Society relies upon the internet, a globally interconnected collection of networked information systems. These systems are imperfectly designed and implemented with critical flaws and vulnerabilities. Criminal hackers attack these shortcomings for financial gains, but there are also compelling reasons for states and state-sponsored groups to act in and through cyberspace. While state-sponsored cyberattacks can be both permissible and effective, they commonly have unintended effects: cyber collateral damage. 

Most offensive cyber operations are conducted below the threshold of force recognized in international law and do not qualify for a military response. This means that they can be used both for clandestine sabotage, for intelligence gathering, and to implant vulnerabilities in preparation for larger-scale attacks in the future. These activities have caused considerable harm beyond their intended targets. Such collateral effects have been seen in some of the most infamous and costly cyberattacks, such as the 2010 Stuxnet attack, the 2017 NotPetya attack, and the 2022 attack on ViaSat as part of the invasion of Ukraine.

An under-investigated metric when analyzing the impact of cyber op-erations is their economic cost, both in terms of production and (es-pecially) in their collateral cost to society. The economic cost is also subject to considerable externalization in the planning of cyber operations. This thesis thus investigates the balance between the op-erational effects of cyber operations and their collateral costs; the cost/benefit dilemma of offensive cyber operations. It does so by con-sidering the potential benefit of high-impact cyberattacks, e.g. supply chain vulnerability implantation against hardened targets, and by us-ing econometric methods to calculate the cost of collateral damage engendered when cyberspace is used as a domain of warfare. In doing so, it provides the first quantitative comparison of military utility to civilian harm in a cyber context. Although cyberattacks have long been considered a central component in asymmetric warfare, the the-sis presents a bottom-up analysis which shows that the economic damage caused by cyberattacks in the Russo-Ukrainian conflict 2014-2021 is an insignificant part of the Ukrainian GDP.

Finally, the thesis argues that the full cost of attacks should be meas-ured and included in models for collateral damage estimation. Such estimates should be included into national cyber doctrines to mini-mize unintended effects and ensure efficient and appropriate use of cyber capabilities.

Society relies upon the internet, a globally interconnected collection of networked information systems. These systems often contain critical vulnerabilities, giving states and state-sponsored groups compelling reasons to act in and through cyberspace. While state-sponsored cyberattacks can be both permissible and effective, they commonly have unintended effects: cyber collateral damage.  This thesis investigates the balance between the operational effects of cyber operations and their collateral costs; the cost/benefit dilemma of offensive cyber operations. It does so by considering the potential benefit of high-impact cyberattacks, e.g. supply chain vulnerability implantation, and by using econometric methods to calculate the cost of collateral damage engendered when cyberspace is used as a domain of warfare. The thesis further presents a bottom-up analysis which shows that the economic damage caused by cyberattacks in the Russo-Ukrainian conflict 2014-2021 to be an insignificant part of the Ukrainian GDP. Finally, the thesis argues that the full cost of attacks should be measured and included in models for collateral damage estimation. Such estimates should be included into national cyber doctrines to minimize unintended effects and ensure efficient and appropriate use of cyber capabilities.