What everyone misses when it comes to cyber attacks

The conflict in Ukraine has, in many ways, defied expectations, especially for the cyber security community.

The “cyber war” that many expected failed to materialize as these operations failed to levy any strategic impact, and the cyber domain of Russia’s offensive has largely been relegated to the background.

Likewise, while the Ukrainian “IT Army” provided captivating headlines, the international and Ukrainian voluntary hackers that purport to help the national defence ministry to target Russian infrastructure and websites have shown to offer no more than marginal contributions. The conflict has remained predominantly kinetic, and that seems unlikely to change.

However, this outcome raises a simple but important question. Why hasn’t cyber played a greater role in the conflict in Ukraine? The answer could provide insight into future conflicts where there’s a concern about outsized cyber engagement or other forms of hybrid warfare.

The debate on the role of cyber in conflict is not new; but its “Pearl Harbour moment” is yet to occur. Political scientist Thomas Rid says “cyber war” hasn’t happened and isn’t likely, while another scholar in the space, Lorenzo Franchesci-Biccherai, says such a term is “used in the wrong situations” and likely to result in “hyperbole.”

There is little precedent to challenge Rid’s and Franchesci-Biccherai’s views. Only a handful of cyber operations have captured the public’s attention – e.g. Operation Olympic Games directed at Iranian nuclear facilities and Operation Glowing Symphony against terror outfit ISIS – but there is no clear instance of moving the needle as part of a hybrid warfare approach, let alone by themselves.

Frankly, cyber attacks don’t have much impact, as counterintuitive as that may feel, given oft-cited catastrophic-level scenarios such as the potential hacking of nuclear weapons or complete disruption of the financial system. Even if the latter were possible, the fundamental limitation of cyber operations would soon be realized – reversibility.

The major difference between cyber operations and their kinetic alternatives is that when kinetic attacks occur, what goes down is more likely to stay down for longer. To appreciate this point, it helps to look at reversibility – or permanence – of attacks along a spectrum.

At one end is the permanence of nuclear attacks. Physical or kinetic attacks can have varying degrees of permanence. For example, significant damage to buildings from artillery strikes can take years to remedy, particularly if a conflict persists for years and the number of structures to be repaired increases. Even small arms damage may last a while, as evident in the Bosnian cities of Mostar or Sarajevo. The scale of damage itself can impede repair (and reduce reversibility).

Cyber, on the other hand, has proven to be relatively reversible. For example, Colonial Pipeline, the largest US oil pipeline, which was subject to a ransomware attack in May 2021, was down for only five days, compared to several wind farms in Ukraine that experienced physical damage, affected for months so far and maybe longer yet as the conflict continues.

The argument could be made that cyber operations are an economic security threat rather than a military one, resulting in the opportunity for indirect warfare. However, data from the conflict in Ukraine casts doubt on this position.

As a reference point, the CEO of cleantech company IB Centre Inc., Vitaliy Daviy, suggests that the conflict has caused 60% of Ukraine’s industrial enterprises to be shut down or destroyed, with Kosatka Media estimating that 30-40% of renewable energy capacity has been damaged.

Further, PCS, the team I lead at data and analytics firm Verisk, estimates that cyber is likely to account for less than 1% of industry-wide insured losses from the conflict – with the bulk coming from such classes as marine, energy and industrial. Finally, economic losses from physical damage could be as high as $127 billion, according to the Kyiv School of Economics.

The reversibility of cyber attacks needs to become a fundamental consideration in cyber security. That applies whether we are talking about a cyber warfare campaign or an individual and independent attack against a commercial target.

Reliance on deterrence as a strategy is dated. While there is undoubtedly a need for preventive measures in cyber security, reversibility makes clear that investment in recovery is also crucial. Being able to accelerate recovery from a reversible attack contributes to a timely and cost-conscious return to normal. Security is as much post-event as it is pre-event in this context.

It has become clear that the threat posed by cyber operations is different from what was expected before the conflict in Ukraine. Of course, this doesn’t mean that cyber poses no threat or that cyber risks can be downplayed.

The potential for disruption, economic harm and other damage persists and it can evolve, particularly when mixed with other forms of engagement, from kinetic warfare to “information confrontation.”

However, the discussion of how cyber threats evolve must include thoughts on how the risk is limited by reversibility. It’s one of the reasons for the cyber domain’s lack of prominence in the current conflict and it may inform future conflicts, as well.

The views expressed are those of the author and may not necessarily represent the views of others, unless otherwise noted. PCS, a Verisk business, generally provides data and analytics to the global re/insurance and ILS markets. PCS captures reported loss information on certain events, which encompasses, on average, approximately 70% of the market. Any reference to industry-wide is based on this research and the author’s view of trends in the industry, and does not necessarily represent the view(s) of others in the industry.