In the aftermath of the assassination of Iranian Maj. Gen. Qassem Soleimani, commander of the Quds Force, the Department of Homeland Security warned: “Iran maintains a robust cyber program and can execute cyberattacks against the United States. Iran is capable, at a minimum, of carrying out attacks with temporary disruptive effects against critical infrastructure in the United States.”
The warning comes amid alarming reports about Iranian cyber-capabilities.
Iran certainly has a proven history of using cyberattacks against financial systems, oil companies and U.S. dams. Furthermore, the United States and Iran have engaged in cyberattacks before and throughout this crisis. However, research suggests that the consequences of cyberattacks are more complicated than these warnings might suggest. Here’s what you need to know.
Cyber is a poor substitute for other forms of violence.
The first way in which cyberattacks can be used is for direct offense. Here, people often think of cyberattacks as a possible substitute for other more conventional weapons of warfare (like airstrikes or missile attacks). However, there is no historical evidence of cyberattacks leading to immediate and extensive physical casualties (civilian or military). It turns out that it is hard to use cyberattacks to achieve physical consequences, much less serious physical harm. The damage that cyberattacks can do is more subtle and long term than, say, a missile strike. Furthermore, it is difficult to predict how much damage a cyberattack will do in advance. In short, cyberattacks are typically more difficult to carry out and less useful than more conventional attacks, such as missile attacks, drone or manned airstrikes, or naval engagements.
Cyberoperations are not good deterrents.
The second possible use of cyberoperations is as a deterrent against further escalation. Here, the idea is that the threat of cyber-retaliation might deter others from attacking. For example, in June the Trump administration threatened cyberattacks against critical infrastructure in Iran as a way to deter further Iranian escalation after a drone and missile strike on a Saudi oil facility.
Evidence from war games and U.S. decisionmaking discussions suggests that the U.S. has been restrained in its own cyberoperations, because it fears starting a tit-for-tat series of cyber-retaliations that might end up hurting the U.S. overall. However, there is no publicly available evidence that cyberoperations have successfully deterred physical attacks (for example, missile and air trikes) by either the U.S. or Iran. Academic research suggests that the characteristics that make cyberoperations unique (they are virtual in nature, covert and often reversible) mean that they are poorly suited for deterrence. Virtual attacks have less tangible consequences, and covert actions are less likely to deter, precisely because they are unknown.
Cyberoperations can provide influence and intelligence.
Cyberoperations aren’t very good at delivering violence or deterrence. What they can do is to gather intelligence and spread influence. Iran is not as good as Russia at gathering information via hacking. However, it does have a history of attempting to influence regional populations and in stoking anti-U. S. sentiment. Further, the United States has said on record that it uses “defend forward” counter-cyber-operations to make it harder for the Islamic States to use cyberoperations for intelligence and influence. U.S. and Iranian information gathering and influence operations may not be violent or create immediate physical effects. However, they may affect the willingness of domestic constituencies (in both countries) to support further escalation of the crisis.
The real dangers are quite subtle.
The real danger of cyberoperations is not that they will create the same kind of violent effects as an airstrike or missile strike. Instead, they can have short-term consequences if they slow down and confuse militaries, making it harder for them to carry out their missions. Daily attacks and probes can also be an irritant and distraction, drawing attention and resources away from more serious challenges, and increasing the fog of war. This can help equalize the balance between more powerful digitally dependent militaries (like the U.S. armed forces) and weaker, less digitally dependent states such as Iran.
There are also possible long-term costs to attacks. Even when they are aimed at soft economic targets rather than important military systems, it is costly for businesses to defend against, respond to and survive cyberattacks. More broadly, there are long-term risks if key infrastructures, such as financial systems and elections, are degraded. Cyberattacks are not likely to have devastating short-term consequences, but they can gradually erode the foundations of social, political and economic stability over time.
Jacquelyn Schneider is a Hoover Fellow at the Hoover Institution. She wrote this article for the Monkey Cage, an independent blog anchored by political scientists from universities around the country and hosted by the Washington Post.