication that Iranians are first-tier cyber actor that they're able to take down Twitter, and when we start to put the elements together and string things together, it starts to look like actually the person that was the Iranian Cyber Army was potentially maybe one person who knew how to speak English and knew how to socially manipulate and work some of these domain name registrars, some of these elements of the internet infrastructure to his benefit and had been doing so over the course of six years for cyber crime, who had been stealing domain names and reselling them on the market. And so, and we actually, I think, I think we found the guy. I think his name is Omeed, and his social media profile talks about how he likes hot dogs and making big money, and he lives in Shiraz, and I think that that was such an enormously useful illustration of this asymmetry, right, and especially how Iran could, through proxies, appear to be larger than it is. The Iranian Cyber Army, as a concept, is still bandied about often, right? It has taken on its own kind of life, despite the fact that there hasn't been any activity in its name since 2013. But what it showed is Omeed in Shiraz could project this, you know, like global ambition in terms of the media. And so what we've tried to do is we've tried to connect these sorts of things.
We've been able to say, you know, the second case that I think that we really anchor ourselves on is a malware campaign that was called Madi, which was the first published report by cybersecurity companies. Kaspersky was one of the companies that published on it. And this was a broad, you know, a somewhat broad campaign of cyber espionage using indigenously developed malware that had clearly been effective at compromising a number of American and Israeli institutions to gain some access to data. What's interesting, and we didn't do the attribution on this, somebody else had found it, it looks like basically that came out of the Iranian defacement community, that some people inside of the country since 2007, 2008 had been developing malware, selling it mostly to spy on people's girlfriends. And that that was instrumentalized in order to pursue these more political ambitions after the fact. And similarly, you know, this had been happening since 2008, but suddenly you see in 2010 these being directed towards global and domestic ambitions. And in that vein we see, this is a recurrent theme, that these groups that had been defacing all of a sudden in 2009 and 2010 realize that they can form private companies. And you often see the vestiges of these, you know, quasi-penetration company information, penetration testing information security companies that are formed, that are small but consequential, but seem to be contracting to the state. All of a sudden in 2010 the state seems to be hiring people to be doing some sort of espionage work or to be doing cyber operations. And this is pretty common. When you read the reports from the private sector, you see a lot of these groups suddenly are interested in 2009.
And it really kind of, I think again illustrates a point which was assumed, but really kind of with information illustrates a point, which is it seems to have been the green movement and Stuxnet that really prompted Iran to be aware that this was an area in which it was attacked and it is an area in which it could retaliate and it is an area in which it could pursue its regional and domestic interests through. Yeah, go ahead, Tim. Just to build on Colin's point, I think Iran is a really fascinating case study because it also shows this interplay between the international politics and the domestic politics. And we also had a New York Times article that talked about the internet in a suit case and specifically about Iran. If I sit in Tehran and I read this article about the New York Times, in the New York Times, that makes me also imagine all sorts of things about what the US is up to, right? So what's so fascinating about the Iranian case that Colin alluded to earlier is with the same groups targeting dissidents abroad, focusing on dissidents at home, but also companies, is how governments select Tehran, but also others, for example, I think how the Kremlin thinks about this, how Beijing thinks about this, looking at this lens through information security and the control of information in a much broader sense than how we usually think about cyber security. This event has the tagline with cyber-attached to it, right? But I think a lot of times in the West we fall a bit in the strap of only looking at critical infrastructure, which coincidentally last year, all of a sudden changed with the election interference and people starting thinking much more about content and the role that could play. But Iran is a really interesting case study for how it's using these offensive tools across the board for both the domestic and the external projection of power that the regime is trying to imitate. 
