Skip to content

Cyber Operations as Statecraft with a Former US Diplomat

A state can now signal resolve, coerce a rival, or degrade an adversary's military capability without firing a physical weapon. Cybersecurity and diplomacy used to run in separate lanes, and that separation no longer holds.

Cyber Operations as Statecraft with a Former US Diplomat

Armand Cucciniello III has spent his career at exactly that intersection. He is Director of Strategic Communications & AI at Blue Force Communications. He served as a US diplomat to the Middle East, a region where cyber operations and active conflict have run side by side for over a decade. As a senior official at the US Department of Defense, he supported cybersecurity, enterprise technology, cloud, and digital modernization work for the Joint Staff and the Defense Information Systems Agency. He is a graduate of the National War College. In this conversation he examines how states use cyber operations as instruments of power, grounding it in one of the most discussed and least understood cases.

Watch the full conversation below or read the full interview.
The transcript below has been lightly edited for clarity.

Please introduce yourself.

Cucciniello: Thank you. I'm really happy to be here, and quite frankly honored that you're having me on the show. This is a topic that I enjoy speaking about given my background. I'm doing some different work these days in the private sector. However, I really appreciate you mentioning my background in diplomacy, as a senior defense department official, and my work in the Middle East, and also with IT, AI, and cybersecurity, because this is one of those topics where everything I've really done in my career kind of comes together. My background is really at the intersection of communications, technology, and national security. And these days I'm focused fully on the private sector. But there are really a lot of lessons here now, especially with Iran, that fuse the two, because some things that may seem geopolitical and political in nature, or diplomatic in nature, do actually have business risks. And hopefully that's something I can add value on, for private sector entities and companies to understand that geopolitics is not really exclusive to business, at least not these days, and especially in the cyber area. For me, the real value of understanding Iran's cyber playbook is not academic. The threat model directly determines what a CIO or CISO these days should be prioritizing, whether from patching VPN appliances to screening ransomware payments against the US Treasury's Office of Foreign Assets Control sanctions list. And that's really the translation work I've been focusing on lately, turning geopolitical intelligence into operational guidance in the private sector, for businesses to stay ahead of the game and not fall victim to what Iran and other cyber actors are doing. So I like to tell people, what I care about most isn't really the history lesson, although it's fascinating. It's what I like to call the news you can use, in the private and commercial sector.

Having worked in both Defense and diplomacy, how do you distinguish offensive operations, defensive operations, and defend forward? And is defend forward really defensive, or a mask for offense?

Cucciniello: That's really an interesting point, because in the US government's architecture, cyber operations are seen more as the domain of the military side, not the diplomatic side. That's not to say the State Department doesn't have a cyber apparatus. It does. But really the Department of Defense, now the Department of War, I should say, kind of owns that portfolio, alongside the Department of Homeland Security's CISA. Now, in terms of how we classify cyber operations, there's offensive and there's defensive. Offensive operations are actions that are really intended to project power. Normally that's done through force, but now it's also done through cyberspace. And the intent is to degrade, disrupt, deny, deceive, a lot of Ds in there, adversary information systems and networks and their capabilities. To do that, for the US, it typically requires explicit presidential authorization under national security presidential memoranda in the chain of command. So offensive cyber operations, for the US's purposes, are military operations. On the defensive side, those are really more passive, as well as active, measures, but taken to preserve the ability to use cyberspace and cyberspace capabilities, and to protect data and networks and systems, and just the overall infrastructure. So if you think about it in this framework, defense operations are like the shield and offense the sword. Now, you got right at the heart of something that's a little bit of a gray area, the whole defend forward concept. Since, I think it was, 2018, and it was codified more recently in 2023 in the Department of Defense's cyber strategy, the US has pursued what's considered a policy of defending forward, where we actively disrupt malicious cyber activity at the source before it reaches US systems or networks. So some might argue, and not inaccurately, that these really are offensive activities. But because they're conducted in a manner to get at the problem before the problem becomes a problem, in a lot of ways they are also defensive. So some people call this offensive defense, but it is legally distinct from an outright offensive cyber attack.

How does an attack earn a label like Iranian, Russian, or Chinese? Who makes that call, on what evidence, and why is it so politically hard to get right?

