<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Cyberattacks | Philipp M. Lutscher</title><link>https://philipplutscher.net/tag/cyberattacks/</link><atom:link href="https://philipplutscher.net/tag/cyberattacks/index.xml" rel="self" type="application/rss+xml"/><description>Cyberattacks</description><generator>Wowchemy (https://wowchemy.com)</generator><language>en-us</language><copyright>© 2026 Philipp M. Lutscher</copyright><lastBuildDate>Sat, 18 Jul 2026 00:00:00 +0000</lastBuildDate><image><url>https://philipplutscher.net/media/icon_hu8adef5b4a50bb129ed49533269d2b982_8923_512x512_fill_lanczos_center_3.png</url><title>Cyberattacks</title><link>https://philipplutscher.net/tag/cyberattacks/</link></image><item><title>Hot topics: What type of reporting attracts cyberattacks in autocracies?</title><link>https://philipplutscher.net/post/hot_topics/</link><pubDate>Sat, 18 Jul 2026 00:00:00 +0000</pubDate><guid>https://philipplutscher.net/post/hot_topics/</guid><description>&lt;p>Most authoritarian governments censor the press. Many independent outlets respond by moving online. But the internet is not as safe as it used to be. In &lt;a href="https://doi.org/10.1017/psrm.2021.68" target="_blank" rel="noopener">an article in &lt;em>Political Science Research and Methods&lt;/em>&lt;/a>, I explore what type of reporting attracts Denial-of-Service (DoS) attacks on news websites in autocracies. It is the paper I worked the longest on (and the one I am proudest of), and here is the short version.&lt;/p>
&lt;h2 id="the-theory-censorship-through-friction">The theory: censorship through friction&lt;/h2>
&lt;p>DoS attacks flood a server with traffic until the website becomes unreachable. As a censorship tool, they have two attractive properties. They work against websites hosted anywhere in the world. And they are covert. Users just see a website that will not load, and attribution is notoriously difficult.&lt;/p>
&lt;p>Building on Molly Roberts' fear, flooding, and friction framework, I argue that DoS attacks censor primarily through friction: they raise the costs of accessing and distributing undesirable information. The paper&amp;rsquo;s core theoretical contribution is to unpack these friction costs along two dimensions. Costs fall on news consumers and on news providers, and they materialize both immediately and over time:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Consumers, temporary.&lt;/strong> During an attack, the website is unreachable at a potentially critical moment. Most readers will not wait or investigate. They move on.&lt;/li>
&lt;li>&lt;strong>Consumers, long-term.&lt;/strong> Frequent outages train readers to switch to more stable sites. Unreliability also erodes the outlet&amp;rsquo;s credibility.&lt;/li>
&lt;li>&lt;strong>Providers, temporary.&lt;/strong> Outlets must hire IT experts and DoS mitigation services. While offline, they lose advertising revenue, their main income.&lt;/li>
&lt;li>&lt;strong>Providers, long-term.&lt;/strong> Accumulated costs and shrinking readership can push outlets toward self-censorship. Attacks can also serve as a signal that harsher censorship will follow if the content does not change.&lt;/li>
&lt;/ul>
&lt;p>This framework explains why DoS attacks are used selectively rather than constantly. Their value as a covert friction tool diminishes if a site is permanently down, since readers would start asking why. If the goal is friction, attacks should follow the publication of undesirable content. That is the observable implication the paper tests.&lt;/p>
&lt;h2 id="the-measurement">The measurement&lt;/h2>
&lt;p>Reported attack data is of little use here. Attacks on independent outlets in autocracies mostly go unreported. So I measured them myself.&lt;/p>
&lt;ul>
&lt;li>I monitored 19 private and independent Venezuelan news websites every 30 minutes for seven months (November 2017 to June 2018), a period spanning municipal and presidential elections.&lt;/li>
&lt;li>Server status codes reveal likely attacks: repeated 503 errors indicate a server overloaded by traffic.&lt;/li>
&lt;li>In parallel, I scraped each site&amp;rsquo;s headlines daily and used topic models to classify what they reported on.&lt;/li>
&lt;/ul>
&lt;p>This design avoids two classic problems in cyber conflict research: selection bias (only looking at attacked sites) and reporting bias (only counting attacks that made the news).&lt;/p>
&lt;h2 id="the-findings">The findings&lt;/h2>
&lt;p>Attacks were rare but patterned. Six websites were hit, on 19 attack days, clustering around the elections.&lt;/p>
