Guest post by Philipp Lutscher
Following the lethal drone strike against the Iranian general Qassem Soleimani on January 3, many experts, pundits, and news outlets outlined different scenarios predicting how the Iranian government might respond. Experts agree that the Iranian government will retaliate, the only remaining questions are how and when?
Recent missile strikes against Iraqi bases housing American military forces show that Iran is ready to use conventional weapons in response to the killing of Soleimani, albeit in a limited capacity. However, as described by Navin Bapat in PV@Glance, the Iranian government may also opt for more irregular responses. Iran could ramp up their activities to disrupt shipping in the Strait of Hormuz or support Houthi rebels in targeting oil facilities on the Arabian peninsula. Both tactics would impose severe economic costs on the United States and the world economy.
Another scenario put forward by security pundits is that the Iranians will respond in cyberspace. Indeed, Iran and the United States have a history of cyber conflict and some cyberattacks are apparently linked to foreign policy events. For instance, in 2012, Iranian-based hackers targeted US banks with Denial-of-Service attacks (wherein a network becomes unavailable to users), supposedly in response to issued sanctions against Iran. Although these attacks are not particularly sophisticated—they simply overload servers with data traffic—they can cause severe economic costs depending on the target, costing banks or other companies several million dollars when their servers are taken offline. The costs of telecommunication server outages can be even higher.
But how common are cyberattacks after foreign aggression? In a new working paper, I empirically explore this question and investigate whether Denial-of-Service attacks rise against the United States and the European Union after the threat or impositions of sanctions. Unlike earlier empirical research, I rely on Internet traffic data to measure Denial-of-Service attacks, which allows inclusion of covert and failed attacks not reported in the media.
My main finding: though it might seem intuitive that Denial-of-Service attacks would rise in response to sanction threats or impositions, usually, they don’t. In the most cases sanction threats or impositions are not associated with Denial-of-Service attacks in the short- and medium-term.
However, there is evidence of a large-scale increase in cyberattacks during some incidents. For example, at the beginning of the Crimean crisis in 2014, there was a rise in Denial-of-Service attacks against servers within the United States and the European Union. Qualitative accounts suggest that in that case, the likely perpetrator was not the state (Russia), but rather patriotic groups and citizens using cyberattacks to express displeasure and protest. Cyberattacks are hard to attribute, and governments may still have been involved in these attacks, either directly or by sponsoring patriotic hacking groups. But studies on the large-scale Denial-of-Service attacks against Georgia in 2009 and Estonia in 2007 also conclude that (more plausibly) activists and patriotic groups used the attacks against news, government, and economically important websites to show their disapproval.
Factors that make cyber operations unique—they are covert, hard to attribute to any one actor, temporary, and impose only limited damage—make them a poor substitute for conventional coercion. This means that it is rather unlikely that we will see the Iranian government initiate large-scale disruptive cyberattacks as a foreign policy response to the recent events. Instead, we will likely see more low-level conventional responses such as the fired missiles against military bases in Iraq.
Nevertheless, we may also see dynamics similar to those during the Crimean crisis in 2014—wherein citizens and pro-government groups launch Denial-of-Service attacks to protest against the United States. Recent defacements of government websites condemning the drone strike and praising the Iranian regime, as well as more systematic work of a contentious use of Denial-of-Service attacks support this conclusion.
To be clear, this does not mean that the Iranian government is not an active player in cyberspace—it is, and future actions will likely be much more sophisticated and part of a long-term strategy. But while Iran grows its espionage and infiltrations campaigns capacity, my analysis shows no systematic evidence for a relationship between aggressive foreign policy events and direct responses in cyberspace. Instead, it appears that states still rather rely on conventional means in such a scenario.
Philipp Lutscher (@philutsc) is a Ph.D. candidate in political science at the University of Konstanz (Germany). He investigates questions related to technology, contentious politics and authoritarian politics.