U.S. said to strike Iranians' database

Officials: Attacks on ships curbed

WASHINGTON -- A secret cyberattack against Iran in June wiped out a critical database used by the country's paramilitary arm to plot attacks against oil tankers, degrading Tehran's ability to covertly target shipping traffic in the Persian Gulf, at least temporarily, according to senior U.S. officials.

Iran is still trying to recover information destroyed in the June 20 attack and to restart some of the computer systems -- including military communications networks -- taken offline, the officials said.

Senior officials discussed the results of the strike in part to quell doubts within President Donald Trump's administration about whether the benefits of the operation outweighed the cost -- lost intelligence and lost access to a critical network used by the Revolutionary Guard, Iran's paramilitary force.

The United States and Iran have long been involved in an undeclared cyberconflict, one carefully calibrated to remain in the gray zone between war and peace. The June 20 strike was a critical attack in that ongoing battle, officials said, and it went forward even after Trump called off a retaliatory airstrike that day after Iran shot down a U.S. drone.

Iran has not escalated its attacks in response, continuing its cyberoperations against the U.S. government and corporations at a steady rate, according to U.S. government officials.

U.S. cyberoperations are designed to change Iran's behavior without initiating a broader conflict or prompting retaliation, said Norman Roule, a former senior intelligence official. Because they are rarely acknowledged publicly, cyberstrikes are much like covert operations, he said.

"You need to ensure your adversary understands one message: The United States has enormous capabilities which they can never hope to match, and it would be best for all concerned if they simply stopped their offending actions," Roule said.

Cyberoperations do not work exactly like conventional warfare. A cyberattack does not necessarily deter future aggression in the same way a traditional military strike would, current and former officials say. That is in part because cyberoperations are hard to attribute and are not always publicly acknowledged by either side, a senior defense official said.

Yet cyberoperations can demonstrate strength and show that the United States will respond to attacks or other hostile acts and impose costs, the official said.

U.S. Cyber Command has taken a more aggressive stance toward potential operations under the Trump administration, thanks to new congressional authority and an executive order giving the Defense Department more leeway to plan and execute strikes.

The head of Cyber Command, Army Gen. Paul Nakasone, describes his strategy as "persistent engagement" against adversaries.

Operatives for the United States and for various adversaries are carrying out constant low-level digital attacks, the senior defense official said. The U.S. operations are calibrated to stay well below the threshold of war, the official added.

The strike on the Revolutionary Guard's intelligence group diminished Iran's ability to conduct covert attacks, a senior official said.

The U.S. government obtained intelligence that officials said showed that the Revolutionary Guard was behind the limpet mine attacks that disabled oil tankers in the Gulf in May and June, although other governments did not directly blame Iran. The U.S. military's Central Command showed some of its evidence against Iran a day before the cyberstrike.

The White House was said to have judged the strike as a proportional response to the downing of the drone -- and a way to penalize Tehran for destroying crewless aircraft.

The database targeted in the cyberattacks, according to the senior official, helped Tehran choose which tankers to target and where. No tankers have been targeted in significant covert attacks since the June 20 cyberoperation, although Tehran did seize a British tanker in retaliation for the detention of one of its own vessels.

Though the effects of the June 20 cyberoperation were always designed to be temporary, they have lasted longer than expected, and Iran is still trying to repair critical communications systems and has not recovered the data lost in the attack, officials said.

Officials have not publicly outlined details of the operation. Air-defense and missile systems were not targeted, the senior defense official said, calling media reports citing those targets inaccurate.

In the aftermath of the strike, some U.S. officials have privately questioned its effect, saying they did not believe it was worth the cost. Iran probably learned critical information about U.S. Cyber Command's capabilities from the attack, one midlevel official said.

A cyberweapon, unlike a conventional one, can typically be used only a few times, and sometimes only once. Once the target identifies the vulnerability used to gain access to its networks, it can engineer a patch that closes that opening for good.

"Iran is a sophisticated actor. They will look at what happened," said Mark Quantock, a retired major general who served as the director of intelligence for Central Command, which oversees operations related to Iran.

"Russia, China, Iran and even North Korea would all be able to see how they were penetrated."

Cyberstrikes also inevitably cut off access to intelligence that American operatives gained from exploiting that vulnerability, once the adversary discovers and fixes it. Losing even some access to Iran's Revolutionary Guard, Tehran's paramilitary force that is deeply involved with proxy forces around the Middle East, is a high price to pay, according to some officials.

Military and intelligence agencies always weigh the costs of a cyberoperation and the risks of lost information before a strike, according to former officials.

Intelligence officials have long been skeptical of some cyberoperations, worried that the benefits are not worth the costs.

"It can take a long time to obtain access, and that access is burned when you go into the system and delete something," said Gary Brown, a professor at the National Defense University and former legal counsel for Cyber Command.

"But on the same token, you cannot just use that as an excuse not to act. You can't just stockpile access and never use it."

A Section on 08/29/2019