Editor’s Note: Tom Johansmeyer is working on his Ph.D. in international conflict analysis with the University of Kent, Canterbury, with a focus on the role of cyber insurance in economic security. He’s also head of PCS, a Verisk business, where he leads a team that estimates the insurance industry impact of major natural and man-made events. A long time ago, Tom had the most hardcore job the U.S. Army has to offer: He cut reassignment orders for soldiers leaving South Korea. In the mid-1990s, that was a dicey job to have. Tom ETS’ed in 1999 and will forever in his heart be an E-4 hiding from extra duty.

Activity in the cyber domain has failed to materialize as expected in the conflict in Ukraine. Some say it never really got off the ground, while others claim it was prevented through pre-conflict hardening and or that the cyber domain has in fact been active and effective. Opinions are all over the place, but the reality on the ground suggests that – at a minimum – kinetic operations have been far more impactful than those in the cyber domain. 

Frankly, that shouldn’t come as a surprise. 

Cyber operations have proved themselves a potentially effective tool in broader strategy – along with information and economic measures – but it has failed to become much more than a small part of the toolkit. Among the many reasons for this is an inherent constraint in the impact of cyber operations: Reversibility. Quite simply, except in certain extreme and potentially exotic cases, the effects of cyber events have failed to stick. Locking up systems doesn’t have the same impact as a missile strike. And over the past nine months, the conflict in Ukraine has demonstrated this. In particular, we’ll take a look at two examples of attacks on critical national infrastructure to show the importance of reversibility and how cyber operations are generally destined to come up short. 

 

U.S. Army soldier proudly wears the United States Cyber Command patch during exercise “Cyber Guard 2015”. The two-week “Cyber Guard 2015” exercise was held at Suffolk, Virginia and was attended by partners from across government, academia, international coalition, and industry. The purpose of the exercise was to perform operational and interagency coordination as well as tactical level operations to protect, prevent, mitigate, and recover from a cyberspace incident during “Cyber Guard 2015”. (Department of Defense Photo by Marvin Lynchard)

 

You Can’t Go Back, Except When You Can

The effects of kinetic warfare are pretty straightforward. The footage coming out of the conflict in Ukraine is illustrative, and the ongoing quantification by the Kyiv School of Economics is instructive. Estimated economic losses from physical damage have reached $127 billion, and they are still accumulating. Further, the physical damage from kinetic attacks tends to be enduring. It takes time to get access to sites that need to be repaired, and when there is damage on a sufficient scale, sometimes repairs are neglected entirely. The “war ruins” of Mostar and Sarajevo demonstrate this thirty years after the damage was done.