The brief though explosive conflict between Iran and Israel, which included the US bombing of Iranian nuclear facilities on June 22, appears to have settled into a fragile cease-fire. But US leaders should nonetheless be on guard for potential retaliatory attacks from Iran, including by nonconventional means.
For years, Iran has turned to cybercrime and ransomware against critical infrastructure sectors, targeting water, healthcare, energy, defense, finance, and transportation. It has also conducted election influence operations. Though these activities do not amount to a destabilizing cyber campaign, Iran and its proxies are reportedly conducting distributed denial-of-service attacks and data leaks, as well as using destructive malware such as data wipers.
While there is disagreement among experts on the likelihood of Iran achieving a truly catastrophic cyberattack on the United States, Tehran will almost certainly continue its use of cyber capabilities as elements of deniable, low-cost, and disruptive asymmetric warfare. More significant operations may come if the ground situation deteriorates.
Is the United States adequately prepared to withstand such attacks? There are some trends in motion that could reduce its readiness. Washington, for example, is shifting away from national coordination toward state-level responsibility. It is also downsizing resources and its support for international partnerships, which are critical for enforcement and economic disruption against transnational cybercrime. Without other corresponding measures, deregulation risks reducing economic incentives for security. Given these trends, it’s hard to identify high-impact levers—other than perhaps the Trump administration’s focus on optimizing offensive cyber operations—working to address strategic cyber threats.
While there is significant debate around the nature of cyber warfare and deterrence, there are several parallels with more traditional, well-known forms of warfare that are worth exploring for the lessons they offer about defense. Take, for example, the Battle of Thermopylae, a famous Greek tactical defeat by the Persian Empire, and what followed. Fought in 480 BC, Thermopylae was a strategic victory for the Persians, who had stronger numbers and used terrain advantages. Following the loss, the Greeks regrouped, unified, and eventually expelled the Persian invasion. Applying lessons from the Battle of Thermopylae to present-day cyber warfare is surprisingly instructive.
Offensive scale and distribution versus fragmented defense
In Ancient Greece, the Persian Empire invaded with overwhelming numbers, supported across extensive supply lines and with supply points across the vast communities the empire had previously conquered. The Greeks presented a fragmented and decentralized defense against an adversary that, at the time of the invasion, had larger numbers and greater cohesion. Greece operated as a group of mostly independent city-states, each with varying levels of training and resources, to oppose the Persians. Although some of the Greeks, especially the Spartans, were better fighters than the Persians, their limited numbers meant that they were often overwhelmed. The Greeks only defeated Persia after regrouping and unifying under the Delian League.
In the modern era, Iran has turned to cyberattacks because of the low barriers to entry, the difficulty in attributing attacks to specific perpetrators, and the interconnected attack surfaces that make them attractive as an asymmetric force equalizer. Iran uses a mix of state authorities and distributed, low-cost cyber proxies that conduct reconnaissance, influence operations, data theft, ransomware, and sabotage activities. Iranian actors also augment their capabilities through limited experimentation and the use of artificial intelligence tools.
All of this means that Tehran can, at relatively low cost, launch volley after volley of cyberattacks against the United States and its allies and partners, often with some assurance that not all of the attacks will be tied back to the regime.
In defending against these attacks, the United States’ cyber response today can feel similar to the coalition warfare of the Greek alliance system. What is required is improved coordination across multiple levels of government and industry stakeholders, each with their own priorities, processes, and capacity. While enhancing capacity for state and local authorities is welcome, shifts away from federal coordination and critical support to states and critical infrastructure could exacerbate coordination issues for defense and response. Just as the Delian League’s increased coordination led to victory, the US government should look for ways to unify a fractured landscape of forces.
Terrain advantages and chokepoints
Use of terrain was perhaps the most critical factor at Thermopylae. Like Iranian cyber actors, the Persian army struggled against a determined defense, which the outnumbered Greeks established at a narrow mountain pass called the Hot Gates. Only after a local Greek disclosed a route around the pass to the Persians were they able to encircle and defeat the Greeks.
Iranian cyber actors often exploit digital terrain by going after “back doors” or soft targets. This includes operational technology, especially internet-exposed industrial control systems (ICS). The would-be attackers use system engineering and diagnostic tools to zero in on security and monitoring systems, target entities’ own service teams to circumvent typical access controls such as multifactor authentication, and use openly available tools such as the Shodan search engine to identify internet-connected devices vulnerable to known exploits.
