A sliding scale of secrecy: toward a better understanding of the role of publicity in offensive cyber operations

ABSTRACT

In recent years, offensive cyber operations are becoming another tool among many in the diplomatic toolbox of states, with countries discussing cyberattacks more openly than before. This change in practice from covertness to openness warrants a closer look at the interests and motivations of countries in ‘going public’.

This paper offers a conceptual framework for understanding why attackers and defenders might choose publicity over secrecy, and analyzes the possible outcomes of choosing each. The framework is examined through a series of mutual cyberattacks and intrusions between Iran and Israel during 2020–2021 serving as an illustrative case study.

The research demonstrates that each strategy along the axis spanning from silence to full publicity and attribution is enabled by, or serves, a particular set of circumstances on both the defender and attacker’s sides. Each combination reflects a particular dynamic, demonstrating that the choice of strategy is more evolved than an outdated silence-or-publicity perception.

KEYWORDS:

• Secrecy
• going public
• Iran
• Israel
• Offensive cyber operations

Acknowledgements

The author would like to thank Noya Peer for the excellent research assistance, and to Dr. Herb Lin, Prof. Isaac Ben Israel, Prof. Udi Sommer and the members of the Social Science Reading Group at the Centre for International Security and Cooperation (CISAC) at Stanford University for their valuable comments on earlier versions of this work. The author would also like to thank the editor, the editorial team and two anonymous reviewers for their valuable feedback and comments.

Disclosure statement

No potential conflict of interest was reported by the author(s).

Correction Statement

This article has been corrected with minor changes. These changes do not impact the academic content of the article.

Notes

1 This paper deals only with public responses of states and not private ones. For the dynamic of non-denial denials and non-comments see Brown and Fazal (2021). Furthermore, there is always a possibility that the attack or intrusion were revealed by a third party – such as private cybersecurity companies, a hacktivist group or other non-state actor – before the state decided to address them. This goes beyond the scope of this paper which focuses on the calculations of states. For more details regarding the role of third parties and private cybersecurity companies see Romanosky and Boudreaux (2021).

2 There are other considerations for countries when deciding whether to reveal an attack, such as creating a false attribution for political reasons or faking non-existent capabilities; using the publicized attack for achieving political goals, such as increasing allied support; cases when there is a public leak and the defender is being forced to reveal the attack; internal political considerations, and more (Baram and Sommer 2019).

3 On the influence of the domestic public on decision-making regarding cyberattacks see Kreps and Das (2017) and Kreps and Schneider (2019).

4 It is important to mention that at first the explosion was considered to be a result of a cyberattack that caused physical damage. Later there were claims that it was a remote detonation of a smuggled explosive device, not involving cyber means.

Additional information

Notes on contributors

Gil Baram

Dr. Gil Baram is a post-doctoral researcher at the Cyber Escalation Lab, Center for Peace and Security Studies, University of California San Diego. Previously she was a Fulbright cybersecurity post-doctoral fellow at the Center for International Security and Cooperation, Stanford University.

She has held fellow positions with the Centre of Excellence for National Security at Nanyang Technological University in Singapore and the Blavatnik Interdisciplinary Cyber Research Center at Tel Aviv University, and served as Head of Research at the Israeli think tank Yuval Ne'eman workshop for Science, Technology and Security.