&lt;p>Reporting on certain topics raised the likelihood of being attacked:&lt;/p>
&lt;ul>
&lt;li>&lt;strong>Protest and repression.&lt;/strong> In line with what we know from censorship in China.&lt;/li>
&lt;li>&lt;strong>Regime-delegitimizing topics.&lt;/strong> Reports on exiled opposition figures, resignation demands, and elections. These showed the most robust associations.&lt;/li>
&lt;li>Clearly non-political topics showed no relationship.&lt;/li>
&lt;/ul>
&lt;figure id="figure-categorization-of-the-50-identified-news-topics-bold-topics-display-significant-positive-correlations-with-the-likelihood-of-dos-attacks-source-political-science-research-and-methodshttpsdoiorg101017psrm202168-cc-by-40">
&lt;div class="d-flex justify-content-center">
&lt;div class="w-100" >&lt;img alt="Categorization of the 50 identified news topics. Bold topics display significant positive correlations with the likelihood of DoS attacks. Source: [*Political Science Research and Methods*](https://doi.org/10.1017/psrm.2021.68), CC-BY 4.0." srcset="
/post/hot_topics/topics_huca5b6c321eab1f6109d06e0a353a29b2_111143_5cd713b31b85244339bf4a28a89c98c1.png 400w,
/post/hot_topics/topics_huca5b6c321eab1f6109d06e0a353a29b2_111143_878f7836408d039987d052168a51c8bb.png 760w,
/post/hot_topics/topics_huca5b6c321eab1f6109d06e0a353a29b2_111143_1200x1200_fit_lanczos_3.png 1200w"
src="https://philipplutscher.net/post/hot_topics/topics_huca5b6c321eab1f6109d06e0a353a29b2_111143_5cd713b31b85244339bf4a28a89c98c1.png"
width="760"
height="376"
loading="lazy" data-zoomable />&lt;/div>
&lt;/div>&lt;figcaption>
Categorization of the 50 identified news topics. Bold topics display significant positive correlations with the likelihood of DoS attacks. Source: &lt;a href="https://doi.org/10.1017/psrm.2021.68">&lt;em>Political Science Research and Methods&lt;/em>&lt;/a>, CC-BY 4.0.
&lt;/figcaption>&lt;/figure>
&lt;p>Who is behind the attacks is harder to establish. Attribution is an inherent limitation in studying cyberattacks. The perpetrators may be state units, state-sponsored proxies, or pro-government groups acting on their own. What the patterns show is that the attacks follow the logic of censorship: they concentrate on content that threatens the regime.&lt;/p>
&lt;p>The Venezuelan case extends the China-focused censorship literature. In an electoral autocracy, it is not just collective action potential that draws censorship attempts. Anything that questions the regime&amp;rsquo;s legitimacy appears to raise the likelihood of being targeted.&lt;/p>
&lt;h2 id="why-it-matters">Why it matters&lt;/h2>
&lt;p>The internet made it easier for the press to evade traditional censorship. This paper shows the countermove. Cyberattacks make it possible to disrupt news websites globally, cheaply, and deniably. DoS attacks are one tool in a growing kit of authoritarian information control that includes filtering, flooding, and harassment.&lt;/p>
&lt;p>The article is open access. Read the full version &lt;a href="https://doi.org/10.1017/psrm.2021.68" target="_blank" rel="noopener">here&lt;/a>. Replication materials are on &lt;a href="https://doi.org/10.7910/DVN/AK1C65" target="_blank" rel="noopener">Dataverse&lt;/a>.&lt;/p></description></item><item><title>Iranian cyberattacks: A likely retaliation scenario?</title><link>https://philipplutscher.net/post/iran/</link><pubDate>Mon, 20 Jan 2020 00:00:00 +0000</pubDate><guid>https://philipplutscher.net/post/iran/</guid><description>&lt;blockquote>
&lt;p>&lt;em>This article was originally published at &lt;a href="https://politicalviolenceataglance.org/2020/01/20/iranian-cyberattacks-a-likely-retaliation-scenario/" target="_blank" rel="noopener">Political Violence @ A Glance&lt;/a> on 20 January 2020. It is reposted here with the original wording largely preserved. The working paper referenced below has since been published in the &lt;a href="https://doi.org/10.1093/jogss/ogab001" target="_blank" rel="noopener">Journal of Global Security Studies&lt;/a>.&lt;/em>&lt;/p>
&lt;/blockquote>
&lt;p>Following the lethal drone strike against the Iranian general Qassem Soleimani on 3 January 2020, many experts, pundits, and news outlets outlined different scenarios predicting how the Iranian government might respond. Experts agreed that Iran would retaliate. The only remaining questions were how and when.&lt;/p>
