Cyber Warfare: Don’t Show Your Cards

    In cyber conflict, uncertainty is leverage. Has Iran nullified its threats of electronic devastation by demonstrating how little it can do?

    US political scientist Kenneth N. Waltz wrote in 1990 that the power of nuclear weapons resides in what a nation can do, not what it does. Similar rules apply to cyber threats: uncertainty over possible capabilities is far more powerful than absolute certainty over their limitations and shortcomings.

    For a decade, there has been a steady stream of concerns and reports about Iran’s cyber capabilities, fueled by bold statements from Tehran. These concerns have reached new levels during the US-Israeli war on Iran, with assertions that Western infrastructure, businesses and governments could be severely damaged by cyber-attacks.

    As the air campaign began on February 28, there was widespread understanding that cyber retaliation against the $30 trillion US economy was on its way.

    Declaring that it was the “response to ongoing cyber assaults against the infrastructure of the Axis of Resistance,” Handala, an Iran-linked hacking group, said the world would see the wrath of the Islamic Republic and its cyber warfare units.

    Then it happened, and the retaliation turned out to be the targeting of a medical device company headquartered in Michigan. The hackers wiped remote devices running on the Windows operating system by using a Microsoft utility that was not properly configured.

    While the attack scraped the surface of the corporate system, it did not harm the core of the company’s IT infrastructure. There was no systematic targeting of other companies or organizations and no major lateral movement from entity to entity.

    The group also managed to hack the personal emails of FBI director Kash Patel, a breach that was embarrassing but showed no evidence that the group had broken into any US government systems.

    Both attacks were unsophisticated, and a long way short of what might be expected from a state actor, particularly one that had talked up its cyber capabilities as much as Iran.

    By March 18, the US government had not identified an increase in Iranian cyber activity, Nick Andersen, acting director of the Cybersecurity and Infrastructure Security Agency, told the Record.

    The impact has been much smaller than claimed by Iran’s Revolutionary Guard and cyber units. They had some success targeting US banks and Middle Eastern companies before the war, but their performance since the bombing began suggests their capabilities were wildly exaggerated.

    Iran’s cyber capacity should not be underestimated: it comprises an extensive system of state and state-aligned actors with shared funding, tactics and procedures. But bragging about its capabilities and then delivering microscopic impact has minimized cyber as a strategic tool for Tehran.

    The mere existence of cyber capabilities should force an adversary to consider what could happen, especially in an increasingly tech-dense and digital society under the secrecy and fog of war, and that consideration can directly shape the adversary’s decision-making.

    But the Iranian Revolutionary Guard’s cyber operation has failed to create deterrence or to affect its adversaries’ thinking because it has highlighted the limits of its abilities and outlined what it can’t do.

    By contrast, the Ukrainian and Russian cyber communities, with the experience of four years of war, have successfully maintained uncertainty for their opponents about their true capacity. This has forced both sides to constantly consider the possibility of the enemy using capabilities that are unknown, with effects that cannot be predicted.

    This uncertainty creates the leverage Kenneth N. Waltz noted: it is not what you do, but what you can do. Without uncertainty about what it could do, a cyber force’s impact on its enemy’s decision-making evaporates.

    Jan Kallberg, Ph.D., LL.M., is a non-resident Senior Fellow with the Transatlantic Defense and Security program at the Center for European Policy Analysis (CEPA) and a George Washington University faculty member. Follow him at cyberdefense.com and @Cyberdefensecom.