We have updated our Privacy Policy and Terms of Use for Eurasia Group and its affiliates, including GZERO Media, to clarify the types of data we collect, how we collect it, how we use data and with whom we share data. By using our website you consent to our Terms and Conditions and Privacy Policy, including the transfer of your personal data to the United States from your country of residence, and our use of cookies described in our Cookie Policy.
The cyberattacks reported by Yahoo News on Friday and by others in recent days targeted Iran's Islamic Revolutionary Guard Corps and a proxy militia. Although this isn't the first time the US has used its cyberweapons against Iran — back in 2010 the US and Israel hit Tehran's covert nuclear program hard with a computer worm called Stuxnet — the decision to unleash a cyberattack while refraining from a conventional military response raises some interesting questions:
Why launch a digital strike? It sends a message — but stops short of outright war. President Donald Trump didn't want to further escalate the conflict, but he did want to respond to the triumphant downing of an unmanned US drone, as well as to the tanker attacks that his administration has blamed on Iran. While computer code is undoubtedly dangerous — knocking out a power grid could easily kill thousands of people — dropping a payload of malicious ones and zeroes isn't nearly as provocative as physically bombing the country and killing people.
What next? Expect more digital shenanigans from both sides. Iran has history of launching disruptive cyberattacks against the US and its allies (and companies), and US officials are already warning of more. As Trump runs out of parts of the Iranian economy to sanction (see Hard Numbers, below), he'll likely see cyber as an increasingly attractive option: it can hurt Iran without provoking precisely the kind of wider war that he says he wants to avoid.
What could possibly go wrong? The first worry is collateral damage. Malicious code is hard to control once it's been released "in the wild," and it can affect systems that attackers didn't intend to hit. That leads to the other problem: unintended escalation. Cyberspace is a domain of conflict with few if any real rules, and no consensus on what constitutes an appropriate response to a damaging cyberattack. Put these two risks together, and what looks like a convenient way to smack an adversary without sparking an armed conflict could accidentally spin out of control.