The Trump administration is reportedly considering launching another cyber attack against Iran to deter it from further aggression in the region. In June, the U.S. carried out a cyber attack on an Iranian paramilitary targeting database in retaliation for the downing of an American drone. Now, after the strike on the Saudi oil refinery at Abqaiq, a cyber attack is apparently the favored option to establish deterrence and avoid American entanglement in a protracted regional conflict.

Establishing deterrence through a cyber attack, however, would face serious obstacles.

Iranian leaders have declared their willingness to retaliate if attacked, and it is generally understood (including by the U.S. Defense Department) that a cyber attack can constitute an act of war. It is not clear how a cyber attack could be powerful enough to incentivize Iran to deescalate tensions without heightening its sense of vulnerability in relation to its neighbors.

The June cyber attack on Iran’s targeting database reportedly reduced its capacity to attack tankers in the Persian Gulf and did not escalate tensions substantially. However, it was also unambiguously a response to the attack on the U.S. drone, which Iran claimed responsibility for. Iran denies carrying out the attack on Abqaiq and public evidence of its responsibility remains limited. A retaliatory cyber attack on an Iranian drone command-and-control center (for example) would be viewed as unjustified and strategically damaging, likely raising the stakes for Iran to attack back.

Strategic analysts of cyber warfare are often skeptical of deterrence through cyberspace, especially deterrence by punishment. States often prefer cyber weapons because they are seen as less escalatory than physical attacks, but that preference applies to adversaries as well. After the U.S. and Israel attacked Iranian nuclear infrastructure with Stuxnet — an incredibly sophisticated operation that just as easily could have targeted Iran’s electric grid — Iran, utterly undeterred, established its own cyber offenses and has since attacked U.S. banks, the Sands Casino, and Saudi Aramco.


Michael Sexton is a Fellow and Director of MEI's Cyber Program. Eliza Campbell is the Co-Director of the Cyber Program.

Photo by Chip Somodevilla/Getty Images

The Middle East Institute (MEI) is an independent, non-partisan, non-for-profit, educational organization. It does not engage in advocacy and its scholars’ opinions are their own. MEI welcomes financial donations, but retains sole editorial control over its work and its publications reflect only the authors’ views. For a listing of MEI donors, please click here.