Pulling the Plug: Why Internet Shutdowns Fail as Cyber Defense
The recent U.S.-Iran conflict has proven that cyberspace is not always a supporting domain, but one that could be decisive for victory. Before kinetic strikes commenced, Iranian adversary networks had already been mapped, penetrated, and operationalized. Intelligence derived from compromised mobile networks, traffic cameras, and persistent surveillance informed targeting decisions, culminating in a decapitation strike against Iran’s Supreme Leader. Cyber operations have not merely enabled the battlefield; they have shaped it on a scale that’s nearly unprecedented in prior conflict scenarios.
Iran’s response was swift and familiar. Confronting a digital and kinetic “shock and awe,” Tehran imposed a near-total nationwide blackout within hours, a tactic it has historically used to manage both internal dissent and external pressure. The move raises a critical strategic question: Can severing national connectivity meaningfully defend against cyber operations, or does it represent a costly illusion of control?
The evidence suggests the latter.
At first glance, the rationale for an internet shutdown seems like an intuitive reaction. Cyber operations, particularly those conducted remotely, depend on connectivity. The logic is simple: if one can disrupt that connectivity successfully, one ostensibly disrupts adversary access, command-and-control channels, and data exfiltration pathways. For those victims whose telecommunications infrastructure and real-time surveillance apparatus are deeply penetrated, a blackout could theoretically degrade intelligence flows going back to the attacker and even hinder his targeting cycles. Additionally, going dark offered a counterintelligence benefit to Tehran: obscuring internal conditions from external observation during a moment of acute vulnerability, perhaps one of the main reasons for pulling the plug.
However, while this may have temporarily stalled the attacks, modern cyber operations do not depend on live, external access to be successful or achieve objectives. Contemporary state-driven cyber operations are rarely opportunistic. They are persistent, pre-positioned, and deeply embedded. Access to critical systems is often established well before conflict begins and is achieved via a variety of channels including supply chain compromises, credential theft, or long-term infiltration of networks. Once a foothold has been established, such access does not require continuous reliance on public internet connectivity. Operators can move laterally within networks, execute payloads, and exploit internal communications channels even in degraded or isolated environments.
The Iranian conflict underscores this reality. Cyber-enabled intelligence gathering that took place against compromised mobile networks and surveillance systems was instrumental in identifying “patterns of life” and determining the timing of high-value targeting. Moreover, cyber operations reportedly disrupted communications near the target site, preventing defensive coordination at a critical moment. Notably, these capabilities were most effective before kinetic operations began. As reported in one prominent think tank’s assessment of cyber attacks during periods of kinetic conflict, such intelligence feeds degrade once active conflict disrupts established patterns and forces targets into more hardened positions. In other words, the decisive cyber effects in Iran had already been achieved prior to the blackout and underpinned the first part of U.S.-Israel joint strikes. Making things more difficult, connectivity itself is increasingly difficult to suppress. Satellite internet, alternative transmission methods, and decentralized communication tools continue to hinder a government’s ability to fully control information flows.
If cyber operations are increasingly precise, internet shutdowns are not. They are indiscriminate measures that impose systemic costs across society. Iran’s blackout disrupted economic activity, communications, and access to essential services for millions of citizens. Globally, this pattern is well documented. In 2024, governments imposed more than 300 internet shutdowns across 54 countries, primarily in response to protests, elections, or conflict. Unsurprisingly, the consequences are significant, as shutdowns invariably impact the delivery of healthcare services, financial systems, and emergency services, something that the World Economic Forum characterized as a “blunt instrument” that inflicts widespread civilian harm while providing limited security benefit. It’s not hard to understand how this could invariably affect the military, as modern command-and-control systems rely upon digital infrastructure that, if degraded, could impair operational effectiveness.
The fact that governments see this as a viable course of action may reflect their misconception that reducing connectivity reduces their vulnerabilities. While connectivity facilitates cyber-enabled attacks, it also aids defensive capabilities via real-time monitoring, threat intelligence sharing, incident response coordination, and system recovery. Reducing connectivity may cut down the number of attack vectors, but it also cuts off access to the broader cybersecurity ecosystem. What’s more, shutdowns are rarely comprehensive as there are always work-arounds, a “black market” to provide illegal connectivity, and satellite links that can bypass restrictions, and may not be monitored.
At best, shutdowns tend to have limited success, thwarting lower-skilled threat actors and slowing the spread of information during the early phase of a crisis. Sophisticated adversaries adapt quickly, leveraging pre-existing access or alternative communication pathways. In high-end conflict, where cyber operations are integrated with intelligence and kinetic effects, such measures offer diminishing returns.
The most notable aspect of Internet shutdowns is that they are rarely driven by cybersecurity considerations alone but serve as a way to exert political control. States such as Russia have restricted access to major platforms and tested sovereign internet capabilities during periods of unrest. Other countries like Myanmar and Pakistan have employed similar tactics to manage domestic instability. In these situations, shutdowns function less as defensive measures against external threats and more as tools to control internal narratives and limit dissent.
As a sustainable cyber defense strategy, Internet shutdowns are ineffective – and costly. In 2025, the total economic cost of shutdowns reached USD 19.7 billion. They are reactive, indiscriminate, and poorly suited to countering sophisticated, persistent adversaries. While they may offer limited short-term disruption, they impose substantial economic, societal, and operational costs. Cyber defense success needs resilience, not disconnection. Zero-trust architectures, network segmentation, continuous monitoring, and rapid response capabilities provide a more effective framework for managing risk in a contested environment.
Looking ahead, the feasibility of large-scale shutdowns will continue to decline. Emerging technologies (e.g., low-earth orbit satellite networks, decentralized communication platforms, and resilient infrastructure) will obstruct any state’s ability to fully control connectivity. At the same time, cyber operations are becoming more deeply integrated with kinetic warfare, intelligence collection, and influence campaigns. Countries such as Iran may continue to employ digital blackouts, but the strategic value of this approach is diminishing. In an era of persistent cyber conflict, the network is no longer simply a vulnerability to be mitigated; it is the terrain on which modern warfare is fought.