Reports & Papers
from Belfer Center for Science and International Affairs, Harvard Kennedy School

Rational Not Reactive

Download
Iranian flag on a circuit board

Re-evaluating Iranian Cyber Strategy

Executive Summary

The increasing tempo of offensive cyber operations by Iran and its adversaries, including the U.S. and Israel, has led many commentators to label them as “tit-for-tat”: a cyclical action-reaction dynamic where each side seeks to respond appropriately to an earlier violation by the other. However, this interpretation has significant theoretical and empirical deficiencies. Why, then, does a tit-for-tat narrative dominate our understanding of Iranian cyber activity, and what are the consequences? 

This paper revisits the longer-term arc of Iranian cyber operations, as well as examining a key “negative” case of the aftermath of the U.S. killing of IRGC General Qassem Suleimani in January 2020, where relevant expert and policy communities expected an Iranian cyber response that was not forthcoming. It argues that unfulfilled U.S. expectations of Iranian cyber responses can be explained by two key factors.

First, these expectations stem from the framing power of historic incidents that do not reflect current operational dynamics. Early cyber operations attributed to Iran, some nearly a decade ago, perpetuate an outdated perception that Iranian cyber actors are responsive, unpredictable, and even irrational, despite extensive changes to the strategic landscape and Iranian cyber capabilities in the intervening period. While the decision to emphasize such historic incidents may be well motivated—in order to highlight risks to skeptical audiences, or to stand in for more current threat intelligence that cannot be disclosed—it leads to an inaccurate analysis of current tensions. For Iran, the strategic benefit from worldwide espionage and disinformation, along with sporadic regional disruption, likely outweighs the advantage gained from a briefly impactful but difficult-to-control and reputationally awkward U.S.-targeted operation.

Second, U.S. analyses of Iranian cyber operations can be mirror-imaging: projecting the U.S. posture onto Iranian actors, especially during Gulf tensions in 2019. During these tensions, many policy and media commentators argued that Iran could use cyber operations to retaliate while avoiding further escalation in an already highly inflammatory situation. However, it was U.S. strategy—especially in the administration of President Donald J. Trump—that viewed offensive cyber operations as the most appropriate retaliatory tool in such situations. This U.S. shift, from prioritizing legal measures and defensive actions toward explicit acknowledgment of its own retaliatory cyber operations, made it tempting to believe Iranian decision-makers think in the same way. Instead, Iranian cyber operations focus on widespread efforts to obtain intelligence, spread supportive narratives, and suppress political opposition, punctuated by more disruptive events that are precisely not clearly tied to specific prior events.

Why does this matter? Thinking in terms of tit-for-tat leads to important policy miscalculations: namely, expecting disruptive Iranian cyber operations that never materialize. In the context of the new Iranian President and ongoing nuclear negotiations, presenting an accurate picture of Iranian cyber activity is vital to prevent cyber operations becoming part of unwanted escalatory cycles in the region. This conclusion has one key caveat: because it is based only on publicly available data, this study omits incidents or operations that occur but are not publicly reported, as well as operations that are detected and mitigated in their early stages before becoming a publicly reported incident. 

The five policy recommendations that conclude this paper seek to help avoid future miscalculations. There are already examples of good practice, including the care of some actors to avoid associating regional cyber incidents with the Suleimani killing in early 2020. The overall goal is to view Iranian actors as rational participants in geopolitical cyber competition, rather than reactive and often irrational adversaries, taking our understanding of Iranian cyber strategy beyond tit-for-tat.


See the attached PDF for the complete paper. 

Recommended citation

Shires, James and Michael McGetrick. “Rational Not Reactive.” Belfer Center for Science and International Affairs, Harvard Kennedy School, October 2021