Cyber Warfare Hasn’t Made Sense in Ukraine – and Likely Won’t Anywhere Else

Editor’s Note: Tom Johansmeyer is working on his Ph.D. in international conflict analysis with the University of Kent, Canterbury, with a focus on the role of cyber insurance in economic security. He’s also head of PCS, a Verisk business, where he leads a team that estimates the insurance industry impact of major natural and man-made events. A long time ago, Tom had the most hardcore job the U.S. Army has to offer: He cut reassignment orders for soldiers leaving South Korea. In the mid-1990s, that was a dicey job to have. Tom ETS’ed in 1999 and will forever in his heart be an E-4 hiding from extra duty.

Activity in the cyber domain has failed to materialize as expected in the conflict in Ukraine. Some say it never really got off the ground, while others claim it was prevented through pre-conflict hardening and or that the cyber domain has in fact been active and effective. Opinions are all over the place, but the reality on the ground suggests that – at a minimum – kinetic operations have been far more impactful than those in the cyber domain.

Frankly, that shouldn’t come as a surprise.

Cyber operations have proved themselves a potentially effective tool in broader strategy – along with information and economic measures – but it has failed to become much more than a small part of the toolkit. Among the many reasons for this is an inherent constraint in the impact of cyber operations: Reversibility. Quite simply, except in certain extreme and potentially exotic cases, the effects of cyber events have failed to stick. Locking up systems doesn’t have the same impact as a missile strike. And over the past nine months, the conflict in Ukraine has demonstrated this. In particular, we’ll take a look at two examples of attacks on critical national infrastructure to show the importance of reversibility and how cyber operations are generally destined to come up short.

U.S. Army soldier proudly wears the United States Cyber Command patch during exercise “Cyber Guard 2015”. The two-week “Cyber Guard 2015” exercise was held at Suffolk, Virginia and was attended by partners from across government, academia, international coalition, and industry. The purpose of the exercise was to perform operational and interagency coordination as well as tactical level operations to protect, prevent, mitigate, and recover from a cyberspace incident during “Cyber Guard 2015”. (Department of Defense Photo by Marvin Lynchard)

You Can’t Go Back, Except When You Can

The effects of kinetic warfare are pretty straightforward. The footage coming out of the conflict in Ukraine is illustrative, and the ongoing quantification by the Kyiv School of Economics is instructive. Estimated economic losses from physical damage have reached $127 billion, and they are still accumulating. Further, the physical damage from kinetic attacks tends to be enduring. It takes time to get access to sites that need to be repaired, and when there is damage on a sufficient scale, sometimes repairs are neglected entirely. The “war ruins” of Mostar and Sarajevo demonstrate this thirty years after the damage was done.

Cyber is a bit different. Of course, left unrepaired, technological infrastructure will not function, and the impact on its user (be it an individual or organization) will be evident. However, cyber operations are generally perceived to be transitory in nature and short-lived. Reversibility has been called out specifically as a characteristic of cyber attacks. That’s not to say cyber attacks are without impact – they can contribute to a broader set of objectives. The impact, though, is likely to be profound within the scope of a broader conflict or campaign.

The argument over the usefulness and impact of cyber as a domain of operations is well-trodden. The academic literature on the subject, including the dialogue between Thomas Rid and John Stone in 2012 and 2013, respectively, has been no match for popular perception. We’d rather reimagine Matthew Broderick’s battles with WOPR back in 1983 than prepare for a day-to-day threat that’s much more mundane. While it’s still possible to conjure some extreme WOPR-esque scenarios, the manifestation of the cyber threat specifically shows the opposite.

And this is where it helps to trade Hollywood for reality. A look at the cyber attack on Colonial Pipeline [LINK] in 2021 compared to the physical attack on Syvash windfarm in the Kherson region in 2022 shows that cyber is likely more manageable than originally believed.

Syvash wind farm, Ukraine. Photo: Emergy Inc.

