Iranian cyberattacks: A likely retaliation scenario?
After the Soleimani strike, security pundits warned of a wave of Iranian cyber retaliation. Systematic evidence on Denial-of-Service attacks around sanctions and foreign policy events suggests large-scale disruptive cyberattacks are less likely than expected, though patriotic hacker activity remains a real possibility.
This article was originally published at Political Violence @ A Glance on 20 January 2020. It is reposted here with the original wording largely preserved. The working paper referenced below has since been published in the Journal of Global Security Studies.
Following the lethal drone strike against the Iranian general Qassem Soleimani on 3 January 2020, many experts, pundits, and news outlets outlined different scenarios predicting how the Iranian government might respond. Experts agreed that Iran would retaliate. The only remaining questions were how and when.
Recent missile strikes against Iraqi bases housing American military forces showed that Iran was ready to use conventional weapons in response, albeit in a limited capacity. But as Navin Bapat noted at PV@G, the Iranian government might also opt for more irregular responses. Iran could ramp up activities to disrupt shipping in the Strait of Hormuz or support Houthi rebels in targeting oil facilities on the Arabian Peninsula. Both tactics would impose severe economic costs on the United States and the world economy.
Cyberspace as a response
Another scenario put forward by security pundits was that Iran would respond in cyberspace. Iran and the United States have a long history of cyber conflict, and some cyberattacks appear linked to foreign policy events. In 2012, for example, Iran-based hackers targeted US banks with Denial-of-Service attacks, in which servers become unavailable to users. The attacks were reportedly a response to newly issued sanctions. Denial-of-Service attacks are not particularly sophisticated. They simply overload servers with data traffic. But the economic costs can be substantial, running into millions of dollars for banks and other companies when servers are taken offline. Telecommunication server outages can be even more costly.
How common are these attacks after foreign policy events?
In a working paper (later published in the Journal of Global Security Studies), I explore this question empirically. I ask whether Denial-of-Service attacks against the United States and the European Union rise after threats or impositions of sanctions. Unlike earlier empirical work, I use internet traffic data to measure Denial-of-Service attacks. This allows me to include covert and failed attacks that never make it into the media.
The main finding is that, in most cases, sanction threats or impositions are not associated with Denial-of-Service attacks in the short or medium term.
There is evidence of a large-scale increase during some incidents. At the beginning of the Crimean crisis in 2014, Denial-of-Service attacks against servers in the United States and the European Union rose sharply. But qualitative accounts suggest the likely perpetrator was not the state. Patriotic groups and citizens appear to have used cyberattacks to express displeasure and protest. Attribution in cyberspace is hard, and governments may still have been involved directly or through sponsorship of patriotic hacker groups. Studies on the large-scale Denial-of-Service attacks against Georgia in 2009 and Estonia in 2007 reach similar conclusions.
What this means for the Iranian case
Cyber operations have features that make them a poor substitute for conventional coercion. They are covert, hard to attribute, temporary, and impose only limited damage. This makes it unlikely that the Iranian government will initiate large-scale disruptive cyberattacks as a foreign policy response to recent events. We are more likely to see continued low-level conventional responses such as the missiles fired at military bases in Iraq.
That said, we may also see dynamics similar to Crimea in 2014, where citizens and pro-government groups launch Denial-of-Service attacks to protest. Recent defacements of government websites condemning the drone strike and praising the Iranian regime point in this direction.
To be clear, this does not mean Iran is inactive in cyberspace. It is very active, and its future operations will likely be more sophisticated and part of a longer-term strategy. But while Iran expands its espionage and infiltration capacity, my analysis shows no systematic evidence of a link between aggressive foreign policy events and direct responses in cyberspace. States still tend to rely on conventional means in these scenarios.
Originally published at Political Violence @ A Glance, 20 January 2020. The working paper referenced above is now published as Lutscher, P. M. (2022), “Digital Retaliation? Denial-of-Service Attacks after Sanction Events”, Journal of Global Security Studies.