29 Sept 2025
The country's critical infrastructure suffers from a catastrophic lack of security, stemming from an exodus of experts, hardware sanctions, and systemic mismanagement. This pervasive insecurity leads to frequent hacks of vital services, eroding public trust and stifling economic activity.

The country faces a catastrophic state of infrastructure security, a persistent issue highlighted by frequent hacks across various sectors during times of both conflict and peace.
There is a fundamental inability to develop essential security tools like firewalls, attributed to a severe shortage of deep software engineering specialists and the inability to acquire necessary hardware due to political sanctions.
Many so-called local security products are merely repackaged open-source components with superficial web interface changes, often running on cheap, unbranded Chinese hardware, indicating a lack of genuine innovation and quality development.
Internet infrastructure companies struggle to provide adequate security, often resorting to aggressive filtering as their primary security policy. This leads users to rely on VPNs, which bypass existing security measures and further compromise overall network safety.
Even basic DDoS attack prevention mechanisms, such as Content Delivery Networks (CDNs), are either non-existent or ineffective, so internet outages and data center disruptions become the primary response to attacks and occur frequently.
Frequent internet cuts and service disruptions devastate businesses, from large enterprises to small online vendors, making it difficult to operate and discouraging investment in the digital economy.
While VPNs are intended for secure networking, widespread filtering forces users to rely on less secure proxies, making their online activities vulnerable to inspection. Many anonymous VPN apps downloaded from app stores are dubious, often requesting excessive permissions and potentially exfiltrating user data to entities like Chinese companies.
Policymakers and the government are criticized for making ill-conceived decisions whose negative consequences become apparent much later. There is a notable lack of accountability for security failures, with responsible individuals often merely reassigned rather than held to account.
Numerous critical institutions have recently suffered hacks, including Sepah Bank, Pasargad Bank, the Nobitex crypto exchange, the national broadcasting corporation (IBC), and the national fuel system, often with public denials despite evidence of data breaches.
The cybersecurity economy is dysfunctional, with a severe undervaluation of quality work. Banks and government organizations prioritize the cheapest tenders for security services and equipment, leading to substandard security measures and vulnerabilities.
Citizens have lost trust in nearly all digital services, including banking, email, electricity grids, and fuel systems, prompting some to revert to traditional, non-digital methods of managing assets and daily life, though even traditional banking has been affected by systemic issues.
Government organizations are often forced to use software with AFTA licenses (a local certification), despite these products frequently containing critical vulnerabilities. Independent security tests often reveal dozens of severe flaws that are subsequently ignored or downplayed by authorities.
Government systems are notoriously unreliable and frequently 'broken,' hindering public services and illustrating the poor quality and management of indigenous technical solutions.
Decision-makers often resort to primitive solutions like completely cutting off internet access during cyberattacks, believing it will protect data, a strategy that is ineffective against sophisticated threats like Stuxnet, which successfully targeted closed systems.
There is a significant lack of digital literacy education, leading users to employ poor security practices like reusing passwords. Government policies often further hinder user-initiated security by blocking access to secure foreign services like Signal.
Authorities employ sophisticated Deep Packet Inspection (DPI) to differentiate and block VPN traffic, making it increasingly difficult for users to maintain secure and private internet connections. The use of services like Starlink, a potential solution for stable internet, is criminalized as 'espionage.'
The current security situation is predicted to worsen, with infrastructure becoming even more vulnerable. The primary solution is for the government to seriously prioritize cybersecurity, understand the value of expertise, invest in quality solutions, and accept responsibility for failures, rather than relying on restrictive and ineffective measures.
The outcome of a government that lacks understanding, fails to go deep, and does not comprehend value is a mixture of disasters.
| Problem | Cause or Effect |
|---|---|
| Lack of Skilled Cybersecurity Personnel | Exodus of deep software engineers; inability to develop essential security products like firewalls. |
| Hardware and Software Procurement Issues | Sanctions prevent acquisition of quality hardware; local 'security products' are re-branded, vulnerable open-source software or Chinese hardware. |
| Ineffective Internet Security Policies | Reliance on aggressive content filtering, forcing users onto insecure VPNs/proxies that bypass any existing policies. |
| Frequent Cyberattacks and Data Breaches | Banks, exchanges, critical infrastructure repeatedly hacked due to systemic vulnerabilities and inadequate defenses. |
| Lack of Accountability and Poor Governance | No consequences for decision-makers or executives following security failures; policies are ill-conceived and lead to long-term issues. |
| Dysfunctional Cybersecurity Economics | Prioritization of cheapest tenders over quality, leading to substandard security services and products; undervaluation of expert work. |
| Erosion of Public Trust in Digital Services | Citizens lose confidence in banks and other online services due to constant hacks and data leaks, forcing a return to traditional methods. |
| Flawed Licensing and Approval Processes | Government-mandated software with AFTA licenses contains critical vulnerabilities, yet independent security testing is often ignored. |
