Iran Bans Officials From Using All Internet-Connected Devices Over Espionage Fears

Iran's Cybersecurity Command Issues Sweeping Ban on Internet-Connected Devices for Government Officials

INFORMATIONAL
December 6, 2025
4m read
Policy and Compliance | Regulatory | Threat Intelligence

Related Entities

Organizations

Iranian Government, Iran's Cybersecurity Command, IRGC

Other

Hezbollah

Full Report

Executive Summary

Iran's Cybersecurity Command has implemented a sweeping and severe security directive, banning all government officials and their security personnel from using any device capable of connecting to the internet or public telecommunication networks. This includes personal and government-issued smartphones, laptops, tablets, and smartwatches. The policy, reported by the IRGC-affiliated Fars news agency on December 5, 2025, is a direct response to escalating fears of cyber-espionage and the use of mobile device tracking for targeted assassinations by foreign adversaries, particularly Israel. The move represents a radical shift towards a policy of complete digital isolation for key personnel, prioritizing physical security over the operational efficiencies of modern communication.


Policy Details

The directive is absolute, prohibiting the use of any 'smart' or connected device by the specified personnel. The stated rationale is that such devices pose an unacceptable risk, as they can be exploited for:

  • Geolocation Tracking: Adversaries can track the precise location of an official, even when the device is powered off, through various hardware and network-level techniques.
  • Eavesdropping: Device microphones and cameras can be remotely activated for surveillance.
  • Data Exfiltration: Sensitive government data can be stolen from the device.

The policy explicitly references past incidents, including the assassination of Iranian nuclear scientists and the recent coordinated attacks in Lebanon where pagers and walkie-talkies provided to Hezbollah were remotely detonated. This context suggests the decision is driven by a perceived failure of defensive cybersecurity measures to protect high-value targets.

Affected Organizations and Personnel

  • Target Audience: All Iranian government officials and their associated security staff.
  • Banned Devices: Any device that can connect to a public network, including smartphones, smartwatches, tablets, and laptops.
  • Recommended Alternative: The directive suggests the use of secure, non-networked, 'anti-tracking' devices, though specifics on these devices were not provided.

Impact Assessment

This policy, while potentially effective at preventing certain types of attacks, will have significant negative consequences for government operations.

  • Operational Inefficiency: The inability to use modern communication tools will drastically slow down decision-making, information sharing, and day-to-day government functions. It effectively forces a return to analog or closed-network communication methods.
  • Security Philosophy: The move highlights a security philosophy of risk avoidance rather than risk management. Instead of attempting to secure connected devices with technology (e.g., EDR, MDM, encryption), the Iranian government has chosen to eliminate the risk entirely by eliminating the technology. This is a stark contrast to the approach taken by most Western governments.
  • Potential for Circumvention: Such a strict ban may be difficult to enforce universally, and officials may seek to circumvent it for convenience, creating a new form of shadow IT that is completely unmanaged and potentially even less secure.

Geopolitical Context

The directive must be understood within the broader context of the long-standing covert conflict between Iran and its adversaries, including Israel and the United States. This 'shadow war' has increasingly played out in the cyber domain, with both sides engaging in espionage, sabotage, and influence operations. Iran perceives itself as being under constant cyber-assault and views this extreme measure as a necessary defense for its key personnel and leadership.

Compliance Guidance and Lessons Learned

While few other nations would consider such a drastic measure, the Iranian directive offers several key takeaways for security leaders:

  1. Understand the Physical Threat: The policy underscores that for some high-value individuals, the primary cyber threat is one that enables a physical attack (kinetic action). Security strategies for such individuals must prioritize location privacy and protection against remote surveillance.
  2. The Limits of Technology: It serves as a reminder that no defensive technology is foolproof. A sufficiently motivated and resourced state actor can often find a way to bypass defenses. In some ultra-high-security scenarios, physical air-gapping and digital isolation remain the ultimate security control.
  3. Balancing Security and Usability: The Iranian approach represents one extreme end of the security-usability spectrum. Most organizations must find a more balanced approach, but the case illustrates the trade-offs that leaders must consider when setting security policy.

Timeline of Events

  1. December 5, 2025: Iran's Cybersecurity Command issues a directive banning internet-connected devices for government officials.
  2. December 6, 2025: This article was published.

MITRE ATT&CK Mitigations

  • Network Isolation: This policy is an extreme form of network isolation, completely air-gapping individuals from public networks to prevent tracking and remote exploitation.
  • Attack Surface Reduction: The ban on all smart devices is an extreme policy to limit the hardware available for an adversary to target.

D3FEND Defensive Countermeasures

The Iranian government's directive represents the most extreme form of network isolation: complete physical and logical separation of personnel from all public networks. This approach is taken when the threat of targeted kinetic attacks enabled by cyber-espionage outweighs the need for operational efficiency. For organizations protecting extremely high-value individuals or assets, a less extreme version can be applied:

  1. Air-Gapped Networks: For handling top-secret information, maintain physically separate, air-gapped networks that have no connection to the internet. Data is transferred via controlled, one-way diodes or manual transfer with removable media.
  2. Secure Enclaves: Provide high-value targets with a 'clean' device used only for sensitive communications within a secure, isolated network, and a separate 'dirty' device for all personal and internet-based activity. This compartmentalizes the risk.
  3. SCIFs: For government and defense, this principle is embodied by the Sensitive Compartmented Information Facility (SCIF), a physically and technically secured room or area where no personal electronic devices are permitted.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis | Security Orchestration (SOAR/XSOAR) | Incident Response & Digital Forensics | Security Operations Center (SOC) | SIEM & Security Analytics | Cyber Fusion & Threat Sharing | Security Automation & Integration | Managed Detection & Response (MDR)

Tags

Iran, OPSEC, Policy, Espionage, Geopolitics, Network Isolation
