In the weeks before two Japanese and Norwegian oil tankers were attacked, on June 13th, in the Gulf of Oman—acts which the United States attributes to Iran—American military strategists were planning a cyberattack on critical parts of that country’s digital infrastructure. According to an officer involved, who asked to remain anonymous, as Iran ramped up its attacks on ships carrying oil through the Persian Gulf—four tankers had been mined in May—and the rhetoric of the national-security adviser, John Bolton, became increasingly bellicose, there was a request from the Joint Chiefs of Staff to “spin up cyber teams.” On June 20th, hours after a Global Hawk surveillance drone, costing more than a hundred million dollars, was destroyed over the Strait of Hormuz by an Iranian surface-to-air missile, the United States launched a cyberattack aimed at disabling Iran’s maritime operations. Then, in a notable departure from previous Administrations’ policies, U.S. government officials, through leaks that appear to have been strategic, alerted the world, in broad terms, to what the Americans had done.
During much of the Obama Administration, the United States’s cyber arsenal was strictly classified. As Michael Hayden, a former director of the N.S.A. and the C.I.A., told the filmmaker Alex Gibney in the documentary “Zero Days,” from 2016, “For the longest time, I was in fear that I actually couldn’t say the phrase ‘computer network attack.’ ” This past September, the Department of Defense issued a strategic plan that not only confirmed the existence of cyber weapons but declared its commitment to using them “to advance U.S. interests” and “defend forward.” The cyberattack on Iran in June was a manifestation of this new, more aggressive approach. (A spokesperson from Cyber Command, the military unit that oversees U.S. digital warfare, said, “As a matter of policy and for operational security, we do not discuss cyberspace operations, planning, or intelligence.”)
At Cyber Command, teams are assigned to specific adversaries—Iran, North Korea, Russia, and China, among them—and spend years working alongside the intelligence community to gain access to digital networks. Cyber weapons are stealth ordnance, written in zeros and ones, like all computer code. They can infiltrate whole networks or infect individual computers. They have the capacity to confuse enemy signals, shut down military attacks before they occur, and stymie communication systems, all without the flash and bang of the typical weapons of war. They rely on software vulnerabilities, poor cyber hygiene, and people who inadvertently open attachments infected with malware. According to Eric Rosenbach, the Pentagon’s cyber czar during the Obama Administration, speaking on the Lawfare podcast, offensive cyber activity is “painstaking work” that involves identifying a platform in another country, gaining access, and then remaining undetected, often for years, inside the system. While the cyberattack on Iranian maritime installations appeared to be an immediate response to the destruction of the drone, it was actually a long time in the making. “We didn’t just press a button,” Herbert Lin, a senior research scholar for cyber policy and security at Stanford, explained. “We’d done lots of work in advance to figure out what targets to hit and to maintain access to them. That happened months and years ago.”
Unlike most physical targets, which are stationary, digital targets are wily and dynamic. “A building is not going anywhere,” Robert Spalding, a retired Air Force general, told me. “You have its coördinates. If you decide you’re going to take out that building, it’s fairly easy. But say they just upgraded all the computer systems in that building. You’re going to have to go back to the drawing board if you want to launch a cyberattack.” And, of course, an adversary can simply turn off a computer or shut down a network, taking the target with it.
Last year, the Pentagon gave Cyber Command equal status with the nine other combat commands, which include Central Command and Special Operations Command, an indication of the Internet’s growing importance as both a strategic domain and a military asset. Cyber Command, Spalding said, likely keeps a range of options available at any given time, all of which can be “dusted off” as needed. Until then, he said, “it’s all kind of notional.” That appears to be what happened in the weeks before the drone was shot down. “The boat thing happened, and there was a national-security planning meeting, and they wanted specific courses of action,” the cyber official said. “I mean, those things are already on the shelf, so the question was, Did they want the big enchilada that would inflict a lot of damage, or did they want small ones that would just send a little scare?”
As he described it, planning a cyberattack follows strict military protocol, moving up and down the chain of command as the parameters of an attack are determined, and its benefits and costs are assessed. President Obama had to sign off on all cyberattacks, but in August, 2018, Congress passed a military-authorization bill that allowed some cyberattacks to be authorized by the Secretary of Defense. Around the same time, the Trump Administration issued “National Security Presidential Memorandum 13,” a secret directive which reportedly further eased requirements for Presidential approval in certain cyberattacks. According to Brandon Valeriano, the Donald Bren Chair of Armed Politics at the Marine Corps University, under the old policy, there “was too much concern about authorities and legalities, and, by the time everything was signed off on, it was past the time to operate. The idea is that the new policy allows more leeway to rapidly react as situations evolve.” (Because the directive has not been made public, its specific contents are unknown; members of the House Armed Services Committee have repeatedly demanded a copy of the document, but the White House has thus far refused to release it. The spokesperson said that Cyber Command “does not act without Presidential authorization.”)