Cucciniello: This is one of these areas of warfare, if we call it that, because again, in the US framework, cyber attacks are seen as warfare. The attribution process is actually quite complicated. Unlike if there's a submarine that shoots a torpedo at a US ship, which is pretty quick to identify, relatively speaking, and a lot less complicated on a technical level of where it emanated from and who was behind it, simply because hard artillery, munitions, ships, torpedoes, submarines are not something that exists in the commercial marketplace. But because cyber and IT and computers do, there's a lot more complexity to attribution. So attributing a cyber attack to a nation state is really one of the most technically and politically complex challenges in national security, because it involves multiple layers of analysis. And it's never done by one single entity or actor alone. So the way to think about it is that there are really two tracks of attribution. There's technical attribution, and then there's political attribution. The first track is really conducted by cybersecurity firms in the private sector. Microsoft is a great example. They bought Mandiant, and now Google also. CrowdStrike, Palo Alto Networks, Trellix, those are just some examples, as well as government agencies like the National Security Agency, CISA, the FBI. And the technical attribution involves malware analysis, reverse engineering, command-and-control infrastructure analysis, IP addresses and domain registration patterns, and also language artifacts embedded in code. But then there's the political attribution, which is a government decision about whether to publicly attribute an attack to a specific country, to a specific nation state. And this does involve weighing intelligence equities, diplomatic consequences, and different legal thresholds, and also coordination with allies, in order to determine whether or not we're going to attribute a particular attack to a particular country, because the actors doing the attack aren't always government-sponsored entities directly. They may be sponsored indirectly.

When a company is hit and the government holds attribution it can't share publicly, how should the company bridge that gap?

Cucciniello: To get back to that first track of attribution, the attribution often begins with the private sector, quite honestly. Like I said, major cybersecurity companies identify and name the threat actors. Government agencies usually then corroborate these assessments using classified intelligence. So there's definitely a nexus between the two, and they have to work together. A company could go out there, let's say if a company was attacked, and say, hey, we believe it was Iran, or Russia, or whomever. But if they don't have the US government's backing, they may not want to be so forward about their attribution, unless they've actually worked behind the scenes with the appropriate authorities in the United States government in order to attribute that particular attack. It may not work in their favor. And then they're kind of just floating out there in the public space, blaming Russia or Iran or North Korea.

Many operations attributed to states actually come from non-state actors. Why does that distinction matter, and how should it change the way we read attribution claims?

Cucciniello: This is the issue with cyber attacks. Again, it's not like a missile being launched from a ship that has a particular country's flag plastered on it. Kinetic operations are much more visible, both the impact and the source and origin. Whereas with cyber attacks, they're not. Why would any country in its right mind, or any government, want to say, hey, that was us, we attacked you? They do these things covertly. This is really one of the more nuanced questions, especially in Iranian cyber analysis. The simple answer is, it's complicated, and it's deliberately complicated. Iran has constructed really a layered cyber ecosystem that blends state actors, front companies, proxy hacktivists, as they're called, and moonlighting criminal operators, to maintain some sort of strategic deniability while still achieving its objectives. So this complicates the forensic analysis, because cyber attacks are like a crime scene. There really has to be a piecing together of digital evidence to see who is behind it. And with the layers of state actors and front companies conducting them, that just complicates the forensic analysis, because again, it's not like firing a weapon from a particular flag carrier, which would make attribution much, much easier, much quicker.

What is Iran actually trying to achieve through cyber operations? What does Iran want?