The methods that Iran does employ and what Colin was mentioning, how one person could sort of pose as the Iranian cyber army and really kind of inflate Iran's cyber capabilities, what challenges that pose for the US or for sort of just global entities that want to enforce any kind of developing cyber norm or cyber rule that the global community is really working on, like how does Iran fit into that or challenge that goal? It's a great question, and I think one also with regard to the upcoming year that I think the White House is thinking about in terms of how it can impose more consequences on actors generally that engage in malicious cyber activity. If we take the example of the US indictment that came out that indicted seven Iranian nationals, it's a good case study because it shows three people who were part of one company and then four who were part of another company. And as part of the research I did for a separate project, I found that the four Iranians who were part of that one company had been publicly boasting about their web defasements on zone H which is a website for hackers where you can go if you defaced a website and you can claim credit for it. And then in 2012, they all of a sudden disappear after two years of posting these web defasements. And that's exactly the point in time where the US indictment claims that they started working with this other company including the one individual who has a relationship with the Islamic Revolutionary Guard and that's when the DDoS attacks happened against US financial institutions. So we focus very much on the control of information during this event so far. There's the other dimension of it with Saudi Aramco, the DDoS attacks against US financial institutions. And the US indictment so far has been the most public example of what the US government has done in response by trying to publicly name and shame to demonstrate that attribution is possible, that we can find out who's behind it. 
But what you can actually do with regard to these individuals, it's highly unlikely that these four will be arrested anytime soon unless they happen to travel to a country on vacation that happens to have an extradition treaty with the United States. Covert means, but that gets into it. We might find out in a couple of decades. But it's a really hard question that I think is somewhat unique to cyber because unlike international terrorism where you have a few individuals, they still need to be geographically close to their target when it comes to hacking. That's no longer the case. So can I make the point that Iran's use of cyber tools sort of reflects its use of proxies in the real world as well? One thing I wanted to, that was really interesting in the report is that for anyone who's a scholar of Iran, you're immediately aware of how factionalized the system is and how internally divided it is. And you document a lot of this actually happening where people like the foreign minister are attacked or fished by presumably people connected to the Islamic Revolutionary Guard Corps, former reformist politicians. Can you talk a little bit about what you observed on that front? Well, so actually if we go back, some of the oldest groups, so there's a group that's connected with the Ministry of Intelligence. It's colloquially named within the cybersecurity community, Magic Kitten. Magic Kitten actually, it turns out, had been thoroughly compromised by the NSA. And there are helpful slides that show who they were targeting because this was a training session within the NSA, a presentation from a training session that had been leaked by Snowden. And what you look is that while they redact the addresses, they've missed a couple. And you look and actually the addresses in those slides are within the country. And in fact, they are institutions in Qom. They are media institutions that are affiliated with the Iranian government, such as IRIB, the state media broadcaster. 
They are semi-attached agencies like the Center for Strategic Research, which in 2010 was actually headed by Rouhani. And so what that starts to tell you is is that this group in 2010, the oldest appearing group from the outset was targeting the Iranian government itself. And if you take that forward, about nearly every single group that has been published on was actually also targeting Iranian government officials. So the first group that we start looking at, again, is colloquially called Flying Kitten. It was first published by FIRAI in the Operation Zaffron Rose Report. And what was interesting is that that group, which was targeting the aviation industry at the time, which was targeting Boeing and others, had on repeated occasions attempted to steal the credentials, the passwords for Foreign Minister Zarif's Gmail account. And you move forward. This is also, this is occurring in early 2014, late 2013, at earliest. This is in the middle of the nuclear negotiations. And you move forward, and everyone around Rouhani especially, his immediate family members have clearly been targeted. His brother, Hussein Faridun, who was, I think, potentially for political purposes, targeted in a corruption trial, but has clearly not necessarily been, the hard line establishment has not been friendly with him, not been happy about him, has been repeatedly targeted by spearfishing attempts. You look forward and even we found cases in which actually the report has missed as early as this August, Zarif had once again been targeted by spearfishing. And so what it appears is that, even members of the government themselves are targeted. You take sort of an outer shell of that. If you move out a little bit more, reformist politicians are similarly targeted. People who purport to ascribe to the tenets of the Islamic Republic are repeatedly the most commonly compromised targeted demographics. We even saw some of Ahmadinejad's cabinet members being targeted in this process as well. 
