Cyber Command supports strikes on Iran’s nuclear facilities, but officials keep details under wraps

U.S. Cyber Command played a role in American military’s operation against Iranian nuclear facilities over the weekend, according to top Pentagon officials.

“The strike package was supported by U.S. Strategic Command, U.S. Transportation Command, U.S. Cyber Command, U.S. Space Command, U.S. Space Force and U.S. European command,” Gen. Dan Caine, chairman of the Joint Chiefs of Staff, told reporters in a briefing at the Pentagon Sunday morning, later thanking the cyber operators, among others, who made the mission possible.

However, no further details about Cybercom’s efforts were disclosed. The command referred DefenseScoop to the Pentagon for comment, where a spokesperson said they had nothing further to provide at this time beyond the transcript from Sunday’s press conference.

Although details about Cybercom’s assistance for Operation Midnight Hammer, the code name for the strikes, remain murky, experts — most of whom spoke to DefenseScoop on condition of anonymity — outlined a number of possibilities for how the organization may have contributed to the effort.

Outside experts noted that there probably aren’t any U.S. military ops nowadays, regardless of how rudimentary, where a cyber component isn’t involved.

“We really don’t do military operations without cyber support anymore,” Gary Brown, Cybercom’s first senior legal counsel and now a professor at Texas A&M’s Bush School of Government and Public Service, told DefenseScoop. “There is a cyber component for everything we do, even if it seems really unsophisticated, even if the cyber component is just on the intelligence collection side. It’s always there.”

Moreover, others pointed out that with such a high-profile operation, many Defense Department components will want involvement in order to prove their value.

A former military cyber official noted that a sophisticated operation like Midnight Hammer points to the maturation of Cybercom, which was created just 15 years ago and now is “is a fully integrated mechanism,” supporting air superiority and global transportation.

While details regarding Cybercom’s involvement in the strike were limited, experts provided a few examples for how the command could have supported such an attack. These sources noted that they had no inside knowledge of the recent operation and were largely speaking in hypothetical terms to offer vignettes for how digital forces would likely be involved in that type of mission.

The operation involved seven B-2 Spirit stealth bombers that dropped 14 “massive ordnance penetrators” — 30,000-pound so-called bunker-busting bombs — as well as Tomahawk missiles launched from a submarine and 125 aircraft that included refuelers and fighter jets, some of which were used as decoys to draw Iranian air defenses away from the B-2s. The strikes targeted the Iranian nuclear facilities at Fordow, Natanz and Esfahan.

Sources noted that this would probably be a broad effort from Cybercom across several of its elements spanning the defensive side, offensive side — through teams that support combatant commands — and possibly its elite Cyber National Mission Force that protects the nation from nation-state cyber activity.

The former official said one of the most likely ways Cybercom would have aided the operation is through something akin to a cyber escort package. With air assets coming from all over the world and various commands — such as Transportation Command, European Command, Central Command and the Air Force’s Global Strike Command — it is important to ensure those aircraft and enabling functions execute missions smoothly.

That includes backups and failsafes as well as ensuring the Department of Defense’s Information Network is up and running to enable communication. Defensive cyber protection teams would likely ensure infrastructure was up and running and protected from any adversary intrusions or disruptions. That could include teams supporting several combatant commands as well as those protecting the DOD Information Network and Transportation Command, headed by the DOD Cyber Defense Command.

One of the classic examples always cited throughout Cybecom’s history as a key capability for enabling military operations is the monitoring and disabling of enemy integrated air defense systems to allow friendly aircraft to penetrate and strike. If access is gained into those systems, cyber operators could turn them off or make them malfunction, preventing the enemy from shooting down friendly aircraft looking to engage targets.

Experts that spoke to DefenseScoop noted they had no direct knowledge if this was part of the strike package or capability over the weekend, but cited it as a potential example for how Cybercom could support a kinetic strike operation.

B-2 bombers rely on stealth and thus don’t have many defensives. Given that and the fact they’re not very maneuverable under fire, monitoring and possibly disabling an adversary’s IADS would be desirable to minimize the risk of the aircraft being shot down.

Others noted that any support Cybercom can offer often requires access ahead of time, a key caveat that is often overlooked. Unlike in Hollywood, cyberspace operations aren’t as easy as just pushing a button on a keyboard. Forces must be forward and present to gain the necessary access for intelligence collection to map and understand systems, and eventually affect systems if the go-ahead is given. Moreover, that access can be eliminated if forces are discovered by the target or if a patch is implemented.

Thus, cyber forces require constant persistence in order to gain and maintain those accesses, even during times outside of conflict. In 2018, Congress paved the way to enable the command to conduct this activity, referred to as intelligence preparation of the battlefield, without tipping the covert action statute that requires presidential authority to do so, clarifying cyber is a traditional military activity.

Given this access is difficult to gain and maintain, each operation requires an important calculus on whether to act on those implants and create effects because once used, that access is burned.

For example, if it wasn’t needed, the U.S. might not have acted on Iranian IADS if they weren’t poised to shoot down the B-2 bombers, provided this was part of the op.

Axios reported that the U.S. government asked Israel to eliminate Iranian air defense systems to clear a path for American aircraft.

Others pointed to how cyber operators could have been standing by to cause effects elsewhere to divert Iranian attention away from the targets. This could include brownouts or disrupting communications, though, again, those effects would likely be weighed against the downsides of giving up those accesses if those actions weren’t needed.

Cyber-enabled intelligence, surveillance and reconnaissance could have also been provided prior to the attack, producing targeting data, intelligence on Tehran’s likely immediate response, Iran’s force posture and ability to target U.S. forces during or right after the operation, according to sources.

Similarly, cyber forces could provide indications and warning during the attack to alert U.S. units with near real-time information on Iran’s military forces or counterattacks.

Support could also have taken the shape of offensive cyber action during the airstrikes, disabling Iranian military or civilian communications or their ability to respond, which likely would have been undertaken by combat mission teams that conduct cyber ops on behalf of combatant commands, mostly in the offensive sphere.

This activity could have disabled or disrupted enemy early warning systems or spoofed them in a way to show no activity incoming or many more assets moving in.

Sources also indicated cyber means could help with battle damage assessments after the strike, however, that would most likely fall within the purview of the NSA and its signals intelligence role, monitoring Iranian chatter and channels.

Some noted that it’s possible U.S. defense leaders were also lumping in NSA when they referred to the support of Cyber Command, both of which are co-located and share a leader despite having different missions — foreign intelligence, in the case of NSA.

In that vein, cyber forces, either from NSA or Cybercom, could’ve been monitoring for chatter among Iranian sources to see if they bit on the diversion the U.S. sought at the outset of the strikes against the nuclear facilities.

Defense officials reported that they sent some bombers initially west toward Guam as a ruse to distract from a potential strike in Iran, which was ultimately carried out by B-2s that flew east from the United States across the Atlantic to reach their targets.

There is also a defensive role Cybercom could be playing after the attack. Many experts are bracing for potential blowback in the digital domain and Iranian retaliation. While Tehran’s military has faced setbacks from Israeli attacks in recent days, it does pose a threat in cyberspace, which levels the playing field some as opposed to matching traditional forms of military might against the U.S. and Israel after having been significantly weakened.

Cybercom could be posturing and bolstering its capabilities to defend against threatening attempts against networks originating from Iran. This could take the form of a preemptive digital action against Iranian cyber capabilities to limit their capacity to conduct offensive retaliatory action. Forces standing by to support that role could be either combat mission teams focused on the Middle East region or Cyber National Mission Force teams assigned to specific Iranian threat actors poised to target the U.S. homeland in cyberspace.