The lesson: It is important to control the “digital terrain” by forcing attackers through hardened defensive positions.
At the same time, the United States also has terrain advantages. Malicious cyber operations often rely on US-controlled internet infrastructure and services, creating potential chokepoints. Washington also has power through partnerships with major technology firms as well as regulation of some critical infrastructure that can be leveraged to combat Iranian exploitation in both defense and disruption.
Tactical agility and resilience
Greek soldiers’ martial skill and tactical use of the phalanx formation enabled them to hold back the Persian forces long enough to retreat and regroup for a subsequent Greek victory at Plataea. To achieve this historic prowess in battle, the Spartans prioritized intensive training from a young age focused on stealth, tactics, and resourcefulness. The Greeks’ use of the phalanx also embodied collective and, critically, active defense. The phalanx was a complex interweaving of spears and shields that allowed soldiers to move and to strike at optimal openings.
US strategies for cyber workforce development and collective defense do not yet stand up to a Spartan level of rigor. Although agencies such as the National Security Agency and US Cyber Command have arguably the most elite cyber force in the world, these limited forces are not enough to defend the vast civilian-controlled US digital domain. While some programs have been launched to foster sustainable apprenticeship and trade programs for security experts in needed areas like ICS, the United States faces a flat growth rate in cyber workforce development. Significant progress is needed to improve workforce development, not just for agencies, but for the nation.
While the United States has previously adopted a “shields up” message with industry, this strategy could be seen as a reactive, defensive posture for institutions to focus on securing their individual perimeters. This strategy could benefit from an evolution into a more phalanx-oriented approach that integrates collective defense with coordinated disruption. Like the overlapping shields and protruding spears of a phalanx, interlocking defensive coverage demands synchronized, scaled, real-time coordination of defense and response with critical infrastructure nodes and cross-sector technology platforms as force multipliers. Better leveraging these centers of gravity as part of a cohesive defensive and disruptive posture to expel malicious actors will better scale intelligence sharing, defensive measure implementation, recovery, and disruption campaigns.
A digital phalanx
With critical infrastructure under threat from Iran (as well as Russia and China), the United States must implement a comprehensive strategy that unifies cybersecurity and resilience coordination, leverages and secures critical terrain, and maintains tactical agility for layered defensive and offensive postures. The United States should improve collective defense and build a “digital phalanx” posture, preventing adversaries such as Iran from exploiting the seams of coordination failures to disrupt critical services and operations. It can do this by:
- Leveraging digital terrain and hardening chokepoints, such as through improving cybersecurity measures (e.g., multifactor authentication and network segmentation), using tools to identify internet-exposed systems and address known vulnerabilities that are commonly exploited by Iran, and coordinating with US infrastructure operators for sustained disruption of malicious cyber activity.
- Elevating national coordination and durable coalitions, including by scaling the skill and adeptness of federal agencies’ coordination of readiness and response to both cyber and physical impacts, reinforcing international partnerships to enforce responsible behavior in cyberspace as outlined in the United Nations Convention against Cybercrime, and strengthening and improving the operationalization of public-private partnerships.
- Accelerating and scaling the development of a skilled cyber workforce by leveraging and restoring grants to states and educational institutions, as well as scaling training and outcome-oriented apprenticeship programs with clear pathways to employment in critical sectors, municipalities, and functions.
- Prioritizing resilience in the face of attack so that limited resources can be directed to the areas of highest impact. This can help ensure the ability to operate and recover from both cyber and physical impacts even once compromised.
By taking these steps, the United States can adopt a “digital phalanx” posture to deter, build resilience against, and respond to cyber threats from adversaries such as Iran. Though it occurred more than two-and-a-half millennia ago, several lessons from the Battle of Thermopylae can be applied to cyber warfare: Leveraging terrain, coordinating coalitions, training skilled personnel, and building resilience in the face of attack are just as essential for the United States’ cybersecurity posture as they were for the Ancient Greeks’ territorial defense.
Carole House is a nonresident senior fellow at the GeoEconomics Center. She was previously the White House National Security Council special advisor for cybersecurity and critical infrastructure policy, where she also served as the director for cybersecurity and secure digital innovation.
Image: Men dressed as ancient Greek warriors stand in front of the parliament building during a performance in Athens, Greece, June 21, 2015. REUTERS/Marko Djurica