Cucciniello: That's really important, because again, on the surface these look like purely geopolitical, government-state-to-state type activities. But they're not, and they're not purely technical activities either. They really do serve a range of strategic, geopolitical, and political objectives that are deeply intertwined with the Iranian regime's broader national security strategy. So you could really think about it as four intent categories, or buckets. There's intelligence, where Iran is just collecting data for information purposes. Espionage, and information collection for context and awareness. There's also what you might consider economic warfare and coercion, where Iran will use cyber operations to impose costs on its adversaries. Iran knows that the US dollar is still very powerful, and the US is still very powerful as a country. Iran can't achieve strategic objectives in traditional ways that more powerful countries can, because it doesn't have those resources. So it wants to impose costs on its adversaries, particularly the US, because it can't compete with the US dollar economically. So cyber becomes a very cost-effective way of achieving strategic and geopolitical aims that it otherwise wouldn't be able to through kinetic force and conventional military means. Some other things. Disruption, sabotage, and retaliation are really another category. I'm thinking of how Iran has used cyber operations to retaliate for perceived hostile acts against it. And it's done that not just toward the US or Israel, but against Saudi Arabia, the UK, Turkey, and some others that normally wouldn't be thought of when you think of Iranian attacks. Azerbaijan and Greece are all countries that have been victimized by Iran's cyber attacks. A good example of how Iran uses cyber in a retaliatory way is the Las Vegas Sands casino attack. I think that was over ten years ago, 2014 or 2015. And that came after the owner of the casino at the time, the Adelsons, made public anti-Iran statements. So Iran launched a cyber attack against the casino. That's a very covert and cost-effective way for them to do that. They otherwise weren't going to be able to hit back. I'm thinking also of Saudi Aramco. There was an attack called Shamoon, which Iran inflicted on Saudi Arabia, after what was a suspected cyber attack on Iranian oil infrastructure. And then there's one more category, which normally gets attributed to Russia, the real influence operations and narrative warfare. Unlike Russia, though, Iran's influence and operation model is not mass social media manipulation, which is kind of a signature and hallmark of Russia's troll farms. Iran's approach is much more targeted. Iran uses hack-and-leak type operations. Disinformation is directed at specific audiences versus a general population or electorate. And, again, the strategic release of stolen documents to undermine political figures. We saw that in the 2024 US presidential race, when attacks attributed to Iran targeted particular Trump campaign officials, I think it was before the presidential debates, in order to sway perception there. So those are really the four categories of Iran's intent. They're not always technical. They do fit into larger geopolitical aims. However, the point of contact oftentimes happens in private sector entities, which is why this is such an important topic for businesses, global businesses, not just US businesses, businesses all around the world, to really understand that a cyber attack emanating from Iran is not always a straight line between state and state, government to government. Iran will go through US-based companies, US-owned companies, in order to achieve its geopolitical aims.

Are these operations always directed from Tehran, or is there a layer of aligned but independent actors? How does that change the threat picture?

Cucciniello: That's a great question, because Iran is infamous for its proxies. Again, Iran doesn't have the financial and military means to exert power and influence across the globe the way larger countries do. So it uses proxies. And it's done this for decades, with Hezbollah and Hamas, and with different operations in South America. But now it's also incorporated that framework into its cyber ecosystem as well, to use proxies that are not necessarily directly state-related or state-sponsored. And they're not always necessarily in Iran, but they are sponsored, funded, and promoted on the covert level from Tehran, for sure.

From your time in diplomacy, you saw Iran use cyber for signaling, retaliation, and deterrence rather than pure disruption. What did you see?

Cucciniello: You have to understand that cyber activity for Iran is relatively new. If you think of when the Islamic Republic of Iran was founded, that was 1979. The turning point, the inflection point, the wake-up call, however you want to frame it, for Iran is largely considered, at least by Western analysts, to be Stuxnet, the attack that happened in, I think it was, 2010. So that's really considered the foundational moment when cyber attacks became a thing for Iran. And this is when I was leaving diplomacy, not completely, but moving more into the private sector. So I didn't see a lot of this firsthand at the time. I'm thinking of what Iran did relatively shortly after that. They tried to access control of the Bowman Avenue Dam in New York. They didn't cause any damage, the dam had been disconnected for maintenance anyway, but the message was clear. They were trying to send a signal, we can reach inside your critical infrastructure. So that's an effective way to scare people, at least on the populist level, but also to signal to the US government that, hey, we might be small, but in this area we're trying to be mighty. Iran has pre-positioned malware in US water and energy systems. That's not an immediate attack plan, but it's a strategic signal that, hey, we in Tehran have options to exercise if we want to. So in that way, Tehran really uses cyber as deterrence, or hopes to, rather. It hasn't quite worked, as we've seen since February 28th of 2026, because given the current administration's position and foreign policy toward Iran, Iran's signaling clearly has not been as successful as maybe they hoped it would.

For a skeptic, which Iranian operation is the most well-documented, where the evidence is there to check? Walk us through what happened and how targets responded.