While the situation was evolving in the narrow shipping lanes between Iran and Oman, in late spring and early summer, private cybersecurity firms reported that Iranian hackers had stepped up their attacks, including what appears to be a sophisticated influence and disinformation campaign, on American institutions. This was to be expected. In 2011, Stuxnet, the joint American-Israeli cyberattack on an Iranian nuclear facility, disabled thousands of centrifuges. In response, the Iranians quickly mobilized their own technical resources to target at least forty-six U.S. financial institutions, including the New York Stock Exchange, JPMorgan Chase, and Wells Fargo, with cyberattacks carried out over the course of more than five months. They also infiltrated the operating system of a dam in New York State, in 2013; attacked the servers of a casino owned by the prominent Republican donor Sheldon Adelson, in 2014; and held the city of Atlanta hostage with a ransomware attack, in 2018. “Every single day we’re basically under attack at all levels—not just the military but private citizens, businesses, government, academia—everything,” Spalding, the retired Air Force general, told me. “To prevent adversaries from doing this mercilessly, you have to create a deterrent, and the deterrent is the fear of retaliation.” (Stuxnet—which was widely credited with prompting the seven-country Iran nuclear deal of 2015—has never been officially acknowledged by the United States or Israel.)
The current hostilities were exacerbated after Trump pulled out of the Iran deal, last year, and tightened the grip of economic sanctions, which he claimed would force a better agreement. Instead, the Iranians began attacking the ships of countries that might, in turn, put pressure on the Americans to back off. And then they shot down the American drone. “I think Iran was trying to signal three things to the United States,” Amy Zegart, a cyberwarfare expert at the Hoover Institution and a professor at Stanford, told me. “One, that it’s serious and it’s willing to escalate. Two, that it’s still trying to be cautious and not escalate too precipitously. And three, that its defensive capabilities are better than we thought, because it takes a pretty sophisticated attack to shoot down the drone. It’s flying high enough so that it isn’t supposed to get shot down.” That the drone was unmanned, she said, was meaningful: the Iranians were not aiming to kill anyone.
In Valeriano’s estimation, choosing to respond to a physical attack with a cyberattack was an act of de-escalation under the circumstances. (Trump claimed that he’d called off military strikes capable of killing an estimated hundred and fifty people, minutes before they were supposed to begin.) “Retaliation often means escalating the situation,” he said. “What happened here is that there was an attack on Iranian facilities that were seeking to harm American equipment and capabilities in the region. The cyberattack was done below the level of war. It did not harm civilians. It was an off-ramp to war.” But Zegart cautioned, “What most people don’t think about, and what the national-security people are really alarmed by, is that we could stumble into a war that neither side wants because of the feeling that you have to retaliate.” She added, “We don’t understand escalation in cyberspace.”
In the past, the threat of mutually assured destruction was the way that nuclear powers kept one another’s lethal capabilities in check. Cyber weapons may offer some of the same assurances, but only to a point. Unlike nuclear weapons, which are expensive and stockpiled by a small number of states, cyber weapons are cheap and widely available, not just to nation-states but to criminals and malign actors. (According to a new study from the University of Maryland, American computers are attacked every thirty-nine seconds.) And unlike conventional weapons, whose trajectories are easily traced, cyber weapons, which move through fibre-optic cables that crisscross the globe, lend themselves to plausible deniability. How do you levy a threat when it’s not clear where an attack is coming from or who is responsible? The impact of a cyberattack can prove similarly elusive. As Lin, the scholar of cyber policy and security at Stanford, pointed out, “we don’t know what it means that we took the Iranian cruise missiles and its command and control systems down. Maybe it means we took them offline for a few days. Maybe it was more serious. We just don’t know.”
We do know that on July 11th, three weeks after the cyberattack, three Iranian boats tried to block a British tanker carrying oil through the Strait of Hormuz. In the weeks since the American cyberattack, the U.S. has imposed further economic sanctions, and Iranian hackers have continued their assault on American businesses. Cyber Command is planning its next moves, and not just in Iran. In June, the New York Times reported that the U.S. has been injecting malware into the Russian power grid. (The spokesperson from Cyber Command declined to comment on the Times’s reporting, but described it as inaccurate.) Shutting down an electrical grid, if that is the purpose of the operation, has the capacity to kill people. The Trump Administration, with Bolton in the lead, has made offensive cyber operations an integral arm of statecraft. It remains an open question whether they will also become lethal weapons of war.
Dr. Hans Mumm