&lt;p>Recent missile strikes against Iraqi bases housing American military forces showed that Iran was ready to use conventional weapons in response, albeit in a limited capacity. But as Navin Bapat noted at PV@G, the Iranian government might also opt for more irregular responses. Iran could ramp up activities to disrupt shipping in the Strait of Hormuz or support Houthi rebels in targeting oil facilities on the Arabian Peninsula. Both tactics would impose severe economic costs on the United States and the world economy.&lt;/p>
&lt;h2 id="cyberspace-as-a-response">Cyberspace as a response&lt;/h2>
&lt;p>Another scenario put forward by security pundits was that Iran would respond in cyberspace. Iran and the United States have a long history of cyber conflict, and some cyberattacks appear linked to foreign policy events. In 2012, for example, Iran-based hackers targeted US banks with Denial-of-Service attacks, in which servers become unavailable to users. The attacks were reportedly a response to newly issued sanctions. Denial-of-Service attacks are not particularly sophisticated. They simply overload servers with data traffic. But the economic costs can be substantial, running into millions of dollars for banks and other companies when servers are taken offline. Telecommunication server outages can be even more costly.&lt;/p>
&lt;h2 id="how-common-are-these-attacks-after-foreign-policy-events">How common are these attacks after foreign policy events?&lt;/h2>
&lt;p>In a working paper (later &lt;a href="https://doi.org/10.1093/jogss/ogab001" target="_blank" rel="noopener">published in the Journal of Global Security Studies&lt;/a>), I explore this question empirically. I ask whether Denial-of-Service attacks against the United States and the European Union rise after threats or impositions of sanctions. Unlike earlier empirical work, I use internet traffic data to measure Denial-of-Service attacks. This allows me to include covert and failed attacks that never make it into the media.&lt;/p>
&lt;p>The main finding is that, in most cases, sanction threats or impositions are not associated with Denial-of-Service attacks in the short or medium term.&lt;/p>
&lt;p>There is evidence of a large-scale increase during some incidents. At the beginning of the Crimean crisis in 2014, Denial-of-Service attacks against servers in the United States and the European Union rose sharply. But qualitative accounts suggest the likely perpetrator was not the state. Patriotic groups and citizens appear to have used cyberattacks to express displeasure and protest. Attribution in cyberspace is hard, and governments may still have been involved directly or through sponsorship of patriotic hacker groups. Studies on the large-scale Denial-of-Service attacks against Georgia in 2009 and Estonia in 2007 reach similar conclusions.&lt;/p>
&lt;h2 id="what-this-means-for-the-iranian-case">What this means for the Iranian case&lt;/h2>
&lt;p>Cyber operations have features that make them a poor substitute for conventional coercion. They are covert, hard to attribute, temporary, and impose only limited damage. This makes it unlikely that the Iranian government will initiate large-scale disruptive cyberattacks as a foreign policy response to recent events. We are more likely to see continued low-level conventional responses such as the missiles fired at military bases in Iraq.&lt;/p>
&lt;p>That said, we may also see dynamics similar to Crimea in 2014, where citizens and pro-government groups launch Denial-of-Service attacks to protest. Recent defacements of government websites condemning the drone strike and praising the Iranian regime point in this direction.&lt;/p>
&lt;p>To be clear, this does not mean Iran is inactive in cyberspace. It is very active, and its future operations will likely be more sophisticated and part of a longer-term strategy. But while Iran expands its espionage and infiltration capacity, my analysis shows no systematic evidence of a link between aggressive foreign policy events and direct responses in cyberspace. States still tend to rely on conventional means in these scenarios.&lt;/p>
&lt;hr>
&lt;p>&lt;em>Originally published at &lt;a href="https://politicalviolenceataglance.org/2020/01/20/iranian-cyberattacks-a-likely-retaliation-scenario/" target="_blank" rel="noopener">Political Violence @ A Glance&lt;/a>, 20 January 2020. The working paper referenced above is now published as Lutscher, P. M. (2022), &lt;a href="https://doi.org/10.1093/jogss/ogab001" target="_blank" rel="noopener">&amp;ldquo;Digital Retaliation? Denial-of-Service Attacks after Sanction Events&amp;rdquo;&lt;/a>, Journal of Global Security Studies.&lt;/em>&lt;/p></description></item></channel></rss>