Cyber weapons are easy to reload, right? There’s seemingly no shortage of ammunition, since they are fed with bits and bytes. If this is true, then cyber weapons stand in stark contrast to the kinetic alternative, with ammunition shortages on the horizon as the conflict in Ukraine depletes stores and strains supply chains. Taking the view that cyber ammunition is effectively infinite can make warfare in that domain look like an attractive – and potentially more menacing – alternative to its more conventional kinetic cousin.
Alas, none of it is true.
Cyber weapons do not inherently offer immediate access to infinite ammunition, despite how easy that may be to believe. In fact, the cost to develop and deploy cyber weapons can be quite high, limiting their usefulness. As a result, cyber weaponry may be suited to niche cases where offensive actions in the cyber domain are supplemental to kinetic engagement – “cyber fires” as opposed to standalone application.
A Fundamental Misperception
Cyber warfare is often characterized as a cheap alternative to kinetic warfare. In 2018, the American Consumer Institute explained that a single cruise missile costs $830,000, not including launch equipment and crew, while a cyber weapon “can be structured to leave no fingerprints” and “often be cloned at low cost.” In 2020, cyber warfare was forecast to “explode” because it is “cheap, easy and effective.” Two years later, an article on cyber security encouraged readers to “[i]magine switching on the news in the morning to hear reports of a massive coordinated cyber attack against your country.” Right or wrong, such views seep into mainstream culture and affect day-to-day security strategy and execution.
In cyber security circles, though, the perception of cyber as a low-cost threat has begun to change. Those “in the know” point to the high cost of zero-day vulnerabilities, the nature of the talent required to turn those vulnerabilities into usable cyber weapons, and the operational risk associated with developing and using cyber weapons – particularly that a patched vulnerability can render the time, effort, and cost of weapon development worthless in the blink of an eye. The supply chain for cyber weapons can be long, complicated, and pricey, not unlike other forms of weaponry and ammunition, as discussed above. Such vulnerabilities can be difficult to find – akin to mining raw materials – and the process of turning them into finished goods is inherently uncertain.
Cyber Weapons Aren’t Free
It can be difficult to ascertain the cost of zero-day vulnerabilities, given the opacity of the marketplace and the fact that it operates in the digital shadows. In her book, This Is How They Tell Me the World Ends: The Cyberweapons Arms Race, author Nicole Perlroth puts the price for an iPhone zero day at $3 million. Zero-day vulnerability acquisition platform Zerodium publicizes a price of up to $2.5 million for Android, $2 million for iPhone, and $1 million for Windows desktop and server vulnerabilities. Potential bad actors may pay more – much more – as indicated by reports of an iPhone zero-day vulnerability potentially reaching €8.4 million. And that’s just for the raw material. Talent then needs to develop tools to exploit these vulnerabilities, which translates to further expense.
As with raw materials, it’s difficult to estimate the cost of labor in an opaque market. Discussions with cyber security sources suggest that a ratio of 1:1 for talent to raw material cost is not an unreasonable starting point, and that the ratio could be even higher. If the range is 1:1 to 3:1, then the labor cost could no mistake, $36 million is a considerable price to pay. Ransomware gang Conti, at its height, pulled in revenues of $180 million, and it had plenty of other overhead to cover. For a state actor, though, that cost could be manageable – but of questionable value. Again, as Smeets observes, the useful life of cyber weapons is short. Further, the damage from cyber weapons tends to be fairly reversible, which means the impact is limited.
The cost to develop cyber weaponry may be high for ransomware gangs, but for sophisticated state actors, the expense does not make such tools unattainable. The problems are impact and scalability. The short life of such tools is exacerbated by deployment risk. Once used, a signal has been sent to the affected targets (and their peers) about the need to patch and potentially about the nature of the vulnerability. Further, the long development cycle could mean that a cyber weapon is rendered ineffective before it’s even built, if the relevant vulnerabilities are identified early on. A cyber strategy can also be difficult to scale. While the largest and most sophisticated state actors (such as the United States) may be able to source raw material, develop tools, and test and deploy them on an ongoing basis, questionable vulnerability supply chains, talent shortages, and other operational barriers could force many states to keep cyber as a niche portion of an overall security strategy.
A Realistic Assessment of Cyber Threats
Cyber threats are real, significant, and of strategic importance. Yet, they remain profoundly misunderstood. Cyber attacks are not free, and the tools of cyber war are not easy to manufacture. As a result, cyber warfare is relatively inflexible and constrained by cost, material sourcing, and other forms of complexity. It just doesn’t deliver the bang for the buck afforded by the tools of kinetic warfare. As part of an integrated capability – like artillery and air power – cyber can be effective, and security strategy should take this into account. Defenses should contemplate “cyber fires” and other forms of integration, rather than the notion of an online-only barrage intended to fully supplant traditional means of war.
Tom Johansmeyer is a POLIR Ph.D. candidate at the University of Kent, Canterbury. Based in Bermuda, he’s a reinsurance industry professional by day who has researched the role of insurance in economic security. He’s a former soldier, having proudly pushed paper for the U.S. Army in the late 1990s.