What do we know about cyber-operations, one of the options on the table? Reports of National Security Council meetings shortly after the drone and missile strike suggest that President Trump has mentioned the possibility of using cyberattacks on Iranian targets.
The United States and Iran have already clashed in the cyber-sphere. A report a few months back suggested that the Trump administration conducted a cyberattack to retaliate when Iran downed a U.S. drone. Iranian-sponsored hackers reportedly have launched cyberattacks on U.S. government sites.
But retaliatory cyberattacks may have complicated consequences. Successful retaliatory strikes need to do two things. First, they need to send a credible signal to the target that attacks of this kind will not be tolerated. Second, they need to limit the risk of escalation through spiraling retaliation and counter-retaliation.
Can cyber-operations do this? Research suggests that this is difficult, but maybe not for the reasons you’d expect.
The Trump administration is thinking more aggressively about cyberattacks
The Trump White House has advocated for a more assertive and preemptive use of cyber-operations. The Obama administration generally was more cautious in how it used cyberattacks, fearing they would lead to escalation.
The Trump administration, in contrast, sees cyber-operations as a way to “defend forward” and “persistently engage” — terms that describe the Defense Department’s new strategy of preemptive cyber-operations to degrade adversary nations’ ability to conduct cyberattacks. The White House has delegated authorities for action (or permission to conduct cyber-operations) to the Defense Department to make it easier to respond quickly, and has approved cyber-operations against the Islamic State and Russia.
So it’s not surprising that the Trump administration is actively considering cyberattacks. However, the idea is getting pushback from national security reporters including David Sanger and Julian Barnes, who suggest that cyberattacks are ineffective and likely to lead to escalation.
There’s evidence to suggest cyberattacks aren’t escalatory
Recent work by Sarah Kreps and me finds that the American public is less likely to support retaliation against a cyberattack than against an airstrike, even when the two create similar effects. U.S. government security decision-makers seem to feel the same way. Research by Brandon Valeriano and Benjamin Jensen, as well as evaluation of strategic war games, finds that players are less likely to respond to a crisis by escalating when they are given cyber-tools — and less likely to respond with violent escalation when the adversary conducts a cyberattack.
These researchers looked at responses from people in the United States for the most part. However, statistical analysis of international cyber-incidents reaches mostly similar conclusions, as does research on battlefield operations in Ukraine. The emerging consensus among researchers is that cyberattacks aren’t unusually escalatory. If anything, the opposite is true.
Less escalatory may mean less effective
However, cyberattacks are less likely to deter adversaries for the same reasons they are less likely to lead to escalation. Deterrence is all about sending signals to other countries that there will be consequences if they behave badly.
As other scholars have noted, the best deterrence signals are ones that are costly, visible and credible. Here’s why cyber-operations often fail this test: They may be hard to detect, hard to attribute to their source and hard to turn into a credible threat, because they may rely on vulnerabilities that are easy to plug if the target knows about them. This all makes cyber-operations less escalatory, but also harder to use to send clear signals.
Moreover, as Sanger and Barnes note, the United States is in a particularly vulnerable position when it uses cyberattacks, because the U.S. way of life depends more on digital technologies than Iranian society does. So if Iran responds to a cyberattack with another cyberattack, the United States may come off worse. Furthermore, the United States depends more on the global communications infrastructure than Iran does, generating further vulnerabilities that might deter America from using cyberattacks.
Cyberattacks have trade-offs
These are the kinds of trade-offs that the Trump administration will think about when deciding whether to use cyber-retaliation to deter attacks from Iran. But it’s important to note that cyber-operations aren’t just used for deterrence.
The Defense Department is also engaged in “defending forward,” which focuses on undermining the enemy’s ability to conduct cyberattacks through cyber-operations and special partnerships with critical infrastructure and the Department of Homeland Security. These operations are less about deterring future attacks than about actively degrading capabilities to conduct attacks today. Relatedly, the United States could use cyber-operations to decrease Iranian military capabilities, especially in conjunction with conventional military strikes. The United States may very well be contemplating the benefits and disadvantages of such actions, especially if relations with Iran deteriorate further.
Jacquelyn Schneider is a Hoover Fellow with the Hoover Institution at Stanford University and a nonresident fellow at the Naval War College’s Cyber and Innovation Policy Institute. Follow her on Twitter @jackiegschneid.