
What Really Happened in the Cyber Command Action Against Iran?

By Vishnu Kannan
Thursday, July 11, 2019, 10:15 AM

Amid rising tensions with Iran following the country’s downing of a U.S. surveillance drone last month, President Trump reportedly ordered and then called off military strikes against targets in Iran. Soon, news reports indicated that, in lieu of those strikes, U.S. Cyber Command had taken offensive action against Iranian targets. The operation was first reported by Yahoo News, which described it as a “retaliatory digital strike against an Iranian spy group.” Shortly afterward, several other outlets picked up the story.

After the news broke, Bobby Chesney, writing about the legal context for the reported operations on Lawfare, offered a note of caution: “Details remain sparse, and so the analysis that follows is necessarily subject to revision as more emerges.” But two weeks later, the specifics of the operation remain unclear. The Pentagon has declined to provide further details, saying that “as a matter of policy and for operational security, we do not discuss cyberspace operations, intelligence or planning.” Moreover, the available reports demonstrate a lack of agreement, even among major news outlets, as to what precisely happened. But a careful reading of the reporting suggests that the U.S. response consisted of three distinct operations.

Multiple outlets have reported that U.S. Cyber Command targeted command and control systems used by the Islamic Revolutionary Guard Corps (IRGC) to launch missiles and rockets. This appears to be the first operation. The Washington Post writes, “President Trump approved an offensive cyberstrike that disabled Iranian computer systems used to control rocket and missile launches,” and adds that the attack was carried out “against the Islamic Revolutionary Guard Corps.” Reports from the Wall Street Journal and the New York Times, meanwhile, confirm that Cyber Command targeted control systems for missile launches. The Journal, however, refers to the target organization as “an Iranian intelligence group,” which could be understood to mean either the IRGC or an affiliated organization. The Times does not identify the target organization at all.

But the Times, unlike the other outlets, reports explicitly that multiple operations took place. The article states that in addition to targeting missile control systems, “an additional breach” compromised “multiple computer systems … including those believed to have been used by an Iranian intelligence group that helped plan the tanker attacks.” This seems to be a distinct, second operation targeting the systems of an IRGC-affiliated intelligence organization, apparently in order to manipulate or destroy software that organization used to track tankers in the Strait of Hormuz. CNN reports similarly: According to the outlet, the target organization was a “spy group, which has ties to the Islamic Revolutionary Guard Corps,” and the “online strike targeted an Iranian spy group’s computer software that was used to track the tankers that were targeted in the Gulf of Oman on June 13.” Yahoo News offers a similar identification of this second target organization, writing that it was an “Iranian spy group that supported last week’s limpet mine attacks on commercial ships, according to two former intelligence officials.”

Finally, CNN also reports what appears to be a third operation targeting the “networked communications” of Kata’ib Hezbollah, an Iranian-backed paramilitary organization, “in the days after Iran shot down a US drone.”

There also appears to be disagreement about whether any of the operations were successful and, if so, which. The Times acknowledges that “determining the effectiveness of a cyberattack on the missile launch system is particularly difficult” and that the only way to know would be “if Iran tried to fire a missile and failed” because the U.S. operation had successfully disabled the systems necessary to communicate and authorize launch orders. Similarly, CNN said of the operation against Kata’ib Hezbollah that “neither of the officials … would discuss how successful the cyberattack may have been.” Though the Journal writes that sources characterized the operations in aggregate as “very” effective, and the Post quotes a source as saying, “This is not something they [Iran] can put back together so easily,” it is not clear precisely what the sources mean or what it is that Iran will have difficulty “put[ting] back together.”

Understanding this reporting in all its complexity is particularly important given that the operations described constitute Cyber Command’s first major, publicly known offensive actions after being elevated to the status of a full combatant command in May 2018. Therefore, it has the potential to set several precedents, one of which concerns the behavior of government officials, some of whom appear to be sources for the reporting. In this instance, leaks to the press about these operations from government sources are likely serving strategic purposes. Perhaps the government hoped to send a message to the public and adversaries that, while the president reversed his decision to order a kinetic strike, the United States did in fact retaliate against Iran for downing the drone. Or perhaps it intended to signal technical capacity to adversaries as a deterrent. The problem is that fragmented reporting has produced a muddled message about what actually happened, calling into question how clear and effective any message could have been to the intended recipients. Whatever the case may be, Cyber Command has not released a statement and seems content to wait out the news cycle without correcting the record—suggesting that this pattern of silence will continue through future such operations.