Rethinking Cyber Risk in an Age of Geopolitical Instability

Most organisations are not the target of state cyber operations. They are the medium, the supply-chain casualty, or the spillover, and that reframes how digital risk should be governed.

Samuel Kudláč

On 24 February 2022, as Russia launched its invasion of Ukraine, Viasat suffered a large-scale outage on its satellite network that affected tens of thousands of broadband customers across Europe. The disruption was first publicly reported as a wind power story after over 5,800 German wind turbines lost remote access and monitoring as their satellite link went down.

Shortly after, the Viasat incident was attributed to operation AcidRain, conducted by Sandworm, a cyber unit linked to Russian military intelligence. Despite the wide-ranging impact across Germany, France, Hungary, Greece, Italy, and Poland, none of these countries were the primary target. Instead, AcidRain was designed to disrupt Ukrainian military command and control by sabotaging satellite connectivity. Timed to support the ground invasion, the operation produced a wide commercial spillover across Europe, which was unintended, but likely to be welcomed in Moscow. The wind farm operators were therefore only collateral damage on a satellite network the Kremlin wanted dark.

[Figure: Aimed at Kyiv, landed everywhere. Third-party impact of the Viasat KA-SAT attack, 24 February 2022. A choropleth of Europe shading the third-party impact, darkest for the intended target. Ukraine is the target. Germany (Enercon, 5,800 wind turbines) and France (Nordnet/Orange, about 9,000 subscribers) are confirmed third-party hits. Italy, the attack's entry point, together with Poland, Hungary and Greece sits inside the bigblu/Eutelsat footprint of roughly a third of 40,000 European subscribers. The United Kingdom, the Czech Republic and Morocco also reported disruption.]

The dominant frame for this kind of activity, be it hybrid warfare or cyber war, assumes that nation-state operations are rare, driven by patterns of geopolitical escalation and aimed at a narrow set of high-value targets like governments, militaries and critical national infrastructure. Such targets would include large-scale power plants, transport hubs and hospitals, as opposed to cybercriminal activity, which is much more widespread and much less targeted.

As a result, geopolitical cyber risk gets framed the wrong way. Much of this stems from how cyber was written into national strategies and military doctrines through the so-called “fifth domain” language. Separating cyber from other domains was a deliberate choice to ease procurement and prioritisation, but it hardened into a habit that fundamentally misunderstands and misprices risk for most organisations. On the geopolitical side, the useful question is never “are we at cyber war” but “where do we sit in someone else’s chain.”

States increasingly use cyber operations to complement other domains rather than as a separate, non-kinetic way of projecting power. Strictly speaking, three operational patterns recur. First, cyber can prepare the ground for a future campaign. The China-linked “Typhoon” activity is the clearest example of this, with a series of campaigns targeting the US government, telecommunications, and other critical infrastructure with no apparent intent to act immediately. Notably, a group tracked as Volt Typhoon has spent years building persistent access to American critical national infrastructure in a way explicitly framed by US agencies as preparation for disruption in a future crisis or conflict with China.

Second, cyber can supplement ongoing kinetic operations. Operation Absolute Resolve in January 2026, in which US forces captured Nicolás Maduro, was a rare public display of US cyber capability working alongside conventional force. US Cyber Command and Space Command used operational technology exploits to shut down the power grid in Caracas and interfere with Venezuelan air defences, allowing helicopters and drones to land undetected. Distributed Denial of Service (DDoS) attacks were then used to overwhelm government servers, and signal jamming disrupted digital communications, preventing the Venezuelan administration from coordinating a response in time.

Iranian retaliation following US Operation Midnight Hammer in June 2025, and the follow-on Operation Epic Fury in spring 2026, fits the same mode of operation. After the US airstrikes on Fordow, Natanz and Isfahan, Iran-aligned cyber groups including CyberAv3ngers and Handala ran disruptive campaigns against US water utilities and a range of US and Israeli vendors supplying critical infrastructure organisations worldwide. These campaigns acted as the digital arm of a kinetic retaliation, designed to expand the psychological reach of the Iranian response into Western civilian life. Around the same time, as Israel was conducting airstrikes on Iran, Predatory Sparrow, an Israel-linked group, hit Iranian financial infrastructure including Bank Sepah and Nobitex crypto exchange, destroying around 90 million USD by sending it to vanity burn addresses.

Third, cyber can substitute for kinetic action altogether. The benchmark case is NotPetya. In 2017, Sandworm, the same Russian military intelligence unit behind the Viasat operation, pushed a wiper masquerading as ransomware through compromised Ukrainian tax accounting software. Total losses from this breach exceeded ten billion US dollars. Ukraine bore the brunt of the damage, but major transnational corporations such as Maersk, Merck, Mondelez and TNT Express absorbed hundreds of millions in damages without being the targets in any meaningful sense. NotPetya is now recognised as the most damaging cyber operation on record and is the reason the industry is obsessed with backups, segmentation and supply chain security.

[Figure: The visible fraction. Disclosed corporate losses (direct costs and lost revenue) from the 2017 NotPetya attack, in USD, drawn as circles with area proportional to loss: Beiersdorf $35M, Nuance $98M, Reckitt Benckiser $129M, Mondelez $188M, Maersk about $300M, Saint-Gobain $384M, FedEx/TNT $400M and Merck $870M (claim $1.4bn). A ninth dashed circle, roughly 3.4 times the diameter of Merck's, marks the White House estimate of total damages at over $10bn, most of which was never itemised.]

Therefore, “cyber” as a risk category, framed conventionally, is too narrow to be useful. The real category is digital risk under conditions of geopolitical competition and coercion, and the operating reality for most organisations is that they are not the targets of these state-sponsored campaigns. They are the medium, the supply chain casualty, or the spillover. The German wind farms lost their links because their satellite was useful in somebody else’s war. Spillover from conflict across Asia, the Middle East and Eastern Europe is emerging as the dominant risk pattern for mid-market firms across the United Kingdom, the European Union and the United States, and the question that matters is not whether you are at cyber war, but where you sit relative to wider geopolitical dynamics.

Cyber should not be understood as a separate conflict. Cyber operations are how modern conflict and competition are conducted and the organisations caught up in them are often not the ones being aimed at. Understanding your risk exposure therefore starts with knowing yourself — who you supply, who supplies you, who shares your infrastructure and who operates in your sector. Answers to these questions should shape the risk decisions taken at the board level and the scenarios tested in exercises. The reality is that someone else’s attack chain might run through you, whether you realise it or not, and the only difference is whether you see it before somebody else does.