So I think that's been, it was very compelling to see how much there's sort of a, it reflects the paranoia of the state in who they are targeting. Is there any political faction that's not targeted? For instance, is there any cyber actor that's targeting IRGC generals? We don't necessarily see that, but one of the questions that I've received is, do you see this factionism, right? So, and again, Karim can talk much more competently. So my barely informed understanding is, is that the way that the power structure lies within the security apparatus is that the IRGC decidedly falls under the Supreme Leader. The Ministry of Intelligence purports to fall under the president, but it's the individual who's appointed is always a very hard line individual. And so it's maybe the least controlled of all of the ministries. And so one of the questions that I've received is, do you see them hacking each other? And we don't necessarily see as much of the, I have not seen as much of the Ministry of Intelligence side. They actually seem to be more competent in their cyber actions. And so I haven't seen as much of that activity. I think that that would be awfully audacious if they're trying to hack the IRGC. I wouldn't rule it out, but we haven't necessarily seen. They haven't tried to hack Khamenei's Gmail account. I'm sure he has a Gmail account. How does that strike you, Karim? I mean, one thing I also notice in the report is that while Iran has invested some amount of money into this, the capabilities remain pretty third tier. And whether that's because of, that they just haven't given enough money or brain drain within Iran, I mean, can you identify some of those factors as well? So this was another thing that I learned in the process of doing this with Colin that even a third tier cyber actor like Iran can be very effective by preying on fifth tier cyber actors. 
So they may not be able to successfully hack Israel or the United States, but Saudi Aramco is sitting around not really paying attention to these types of things and their attack on Aramco caused enormous damage. One of the things I enjoyed in co-authoring the report was Colin would just sometimes say things to try to get me to understand something, kind of a simple anecdote. And I'd say, yeah, that's actually incredibly informative. And I remember one of the things he said was, he was trying to explain to me that very simple methods can have huge consequences. He said, well, the attack on the Democratic National Committee in 2016 was just a very simple phishing email, I guess, to John Podesta. And so that's what I think the Islamic Republic has done very well is preying on either individuals or companies or countries who really weren't focused on these things. And now as a result, the rest of the world is much more focused. And I guess this is a question for both. Tim, your book has a chapter, your forthcoming book has a chapter on Iran. One of the things that I think about, I think US officials think about is kind of the double-edged sword of using cyber as a weapon. Because once you launch an attack like Stuxnet on Iran or very sophisticated cyber attacks, it's a little different than conventional military attacks in that Iran can reverse engineer in some cases or better understand how these attacks were conceived, learn from it, and then use it as a tool themselves. I'm curious whether that, I'm sure I've oversimplified that. No, I think you point to a really important piece where if we take Stuxnet as an example, and the code that was used during the operation was designed to only really unleash the damage in that specific system because it was tied so that if it infected that system and that system was connected to another system, another level of the code would be executed. 
So the more sophisticated you are as an actor, I think the more targeted you can be because you have the expertise, the knowledge and the level of sophistication to make your cyber weapon much more targeted. If you are less sophisticated as an actor, be it Iran or for example, North Korea, then you might still be able to cause a significant amount of damage because you're actually less sophisticated and don't have the knowledge and expertise to limit your harm only for the intended target. So I think the WannaCry ransomware that we saw last year is a very good example of that where because so many of the systems remain unprotected, most people don't use two factors as you do, there are so many low hanging fruits that remain for even low level actors to cause a significant amount of damage. Another example is the blackout in Ukraine that occurred in 2015, December or 2014. Might be around the year here. But the damage that was caused by the malware, by the, through the outage, was not through the malware that was used. It was actually people having gained access to the systems and then using the legitimate credentials of the people operating the plant and then causing the blackout. The malware that was used as part of the operation was only used to obfuscate what was happening and to delay the recovery of the system. So again, the actual effect of taking the power out was the result of you gaining access to legitimate credentials. It wasn't because there was a super sophisticated malware that actually caused that effect. And I think that's the worrisome trend that you have the ability for even a small or unsophisticated group of actors to cause harm if they have the intent to do something. So I think we'll open it up for Q and A for questions from the audience. So if we can have the mics. Yes, this gentleman here, I'm sure. And if you could identify yourself and what institution you're representing. Nikosar Abangan. 
