Reuters reported on an interesting event from September 2019 today (16 October 2019):

“The United States carried out a secret cyber operation against Iran in the wake of the Sept. 14 attacks on Saudi Arabia’s oil facilities, which Washington and Riyadh blame on Tehran, two U.S. officials have told Reuters.

The officials, who spoke on condition of anonymity, said the operation took place in late September and took aim at Tehran’s ability to spread “propaganda.””

https://www.reuters.com/article/us-usa-iran-military-cyber-exclusive/exclusive-u-s-carried-out-secret-cyber-strike-on-iran-in-wake-of-saudi-oil-attack-officials-say-idUSKBN1WV0EK

As one would expect, sources in Iran denied any such event occurred, but what is interesting about this entire sequence of events is the combination of timing, messaging, and what this may mean for the efficacy of the alleged attack (provided it even took place).

First, for reference, we should look to an earlier claimed cyber attack executed by the US against Iran in response to Iranian efforts to disrupt maritime shipping and the downing of a US-operated unmanned aerial vehicle (UAV). Of note, this event appears to have taken place immediately after the US abandoned plans for a kinetic response to the event. For this event, initial reporting followed within days of execution, indicating that some level of cyber response took place. In this case, the compressed timeline and messaging all appeared to reflect a deliberate effort to signify – to those watching – that the cyber event was in retaliation for (or at least linked to) the UAV shoot-down.

The more recent event represents a different story entirely. In this case, the motivating factor is the Iranian-sponsored or -conducted attack on oil facilities in Saudi Arabia in September 2019. Post-attack, there were arguments for and against retaliating via kinetic strike, yet despite conducting an astounding attack (in scope and ambition) outside of any declared conflict, Iranian elements appeared to face no consequences aside from firm words and public condemnation. Some publications called for a plethora of responses – including cyber – but again nothing appeared to actually happen, until the “leak” of the (previously) secretive attack conducted to counter Iranian “propaganda” capabilities.

While the attack nature and precise targeting are murky at best, it does appear that the sequence of events shows something markedly different from the “resolve” and (potential) impact of the UAV incident. For the Abqaiq attack aftermath, an attack was launched several days (perhaps weeks) later, with no fanfare, timely leaks, dogged investigative reporting, or Presidential tweets announcing that this had occurred.

Presumably, if you retaliate in response to some act (the downing of a UAV over international waters, the bombing of critical infrastructure), you would prefer that the recipient of such a response be aware that it has occurred. An attack or reprisal that is successful but that goes unnoticed, or is regarded as something other than retaliation, would presumably be a waste of effort and resources, as any opportunity for messaging (to both the aggressor and potential observers that the act causing the response is unacceptable and faces consequences) is completely lost. While not quite the same, one’s mind goes to the idea of establishing the physical means for deterrence but never telling anyone about it.

Thus, in the race to create a response that was proportional to the act in question while also minimizing the chances of escalation (the considerations which appeared to motivate the US to cancel kinetic strikes in June and respond via cyber instead), the US seems to have achieved something rather strange: a retaliation which was not noticed by the perceived aggressor, seemingly necessitating a public “leak” weeks after the fact to let anyone know that such an event had occurred.

Admittedly, there are a number of assumptions in this argument – not the least of which being that such a cyber event even took place at all. However, as pointed out by a friend, it remains possible that “no one even noticed” could be the entire point, as with other covert actions for which you would rather a victim be either unable to discern an effect (at least immediately) or unable to determine who was responsible. Yet, in this particular case, such considerations do not apply. The (alleged) timing, public (if unofficial) discussion of the “need” for a US response, and subsequent leak all indicate the action in question was designed to not only be noticed, but to be perceived as a consequence of the physical attack in September 2019. So while there are certainly cases where “not noticing” may be of paramount importance in operations, this particular event does not seem to be relevant to such a perspective.

Another consideration is that perhaps the attack was noticed, but overlooked in the non-Iranian media. On 20 September 2019, the NetBlocks organization appeared to identify a disruption in Iranian internet traffic, with claims that such an outage disproportionately impacted government and industrial entities. While it is certainly possible that the identified activity may represent a reflection of the supposed US-directed cyber response, in this particular case the link appears unlikely. For one, after initially reporting this information via social media, it appears NetBlocks itself lacked sufficient information to develop a comprehensive report on the matter as it has for other observations. Alternatively, after publishing an analysis of Iranian internet connectivity issues in June 2019, it is possible that a second report was deemed unnecessary, especially given no subsequent evidence has emerged linking June 2019 overall connectivity problems to any large-scale cyber impact. (Note: all available evidence and public reporting indicates the June 2019 response was narrowly targeted against Iranian intelligence and military entities, while the newly-revealed event focused on unspecified “propaganda” capabilities.)

Given the above, it appears circumstances would require a (rationally acting) entity to pursue a noticeable response to the September 2019 attacks for messaging and (potential, future) deterrence reasons, but also one narrowly focused enough to meet the criteria of proportionality and non-escalation. If these assumptions are true – and they at least appear reasonable – the scope of any attack seems very narrow, and its “success” potentially very doubtful. That any awareness of the issue only came about because of anonymous, unsubstantiated leaks weeks later, with no noticeable, clearly related impacts and an Iranian response of a collective shrug, would suggest that no “message” was communicated, and that any “resolve” to punish the entity perceived to be responsible for the Saudi attacks was quite weak indeed.

While we can laugh about this series of events, I think we can also learn something from it. “Cyber” is often seen as some catch-all, pseudo-magical mechanism to bloodlessly respond to events through some sort of attack that results in no significant damage (at least not in lives lost), but still produces enough impact (or the potential for impact) to frighten or otherwise punish an entity for some transgression. Yet the reality of cyber is that, unless you’re fairly willing to accept unpredictable second-order effects (from malware spreading too widely, or being more impactful than was initially thought or desired), an entity delivering such an attack needs to be careful. When throwing at least notional adherence to the laws of war (such as proportionality) into consideration along with a desire to control or manage any potential escalation, the range of options begins to narrow quite quickly. Finally, when adding considerations of tool, access, and source preservation (e.g., delivering an impact, but one that will not reveal or compromise really useful capabilities best left for actual wartime), the scope of a retaliatory cyber “response” may be quite small – leaving us with an attack so narrow and restricted as to be barely perceptible to the victim.

Given the difficulties concerning an adequate cyber-nexus response to events – maintaining proportionality, avoiding escalation, maintaining tools and capabilities, AND still delivering a noticeable impact – one wonders if such an avenue is worth pursuing at all. While there may be some visceral sense in which a “cyber response” just feels good after the fact, in cases like this alleged “propaganda network takedown”, the result almost looks laughable in hindsight. Although a bit more difficult to construct and drawn-out in execution, sanctions and other items seem far more impactful and damaging than making a bunch of state-sponsored social media operators spin up new troll or propaganda accounts, or lease new servers from Hetzner or OVH. And yet, because cyber is “sexy” and new, I fear we’ll continue to see efforts such as this attempt to make cyber events go through multiple contortions within numerous limitations, all to produce an impact that is either small in size or (worse yet) irrelevant to the overall strategic calculus.