Full Report
Many analysts expected cyber operations to play a major role in Iran’s response to the U.S.-Israeli military campaign. Yet Iranian-linked cyber activity initially played little visible operational role and has so far produced limited strategic effect. Activity has since become more extensive and visible—including cyber-enabled influence operations, disruptive operations, and operations against exposed infrastructure—but cyber has still not…
Analysis Summary
# Research: More Espionage Than Firepower: The Right Analogue for Understanding Cyber Operations
## Metadata
- **Authors:** Aybars Tuncdogan
- **Institution:** Modern War Institute (MWI) at West Point / McCrary Institute
- **Publication:** *Threat Beat* (originally appearing in *Modern War Institute*)
- **Date:** July 02, 2026
## Abstract
This research examines why Iranian-linked cyber operations failed to meet the expectations of a high-impact "cyber war" during the U.S.-Israeli-Iranian military escalation of 2026. While many projected a devastating campaign against critical infrastructure, the reality was characterized by cyber-enabled influence operations and low-level disruption. The study argues that cyber operations are better understood as tools of espionage and calibrated political signaling rather than "firepower" or kinetic substitutes, primarily due to the logic of escalation management and the limitations of operational utility in active conflict.
## Research Objective
The research addresses a central puzzle in modern conflict: Why has Iran, a capable cyber power with a history of hitting critical infrastructure, refrained from conducting "spectacular" or lethal cyberattacks against the U.S. and Israel despite being engaged in significant kinetic hostilities?
## Methodology
### Approach
The researcher employs a **qualitative strategic analysis** and **case study approach**, evaluating Iranian cyber behavior against prevailing international relations theories (escalation ladders) and public opinion data.
### Dataset/Environment
- Observed Iranian cyber activity during the 2026 U.S.-Israeli military campaign.
- U.S. Congressional records and public opinion polling regarding military involvement in the Middle East.
- Historical data on Iranian cyber capabilities (CISA/ODNI reports).
### Tools & Technologies
- Strategic escalation modeling.
- Analysis of "Cyber-enabled Influence Operations" (CEIOs).
- Review of open-source intelligence (OSINT) regarding Israeli cyber-defense reports.
## Key Findings
### Primary Results
1. **Strategic Restraint:** Iran purposefully avoided high-consequence attacks on U.S. soil to prevent "legitimizing" a full-scale U.S. conventional military response.
2. **Espionage > Firepower:** Cyber operations functioned more effectively as tools for intelligence gathering and "noise" creation rather than as decisive battlefield weapons.
3. **Political Sensitivity:** Iranian planners recognized that lethal cyberattacks could shift U.S. public opinion from "strongly negative" toward war to supporting military retaliation.
4. **Limits of "Cyber War":** Even when kinetic strikes were already occurring (between Israel and Iran), cyber operations did not graduate to more destructive forms, suggesting inherent limitations in their reliability or impact during "hot" wars.
### Supporting Evidence
- **Public Opinion:** Reuters/Ipsos polling (March 2026) showed substantial U.S. public opposition to ground deployments; the paper cites research indicating lethal cyberterrorism is the specific trigger that flips such sentiment.
- **Operational Data:** Israeli cyber chiefs reported a "surge" in activity but noted that it focused on exposed infrastructure and influence rather than strategic military degradation.
### Novel Contributions
- Challenges the "Cyber Pearl Harbor" myth by demonstrating that the **political cost** of a cyberattack often outweighs its **military utility**.
- Proposes a recalibration of how analysts view "capable" cyber powers: move away from seeing them as having "bottled lightning" and toward seeing them as careful practitioners of "escalation management."
## Technical Details
The research prioritizes strategic logic over code-level analysis, but highlights three specific modes of operation observed:
- **Cyber-Enabled Influence Operations:** Blending hacking with propaganda to demoralize civilian populations.
- **Exposed Infrastructure Attacks:** Targeting "low-hanging fruit" (unsecured IoT or public-facing industrial controls) to create a perception of reach without causing systemic failure.
- **Espionage:** Prioritizing the maintenance of access for intelligence over the "burning" of exploits for one-time disruptive effects.
## Practical Implications
### For Security Practitioners
- Recognize that "visibility" of an attack often correlates with its lack of strategic depth; the most dangerous Iranian activities likely remain silent and espionage-focused.
### For Defenders
- **Focus on Resilience:** Because Iran targets "exposed infrastructure," basic hardening of public-facing assets remains the most effective deterrent against the "spectacle" operations Iran favors.
- **Information Environment:** Prepare for hybrid threats where a minor technical breach is amplified via social media to create an outsized sense of panic.
### For Researchers
- Move beyond "capability" assessments (what *can* they do?) to "intent" and "logic" assessments (why *wouldn't* they do it?).
## Limitations
- The paper relies on the 2026 timeframe, which involves projected or ongoing events (given the source date), making some conclusions subject to the fog of war.
- It assumes rational-actor behavior from Iranian leadership, which may not account for rogue elements or technical accidents that cause unintended escalation.
## Comparison to Prior Work
Unlike earlier scholarship that viewed cyberattacks as a "cheap" way to strike a superior power, this research suggests cyberattacks are actually **expensive in terms of political risk**, building on the work of scholars like Erik Gartzke and Lennart Maschmeyer.
## Real-world Applications
- **Policy Calibration:** Shaping U.S. and Israeli responses to Iranian activity to avoid overreacting to "loud" but low-impact cyber operations.
- **Deterrence Strategy:** Using the "threshold of lethality" as a clear red line in diplomatic signaling.
## Future Work
- Analysis of whether the deployment of AI-driven "autonomy czars" (as mentioned in related news) alters the escalation calculus.
- Tracking the shift from "firepower" models to "influence" models in other regional conflicts (e.g., Eastern Europe).
## References
- CISA Advisory AA20-006A (Iranian APTs).
- ODNI Annual Threat Assessment.
- *British Journal of Political Science*: Cyber Terrorism and Public Support.
- [defanged] hxxps://mwi.westpoint[.]edu/more-espionage-than-firepower/