My question is for Karim regarding the signs of what happened in Iran in the last 10 days. Had you and your, let's say other people you know from different think tanks paid attention to the riots in places that were hit by water crisis, what we saw like in Eze, what we saw in Toy Sur Khan, what we saw in Abbas and all the places that people had gone to the streets for environmental problems like dust storms or water crisis. And also there were people killed actually like in the last two years in parts of Iran. And people, some people had said that we will have problems of let's say hundreds of thousands of or millions of my immigrants because of what the government has done in the last 20 something years. Thank you. So I've paid attention to it because I'm on your email list. So I see what you've written about it and I read it. And I think that in addition to the environmental crisis there was the recent earthquake in Kurdistan in which there was mass outrage at the colossal mismanagement and poor response measures. Listen, to make a very much broader point one of the reports we authored at Carnegie a few years ago, myself and Ali Vaez was looking at the economic cost of Iran's nuclear program. And remember we talked about that as well. And this is a regime which has poured tens in the case of the nuclear program, hundreds of billions of dollars when you consider the ancillary cost economic sanctions, et cetera for things which really don't have much return on investment. The nuclear program can at best provide something like 2% of Iran's energy needs when about 16% of Iran's energy is lost because of faulty transmission lines. And so whether it's pouring billions of dollars into the nuclear program, pouring billions of dollars into Bashar Assad or Shia militias or Hezbollah, I think the chickens are coming home to roost. And as we've seen in some of the slogans people are chanting, forget about Syria, think about us. 
And these places in Iran which are most affected by mismanagement and environmental issues whether it's because of poor water management or the building controls. It's astounding for me when I lived in Iran how it was actually a premium for people to live in buildings that were built before the revolution rather than post-revolution. People wanted to live in buildings pre-1979 because they thought there was a more proper building code than those were built post-revolution. So I think this is going to be, it's one of those, the issue you raise, environmental issues in a month ago, a month before in the month of December I co-authored a report on Iran's demographics. And it's a country which is as much older than many of its regional peers and they're totally not prepared for the future of an older aging society and how you reform pension systems. And I think the challenge the Islamic Republic has is that the leadership, the leader is 77, 78 years old. He's so focused on near-term crises and just making sure he dies as supreme leader that these colossal monumental issues like the country's natural resources, water issues, earthquake. There's an incredible statistic I once heard when I was living in Iran after the BAM earthquake the British embassy did a study from a British seismologist who estimated there was upwards of 97 or 90% chance of earthquake over seven on the Richter scale in the city of Tehran. That could be one of the great natural disasters of modern times, but I have no indication that the leadership in Iran is focused on these issues because they're focused on how do we keep, as I said in power, how do we project our power regionally, how do we suppress an internal insurrection? Another question from the audience? Yes, sir. I'm Mike Nelson with Cloudflare. This is a question primarily to Colin. Those of us in cybersecurity industry know that you have to worry about confidentiality, integrity, and availability. 
And most discussions about Iran focus on theft of data and DDoS attacks. We don't hear a lot about attacks designed to manipulate databases, whether it's bank records or hospital records or some other critical data set which if altered could really undermine trust in institutions. I'm just curious, Colin, or anyone else whether there's been any indication that the Iranians are trying to do this kind of undermining of institutions, not by stealing data but by altering it and maybe deleting every fifth character or something? Well, I would maybe take a step back further in the sort of chain of progression and I would say one of the things that I was looking for and I thought that I would see is Iran engaging more in information operations. I was really convinced that what Russia did during the US election would inspire Iranian groups to engage in the same behavior during the Iranian presidential election last May. I especially since it's clear that those people have been targeted, it's clear that a number of people in Rouhani's circle have even been compromised. And so clearly they must have some sort of embarrassing material about members of Rouhani's inner circle. I was thoroughly convinced that you would see some sort of operation to that effect. But you actually hadn't and I'm surprised that despite clear indication that a number of organizations such as opposition organizations outside of the country have been compromised that you haven't seen the leaks of embarrassing material or this sort of behavior. And I think that I would be looking for that first. I would be looking for them to start to instrumentalize and weaponize information before they started to get into more subtle forms of coercive campaigns. And that just hasn't seemed to have occurred. I don't know if the issue is intent or capacity. 
