As the United States weighs possible cyberattacks against Iran, it is looking for options that would deter Tehran from further strikes but avoid creating more conflict in the region.
After spending billions of dollars to assemble the world’s most potent arsenal of cyberweapons and plant them in networks around the world, United States Cyber Command — and the new era of warfighting it has come to represent — may face a critical test in the coming weeks.
President Trump is considering a range of options to punish Iran for this month’s attack on Saudi oil facilities, and has toughened sanctions on Iran and ordered the deployment of additional troops to the region. But a second cyberstrike — after one launched against Iran just three months ago — has emerged as the most appealing course of action for Mr. Trump, who is reluctant to widen the conflict in a region he has said the United States should leave, according to senior American officials.
But even as the Pentagon considers specific targets — an attempt to shut down Iran’s oil fields and refineries has been one of the “proportionate responses” under review — a broader debate is taking place inside and outside the administration over whether a cyberattack alone will be enough to alter Iran’s calculations, and what kind of retaliation a particularly damaging cyberstrike might provoke.
“The president talked about our use of those previously, but I’m certainly not going to forecast what we’ll do as we move forward,” Secretary of State Mike Pompeo said Sunday on CBS’s “Face the Nation” when asked whether a cyberattack might be an artful, non-escalatory response to this month’s drone or missile strikes on two of Saudi Arabia’s most important facilities. “This was Iran true and true, and the United States will respond in a way that reflects that act of war by this Iranian revolutionary regime.”
Mr. Pompeo noted that the American military was already sending additional troops to Saudi Arabia and the United Arab Emirates, largely to bolster air defenses. But those moves alone are viewed as unlikely to be enough to prevent further Iranian actions.
The question circulating now through the White House, the Pentagon and Cyber Command’s operations room is whether it is possible to send a strong message of deterrence with a cyberattack without doing so much damage that it would prompt an even larger Iranian counterstrike.
At least three times over the past decade, the United States has staged major cyberattacks against Iran, intended to halt its nuclear or missile programs, punish the country or send a clear message to its leadership that it should end its support for proxy militant groups.
In each case, the damage to Iranian systems could be repaired over time. And in each case, the effort to deter Iran was at best only partly successful. If the American charge that Iran was behind the attack in Saudi Arabia proves accurate, it would constitute the latest example of Tehran shaking off a cyberattack and continuing to engage in the kind of behavior the United States had hoped to deter.
The most famous and complex effort was a sophisticated sabotage campaign a decade ago to blow up Iran’s nuclear enrichment center using code, not bombs. The Obama administration later began a program, accelerated by Mr. Trump, to try to use cyberattacks to slow Iran’s missile development. And this past June, Mr. Trump approved a clandestine operation to destroy a key database used by the Iranian military to target oil-carrying ships — and canceled a traditional missile strike he had ordered to respond to the downing of an American surveillance drone.
The June cyberattack, according to two American officials, also did damage that Iran has not yet detected.
“Cyber can certainly be a deterrent, it can be a very powerful weapon,” said Senator Angus King, the Maine independent who is a chairman of the Cyberspace Solarium Commission, created by Congress, that is examining American offensive cyberstrategy. “It is an option that can cause real damage.”
Mr. King and other experts said Iran would most likely respond to a cyberattack with one of its own, given the vulnerabilities that exist in the United States and the hyper-connected nature of American life.
But current and former intelligence officials say a cycle of retaliation need not be confined to one military domain. Just as the United States responded in June to the Iranian downing of a drone and sabotage of oil tankers with a cyberattack, Iran could respond to an American cyberoperation with a terrorist attack by a proxy force or a missile strike.
The Pentagon has long held that a cyberattack could constitute an act of war that requires a physical response, and there is no reason to think that Iran would not pursue the same policy.
One senior administration official recently acknowledged that even Gen. Paul M. Nakasone, the commander of Cyber Command and the director of the National Security Agency, has warned Mr. Trump and his aides that the cyberarsenal is “no magic bullet” for deterring Iranian aggression in the Middle East.
