Editor’s Note: Tom Johansmeyer is working on his Ph.D. in international conflict analysis with the University of Kent, Canterbury, with a focus on the role of cyber insurance in economic security. He’s also head of PCS, a Verisk business, where he leads a team that estimates the insurance industry impact of major natural and man-made events. A long time ago, Tom had the most hardcore job the U.S. Army has to offer: He cut reassignment orders for soldiers leaving South Korea. In the mid-1990s, that was a dicey job to have. Tom ETS’ed in 1999 and will forever in his heart be an E-4 hiding from extra duty.

Activity in the cyber domain has failed to materialize as expected in the conflict in Ukraine. Some say it never really got off the ground, while others claim it was prevented through pre-conflict hardening and or that the cyber domain has in fact been active and effective. Opinions are all over the place, but the reality on the ground suggests that – at a minimum – kinetic operations have been far more impactful than those in the cyber domain. 

Frankly, that shouldn’t come as a surprise. 

Cyber operations have proved themselves a potentially effective tool in broader strategy – along with information and economic measures – but it has failed to become much more than a small part of the toolkit. Among the many reasons for this is an inherent constraint in the impact of cyber operations: Reversibility. Quite simply, except in certain extreme and potentially exotic cases, the effects of cyber events have failed to stick. Locking up systems doesn’t have the same impact as a missile strike. And over the past nine months, the conflict in Ukraine has demonstrated this. In particular, we’ll take a look at two examples of attacks on critical national infrastructure to show the importance of reversibility and how cyber operations are generally destined to come up short.