The United States launched a cyber operation against Iran in response to the September attacks on Saudi oil facilities, according to Reuters. Citing two unnamed U.S. officials, the report claims that the cyber operation “affected physical hardware” in an effort to degrade Iranian capabilities to spread “propaganda.”
The Houthi rebels in Yemen originally claimed responsibility for the missile and drone attack on the Aramco oil refinery. The United States, Saudi Arabia, Germany, France, and the United Kingdom, however, have pinned the blame on Iran. Iran has denied involvement in the attack.
The reported U.S. cyberattack is the latest in an ongoing cyber conflict between the United States and Iran that stretches back at least a decade. During that time, there have been multiple cyberattacks and reprisals between the two countries and their allies. This included the 2010 U.S.-Israeli Stuxnet cyberattack against the Iranian nuclear program. This was followed by Iranian reprisals in the form of denial of service attacks against U.S. businesses and the Shamoon attack against Saudi Aramco.
More recently, in June, the United States carried out cyberattacks against Iran in response to Iranian disruptions of shipping through the Strait of Hormuz and the downing of a U.S. surveillance drone. At the same time, two cybersecurity companies reported a spike in Iranian cyberattacks against U.S. government and critical infrastructure targets.
This latest attack is not the first time the United States has used cyber operations to disrupt adversary disinformation or propaganda campaigns. In 2018, U.S. Cyber Command undertook operations meant to counter Russian disinformation during the U.S. midterm elections.
The long-term effects of these recent cyber operations for the wider conflict between the United States and Iran remain unclear, however. New research by scholars of cyber conflict casts doubt on their potential effectiveness and alerts us to their potential risks.
Recent U.S. cyber operations against Iran seem to have had the benefit of providing response options short of armed conflict, which, as Brandon Valeriano and Benjamin Jensen argued, “can help de-escalate deadly militarized disputes.”
Nonetheless, it remains unclear whether such operations can lead to positive, long-term strategic effects. A recent study from RAND, for example, argued that most cyber operations that are intended to be coercive—which is a small portion—are not generally successful. In their research, Valeriano, Jensen, and Maness agreed that the ability of cyber operations to achieve coercive effects is limited, but that the “the United States achieves coercive success far more often than other cyber powers.”
Nonetheless, even for the United States, success is certainly not a forgone conclusion. Writing in the wake of the Saudi oil facility attack, Jacquelyn Schneider asked whether cyber operations were a viable U.S. response option that could deter future Iranian attacks. Her answer: achieving such effects would be difficult at best.
While cyberattacks do not generally lead to escalation and may even be de-escalatory, she argued that “cyberattacks are less likely to deter adversaries for the same reasons they are less likely to lead to escalation. Deterrence is all about sending signals to other countries that there will be consequences if they behave badly.” In general, however, cyberattacks fail to send signals that are “costly, visible, and credible,” making them “harder to use to send clear signals.”
Jensen reached the same conclusion in the wake of June 2019 revelations about U.S. hacking of the Russian electrical grid. He wrote, “There are real concerns about whether cyber operations are a sufficiently costly signal or even the right instrument of power to coerce rivals.”
Even some of the most prominent examples of offensive U.S. cyber operations are not clear successes. For example, Jon Lindsay and Ivanka Barzashka have called into question the success of the Stuxnet operation, arguing that it was not merely ineffective in achieving its goals but may even have been counterproductive. Jason Healey concurred, arguing that unmatched U.S. offensive cyber capabilities have not deterred adversaries like Iran “but, instead, has done the opposite. Iran became a far more serious cyber threat after Stuxnet.”
What’s more, Valeriano, Jensen, and Maness warn that though the United States is more successful in cyber coercion than other states, nonetheless these operations come with significant risks. These include “unintended proliferation” of cyber capabilities to nation-state rivals and criminals alike, as well as potentially damaging our ability to develop norms against aggressive use of cyberattacks against civilian critical infrastructures.
We can be thankful that, so far at least, the Trump administration has chosen to respond to Iran with cyber operations instead of kinetic military strikes that would certainly risk a deadly escalation of the ongoing conflict. But recent research on the nature of international cyber conflict indicates that whether those operations will have a positive, long-term effect on the conflict remains uncertain at best.
Sean Lawson is an adjunct scholar at the Modern War Institute at West Point and an associate professor at the University of Utah.