I could certainly understand that the Iranians are less likely to attempt to do that or be able to do that towards the United States because what is clear is that Iran doesn't seem to understand that actually hacking requires human resources as much as technical resources. There are times in which Iran seems to get to a certain level of sophistication which is respectable, engages in certain attacks which are credibly complex. And then they're entirely betrayed by the fact that the attackers speak terrible English. They're like beautiful, well-written malware and it's like please dear open attachment, thank you, goodbye, have a nice day. Yours, love truly. All of it, all of it misspelled. All of it misspelled, grammatically strange. For some reason enough hubris to think that they could try, don't go to Google Translate and end up worse. And so this is also, they're better at attacking Iranians than they are other people because they know Iranians at least. And so that to me says that they would be less likely to be able to pull off something like the DNC attacks, the attacks against the Democratic Party because they don't understand the human resource issues. And so I do think that there is at least a limit of capacity in that they haven't made that investment thus far. But in terms of domestic audiences, maybe I'm accidentally inspiring them, maybe I'm like challenging them, I apologize. But I'm surprised that they at least haven't come that far, let alone these sort of more subtle degradation attempts. Just to add two points on that. Iran is also a really good case study for I think how the government used its offensive cyber tools as part of the broader political game and context that was being played. And I think it's a good idea, the negotiations for the JCPOA and others. 
So I think there's always the question, what would actually be the incentive for Tehran to conduct these more coercive effects, especially given where we are currently in the political environment and the relationship with the US. And the second thing that I would add is, actually it's something that we at Carnegie at the Cyber Policy Initiative are very concerned about and we have a project dedicated to the integrity of financial data because we think it's something that might be coming down the pipe in the next five to 10 years and that we should be focusing on it. But as Colin just said, right now we are still in the comfortable, but in the position that we haven't seen this yet, but it's limited to data breaches and DDoS attacks with regard to Iran. Well, yeah, sir. Thank you, Patrick Tucker with Defense One. I wonder, two questions, I wonder if briefly you could describe whether or not you observed any change in Iranian cyber activity following the March 2016 Justice Department indictments of seven Iranians for a particular cyber activity that we ruled to be illegal. Was that, did the activity increase? Basically, did sanctions have any effect on what they were doing? And the second question is, if you've seen the Quds Force using any of these tactics to any degree, does that differ from the way the rest of the government uses them? Thanks. So I would, I think that would be, on the first question with regard to whether these indictments have deterred Iran or not, I think it's difficult to tell. I think that we tried to take a, as broad of a possible view in terms of the behaviors and the activity, but it's very difficult to understand internally the calculation, whether somebody decided not to do something because there was a concern about an indictment. 
I think that this also takes place within the context of, we certainly say that after the JCPOA, and certainly during the negotiations as well, that there's overall been a decline in disruptive attacks towards Iran and from Iran. And so that seems to be really the overriding political event that is shaping the nature of Iranian behavior rather than the indictments itself. What I would be interested in, which I don't think that we'll ever really know, is at least on a personal basis, how has that shaped the decisions of individuals to participate in these campaigns? Do the indictments stop people from working for the government? Have they withdrawn? I don't think that we have, at least I haven't seen a direct insight into the seven individuals that were indicted and whether they have continued to engage in certain actions. We certainly see that often when people have been published upon, that they tend to disband or change their operations, that it does in some way affect their calculation. But we don't necessarily understand to what extent, whether they go away completely and whether certain people just have not participated just because they are now fearful of being indicted, that they want to emigrate, for example, and they know that if they are named in an indictment that they won't be able to emigrate from the country. On the second case, I think that we, one of our primary contributions is that we use, that I think that we make the most clear case for an affiliation between these groups and the Revolutionary Guard. And we do so based off of a particular insight that only civil society has, which is the direct consequences to individuals as a result of these hacking and the relationship that Karim described with Siamak Namazi of people being arrested and attacks being launched from their accounts that can be directly tied to known threat actors. 
Those often seem to be, my guess has been, although there's not a level of confidence that this is said in the paper, my guess is that this is intelligence parts of the IRGC, but we don't go to a certain extent to say that this is affiliated or asked requested by the Quds Force that this is aligned with certain segments of the IRGC. We just sort of make a broader attribution to the Revolutionary Guard. Any other questions from the audience? Yes, sir, back there. We've seen them use the DDoS. Sorry, can you identify yourself? John Holkerson from FireEye. We've seen the Iranian actors use DDoS in the past with Operation Ababil. I wonder if we've seen anything more recently in the domestic sphere, especially to maybe knock out opposition media or something hosted outside of the country. Yeah, that's a great question. I've been interested in that especially because at the same time that you saw denial of service attacks being used disruptively against American banking institutions, you see a number of reports that say, or cases in which they were used against Persian language social media platforms, Persian language independent media sites. The BBC in 2012 disclosed that they were the subject of a denial of service attack that they attributed to Iran timed with the exact same day as the 2012 parliamentary election. You've seen other cases where even, for example, the Mujahideen, the MEK, said that in tandem with attacks against their location in Iraq, which they linked with Shia militants, there was also denial of service attacks against their properties. You've seen this really consistently. What has been interesting is I've reached out to a number of those people that were the subject of attacks and asked them if they had seen anything since 2014, 2015, and they actually hadn't seen much at all. 
