Strikes on Iran will test US cyber strategy abroad, and defenses at home

Smoke rises over Tehran after airstrikes on Iran on February 28, 2026. Fatemeh Bahrami/Anadolu via Getty Images
The federal government’s cyber defense agency is short-staffed, and Tehran is known for its retaliatory cyberattacks.
Coordinated U.S. and Israeli strikes on Iranian targets are putting renewed focus on how the United States integrates offensive cyber capabilities into the battlespace — and how prepared federal agencies are for retaliation at home.
Iran has shown a tendency to respond to overseas threats with cyber means, from defacing websites to spying on U.S. and allied targets. Tracking such actions and alerting the U.S. government and public is a job of the Cybersecurity and Infrastructure Security Agency, which has been operating with sharply reduced staffing due to a funding lapse for its parent agency, the Department of Homeland Security.
“This is a bad time for Washington’s cyber agency to be operating with limited staff,” said Annie Fixler, director of the Center on Cyber and Technology Innovation at the Foundation for Defense of Democracies, a national security think tank.
That funding lapse comes after Trump-administration moves shrank CISA’s workforce by about one-third last year and degraded public-private collaboration mechanisms. This “limits the ability of the federal government to provide timely cyber threat information to the private sector,” Fixler said.
In the wake of the U.S. and Israeli airstrikes, American companies could see a “barrage” of low-level attacks like website defacements and distributed denial-of-service attacks, said Fixler. “Iran might also see some limited success against targets that do not have proper cyber hygiene — exposed edge devices with default passwords, for example.”
Other cyber experts said the U.S. should prepare for a mix of distributed denial-of-service campaigns, ransomware and hack-and-leak operations meant to send a message.
“While it’s not operating at the same technical level as China or Russia, Iranian-linked groups have carried out disruptive attacks against U.S. financial institutions, infrastructure providers and private sector companies,” said Tom Pace, a former Marine intelligence specialist and CEO of NetRise, a cybersecurity supply chain firm.
The conflict will likely see a surge in state-sponsored hacking activity, “specifically targeting operational technology and critical infrastructure through the exploitation of internet-facing industrial control systems and vulnerable [programmable logic controller] hardware,” said Brian Harrell, a former CISA official.
“Threat hunters should be working overtime right now. By combining disruptive attacks with psychological operations, Iran will seek to erode public trust in government institutions and project domestic strength during periods of heightened conflict,” he said.
Elisity CEO James Winebrenner echoed that advice. “We should be vigilant in protecting exposed [industrial control systems] and expect heightened retaliatory activity in the coming days and weeks,” he said. In late 2023, Iran-linked hackers digitally defaced U.S. water treatment equipment.
Tehran may play up the effectiveness and scope of its cyberattacks, said Cynthia Kaiser, a former FBI cybersecurity deputy director who leads the Ransomware Research Center at Halcyon. Industry research has documented these theatrics.
“They’ll turn [an intrusion] into an information operation, and say, ‘Look, we compromised this entire facility,’ even though they compromised just a machine,” Kaiser said.
Asked about the diminished DHS and CISA workforce, Kaiser said other national security elements across the government like the FBI and NSA are still able to track and respond to cyber threats in full. “People marshal themselves together to focus on a big threat” even if there are resource shortages, she said.
Matt Hayden, a former DHS infrastructure security official, said CISA would continue its standard threat-hunting procedures as if the government were fully operating. “While there are operators that are working without pay, they are still working,” he said. Hayden is now vice president of cyber and emerging threats at GDIT.
Defense One has asked CISA and DHS for comment.
The U.S. has likely deployed a powerful toolset of cyber and electronic operations against Iranian targets, said Charles Moore, a retired three-star general and former U.S. Cyber Command official who is now a distinguished visiting professor at Vanderbilt University’s Institute of National Security.
“I would suspect that anything that Iran is using to communicate, anything they’re using to keep situational awareness or visibility on the battle space, and any systems they’re using to try to defend themselves, all those types of things — would be targets that would be of interest from a cyber perspective,” Moore said.
The U.S. and Israel are also likely intercepting communications to aid in their operations. “In general, signals intelligence of any type is something the United States is very interested in and is very adept at gathering. And so I have no doubt that those types of efforts will continue,” he said.
Internet connectivity in Iran has also been heavily reduced. The exact cause of this decline is uncertain. While the U.S. or Israel may have played a role, Iran frequently restricts internet access during periods of unrest, such as anti-regime protests.
In coming days, there may be public indications that Cyber Command played a role in U.S. components of the operation, said FDD’s Fixler.
Influence operations have played a role in the efforts. Israel notably hacked a major Iranian prayer app, aiming to fuel an uprising against the regime. But the hack's effectiveness may be limited, said Maggie Feldman-Piltch, CEO of Iceberg Holdings, a firm that helps private-sector entities prevent IP theft.
The infiltration of a prayer app with those messages is “a wonderful example of not knowing your audience or understanding what happens when you don’t,” said Feldman-Piltch, who formerly led the digital and electronic portfolio at the Wilson Center.
A simple message finally calling for uprising ignores years of already documented protests against Iran that have resulted in civilian killings, she said.
The U.S. and its allies will have to stay vigilant. The operation “has destroyed Iran’s conventional military options, making cyber operations the regime’s sole remaining instrument of asymmetric retaliation,” says a threat intelligence report produced by cybersecurity firm Anomali and sent to Defense One. Iran-linked cyber units were “activated and retooling before the kinetic trigger,” it adds.
“Geography provides no protection against a cyber-enabled adversary,” said Tatyana Bolton, principal and head of Monument Advocacy’s cybersecurity practice. “Iran possesses some of the most creative and dangerous cyber operators in the world, and with the current escalation, their incentive for restraint is significantly reduced.”
“They don’t need to win a naval battle in the Gulf to hurt the U.S. — they can simply hold our power grids, water systems, and hospitals hostage from halfway around the world to force our hand at the negotiating table,” Bolton said. “We must recognize that in 2026, the front line isn’t just in the Middle East — it’s in our own backyard.”




