In the aftermath of the American killing of Iran’s top general, Maj. Gen. Qassim Suleimani, and amid anxieties about Iranian retaliation, many are wondering what role cyberwarfare will play.
Cyberattacks certainly complicate things. A country that might not be able to attack the United States with an aircraft, missile or submarine can use a cyberattack to strike targets on American soil. And as the most common targets are civilian — electrical grids, hospitals, water facilities, transportation infrastructure — cyberwarfare disproportionately threatens citizens, linking American foreign policy with the everyday lives of ordinary Americans. It has the power to transform overseas crises into urgent domestic concerns.
So it’s no surprise that ordinary Americans are more alarmed by the specter of a cyberattack than by the distant threat of an Iranian attack in Iraq, Saudi Arabia or Israel.
But while the doomsday scenarios — of Iranian cyberattacks knocking out digitally dependent infrastructure like electric grids or health services — are alarming, they are a distraction. Tehran is a capable and prolific actor in the realm of cyberwarfare, but it has no proven ability to create large-scale physical damage through cyberoperations.
In an already dangerously volatile situation, the United States should not focus unwarranted attention on potential cyberattacks by Iran. Recent history suggests as much. Though Iran has launched cyberattacks on American dams, financial systems and government networks, their impact has been short-term, reversible and relatively limited in scope.
One of the best-known Iranian cyberattacks on the American financial system, Operation Ababil, targeted some of the country’s largest financial institutions as well as the Nasdaq stock exchange, but only briefly affected customers’ access to their accounts.
Even Iran’s most successful cyberattack — the Shamoon attack on Saudi Aramco, the world’s largest oil company, which devastated thousands of the company’s computers and cost millions — had limited impact on oil prices or global oil supply.
These attacks destroyed data. And sometimes the corruption of data or loss of control over it can cause physical repercussions — as when the Stuxnet computer worm, a destructive program run by the United States and Israel, caused great damage to Iran’s nuclear centrifuges.
Yet because digital vulnerabilities are so diffuse and networks so complex, very few cyberattacks could ever cause immediate physical harm to a large portion of the American population. It is much more difficult for cyberattacks to destroy people.
That matters. Recent research suggests that the effects of cyberattacks must be extensive in order to sway American public opinion: Americans are significantly less likely to support retaliation against cyberattacks than against airstrikes, even if both caused the same damage.
In a 2017 war game, conducted with leaders from 14 critical infrastructure sectors, the Naval War College found that only the most destructive cyberattacks led to requests for retaliation. These findings strongly suggest that Iranian cyberattacks must overcome a high bar to significantly affect American willingness to use force in the region.
And in reality, American airstrikes in Iraq, and Iranian drone and missile strikes in Saudi Arabia, have already surpassed the violent effects of any cyberattack in history.
Focus on the destructive effects of cyberattacks is a distraction from the real risk of escalation — highly alert military forces in the region inadvertently firing at one another or crossing red lines toward all-out war.
The Iranian cyberthreat the United States should be most concerned about is the way its online operations — defacing websites, altering military communications and running social media influence campaigns — slow down and frustrate American activities in the region.
In the short term, these types of cyberoperations, small scale but prolific, will hinder American capabilities to navigate the crisis. For a digitally dependent military like America’s, such cyberattacks degrade trust in navigation systems, communication and logistics, slowing down and confusing the precise, surgical operations the United States needs to execute to limit inadvertent escalation.
But the real effects of Iran’s cyberoperations won’t be felt in the immediate crisis; instead they will shape the long-term balance of power between Iran and the United States. Low-level but highly prolific cyberoperations degrade the viability of American economic and social institutions.
A 2018 White House Council of Economic Advisers report estimated that cyberoperations cost the American economy up to $100 billion in 2016. Small businesses spend on average $200,000 a year on cybersecurity-related expenses. More than cost, the threat can be existential for some industries, like finance, that are built on customers’ trust in the integrity of their data.
And the rise in cyber-enabled information operations and the exploitation of social media threatens American democratic processes. Iran is an active participant in these activities, magnifying our divisions to influence American domestic and foreign policy.
The good news is that the United States has already started to deal with these long-term cyberthreats. The current crisis shouldn’t derail these efforts. The Department of Defense’s 2018 cyberstrategy shifted the focus from deterring destructive cyberattacks to making an active effort to pre-emptively degrade the cybercapabilities of Iran (and other states).
But the response to such cyberthreats needs to go beyond the Department of Defense. The Department of Homeland Security should continue to disseminate timely cyberthreat intelligence to the private sector. And the government should provide resources to American businesses to defray the costs incurred from Iranian cyberattacks, especially those that stem from the current tensions.
Cyberoperations affect the ability of the United States to achieve its strategic goals, domestically and abroad. But they won’t push the current crisis toward war.
Jacquelyn Schneider (@JackieGSchneid) is a fellow at the Hoover Institution at Stanford University.