Published by The Lawfare Institute
in Cooperation With
It turns out that U.S. Cyber Command’s June 2019 Iran operation may have been narrower—and more effective—than previously understood.
Those following the evolution of Cyber Command’s authorities, capabilities and activities will want to read this Aug. 28 article from Julian Barnes in the New York Times. It picks up the thread of reporting that made considerable waves two months ago, when the United States apparently considered a kinetic response to Iranian attacks on oil tankers and a U.S. Global Hawk surveillance drone but ultimately settled on conducting one or more operations in the cyber domain instead. Critically, the reporting on the target(s) of those operations varied in important ways, as I summarized here at the time. The initial scoop (from Yahoo! News) indicated that the target was an Islamic Revolutionary Guard Corps (IRGC) component involved in threats to shipping. Subsequent reporting from other sources expanded the story in an important way, asserting that there also was a Cyber Command operation to disrupt the systems supporting at least some of Iran’s missile-launch capabilities.
The story from the Times this week picks up the threads of those stories, clarifying the nature of one of those operations while denying the existence of the other. And, in the course of doing so, the article also provides a number of interesting insights about larger questions surrounding cyber operations.
1. Clarifying the nature of the operation that did occur, and denying the occurrence of another operation
First, the clarification: As noted above, the original story described in broad terms a Cyber Command operation to disrupt the capabilities of an IRGC component that focuses on shipping. Barnes explains that senior officials have now disclosed the precise nature of that operation. It “wiped out a critical database” IRGC used to track tanker movements in the Persian Gulf (one that facilitated target selection, apparently). Moreover, the operation also appears to have destroyed the functionality of at least some associated systems, most notably “including military communication networks” related to anti-shipping activities.
Second, the denial: The U.S. officials who spoke to Barnes were at pains to deny that Cyber Command also took action to impact Iranian missile systems, as had been reported previously. Such prior reports, they said, were “inaccurate.” Assuming that this is the case, it is a powerful reminder for those of us on the outside to be cautious in crediting accounts of these sorts of operations.
2. A fresh example of tension between securing the benefits of disruption operations and preserving the benefits of intelligence collection
Not surprisingly, the Iran operation is shaping up to be another case study concerning the perpetual problems of reaping benefits by disrupting an adversary’s systems while also incurring costs in terms of lost opportunities for intelligence collection (a tension intertwined with the ongoing questions regarding whether, when, and how to separate the Cyber Command/National Security Agency “dual hat” command arrangement).
The terms here are familiar: The United States has penetrated an adversary’s system on a sustained basis and, presumably, is reaping valuable intelligence as a result. But U.S. access is not just an opportunity for collection; it’s also an opportunity to disrupt functionality, perhaps even to delete data and brick hardware. This too can be valuable, but it runs a risk: Achieving a disruptive effect might come at the cost of at least a temporary loss of collection capacity. Why? Well, the answer is more complicated than is sometimes said, for it is not necessarily the case that collection capabilities will be lost in their entirety or permanently, and it might not even be the case that they are lost at all.
As an initial matter, it is not necessarily the case that the adversary will be able to locate the implants used in the attack or the vulnerability vector(s) through which the implants were placed. That said, it’s a very real possibility, and generally should be assumed to be the case. But what then? Commentators have to bear in mind the possibility—the likelihood—that the U.S. has established redundant and resilient access to the adversary’s system. A disruption option may well burn one pathway, on that view, yet it does not necessarily follow that the adversary will thereby find and remedy other penetrations. The bottom line is that those of us on the outside who are speculating about the trade-offs in such operations should not be too quick to assume that collection opportunities will be wholly foreclosed when Cyber Command carries out a disruption operation. (By the same token, of course, we should not dismiss the costs to collection, either.)
3. An illustration that disruption effects can be lasting?
Against that backdrop, Barnes’s article is fascinating. There’s a lot of discussion about these trade-offs, with much expression of concern from officials who seem focused on the collection side of the ledger. But while similar stories have appeared in the past in which the offsetting benefits from the disruption operation may have proved fleeting, Barnes’s account has officials expressing surprise at how long the effects of this operation have lasted. Those effects may or may not outweigh whatever collection costs we’ve experienced. I’m in no position to judge that from the outside. Still, the Iran example seems likely to become a pro-disruption counterpoint in debates over the utility of cyber operations, in which those arguing against a disruption operation often suggest that it might not be worth the candle due to the ability of an adversary to recover functionality quickly. Indeed, Barnes writes that the officials making this disclosure did so “in part to quell doubts within the Trump administration about whether the benefit of the operation outweighed the cost—lost intelligence and lost access to a critical network.”
4. More deterrence talk
A final observation: As has become expected in conversations relating to the policy wisdom of conducting disruption operations in the cyber domain, there is a lot of deterrence discussion in Barnes’s piece. This includes a reference to the idea that such operations are not necessarily escalatory (as some have warned they might be) but, on the contrary, can be particularly useful from an escalation-avoidance perspective (insofar as they can impose real costs on an adversary, yet without placing the adversary in a position from which it feels it has no choice but to escalate).