And what I attribute that to is that, again, in terms of investment of resources under the internet freedom agenda and coordinating private sector contributions, this is a place in which we've actually excelled. And so there are a number of resources free or paid for by development agencies to protect against denial of service attacks. And a lot of those platforms that were targeted now have either free Cloudflare services, Google's Deflect service, or Google's, oh no. Google's free. Shield, thank you, it's his competitor too. Yeah, it's very generous. Or civil society organized efforts such as the Deflect network. And those have been very effective at fending off the level of attacks that Iranians are capable of. And I think that actually that improvement of defense has overall disincentivized from Iranians, Iranians from believing that that's a useful way of knocking people offline. Just to extend that, my answer a little bit too far, the reason why that was especially effective was that the platforms that were being denial of service attacked were often still forced to pay for the bills. And so what you'd have is somebody would be DDoS'd and they'd either face a choice. I mean they're gonna get a $5,000 Amazon bill or I'm going to turn my services off until I think that they've gotten bored. And so people will stay down for multiple days after a five minute denial of service attack. So it's just even the threat of a DDoS that was effective. And so since we've shifted that and we've been able to provide those resources, you just haven't seen that anymore. You make the interesting point in the report that Iranian civil society and their internal targets are often sort of the canary in the coal mine for where Iranian threat actors are going to look next and what the methods that they're going to use. 
And so the private sector and the targets, potential targets in the West and in the Gulf would do well to sort of pay close attention to the attacks that happen against Iran's civil society. Yes. Yes, sir. Hello, I'm Makram Rabah. I'm a lecturer at the American University of Beirut. Actually I'm interested in two aspects. One aspect we saw Hassan Nasrallah recently disclose his salary in a way to appease these voices calling for Iranian taxpayers' money going to Hezbollah. You think that this would actually resonate within these people. Second, and more importantly, the counter-terrorism for these cyber attacks. I feel that, be it the American administration or even Google, they are playing too nice. So they have a lot of restrictions when they were trying to counter ISIS. They had so much restrictions on these counter-messaging that it was ridiculous. You couldn't use blood, you couldn't use violence. And we know that initially in the Syrian Revolution when revolutionaries used cyber attacks against Bashar al-Assad and they got their hands on these pictures of... They say it's one of his assistants sending him nude pictures. It had a huge effect on his image. So why don't we see people reacting, individuals going after these people in Shiraz and actually putting up a real fight instead of telling us they want to counter these messages and do nothing about it? Thank you. I can maybe take a little bit of the second part. One of the challenges is how do you not only defensively but actively confront these attacks against activists? The reality is that the people that are conducting it are random individuals. And so there's not a lot of surface for retaliation against the attackers themselves. Similarly, if you broaden the scope of if you were to engage in some sort of active measures campaign, the hard line establishment has been very effective at staying kind of technologically behind for strategic purposes. 
I don't think that there's a lot of as much infrastructure exposed to kind of embarrass them through retaliating. And so what you've seen instead is an emphasis and a focus on the defensive aspect of it, making sure that people are secure. And I think that we have been very effective, again, at providing the tools for the dissidents that are being attacked to protect themselves. But the problem in this case is that one of the things that attackers are able to exploit is the fact that the internet is open and decentralized. And so when you start to look at the things in which you could potentially curtail individuals that have a malicious intent, you start to look at the sort of measures and organization that internet can maybe speak more articulately about this. You start to envision a model of the internet that is the one espoused by China and Russia. You know, if you want to absolutely control all of the attacks that occur on the internet, you're going to have to start to close down the internet. If you even wanted to, if we talk about using sanctions to deter Iranians, for example, the reality is that if you look back at the person who, there was a case in which there was a Dutch security company that was compromised by Iranians and in order to issue fake certificates to impersonate Google to spy on basically all Gmail users inside of the country, this was an incredibly consequential attack. And the fundamental resources that were used to orchestrate the attack were servers outside of the country paid for by a stolen Israeli credit card. And so even if you wanted to go to such an extreme that you were to cut Iran off of most platforms, you still wouldn't be able to because malicious actors are going to be malicious actors. And until we start to change the model of the internet that we all appreciate and love and take advantage of, they're also going to take advantage of that model as well. Can I just address the Hezbollah question? 
