Editors’ note: In this archival piece, Gil Baram details the long history of Israeli and Iranian cyberattacks against each other, and why both countries have become more public about these attacks. Her analysis was originally published in the Washington Post on July 25, 2022.
In late June 2022, Iran’s state-owned Khuzestan Steel Co. and two other steel companies were forced to halt production after suffering a cyberattack. A hacking group claimed responsibility on social media, saying it targeted Iran’s three biggest steel companies in response to the “aggression of the Islamic Republic.”
Israel’s defense secretary then ordered an investigation into leaked video showing the damage to the steel plants, citing “operational events in a manner that violates Israel’s ambiguity policy.” This incident came close on the heels of a statement by the Israeli Security Agency, or Shin Bet, claiming a May cyberoperation by Iran was intended to generate actions outside of the cyber-domain.
Both incidents show how the cyberconflict between the two countries has grown increasingly public in the past two years. While Israel traditionally sticks to ambiguous responses, these latest examples and others suggest that may be changing. Iran also broke its silence and chose to publicly discuss some of these incidents.
Why are Israel and Iran going public about these cyberoperations? Here are three things to know about the not-so-covert cyberconflict between Israel and Iran.
Cyber-actions are becoming less covert
Iran and Israel have long engaged in mutual offensive covert cyber-actions, although neither government took credit for them in public. More than a decade ago, Iranian officials discovered the Stuxnet malware in the uranium enrichment centrifuges in one of Iran’s nuclear facilities, marking the first public evidence of the use of cyberweapons against Iran. But the alleged cyberattacks and intrusions between Iran and Israel have intensified, gaining global attention and coverage, giving a new public dimension to the ongoing covert conflict.
Examples include an April 2020 attempt to breach Israel’s water and sewage infrastructure, a cyberattack on Iran’s Shahid Rajaee port in May 2020, cyberattacks on Iranian transportation systems in July 2021, a hack of an Israeli hosting company and leak of users’ personal information in October 2021, and a cyberattack disrupting gas stations across Iran the same month — and many more.
The long-running shadow conflict between Israel and Iran, in both the cyber realm and on the ground, landed in the spotlight last month with a comment from then-Israeli Prime Minister Naftali Bennett. In an interview for the Economist addressing the shift in Israel’s strategy toward Iran, he said, “We no longer play with the tentacles, with Iran’s proxies: we’ve created a new equation by going for the head.”
Why is this happening?
What causes countries to abandon the advantages of the covert space and shift their cyberconflict into the public arena? In my research, I argue that choosing to make details public isn’t a binary political decision between revealing or concealing the attack. Instead, victims of a cyberattack might choose to respond in a variety of ways, including complete silence, attributing the attack and assigning blame. Previous research theorized that strategies for the attacker, similarly, range from complete silence to claiming credit.
Both Israel and Iran have become noticeably more public about these attacks. For example, in April 2020, the Israel National Cyber Directorate confirmed an “attempted cyber-breach” of water command and control systems. Media reports pointed a finger at Iran, but Israeli officials didn’t comment.
In this event, Israel chose to publicize the attack without official public attribution. This strategy allowed Israel to stay ahead of the news cycle and set the public narrative — but also avoid greater humiliation in case Iran or a third party publicized the attack. At the same time, refraining from directly blaming Iran allowed Israel to minimize the risk of escalation. Iran remained silent, a strategy that also helped avoid escalation at the time.
A few weeks later, a cyberattack on the Shahid Rajaee port severely disrupted the movement of goods into the Iranian port for several days. Initially, Iran claimed the massive delays were caused by a technical malfunction, but officials later admitted the incident was the result of a cyberattack. Media reports quoted an unnamed U.S. official as saying that many believed Israel was behind the attack.
Further declarations from both countries left little doubt about their intentions. Without directly mentioning Iran, the director of the Israel National Cyber Directorate said the events of April and May 2020 marked a “changing point in the history of modern cyberwarfare.” Iran, having publicly acknowledged the incident as a cyberattack, declared that it would not allow Israel to challenge it on the cyber-front.
What about international law?
International law sets down a minimum standard of responsible behavior that is binding on countries. Many countries — including Israel and Iran — agree that the general principles of international law based on the U.N. Charter also apply to cyberspace. However, there are various disagreements regarding the specific ways it should apply. For instance, Israel’s deputy attorney general said, “Israel considers that international law is applicable to cyberspace […] However, when seeking to apply particular legal rules to this domain, we are mindful of its unique features.”
One recent reference to international law in the context of government-sponsored cyberoperations came during the coronavirus pandemic, when the Netherlands declared that cyberattacks on the health-care sector, in many instances, constitute violations of international law.
Israel and Iran have shifted from traditional covertness and ambiguity to an increasingly public forum. Considering what has unfolded over the past two years, it appears the international community does not view these types of cyber-intrusions as crossing a certain threshold of violating international law, as no other country has addressed them. And the objectives of these cyberattacks have shifted from mostly defense targets to disruptions of critical infrastructure and civilian life. The greater the public exposure to these cyberattacks, the greater the risk that they could extend beyond cyberspace and influence other areas of this conflict, too.
Gil Baram is a Fulbright cybersecurity postdoctoral fellow at the Center for International Security and Cooperation at Stanford University and an adjunct research fellow at the Center of Excellence for National Security at Nanyang Technological University in Singapore. Her research focuses on government decision-making during cyberattacks and strategic attribution-related policy.
Note: Updated Oct. 11, 2023.