World News AboutContactNewsletter
Times of Pol
Independent · International · Unflinching
Conflict

The Invisible War: How Cyber Operations Became State Policy

From power grids to elections, digital intrusions are now a routine instrument of statecraft. What that means for the rules of conflict.

A data centre corridor with a world map display

Much of modern conflict now unfolds where no one can see it.

The most consequential conflicts of our time are increasingly fought in a domain that almost no one can see. There are no front lines, no columns of troops, no explosions to be filmed and broadcast. Instead there is code — quietly probing networks, mapping vulnerabilities, and occasionally striking with effects that ripple out into the physical world. Cyber operations have moved from the fringes of statecraft to its centre, becoming a routine instrument of national policy. The result is a form of conflict that is constant, deniable and largely invisible to the publics who are, ultimately, its targets.

What makes this shift so significant is not the novelty of the technology but the normalisation of its use. A decade ago, a major cyber operation against another state's infrastructure was a rare and alarming event. Today it is a background condition of international life. States maintain standing capabilities to penetrate rivals' systems, and they use them continuously — for espionage, for sabotage, for coercion and for the pre-positioning of access that could be exploited in a future crisis. The invisible war is not coming. It is already here, and it never stops.

Why states embraced the tool

The appeal of cyber operations to a state is easy to understand. They are relatively cheap, they can be highly effective, and above all they are deniable. A missile strike announces its author; a cyber intrusion can be disguised, routed through third parties, and plausibly denied even when everyone suspects who is responsible. This deniability lowers the political cost of acting, which in turn lowers the threshold for action. A state that would never risk an overt attack may feel free to conduct a covert one, calculating that it can inflict damage without triggering the response that an open assault would provoke.

Cyber operations also occupy a convenient grey zone below the threshold of war. They allow a state to apply pressure, gather intelligence, or degrade a rival's capabilities without crossing the line that would justify a military response. This makes them ideal instruments for the kind of persistent, low-level competition that characterises the current era — a way to compete continuously without tipping into open conflict. But the same feature that makes them attractive also makes them destabilising, because it blurs the very distinction between war and peace on which international order depends.

Deniability lowers the cost of acting, and lower costs mean more action. The invisible war is fought precisely because no one has to admit to fighting it.

The blurring of civilian and military

One of the most troubling features of cyber conflict is how thoroughly it erases the line between military and civilian targets. The networks that run a country's power grid, its financial system, its hospitals and its communications are the same networks that a hostile state might seek to penetrate. An operation aimed at strategic advantage can, deliberately or accidentally, disable the systems on which ordinary life depends. The battlefield is not a distant frontier; it runs through the infrastructure of everyday existence.

This blurring has profound implications. In conventional conflict, elaborate rules exist to protect civilians and civilian infrastructure. In the cyber domain, those rules are contested, poorly defined and inconsistently observed. Is an attack on a power grid an act of war? What about the theft of citizens' data, or the manipulation of information to influence an election? The absence of clear, agreed answers means that states probe the boundaries constantly, and each probe that goes unpunished pushes the boundary a little further.

Advertisement

The problem of attribution

At the core of cyber conflict lies a stubborn problem: it is genuinely hard to know, with certainty and speed, who is responsible for an attack. Sophisticated operators disguise their tracks, mimic others, and route their activities through compromised systems in third countries. Attribution is possible, but it is slow, technical and often uncertain — and by the time it is achieved, the moment for a proportionate response may have passed.

This ambiguity is corrosive. Deterrence depends on the credible threat of retaliation, but it is difficult to deter an adversary you cannot confidently identify. Uncertainty about who did what also raises the risk of miscalculation: a state might retaliate against the wrong party, or fail to respond to a genuine threat, or misread a criminal act as a state-sponsored one. In a domain where the fog of war is thicker than anywhere else, the potential for dangerous errors is correspondingly high.

Toward rules of the road

There have been repeated efforts to establish norms for behaviour in cyberspace — agreements on what should be off-limits, such as attacks on critical civilian infrastructure during peacetime. Progress has been slow and fragile. States that benefit from the current ambiguity have little incentive to constrain themselves, and the deniability that makes cyber operations attractive also makes agreements hard to verify and enforce. A norm that cannot be monitored is easily violated.

Yet the effort matters, because the alternative is a domain governed by no rules at all — a permanent, escalating contest with no agreed limits and no shared understanding of what might trigger a wider conflict. Even modest norms, imperfectly observed, can reduce the risk of catastrophic miscalculation. Building them requires the kind of patient, technical diplomacy that is in short supply, but the stakes are high enough to justify the effort. The most dangerous outcome would be to allow the invisible war to expand unchecked simply because it is invisible.

Living with the invisible war

For the foreseeable future, cyber conflict will remain a permanent feature of international life. States will continue to build capabilities, probe rivals, and use the digital domain to compete below the threshold of open war. The task is not to eliminate this competition — that is unrealistic — but to manage it, to reduce its most dangerous forms, and to build resilience against its effects.

The goal is not to end the invisible war, which is impossible, but to keep it from becoming a visible one.

Resilience is, in the end, the most reliable defence. A society whose critical systems are hardened, whose institutions can withstand disruption, and whose citizens are aware of the manipulation they may face is far harder to coerce through cyber means. The invisible war rewards the vulnerable and punishes the unprepared. Understanding that it is being fought — quietly, constantly, and largely out of sight — is the first step toward not losing it.

Advertisement

Follow the stories that shape the world

Times of Pol brings you independent reporting and clear-eyed analysis of international affairs — free to read, no paywall.