Industry reckons with fear of Iranian cyberattacks

‘Perhaps we should have a Trust Bureau to verify Trust similar to how a Credit Bureau is to verify credit risk,’ says Ananthanpillai

By Ken Showers, Managing Editor
Updated 12:12 PM CDT, Wed March 11, 2026
YARMOUTH, Maine — Military action involving Iran in recent days has sparked fears of digital reprisal, as cybersecurity experts across the industry prepare for potential attacks targeting critical systems and private data.
The consequences of such attacks could even spill into the physical world, according to RunSafe Security CEO Joe Saunders.
“With the U.S. and Israeli military bombing of Iran, the cyber domain becomes a channel for asymmetric response,” Saunders said. “Our infrastructure operators need to remain on heightened alert, especially since our critical infrastructure sectors are interconnected and even limited cyber incidents could have cascading economic and public safety consequences.”
To better understand the potential ramifications of this conflict for the security industry, Security Systems News spoke with Raj Ananthanpillai, founder and CEO of Trua, a reusable verified ID and screening company, and author of the upcoming book, The Trust Crisis: How Big Tech Stole Your Identity—and the New Model That Takes It Back.
SSN: You’ve argued that the real vulnerability in an AI-driven cyber conflict isn’t perimeter defenses but the concentration of sensitive identity data. What practical steps should organizations take to rethink how they store and manage identity data, and what would a more resilient identity infrastructure look like?
Raj Ananthanpillai: The real risk isn’t just perimeter defenses—it’s the massive honeypot created when organizations hoard sensitive personally identifiable information (PII), such as Social Security numbers, driver’s license details, biometrics and background data, in centralized databases. This makes them prime targets for breaches, ransomware or nation-state exfiltration.
Practical steps include shifting away from collecting and storing raw PII and toward reusable, user-centric verification models. Organizations should implement zero-knowledge or minimal-data-sharing protocols, eliminate redundant identity checks by integrating reusable credentials through APIs and adopt continuous, real-time monitoring.
In this model, users verify their identity once through a trusted, privacy-preserving provider such as Trua. They are then issued a cryptographically signed, portable credential that they control and can share selectively. One way to think about it is a “Trust Bureau” that verifies trust in the same way a credit bureau verifies credit risk.
SSN: If nation-state actors such as Iran begin deploying AI offensively in cyber operations, how does that change the threat model for enterprises compared to traditional cyberattacks, and why does it make large, centralized data stores a strategic liability?
Ananthanpillai: Traditional cyberattacks often seek financial gain or disruption and can be mitigated through strong perimeter defenses, patching and monitoring. Nation-state actors using AI offensively escalate the threat. AI enables hyper-targeted spear-phishing, deepfake-driven social engineering, automated vulnerability discovery and exploitation at scale, and sophisticated data exfiltration techniques designed to evade detection while prioritizing high-value intelligence.
Centralized data stores become massive strategic liabilities because a single breach can yield vast troves of PII. That information can then be used for identity theft, credential stuffing across multiple sectors or building dossiers for future operations. Nation-states can weaponize stolen identities at scale.
SSN: You helped architect national-scale identity systems such as TSA PreCheck. Based on that experience, what lessons can governments and private companies apply today to build digital trust and reduce the risk that identity data becomes a high-value target in geopolitical cyber conflicts?
Ananthanpillai: Trua management’s experience developing national security threat-mitigation systems informed the reusable trust credential model—essentially “TSA PreCheck for the digital age.” It relies on a one-time, rigorous vetting process that produces a portable, reusable trust token that can be used repeatedly without re-exposing sensitive data.
Key lessons from that experience include enabling one-time, high-assurance verification and reuse, giving users control and selective disclosure over their data, and preserving privacy by design. Organizations should avoid maintaining large, centralized databases of sensitive PII.
For companies today, prioritizing standards for portable trust credentials can significantly reduce identity data’s value as a geopolitical cyber target. When verification data is fragmented and user-controlled, attackers gain far less from breaches than they would from compromising large, centralized identity databases.