Iran spent years building a cyber arsenal. Will it unleash that arsenal now?

Iranian people carry a coffin of Iranian Major-General Qassem Soleimani, head of the elite Quds Force, who was killed in an air strike at Baghdad airport, during a funeral procession in Tehran, Iran January 6, 2020. Official Khamenei website/Handout via REUTERS ATTENTION EDITORS - THIS IMAGE WAS PROVIDED BY A THIRD PARTY. NO RESALES. NO ARCHIVES

In 2007, a computer virus crippled centrifuges at Iran’s uranium enrichment facility in Natanz, setting back its nuclear program by years. The Stuxnet attack — not uncovered until a few years later — taught the revolutionary regime in Tehran a valuable lesson about how effective cyber weapons can be, prompting Tehran to invest heavily in cyber capabilities of its own. The results speak for themselves: Iranian hacking groups have graduated from conventional distributed denial of service (DDoS) and domain name system (DNS) attacks to more sophisticated operations against critical infrastructure and industrial control systems.

In the wake of Qassem Soleimani’s killing last week, the question of how Iran aims to use its cyber arsenal has acquired a newfound urgency. Tehran will need to respond forcefully to Friday’s attack, as well as related recent strikes. Iran’s cyber weaponry would seem to offer a ready-made option for high-impact, low-cost retaliation, as Iran’s national security chiefs have apparently recognized.

Yet fears of a devastating Iranian cyberattack are premature. The coming days and weeks will almost certainly bring an uptick in Iranian activity, as always happens when the two countries are engaged in brinksmanship. But it would be surprising if Tehran’s promised retaliation leveraged cyber operations alone.

Consider Iran’s three options going forward: a response that escalates the conflict further, a strike that maintains the status quo, and an attack that “saves face” while de-escalating the conflict. In each case, cyber weapons would not be able to signal Iran’s preference effectively.

Option 1: Escalation. Iran repeatedly escalated its shadow war with the U.S. last year, first by downing an American drone over the Strait of Hormuz and then by striking oil fields in Saudi Arabia. If Iran wants to escalate again, it will need to carry out an operation even more consequential than Soleimani’s killing or either of those attacks. For all their sophistication, Iran’s APT33 and other hacking groups have yet to demonstrate that they can inflict sufficient damage — such as a “digital 9/11” that shuts down power grids nationwide — to dramatically escalate the conflict from here. If Iran wants to escalate, a major military attack or even outright war is the most likely path forward.

Option 2: Status quo. Now that the Soleimani killing has brought Iran and the U.S. to the brink of war, Tehran may decide it wants to stay there. In that case, Iran will need to respond in a way that signals it does not seek war but has no interest in backing down either. Ironically, the revolutionary regime is more aware than anyone of how poorly suited cyber operations are for that task. If cyberattacks worked well as a non-escalatory deterrent, Soleimani would likely still be alive: In response to the drone downing and Saudi oil field attacks last summer, the U.S. launched major cyber operations designed to prevent further escalations like the recent embassy breach. That Soleimani escalated the conflict even after massive U.S. cyber operations suggests they have limited value as a strategic deterrent. If Tehran wants to match but not exceed the Pentagon’s latest show of force, it knows all too well that cyber operations alone won’t be enough.

Option 3: De-escalation. Finally, although it seems unlikely, Iran’s revolutionary regime may seek de-escalation. With America’s key European allies urging restraint — and a Saudi delegation in Washington to do the same — Tehran may decide it has more to gain through discretion than bellicosity, particularly in the short run. Yet if Iran opts to de-escalate, it will need to respond in a way that signals to its allies and adversaries strength, and to the Trump administration acquiescence. Cyberattacks are one way of doing that, but in this case they will be insufficient: Soleimani was too public a figure, and the weight of his office too solemn, for his killing not to warrant a public response. Even if Iran seeks to de-escalate from here, it’s unlikely to resort to cyberattacks in doing so.

None of this is to suggest that Iran’s cyber capabilities will go unused altogether. As my colleague Suzanne Maloney has noted, Iran is likely to take some time to evaluate its options — and in the interim, it will want a low-cost way of probing for vulnerabilities while signaling to the White House that it fully appreciates the seriousness of what has just taken place. Cyber operations are ideally suited for such a task.

The U.S. and its allies would do well to prepare for heightened cyber activity from Iran. But they would do better to prepare for military force more.