The prevailing wisdom before the Russia-Ukraine war was that Russia held a trump card that could end the hostilities without firing a shot–cyber power. After all, Russia had long exhibited tantalizing glimpses of its cyber capabilities. Resigned western officials anticipated a swift Ukrainian capitulation following the disruption of its critical infrastructure and command and control structure. Nevertheless, Russian cyber operations turned out to be more of a fizzle than a bang. A ragtag group of Ukrainian cyber specialists kept critical systems online or rapidly shifted to new systems, as happened in the case of the Viasat cyberattack. There is little evidence to suggest that Russian cyber capabilities altered realities on the ground, reinforcing a common refrain from scholars who have long questioned the ability of cyber weapons to shape the balance of power between states. This episode should once and for all mark the end of alarmist proclamations of cyberwar.
However, at the risk of resuscitating a notion best left forgotten, we acknowledge that the consequences of cyber operations are not easily measured. We should not be gauging the effects of a cyber onslaught by weighing rubble, counting bodies, or tallying degraded hardware. Indeed, by these metrics, cyberattacks have underwhelmed. However, their insidious societal effects remain unaccounted for: their ability to instill fear, undermine trust in government, chip away at societal cohesion, and reshape policy preferences. We argue that these hidden, and at times unintended, consequences could facilitate political crises and re-frame cyber power as a strategic asset.
From Revolutionary to Insidious
In what can only be described as a fit of enthusiasm, early commentators argued that the cyber era would re-align the world order. Two decades later, such hyperbolic statements remain unsubstantiated, with little to no evidence supporting these revolutionary claims. In their place, scholars such as Jacquelyn Schneider and Lennart Maschmeyer assert that cyber operations function less as tools of coercion and more as instruments of subversion.
Advocates of the subversive cyberspace paradigm assert that the most potent digital effects are not derived by disrupting critical infrastructure but through the erosion of public trust. As Maschmeyer notes in a recent article, aggressors achieve their aims by exploiting pillars of structural power that would otherwise provide adversaries an advantage in the conventional space. Schneider provides an apt analogy for this process by comparing cyberattacks to a termite infestation. While individual operations may be strategically inconsequential, the cumulative effect of myriad cyberattacks eats away at the societal foundations at the heart of a democratic state.
That cyberattacks can undermine the structural edifices of a state is a bold claim; seeing as we scorned the tendency to engage in excessive speculation surrounding cyber threats, we are obliged to offer the following evidence.
Quantifying the Societal Impact of Cyberattacks
The immediate operational objectives of cyberattacks tend to focus on manipulating data, degrading networks, or stealing funds. However, cyberattacks often have a more insidious effect: they undermine citizens’ trust. Trust is a fundamental prerequisite of modern digital societies. Citizens trust in the integrity of digital encryption to know that their data is secure. They trust in the complex algorithms underlying financial and healthcare services. And they trust that the news they receive from digital news platforms is an accurate picture of reality. All of these trust vectors are threatened by cyber conflict. Malicious behavior in cyberspace erodes public confidence by amplifying pre-existing fears about the robustness of the underlying technology. If cyberspace is perceived as vulnerable and digital data is easily manipulated, people will naturally re-evaluate their confidence in the government and national institutions.
To empirically test how trust is undermined, we took advantage of a ransomware incident involving Russian hackers against a hospital in Dusseldorf. The incident was quickly resolved, and the hospital resumed its regular services after a few days. Yet in the following weeks, we surveyed seven hundred local residents who were exposed to the attack. We observed a sharp and enduring reduction in the public's trust in the government and security agencies. As many as 83 percent of respondents reported some level of reduced trust, with 32 percent indicating a near total loss of confidence–a fact that should strike fear into the hearts of elected officials. While the authorities were preoccupied with the potential physical consequences of the incident, the public suffered observable spikes in dread and anger and exhibited significantly reduced belief in the nation's security. These are the hidden effects of cyber power.
Underlying this effect are the strong psychological reactions that shape public opinion in the wake of cybersecurity incidents. Among the exposed residents, we measured extreme emotional volatility. The most common reaction was dread–an expectation of impending cyber catastrophe that the hapless authorities (in the eyes of our respondents) were incapable of preventing. Heightened dread suppressed confidence in the government's ability to provide security. Another subset of participants experienced anger, which caused them to rally around the government in the face of a common enemy. In other words, people's political reactions are highly dependent on their emotional state, with greater anger encouraging support for the government, while dread suppresses support. This dynamic between anger and dread adds important nuance to the subversive effects of cyber threats.
Cyberattacks spawn a sense of helplessness about the government's ability to mitigate the adverse effects of malicious behavior in cyberspace. Yet our data offers a tentative solution. We find that intense emotional reactions to cyber threats revert to baseline once respondents learn more about the incident. Presumably, having acquired more details about the facts of the attack, people come to understand that cyberattacks are limited in scope and do not pose as cataclysmic a threat as they expected. The future is no longer so bleak, and trust in government is restored.
This process offers an opportunity for political leaders to provide a salve for the subversive effects of cyber operations. Once an attack takes place, leaders should increase the flow of information, since a greater understanding of the attack’s limited scope soothes the dread-inducing sensation that otherwise occurs. Officials may not like this option since uncertainty is rife in cyber investigations, and "naming and shaming" has political consequences. Nevertheless, as transparency can blunt the pernicious effects of cyber incidents on public trust, this is a price worth paying.
The full research article is available here.
Miguel Alberto Gomez is a Senior Researcher at the Center for Security Studies (CSS) at ETH Zurich.
Ryan Shandler is a Postdoctoral Fellow at the Blavatnik School of Government and Nuffield College at the University of Oxford.