In war games — essentially online simulations — held before the attack on the Saudi oil fields, officials have tried to figure out how Iran’s increasingly skillful “cyber corps” would respond to an American cyberattack. These Iranian fighters have already racked up a significant record: wiping out 30,000 computers at Saudi Aramco, freezing operations at American banks with a “denial of service” attack, and crippling a Las Vegas casino. Last year, they began to study the ins and outs of election interference, according to private experts and government studies of the 2018 midterms.
When General Nakasone was nominated for his job, he acknowledged that one of the biggest problems facing Cyber Command was that it had not cracked the deterrence problem. Nations that are attacking the United States via cyber “do not think much will happen to them,” he told Senator Dan Sullivan, Republican of Alaska. “They don’t fear us.”
In his first 18 months in office, General Nakasone has raced to bolster Cyber Command’s authority to act preemptively — and its preparations to respond to attacks. New, classified directives given to him by Mr. Trump, and built upon by Congress, allow Cyber Command to place “implants” of malicious software inside foreign networks without lengthy approval processes that run up to the president. Congress has called such efforts part of “traditional military authority.”
Iran has reportedly been a major target — no surprise, since General Nakasone was a key player in designing a plan called “Nitro Zeus” to shut down Tehran and other Iranian cities in the event of a war. The idea was to put together an attack so devastating that Iran might surrender without a shot being fired.
The 2015 nuclear agreement between the Iranian leadership and President Barack Obama eased the threat of war, and the American cyberoperations plan was put back on the shelf, at least until recently.
At the Pentagon, and even at Cyber Command, many senior officers are cautious about cyberwarfare, arguing that it is difficult for such weapons alone to deter an enemy.
The attack using the “Stuxnet” virus that crippled Iranian nuclear-enrichment centrifuges a decade ago was successful in a narrow sense: It blew up 1,000 of the 5,000 centrifuges up and running at the time. But when it recovered, Iran built upward of 14,000 more, and counterattacked by crippling Saudi Aramco’s computer systems.
A long-running series of cyberattacks has slowed but not stopped Iran’s missile program — and Iran has continued to provide thousands of short-range rockets to Hamas and other terrorist groups. The Saudis are studying whether a new generation of Iranian-made missiles were central to this month’s attack on its oil facilities.
The Pentagon and other military officials have told the White House that neither another cyberattack nor the new deployment announced Friday will likely prove robust enough to re-establish deterrence and prevent another attack by Iran on United States allies.
Part of the problem is that most cyberactivity is clandestine, so it is easy for a government to play down the consequences of an attack or deny it even took place.
But some people who favor stepping up cyberoperations suggest that officials are simply thinking too small. If a cyberstrike is damaging enough — taking a refinery offline or shutting down an electric grid, for example — it would be hard to hide. That might have a much more deterrent effect than the smaller bore operations the United States has undertaken so far, they argue.
But such a devastating cyberoperation would also increase the risk of escalation — just as a bombing run on the oil refineries would. Iran, or any other adversary, could claim that people were killed or injured, and that might be difficult to disprove.
A key element of deterrence is ensuring that an adversary understands the other side’s basic capabilities. Unlike nuclear weapons, though, which are widely understood, the American cyberarsenal is shrouded in secrecy, for fear adversaries will develop counter measures if even basic capabilities are known.
General Nakasone has argued that his cyberwarriors must be roaming cyberspace “persistently engaging” enemies — a euphemism for skirmishing with adversaries inside their networks.
“We must ‘defend forward’ in cyberspace, as we do in the physical domains,” he wrote in a Defense Department publication in January. “Our naval forces do not defend by staying in port, and our air power does not remain at airfields. They patrol the seas and skies to ensure they are positioned to defend our country before our borders are crossed. The same logic applies in cyberspace.”
But there is a growing consensus within Cyber Command that if cyberweapons are going to shape the actions of adversaries, they must be used in combination with other elements of power, including economic sanctions, diplomacy or traditional military strikes.
Mr. King, the Maine senator, sees the decisions over the next few weeks on Iran as a test case. “The president’s instinct is not to get in a shooting war, and I think he is right about that,” he said. “So the question is how do we respond?”
He argued that there was no urgency. “This was not a strike on New York City,” Mr. King said. “This was not even a strike on Riyadh. There needs to be a response. But there is time to pause and take a deep breath and consider all of the options — one of which is cyber — but also to think about how we de-escalate the situation.”