Cucciniello: You're really pressure-testing me, so I'm looking at my notes right now. Let's talk about infrastructure. There was one against US banks. It was called Ababil. It happened in 2011 and 2013. These were distributed denial-of-service attacks on 46 US financial institutions. That was traced back to a group that was previously unknown. But they claimed responsibility outright, framing the attacks as a protest over a particular YouTube video that was considered offensive. So that one had a public claim attached to it. And then through intelligence and other means, we were able to trace back that particular group and who was backing them. But the group made a public claim, so they really exposed themselves in a lot of ways. And then, as a result of that, the Department of Justice clamped down on some Iranians who were working for Revolutionary Guard affiliate companies. So usually the cases that have Department of Justice indictments are pretty solid, because it becomes then not just a military and cyber warfare issue, it also becomes a judicial and legal issue, at least for the United States.

How does the US actually respond to attacks like these?

Cucciniello: It could be through a number of means. Using brute military force is extremely rare. There's asymmetric covert action, or it would be sanctioning, getting the legal and justice system underway. And some of that might seem very superficial, because if these are actors operating inside Iran, and they're not necessarily relying on distributed financial resources around the globe, they might feel protected and can still continue what they're doing. But if you're slapped with United States sanctions, sooner or later, if you're doing any type of international financial transactions, it's going to catch up with you, for sure. So again, there are state sanctions, which involve the US Treasury Department, there's the legal attribution, which has to do with the FBI and the Department of Justice, and then there's the more covert piece, responding in kind, and then there's the overt military means. But even when we think about what's going on now with Iran and the Trump administration, to say that we killed the previous Supreme Leader because of cyber attacks, I could be wrong, but I've never heard the Trump administration say that. That escalation of force would probably have to be something much more severe than a cyber attack at the scale we've seen thus far.

How do Iranian cyber capabilities compare with Russia and China? And where does that comparison mislead people?

Cucciniello: The four main cyber actors, if we look at it through the lens of a nation state, are China, then Russia, then Iran, and then North Korea. Those are the leading state-level cyber threats, and they're not equivalent. I'll walk through each one. China is considered top-level, what the US intelligence community calls the pacing challenge. You have APT groups like Volt Typhoon and Salt Typhoon that are really trying to pre-position Chinese access inside US critical infrastructure at a very large scale, and at a depth that really dwarfs Iranian capability. So it is important to talk about Iranian cyber attacks in the context of other state actors, not to downplay the Iranian threat, but just to get an idea of who really has the largest stick here. China does, for sure, at least right now. And China's objectives are much more long-term strategic espionage, and pre-positioning for a potentially much larger conflict, not near-term disruption. Russia is really the next layer down. And they're considered a more experienced wartime operator compared to even China. If we look at what they've done with cyber and military operations through their years of experience in cyber warfare in Ukraine, Russia has become very sophisticated. I know Ukraine has been in the headlines since the spring of 2022, or late winter of 2022, because of its more connected kinetic invasion of Ukraine. But Russia has been conducting cyber warfare in Ukraine for years, and it's become, unfortunately, very good at it. Russia is also willing and capable of targeting US critical infrastructure. And a more signature move that we've seen, most famously with the 2016 presidential election, is really mass disruption through social media. They do these types of things at scale, to affect the populace, to erode confidence in United States democracy. Iran is really another tier. You could say it's tier two, if you put Russia and China in tier one. It's considered much more aggressive and more significant, but it's still operating below China and Russia in terms of raw capability, for the reasons stated earlier. Iran just does not have the financial resources of these other countries. It is more willing than China to conduct aggressive, disruptive attacks. China tends to take a more cautious, long-term approach versus Iran. And Iran is also just less technically capable than Russia, but it's definitely been more active, at least lately, in targeting US political processes. And then last, to mention it because it is one of the top four, is North Korea. North Korea is mostly motivated by finance. It needs capital, it needs money. So if it can bring in money to Pyongyang through financially motivated cyber crimes, it'll do it.

For a CISO or CIO, in the US or abroad, what does this geopolitical context change about how they should read their threat landscape?

Cucciniello: This is probably the most important question and the most important topic, because this is where government, national security, IT, cybersecurity, media, journalism, it all comes together. When I thought about this in preparing for this discussion, I found seven different threads.

One is that geopolitics in a lot of ways really determines your threat level. Your company's risk level is directly correlated with your proximity to US government contracts, Israeli business ties, energy sector operations, financial services, or any industry that could be publicly perceived as hostile to Tehran's interests. So that's really important for people to know. And thinking about the most recent strikes on Iran by the US and Israel, any companies with ties to the Middle East, the defense sector, or the US government in other ways should really assume an elevated threat level, no matter their business. If they think they're distant, but they're somehow perceived by Tehran to be connected, they should assume an elevated threat level.

