Why and When Do States Target Financial Institutions?

On request by a global financial institution, the Columbia University School of International and Public Affairs (SIPA) Capstone team assessed the likelihood that the Islamic Republic of Iran (“Iran”) will adopt a policy of financially motivated cyber attacks against international financial institutions within a two-year timeframe. The team concluded that it is unlikely that the Iranian government will adopt the policy for two main reasons:

• The costs of the policy would outweigh the potential benefits. Despite facing international isolation for decades, Iran continues to demonstrate an interest in reintegrating into the international system. Targeting financial institutions would likely jeopardize these efforts and damage Iran’s credibility as an economic partner.
• The potential gains from a financially motivated cyber attack campaign would likely be immaterial compared to the size of Iran’s ~$610 billion Gross Domestic Product (GDP) and would need to be of an unprecedented scale and persistence to represent a meaningful and reliable source of income for the Iranian government.

The team used structured analytic techniques to develop an assessment and a scenario analysis framework that the client can utilize to monitor ongoing developments. The Capstone team interviewed leading cyber and Iran specialists in and outside the US with experience in the White House, National Security Council, the Intelligence Community, private sector, and academia to collect original insights to answer the client’s question. The team also analyzed strategic and cyber decisions by North Korea and Iran to develop its assessment.