Rising cyberattacks in West highlight vulnerabilities

By: AFP      Published: 02:18 PM, 25 May, 2021

A series of high-profile cyberattacks on targets in the West have highlighted the vulnerability of companies and institutions, making the issue a higher public priority but with no easy solution.

The latest incident to underline the capacity of cybercriminals to disrupt daily life came in early May when Colonial Pipeline, a US-based operator of a key fuel pipeline, became a victim of ransomware.

The attack saw its computer systems encrypted, putting its operations offline and causing fuel shortages for American drivers.

At the end of 2020, US authorities also revealed that hackers had compromised SolarWinds software which was run by large parts of the US government and companies around the country. Russia was blamed.

Other attacks include the hacking of the Democratic Party ahead of the 2016 US election as well as the major global malware outbreaks called WannaCry and NotPetya which paralysed computers all over the world in 2017.

Beyond the major incidents that make the news, cybersecurity firms and experts have been warning for years about the rising tide of online attacks -- some state-orchestrated, some criminally motivated.

"It is hard to imagine that we haven't had enough significant cyber incidents for everyone to realise how important it is," said Suzanne Spaulding of the Center for Strategic and International Studies, a Washington-based think-tank.

Despite all of them, the issue "has not been given sufficient priority," she said.

- Complacency -

The best defences against cybercrime by individuals and small companies are simple and almost free: deleting suspect emails, updating software regularly, changing passwords, and keeping saved back-ups.

Larger organisations can afford specialised IT security teams, and the best-equipped employ outside monitoring services to watch their networks round-the-clock for the intrusions that foretell a major attack.

But many organisations are complacent, said Spaulding.

"There are two kinds of companies in the world, those who have been hacked and those who haven't detected it yet," she told AFP.

Another problem is that many countries are not producing enough trained IT technicians, which drives up wages for the most sought-after skills, putting them beyond the reach of many organisations, particularly in the public sector.

Adam Meyers from cybersecurity firm CrowdStrike says the key to safety is often simply being better protected than the weakest targets.

"There's an old adage that you don't have to run faster than the bear to get away. You have to run faster than the person next to you," he said.

- State capabilities -

One area that has been prioritised by Western governments is building up their own cyber-military powers, which enable states to investigate and deflect attacks, as well as carry out their own spying and operations.

"For the last decade, it's been in the toolbox of armies and intelligence services as part of a conflict that is not necessarily open, but is latent," said Julien Nocetti, a researcher at the Geode institute at Paris 8 university.

The National Cyber Power Index by the Belfer Centre at Harvard University puts the United States at the top of 30 countries ranked on their ambitions and cyber-capabilities, with China second, and Britain third.

The reach and power of the US National Security Agency was laid bare in 2013 following leaks by fugitive contractor Edward Snowden.

"Europe and the United States are sometimes shown as being the victims and the nice guys in this domain ... but that's not how it is. There's a general blindness about our own operations," said Nocetti.

And the rules of engagement are still being defined, with a multilateral attempt to create some sort of framework for states failing to make progress.

Some experts worry that one day a state-backed cyberattack will trigger a spiral of reprisals and counter-reprisals that could trigger real-life hostilities.

Countries may have built up enough digital weapons to serve as a deterrent.

"One of the reasons why Russia, the US and China don't turn each other's lights off is because they are afraid of what the reaction would be," said Adam Segal, director of the Digital and Cyberspace Policy program at the Council on Foreign Relations, a US think-tank.

US Cyber Command

If the Pentagon's Cyber Command launches an online attack and nobody knows about it, does it deter anyone?

Many Americans are asking what the country's army of cyber warriors is doing after repeated attacks on US computer systems by Chinese, Russian and other hackers.

The answer may have been in the 780th Military Intelligence Brigade's subtle retweet on May 14 of a security firm's scoop that ransomware extortionist Darkside had been digitally shut down.

No one knows who took control of Darkside's servers, a week after the shady Russia-based hackers forced the closure of a major US oil pipeline, causing gasoline shortages across the Eastern US.

But suspicions are that the 10-year-old CyberCom may have stepped in, to punish Darkside and to signal the small army of ransomware providers operating out of Eastern Europe that they too are vulnerable.

Even as it remains quiet, CyberCom's role is hotly debated: is it to undertake strategic attacks during war, or to constantly joust online with adversaries' military and intelligence hackers, or to go after non-military hackers like Darkside, normally the purview of law enforcement?

- Malware strike on Iran -

The first sign that the US Defense Department was playing offense in the online world came in 2010, when it became known that Stuxnet, a destructive computer worm created by the US and Israel, had infected and damaged Iran's nuclear enrichment facilities.

Cyberwarfare then was seen as a way of attacking or deterring enemies by wrecking their infrastructure with devastating malware strikes.

Since then, however, the US government and private business have been hit time and time again: by Chinese hackers stealing government databases and corporate secrets, by Russia hacking US elections, by North Koreans stealing bitcoins, and by ransomware operators extorting hundreds of millions of dollars from companies, hospitals, and local authorities.

But without any news about their exploits, it didn't seem like the Pentagon was either punishing or deterring attackers.

They are, General Paul Nakasone, CyberCom commander, told a recent Congressional hearing.

"When we see elements that are operating out of the US, we try to impose the largest cost possible," he said.

"Imposing costs" meant exposing the hackers, or counterattacking, he said.

But he refused to give any examples of their work.

- 'Persistent engagement' -

Jon Lindsay, a University of Toronto assistant professor who researches online military conflict, said the cyberwar strategy had shifted since Stuxnet.

At that time, "cyber was looked at as a digital weapon of mass destruction," something that could punish, or threaten to punish adversaries to deter their attacks.

"It was a very high level, presidentially controlled, covert action," to be used strategically and sparingly, Lindsay said.

Since then, it has become something else: an ongoing low-level fight that doesn't require top-level approval, called "persistent engagement," that does not focus on deterrence.

"It's very, very difficult, if not impossible, to deter adversarial activities in cyberspace. So what CyberCom needs to be able to do is be constantly engaged, constantly operating forward in the adversaries' networks," said Lindsay.

- Intelligence contest -

That makes CyberCom more like ongoing intelligence operations, collecting information, blocking adversaries, and slightly escalating when the other side is seen to have gone too far.

Revealing what the Pentagon does could have deterrence value, according to Elizabeth Bodine-Baron, a senior information scientist at RAND Corp.

Some people, she said, believe that "if we never give concrete examples of, we went in, we did that, then no one's ever going to believe us."

There is also the challenge of definitively attributing the source of an attack, especially when a state actor is suspected of being behind it.

But, she added, if there is certainty about an attacker's identity, going public with attribution "could potentially reveal something about our own capabilities."

In addition, boasting about CyberCom's exploits risks escalation -- forcing adversaries to retaliate to satisfy their own public.

"So I think you see people kind of erring on the side of caution," not announcing what they do, said Bodine-Baron.

Lindsay said the US and its main adversaries now treat cyber conflict as a way of avoiding escalation.

"There's something about cyber that makes people unwilling to escalate," he told AFP.

"What we're looking at is not military warfare, it's an intelligence contest."

"Intelligence contests go on in peacetime. They shape the possibilities for war, but they try to make war less likely," he said.

"Actually, there is no good example of cyber escalating something to a kinetic conflict," he said.