I read Nasrallah's speech last night and for context, several, I think it was several months ago, Nasrallah was asked about the risk of US sanctions against Hezbollah. And he said, all of our resources come from Iran. All right, all of our resources come from Iran. And so therefore we're impervious to US sanctions. In this speech, in the last 48 hours, he said he was significantly downplaying the support that Hezbollah got from Iran. And particularly his salary, he said, I only get a salary of about $1,300, $1,300 a month. And he also went on to say that the people in the streets shouting, forget about Syria, think about us, forget about Hezbollah, think about us, these are just a very, very small minority of Iranians and the vast majority of Iranians do support Iran's support for Hezbollah in its foreign wars. A couple of things I'd say. One is that there, I would argue, are far more people who resent Iran's external spending on Arab wars than the folks we saw in the streets. And this is a long-time phenomenon. You hear this, this has actually been reported for some time, including at the recent earthquake sites, people saying that if this earthquake had happened in South Lebanon, the government would have been much quicker to react than it had happened in Iranian Kurdistan. I think if you look at the Islamic Republic, it has been the highest exodus of Iranians from Iran in probably the 2,500-year history of Iran. The people have left Iran post 1979. And I think what many people resent, that I have to say myself included, is that you do have lots of Arab Shiites who have open access to Iran and they go back and forth and some of these are Arab Shiite journalists who work for Hezbollah news services and they are operating also in the Western realm, writing pieces for Al-Monitor and elsewhere. And you have an individual like Siamak Namazi and his father, Baquer Namazi, who if anyone knows them are really the embodiment of Iranian patriots.
They're languishing in Evin prison and you have others who are not even Iranians who are able to go back and forth through the country. So I do think one of the battles in Iran today is between the forces of Persian nationalism and Shiite nationalism. It goes back in some ways to what Kissinger said: is Iran a nation or a cause? And I would argue that many amongst the younger generation of Iranians want Iran to be a nation state which puts its national interest before revolutionary ideology. And when you look at things through that prism, spending tens of billions of dollars on Bashar Assad in order to be part of the resistance against Palestine doesn't make a whole lot of sense in the context of national interest.
Or if you want, yes, the woman in the back.
My name is Tove Abash. I'm with the Department of Defense. You mentioned earlier in the conversation a lack of resources, of human resources. Do you see any correlations or attempts at active recruitment within the computer programs in the universities straight into cyber programs or straight into the military? And do you see any indications of a willingness to spend more money on this recruitment and a willingness to train people?
Some of that is hard to see externally. I think that you can start to see fragments of that. Firstly, one thing to keep in mind is that we aren't able to find any cases in which the attacks that we're talking about are conducted by members of the military establishment itself. So there's a sort of recruitment but it's sort of a public-private initiative, the cyber warfare. But that being said, you see an increase in investments, but those are not necessarily proportional to what you would expect for a country like Iran. And so there was, for example, Rouhani increased the budget for cybersecurity and there was a lot of attention to the fact that it was like a 1,700 percent increase in a budget.
But Iran still, that was an increase from maybe like a couple million dollars to tens of millions of dollars. Whereas an American bank alone spent something like hundreds of millions of dollars, hundreds of millions of dollars on information security and in cybersecurity. Iran's investments have been actually fairly minimal for a country of 80 million that have been systemically compromised for purposes of coercion and espionage. And so there is still this, one of the things that I'm just surprised by is that they actually are much further behind than they should be. Why haven't they invested more? You've seen an attempt at fostering a more professional information security community, certainly. You see an increase of events such as capture the flag tournaments in Iranian universities. You do see more cybersecurity programs within the country. You see a greater emphasis by the cyber police on issues of fraud and personal security and other sorts of economic crime. So what I would say is that I would say, certainly Iran is getting better, but incrementally so. And you don't see the sort of investment that would be proportionate to what you would expect a more mature country where they would be at. And the gulf between the two, I think is substantial and I think it will take years and I think it'll take a greater focus in order to get there.
