Many analysts expected cyber operations to play a major role in Iran’s response to the US-Israeli military campaign. Yet Iranian-linked cyber activity initially played little visible operational role and has so far produced limited strategic effect. Activity has since become more extensive and visible—including cyber-enabled influence operations, disruptive operations, and operations against exposed infrastructure—but cyber has still not become a major instrument of Iran’s wartime response.
Strategic restraint aimed at managing escalation provides a partial explanation for why Iran did not conduct a high-profile attack on US critical infrastructure. Although parts of US critical infrastructure are known to have long-standing vulnerabilities, Iran had reasons not to exploit them and create a public spectacle. US public opinion toward the war, especially toward a possible large-scale ground deployment, has been strongly negative, and congressional opposition to further escalation has also been substantial. Cyberattacks, especially those that cause deaths, can increase public support for military retaliation. Therefore, a spectacular Iranian attack, especially one with lethal consequences, could have shifted attitudes and legitimized wider US attacks on Iranian infrastructure—an outcome Iran had strong reasons to avoid. In other words, Iran may have favored lower-risk cyberattacks and refrained from those likely to create such a spectacle, even where opportunities may have existed.
However, potential Iranian restraint toward the United States cannot explain the limited visible effects against Israel. Iran and Israel were already exchanging large-scale kinetic strikes, including missile and drone attacks, so many forms of cyberattack against Israeli military or critical infrastructure targets would not have represented a higher step on the escalation ladder. Nor can the outcome be explained purely by an absence of Iranian cyber capability. Although Iran is not among the world’s most sophisticated cyber powers, it is widely regarded as a capable one, with growing expertise and a long record of cyber operations.
This case therefore presents an important puzzle for military planners: How can a state have experienced cyber operators, a long record of cyberattacks, and an incentive to retaliate, yet struggle to produce major effects when it needs them most?
The Anatomy of a Cyber Operation
Answering this question requires looking at how cyber operations work in reality. Cyber retaliation is often discussed as if it were a form of instant firepower, but it works more like espionage. Its most serious effects usually depend on preparation carried out over months or even years before a crisis begins. Without such groundwork, operators must go through much of this process after a war begins. As a result, major cyber effects may not only arrive late but also prove lackluster, as the work must be carried out against an adversary that is already alert and actively looking for intrusions. This helps explain why Iranian cyber activity, especially against Israeli targets, appeared limited at first and then became more visible over time.
This same war also provides a contrasting case. For many years, the United States and Israel had been prepositioning by building access inside Iran, so they were able to rapidly produce visible operational effects. For example, their access to Iranian camera and communications networks was reportedly used to locate targets.
Part of the confusion stems from how frameworks for understanding offensive cyber operations—such as the commonly used Lockheed Martin Cyber Kill Chain, with its seven stages of reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives—are often misinterpreted. These frameworks are very useful teaching tools, but a reader who takes them too literally may overlook the messy reality of the process. A military planner with less technical expertise can easily imagine the process as climbing a ladder—that is, first conducting reconnaissance, then finding a vulnerability, developing an exploit, gaining access, securing that access, and finally producing the intended effect. In reality, there is a great deal of back and forth between these stages, and the stages are nowhere near equal in the time and effort they require in a particular operation.
Attacking a complicated and hardened computer network is typically less like a mission to take a hill and more like a campaign of attrition in which control is gained incrementally, one position at a time. As operators make progress, they often need to return to reconnaissance, find a new vulnerability or path forward, weaponize an idea, and determine whether it leaves them in an incrementally better position. In some cases, target development and reconnaissance take years. In others, finding the vulnerability really means waiting long enough for one to appear—perhaps because the target installs a new component or an update introduces a vulnerable dependency. A vulnerability may also be too minor to matter on its own and become useful only when chained with another vulnerability—or even with a long series of individually minor vulnerabilities.
Consider a realistic but fictional scenario. Imagine that a state tasks a team of cyber operators both to reduce the wartime output of an adversary’s advanced munitions plant and to steal the designs of several products manufactured there. Both goals require reaching systems that are not directly accessible from the internet. The production equipment may be connected through segmented industrial networks separated from the plant’s ordinary business systems, while complete weapons designs may be held in a highly secure, air-gapped engineering environment—perhaps a restricted room containing only a small number of computers with no external connection.
The operation begins with reconnaissance. The team collects open-source intelligence but also studies the plant’s physical surroundings, organizational structure, employees, suppliers, contractors, and other external relationships. This may include examining aerial imagery, contacting publicly listed numbers, studying professional profiles, or gathering information through informal conversations with people who know the organization. At this point, the objective is to map the overall structure of the target and identify possible routes through which access might eventually be gained.
This work alone can take considerable time. Useful information may be scattered across technical documents, procurement notices, job advertisements, supplier websites, professional profiles, news coverage, and photographs taken inside the facility. For instance, the name and contact details of an IT administrator may appear in a recruitment advertisement that also reveals information about the plant’s systems. A supplier may list the organization as one of its customers, indirectly revealing a possible supply chain dependency. A newspaper photograph may reveal the type of equipment used on a production line. Although these fragments do not individually provide a route into the plant, together they gradually reveal how the organization functions, which technologies it depends on, and where its digital, physical, and human boundaries may be weakest.
Next—unless the state already has a well-placed operative or cooperative insider who can make it possible to attack one of the internal systems directly—the team starts looking for a foothold at the outer edge of the target’s digital environment. It examines internet-facing technologies, tries to understand which software and versions are running on them, and looks for ways inside. This may involve probing different parts of the system or trying to identify a new vulnerability in custom-built software used by the organization. At the same time, the team may pursue much slower avenues, such as setting alerts for newly disclosed vulnerabilities affecting technologies used by the target, acquiring a relevant exploit through a broker, or asking specialist researchers to investigate one of those products.
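As an added illustration of the slower avenue described in this paragraph, and of the earlier point that finding a vulnerability sometimes means waiting for one to appear, here is a small Python watchlist matcher. It is example code written for this page, not anything from the article or from any real tool; the hostnames, vendors, products, advisory identifiers, version ranges and summaries are constructed and hypothetical. It takes the technologies fingerprinted during reconnaissance (each tagged with the source it was learned from) and a refreshed advisory feed, and reports which advisories newly affect an observed version, using the OSV convention that an "introduced" version is inclusive and a "fixed" version is exclusive.

```python
"""Watchlist matching of disclosed advisories against fingerprinted technologies.

Added example, not code from the article. All assets and advisories below are
constructed sample data with hypothetical products and identifiers. Version
ranges follow the OSV convention: "introduced" is inclusive, "fixed" exclusive.
"""
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Asset:
    host: str      # where the technology was observed (hypothetical host)
    vendor: str
    product: str
    version: str
    source: str    # how it was learned: banner, job advert, supplier page, ...


@dataclass(frozen=True)
class Advisory:
    id: str
    vendor: str
    product: str
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet
    summary: str


def parse_version(text: str) -> tuple:
    """Turn '9.1.3' or '14.0.2-rc1' into a comparable tuple of ints.

    Non-numeric suffixes are dropped, so this is only valid for products that
    use dotted numeric versions; vendor-specific schemes need their own
    comparator (real tooling leans on CPE or OSV data for this).
    """
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def is_affected(version: str, introduced: str, fixed: Optional[str]) -> bool:
    """True if version lies in the half-open range [introduced, fixed)."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


def match_advisories(assets, advisories, seen_ids=frozenset()):
    """Return (asset, advisory) pairs for advisories not already handled.

    seen_ids lets repeated runs over a refreshed feed report only what is new,
    which is the alerting behaviour the waiting strategy depends on.
    """
    hits = []
    for adv in advisories:
        if adv.id in seen_ids:
            continue
        for asset in assets:
            if (asset.vendor, asset.product) != (adv.vendor, adv.product):
                continue
            if is_affected(asset.version, adv.introduced, adv.fixed):
                hits.append((asset, adv))
    return hits


# Constructed fingerprint of the fictional plant in the article's scenario.
ASSETS = [
    Asset("vpn.plant.example", "acme", "ssl-vpn", "9.1.3", "TLS banner"),
    Asset("mail.plant.example", "acme", "mailgate", "2.4.7", "SMTP banner"),
    Asset("eng-ws (unknown)", "cadco", "designsuite", "14.2", "job advert"),
]

# Constructed advisory feed; identifiers, products and summaries are hypothetical.
ADVISORIES = [
    Advisory("EXAMPLE-ADV-1", "acme", "ssl-vpn", "9.0.0", "9.1.5",
             "hypothetical flaw in the web portal"),
    Advisory("EXAMPLE-ADV-2", "acme", "mailgate", "2.5.0", "2.5.3",
             "hypothetical flaw in the quarantine UI"),
    Advisory("EXAMPLE-ADV-3", "cadco", "designsuite", "14.0", None,
             "hypothetical flaw in project-file parsing; no fix published"),
]


def run_example(seen_ids=frozenset()):
    """Match the constructed feed and return the ids of advisories that hit."""
    return [adv.id for _, adv in match_advisories(ASSETS, ADVISORIES, seen_ids)]


if __name__ == "__main__":
    for asset, adv in match_advisories(ASSETS, ADVISORIES):
        print(f"{adv.id}: {asset.host} runs {adv.product} {asset.version} "
              f"(learned from {asset.source}): {adv.summary}")
```

On the constructed data the matcher reports EXAMPLE-ADV-1 (the observed VPN build falls inside the affected range) and EXAMPLE-ADV-3 (no fix exists, so every version from 14.0 upward is affected), and stays silent on the mail gateway, whose 2.4.7 build predates the affected range. The same logic, run over a defender's own asset inventory rather than an attacker's fingerprint, is the check that tells the plant which disclosed issue it must patch before the adversary's alert fires; the realistic caveat is that version strings from banners and job adverts are often stale or incomplete, so a quiet run is weaker evidence than a hit.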
Compromising an internet-facing system—such as a remote-access service, email system, or externally accessible enterprise application—does not by itself normally provide direct access to the inner systems. It does, however, make more targets visible, and reconnaissance begins once again. Most likely, the account through which the team has gained access is also restricted, with privileges limited to its intended function (e.g., sending and receiving email). Sometimes the level of access this account provides allows the team to escalate privileges on the same system. Other times it makes it possible to pivot to another server or an internal network segment. In still other cases, its initial value is not as a technical route deeper into the network but as a source of useful information—for example, when internal emails reveal hidden systems, trusted relationships, or people who connect different parts of the organization.
Even describing key systems as internal can be misleading, however, because a network may contain several distinct segments, some of which may not be reachable through digital means alone and may require the involvement of human operatives. After every successful step, the process returns to reconnaissance. After an unsuccessful step—such as being detected on a server by an intrusion-detection system—substantial progress may also be lost, as the server may be taken offline or further hardened.
Because of this, even compromising several important parts of the target environment, if this can be achieved at all, does not end the back-and-forth process. The team must also find ways to maintain access without being detected, which becomes even more difficult when the goal is to reduce the output of an advanced munitions plant. Simply crashing a system is not an option, as doing so may immediately reveal the operation and lead the defenders to isolate and harden affected systems. Instead, the team must find ways to produce a meaningful effect on production without immediately exposing its presence and losing the access it has slowly accumulated. This again requires the team to monitor changes within the environment, interpret internal communications, and, in general, repeatedly return to reconnaissance.
Cyber Effects Require More Than Experienced Operators
As the process described above illustrates, cyber capabilities closely resemble and, in important respects, extend espionage capabilities. They can sometimes be used to cause direct damage or temporarily incapacitate parts of an adversary’s infrastructure, as in a sabotage operation or denial-of-service attack, just as intelligence agencies can be used for such purposes. However, this does not change the fact that cyber operations function much more like intelligence operations than like conventional firepower.
Consequently, preparing for cyber operations is also a broad, long-term process that is partly entangled with civilian institutions. Access to well-trained cyber operators—including civilian specialists willing to act as force multipliers—is an important dimension of offensive cyber power. However, these operators still need tools and technologies to help them conduct an operation. Having ready-made exploits with which to breach defenses, or well-tested stealth tools that can turn a temporary foothold into more stable access, can significantly increase the likelihood of success. Similarly, many operations seeking an initial foothold begin with an attack on the human element, such as social engineering. This again shows that success in cyber operations often depends on capabilities traditionally associated with intelligence agencies and, in some cases, on close coordination with them.
This also suggests that having a well-developed technology ecosystem—including prominent technology vendors—is another key dimension of national cyber power. This advantage does not necessarily depend on direct vendor cooperation, although some governments may sometimes obtain or compel technical assistance, access, or changes to how products and services operate. Even without such cooperation, having key vendors and their suppliers within a national technology ecosystem can generate deep knowledge of the relevant technologies, valuable international connections, and a pool of experienced specialists—such as secure software development engineers who have previously identified or fixed vulnerabilities in relevant codebases.
These advantages can make a substantial difference because every sufficiently difficult intrusion presents an innovation problem; the cyber team must understand a system well enough to identify the conditions under which it will behave abnormally and perform an action it was not intended to perform. The ability to solve the innovation problems inherent in cyber operations therefore depends on more than skilled operators. Research on collective innovation shows that access to varied information and the capacity to synthesize it effectively are shaped by the architecture of the wider innovation system—including ecosystems of vendors and suppliers, international information flows, high-tech institutions, diverse human capital, and supportive state policies. The innovation challenges presented by cyber operations are similarly shaped by this wider technological and institutional environment.
Cyber operations, then, resemble espionage more than firepower not only in their modus operandi, but also in their dependence on a broader ecosystem of access, tools, expertise, institutions, and target-specific knowledge. Even a state with capable cyber operators may therefore be unable to produce major cyber effects as soon as it needs them. For military planners, the key question is not only whether an adversary has capable hackers or hostile intent, but whether it has already accumulated the access, tooling, expertise, and target knowledge needed to turn cyber capability into operational effect.
Aybars Tuncdogan is a reader (associate professor) in digital innovation and information security at King’s College London. He is a research affiliate of the King’s Institute for Artificial Intelligence and a member of both the King’s Cybersecurity Research Centre in the Department of Informatics and the Cyber Security Research Group in the Department of War Studies. His books have been published by Oxford University Press, Routledge, and Edward Elgar, and his writing has appeared in outlets including War on the Rocks, RUSI Commentary, Defence Strategic Communications, IEEE Security & Privacy, Scientific American, Harvard Business Review, Times Higher Education, The Conversation, and Dark Reading.
The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, or Department of Defense.