Another thread is that Iran exploits known vulnerabilities at scale. It definitely does. The prolific mass scanners. There are IRGC-linked groups that conducted mass scanning of Palo Alto Networks and GlobalProtect VPN devices. So if you have unpatched internet-facing systems, you probably want to take care of that, because those are a primary initial access vector for Iran. Organizations that don't apply their patches promptly are at risk. That's something for CISOs and CIOs to really pay attention to. I'm thinking of some other things Iran does, password spraying, multifactor authentication push bombing, brute force. These are all things Iran has been known to do.

Another thing companies really should be aware of is that they already may be compromised. Iran's been weaponizing pre-existing access inside US critical infrastructure for a few years now. So this is not just a government problem. Private sector organizations really should be conducting proactive threat hunting for indicators of compromise, auditing privileged access and unusual lateral movement, and engaging with sector-specific information sharing and analysis centers. These are all things that should be done under the assumption that an organization might already be compromised.

Another, a little more particular, is ransomware, because this is a big one with Iran. A significant portion of ransomware attacks against US organizations recently, going back one or two years, have been traced to IRGC, or Revolutionary Guard Corps, linked actors. There's Pioneer Kitten and Lemon Sandstorm, a couple that were linked to the IRGC. These actors broker network access to ransomware affiliates and then end up fusing and blending state intelligence operations with financially motivated cyber crime. And this creates a critical legal risk for companies, as well as a political risk. If you're paying ransomware to a company that might appear to be independent, but the company may unknowingly violate OFAC sanctions, now they're putting themselves in legal jeopardy as well as cybersecurity jeopardy. So really screen any ransomware group against the Specially Designated Nationals, the SDN lists that the US Treasury Department manages, before paying. And then report ransomware incidents to the FBI and CISA immediately, because this way the government can actually help advise companies on the sanctions risk.

A few more. Social engineering is really the frontline attack. Charming Kitten, which is sophisticated and Iranian, is probably among the most sophisticated, if not the most sophisticated, social engineering actors in the world, I would say. So it's really important that operators inside companies train their staff, executives, government-facing personnel especially, policy researchers, anybody involved in Middle East business, on the social engineering playbook of Iran. And they could do this a number of ways. Verify the identity of unexpected inbound contacts. Use enterprise password managers. Brief executives and board members on geopolitically targeted spear phishing, especially around government contract work. That's really important as well.

And then just two others. Operational technology really needs to be seen as a priority target, because Iran has explicitly targeted industrial control systems and programmable logic controllers across a whole variety of sectors, some of them critical infrastructure, like water and energy. Again, the Bowman Dam intrusion, and some water utility attacks more recently, prompted IRGC sanctions by the US, because they clearly demonstrate capability from Iran and Iranian-linked actors. So organizations with both IT and OT environments really want to maintain strict network segmentation between the two.

And then last, this one kind of wraps everything together, and ties into the first one. Assume that geopolitical escalation is going to affect your threat level. So if you're in a business and a sector of the economy that may not seem tied to Iran or the Middle East directly, but CNN and Fox News and all the global channels are reporting on strikes against Iran, it's safe to assume that Iran is going to try to fire back, and not just literally, but also in cyberspace. We've seen this time and time again, that Iranian cyber activity surges in direct response to geopolitical escalations. Historically, for the last ten years, if not slightly longer, every significant kinetic event in the US-Iran-Israel relationship has been followed by cyber activity from Iran, for sure. So again, that's very important for CISOs and CIOs to know.

One operating assumption about state-linked cyber operations to leave private sector leaders with. What is it?

Cucciniello: If you are in any way affiliated with the United States, and when I say affiliated, I don't just mean the US government, if you're US-based or US-owned, there is a potential for your company and your operations to be attacked. I think that's the most broad, bottom-line takeaway. Now, I'm saying that as an American, but I would also say that for Israelis, for Brits, anyone that's part of that alliance, formal or informal, it's important to know that the cyber threat is real. Iran is not just looking to go tit for tat at the state level or the kinetic level, but also targeting US companies, and US-based and US-owned companies.


This InfoSec Leadership interview was conducted by Shant Ebenezer Jena as a volunteer host for InfoSec Relations. Connect with Armand Cucciniello III on LinkedIn and learn more about Blue Force Communications.