WASHINGTON — When Chairman of the Joint Chiefs of Staff Gen. Dan Caine briefed reporters today on the US military operation against Iran, he made a point to say that US Cyber Command and US Space Command were the “first movers … layering non-kinetic effects, disrupting and degrading and blinding Iran’s ability to see, communicate and respond.”
Caine didn’t go into details about what exactly CYBERCOM, in particular, did — even if there’s plenty of informed speculation.
But whatever it was, several former officials and cyber operators told Breaking Defense that they expected the cyber mission to evolve as Operation Epic Fury continues, potentially for the next few weeks, perhaps sliding into more intelligence-gathering mode and saving some key kinetic capabilities for specific moments.
One former cyber operator said that there still are likely multiple phases in the operations plan, and there would be a cyber operations annex in support of each phase. If the planning cell determines that CYBERCOM could support a specific effect during a phase, that would be in the plan.
But for the most part, they said, “in sustained operations you transition to intelligence support/indications and warning.”
CYBERCOM has not responded to a request for information regarding its role in the operations. The Pentagon has previously said, “Due to operational security concerns, U.S. Cyber Command does not comment nor discuss cyber intelligence, plans, operations, capabilities, or effects.”
A Question Of Access
Any cyber effects require pre-positioned access to affect systems or networks, which in some cases can take months to years to gain and require persistence to maintain.
“You just don’t flip this switch on automatically,” a former military cyber lawyer said. “I’m not saying that the planning and operational pace hasn’t gotten better over time, but still, it takes time to develop the accesses, etc., that you’ll need to be able to execute on the right targets at the right time to integrate that into something broader.”
For one-time operations, such as America’s strike on Iran last June or against Venezuela last month where air defense radars and communications were disrupted via cyber, perpetual access might not always be as big a concern as sustaining a military campaign over time.
A former senior cyber commander noted Epic Fury will likely be an enduring operation with many missions, evolving and changing parameters and priorities as the battlefield — and cyberspace — evolves, vastly different than a single strike.
Another former senior cyber commander noted that one of the biggest differences between one-off strikes like Operation Midnight Hammer last June and the current operation is that supporting elements will be working 24/7, focused on targets offensively, defensively, information operations and intelligence.
A second military lawyer who dealt with cyber operations said that in an extended campaign, they would be worried about available access if Iran cuts them off from some networks. It’ll be on cyber operators to find more in a continuously shifting playing field.
But once cyber operators are in, there’s the question of what to do with that access: to gather intelligence, or to break something. Breaking something almost certainly eliminates the ability for cyber to impact that target again, while also closing off any intelligence value the access provided for collection.
Supporting Ops Through Intel-Gathering
As the first former cyber operator previously told Breaking Defense, online operations will likely continue to play a support role gathering intelligence — not only to support direct military action but to more broadly determine adversary intent and plans, as well as damage assessment.
“If the US campaign against Iran continues, there will likely be a large effort to determine if the initial wave killed any senior leaders, for the senior leaders still alive what they are planning to do in response, and where those high value targets are located for secondary strikes,” the ex-operator said.
A second former cyber operator, similarly, noted that for anything beyond a raid, cyber is best used for persistent intelligence collection as opposed to creating warfighting effects, particularly when a conflict has entered the kinetic phase. It is rare for a cyber effect to offer a meaningful improvement over standard munitions, they said.
They added that an example of what not to do was Russia’s cyber activity against Viasat at the beginning of its invasion of Ukraine. While that action caused short-term havoc for Ukrainian government and military long-range communications, the result was that the Russians burned a valuable intelligence collection posture and pushed the Ukrainians to use Starlink capabilities, which are faster, cheaper, more robust and more portable, and to which Russian intelligence did not have access.
“The net result was that the Russians forced a massive modernization of Ukrainian capabilities, saved their adversary money, and found themselves in an espionage deficit,” the former operator said.
When To Go Kinetic
There are scenarios, of course, where it could make sense for CYBERCOM to conduct operations with more overt consequences, like interfering with public-facing government websites or turning off the lights.
Another former military cyber lawyer indicated such operations could come into play if a popular uprising coalesces in Tehran, as President Donald Trump has encouraged. Cyber operations, along with air power providing cover, could aid such a movement. Or more broadly it could be more beneficial for specific military operations if the power goes out in a certain part of town at a certain time.
And, crucially, in that case many of the cyber effects would be reversible if the uprising succeeds or the operation has finished.
“One advantage from these techniques in a longer campaign is that civilian impacts are minimized because cyber effects can be turned on and off. For example, a kinetic strike on the power grid takes it down for the foreseeable future. Not so cyber capabilities. Same for telecoms, which affect emergency services,” they said.
With the conflict now in its third day, it’s likely cyber operators are continually updating their options, should such chances present themselves. Beyond that, CYBERCOM isn’t saying.