I think we have time for one last question if anyone has one. Yes, this one in here. Oh, you, ma'am, in the sort of middle section.
Thank you. My name is Ali Skas Alexander with the US Commission on International Religious Freedom. You had mentioned earlier the two points about the ongoing bipartisan support for the internet freedom agenda and about clarifying OFAC licenses and stuff. I was just wondering if you had any other specific policy recommendations based on this report?
Well, your affiliation was what exactly?
Okay, the reason why I ask is that one of the things we talk about, I know it's a beast of a report and probably I haven't gotten to the end of it yet because it just came out, but in the end we do talk about some of the attacks on religious minorities, including religious minority, Baha'i minorities, you know, Baha'i minorities in the US. And you do talk about some of the policy prescriptions, that they're not J.P. Morgan, right? They can't afford to hire Palantir and pay them tens of thousands of dollars a month to protect them. And so one of the things that Colin talks about is that it's important we think about policies and measures to protect these organizations who have, you know, are smaller fish, have much more minor resources, but are oftentimes the first warning of what's to come because as we've talked about, same groups that are hacking are going after Baha'i organizations in the US are oftentimes the same folks going after Aramco or going after infrastructure sites in the US. But I would say one of the problems that we run into, and with the Baha'i there's a specific case actually, which I think is extraordinary, which is that in March, 2014 there was a disclosure of a widespread espionage campaign that was very good at building up a social media presence that looked legitimate in order to conduct espionage against the defense sector. And there was an FBI report that followed a private sector report by iSIGHT. There was an FBI bulletin that listed actually the profiles that were involved in order to allow companies to see if they were affected, potentially targeted and respond to it. So this was a set of Facebook profiles, a set of LinkedIn profiles. What was interesting about that is that the private sector report had put out like 10 profile names. The FBI had put out something like 46, 52, and about 40 of those names had been actually Persian names.
And you think about it, it's like, who's gonna try to spearphish the defense sector with a Persian Iranian identity? And the reason why that is is that actually you go back and one of those, this was reported, one of those fake profiles was actually impersonating Ambassador Bolton. And that fictitious Ambassador Bolton profile had actually targeted a senior member of the Baha'i establishment.
It was a John Bolton LinkedIn profile, wasn't it?
Yes, yes. Also great English, terrible English. Good profile, terrible English. And what I found was that this was a really a stark example of how much there's a difference of opportunity for organizations and protecting itself. That the private sector had released this very well composed, they're not always well composed, but this was well composed piece of information on protecting yourself against attacks. And civil society was never given access to this. This was privately held until it leaked to a site. And I think that this shows that the differences when civil society are left out of the conversation that the FBI could have extended that opportunity. The document was gonna leak anyway. One of those organizations was probably hacked. The hackers were gonna get it anyway. So, but by sheer virtue of not including civil society or giving them the resources, they were less capable of defending themselves against this very consequential campaign. I think that there is opportunities for the private sector to invest more in making available resources for securing their users. Right now you have a situation in which during these campaigns, hard-line affiliated organizations like Tasnim News are using them in order to identify protesters and the platforms not having Persian language capabilities are not taking down those accounts. Similarly, there's an opportunity to invest more in the resources in order to protect users and take down those accounts.
There is certainly more opportunity for making sure that the private sector is being responsive to these sorts of attacks. That there's a closer information loop. That there are digital security resources that are being made available. And not just being made available to the diaspora, but the religious minorities that are inside of the country and further isolated from anything else. We go into this a bit, but there's always measures that can be extended, especially when you start to prioritize dissidents, religious minorities and understand that they are the canary in the coal mine if you wanna be utilitarian, but also just kind of morally the center of these attacks.
So this is just a taste of all the insights and information that are in the reports. I really urge you all to read it and please join me in thanking the speakers.
Thank you. Thank you.