The Washington Post

Iran can use cyberattacks against the U.S. That’s not nearly as bad as it sounds.

Cyberwarfare can do little short-term damage, although it can have insidious long-term consequences

Analysis by
January 6, 2020 at 7:40 a.m. EST
The first day of the 36C3 Chaos Communication Congress in Leipzig, Germany, in December. (Jens Schlueter/AFP/Getty Images)

In the aftermath of the assassination of Iranian Maj. Gen. Qasem Soleimani, commander of the Islamic Revolutionary Guard Corps’ Quds Force, the Department of Homeland Security warned: “Iran maintains a robust cyber program and can execute cyber attacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”

The warning comes amid alarming reports about Iranian cyber capabilities.

Iran has a proven history of using cyberattacks against financial systems, oil companies and U.S. dams. Furthermore, the United States and Iran have engaged in cyberattacks before and throughout this crisis. However, research suggests that the consequences of cyberattacks are more complicated than these warnings might suggest. Here’s what you need to know.

Cyber is a poor substitute for other forms of violence

The first way cyberattacks can be used is for direct offense. Here, people often think of cyberattacks as a possible substitute for other more conventional weapons of warfare (such as airstrikes or missile attacks). However, there is no historical evidence of cyberattacks leading to immediate and extensive physical casualties (civilian or military). It turns out that it is hard to use cyberattacks to achieve physical consequences, much less serious physical harm. The damage that cyberattacks can do is more subtle and long-term than, say, a missile strike. Furthermore, it is difficult to predict how much damage a cyberattack will do. In short, cyberattacks are typically more difficult to carry out and less useful than more conventional attacks, such as missile attacks, drone or manned airstrikes, or naval engagements.

Cyberoperations are not good deterrents

The second possible use of cyberoperations is as a deterrent against further escalation. Here, the idea is that the threat of cyber-retaliation might deter others from attacking. For example, in June, the Trump administration threatened cyberattacks against critical infrastructure in Iran as a way to deter further Iranian escalation after a drone and missile strike on a Saudi oil facility.

Evidence from war games and U.S. decision-making discussions suggests that the United States has been restrained in its cyberoperations, because it fears starting a tit-for-tat series of cyber-retaliations that might end up hurting the United States overall. However, there is no publicly available evidence that cyberoperations have successfully deterred physical attacks (for example, missile and airstrikes) by either the United States or Iran. Academic research suggests that the characteristics that make cyberoperations unique (they are virtual in nature, covert and often reversible) mean that they are poorly suited for deterrence. Virtual attacks have less tangible consequences, and covert actions are less likely to deter, precisely because they are unknown.

Cyberoperations can provide influence and intelligence

Cyberoperations aren’t very good at delivering violence or deterrence. What they can do is gather intelligence and spread influence. Iran is not as good as Russia at gathering information via hacking. However, it does have a history of attempting to influence regional populations and stoke anti-U.S. sentiment. Further, the United States has said on record that it uses “defend forward” counter-cyberoperations to make it harder for the Islamic State to use cyberoperations for intelligence and influence. U.S. and Iranian information-gathering and influence operations may not be violent or create immediate physical effects. However, they may affect the willingness of domestic constituencies (in both countries) to support further escalation of the crisis.

The real dangers are quite subtle

The real danger of cyberoperations is not that they will create the same kind of violent effects as an airstrike or missile strike. Instead, they can have short-term consequences if they slow down and confuse militaries, making it harder for them to carry out their missions. Daily attacks and probes can also be an irritant and distraction, drawing attention and resources away from more serious challenges, and increasing the fog of war. This can help equalize the balance between more powerful digitally dependent militaries (like the U.S. armed forces) and weaker, less digitally dependent states such as Iran.

There are also possible long-term costs to cyberattacks. Even when they are aimed at soft economic targets rather than important military systems, it is costly for businesses to defend against, respond to and survive cyberattacks. More broadly, there are long-term risks if key infrastructures, such as financial systems and elections, are degraded. Cyberattacks are not likely to have devastating short-term consequences, but they can gradually erode the foundations of social, political and economic stability over time.


Jacquelyn Schneider is a Hoover Fellow at the Hoover Institution.