A Tale of Two Critical National Infrastructure Attacks

The cyber attack Colonial Pipeline in the United States and missile strike on Syvash in Ukraine offer a rare opportunity to examine the differences in reversibility between cyber and kinetic attacks.

For context, ransomware gang Darkside shut down Colonial Pipeline on May 7, 2021, which took five days to bring back up. During that period, fuel shortages led to panic buying up and down the east coast of the United States. The attack offered a frightening peek into both the fragility of critical national infrastructure and the societal implications of losing a single asset. Yet, it was just a peek. It was brief. And the questions that it raises remain hypothetical – such as what if it had lasted longer, could not be recovered by paying a ransom or had involved multiple assets. Close calls make you think for a while, but they’re notoriously easy to forget.

The attack on the Syvash wind farm, by contrast, was reported on March 3, 2022, to have been impacted by a missile strike. The facility was evacuated and shut down before being occupied by the adversary force. There are no reports that it has resumed operations, it has been identified as still damaged as of September 24, 2022. It seems as though the facility is unlikely to become operational anytime soon, particularly given that it is in area currently reported by the Institute for the Study of War as occupied. Even if the site were accessible and open to repairs immediately (which is of course unlikely), it could take months for parts and equipment even to become available, given recent reports from manufacturer Vestas.

Estimated direct economic impacts from the attacks on Colonial Pipeline and the Syvash Windfarm have not been revealed publicly, but it is possible to use insured losses as a proxy. According to internal research by PCS, the group I lead at data/analytics firm Verisk, the insured loss associated with the Colonial Pipeline cyber attack was $10 million. While data is still flowing into the re/insurance industry from Ukraine, the average insured loss from the strikes on four windfarm facilities has reached approximately €200 million ($211 million as of December 9, 2022). The direct comparison alone is stunning, and even if there is a narrower delta in economic impact due to under-penetration of insurance, the scale remains indicative of the impact.

The reason for the difference in economic effect between the two attacks is reversibility. Quite simply, the damage to Colonial Pipeline was more easily reversed. Syvash will take months or even years to become active again, while Colonial Pipeline was down for less than a week. This direct comparison makes clear the claims of analysts and scholars over the past decade. The potency of cyber attacks is constrained by their ability to be reversed.

NORFOLK, Va. Sailors on the watchfloor of the Navy Cyber Defense Operations Command monitor, analyze, detect and defensively respond to unauthorized activity within U.S. Navy information systems and computer networks. U.S. Navy Photo by Mass Communications Specialist 1st Class Corey Lewis

Cyber for the Right Reasons

Activity in the cyber domain during kinetic warfare is not worthless. And it would even be a mistake to relegate it to a rounding error in terms of overall impact. The cyber domain is a worthwhile and inherently useful area of operations. There’s a lot that can get done in cyber that can’t be accomplished easily in the mud. However, expectations have to be realistic, and the role of cyber operations needs to be appropriate to the nature of the domain.

Cyber attacks haven’t played a major role in the conflict in Ukraine for a number of reasons, but the transitory nature of cyber attacks is certainly among them. Because cyber attacks are reversible, particularly compared to the effects of kinetic warfare, the conflict is not the optimal place for their use. That doesn’t mean cyber warfare is unlikely to manifest in the region. If anything, the cyber domain could become more active after a cease-fire or other cessation of hostilities. Without having to compete with bullets and bombs for effect, cyber operations will offer the opportunity to continue the conflict despite its nominal conclusion.

The author is the head of PCS. The views expressed herein are those of the author, based on research conducted by the author, and may not necessarily represent the views of others unless otherwise noted. PCS, a Verisk business, generally provides data and analytics to the global re/insurance and ILS markets. PCS captures reported loss information on certain events, which encompasses, on average, approximately 70% of the market. Any reference to industry-wide is based on this research and the author’s view of trends in the industry and does not necessarily represent the view(s) of others in the industry.