Kevin Allison is a Senior Editor for Signal. Based in Washington DC, he looks at how technology is reshaping global affairs. Kevin is also a Director in the Geo-Technology practice at Eurasia Group. Kevin holds degrees from the University of Missouri and from Harvard's Kennedy School of Government. He was also a Fulbright Scholar in Vienna, Austria and a 2015 Miller Journalism Fellow at the Santa Fe Institute. Prior to GZERO Media and Eurasia Group, Kevin was a journalist at Reuters and the Financial Times. He has lived in eight US states and has been an expat four times.
The cyberattacks reported by Yahoo News on Friday and by others in recent days targeted Iran's Islamic Revolutionary Guard Corps and a proxy militia. Although this isn't the first time the US has used its cyberweapons against Iran — back in 2010 the US and Israel hit Tehran's covert nuclear program hard with a computer worm called Stuxnet — the decision to unleash a cyberattack while refraining from a conventional military response raises some interesting questions:
Why launch a digital strike? It sends a message — but stops short of outright war. President Donald Trump didn't want to further escalate the conflict, but he did want to respond to the triumphant downing of an unmanned US drone, as well as to the tanker attacks that his administration has blamed on Iran. While computer code is undoubtedly dangerous — knocking out a power grid could easily kill thousands of people — dropping a payload of malicious ones and zeroes isn't nearly as provocative as physically bombing the country and killing people.
What next? Expect more digital shenanigans from both sides. Iran has history of launching disruptive cyberattacks against the US and its allies (and companies), and US officials are already warning of more. As Trump runs out of parts of the Iranian economy to sanction (see Hard Numbers, below), he'll likely see cyber as an increasingly attractive option: it can hurt Iran without provoking precisely the kind of wider war that he says he wants to avoid.
What could possibly go wrong? The first worry is collateral damage. Malicious code is hard to control once it's been released "in the wild," and it can affect systems that attackers didn't intend to hit. That leads to the other problem: unintended escalation. Cyberspace is a domain of conflict with few if any real rules, and no consensus on what constitutes an appropriate response to a damaging cyberattack. Put these two risks together, and what looks like a convenient way to smack an adversary without sparking an armed conflict could accidentally spin out of control.