Debunking NotPetya’s cyber catastrophe myth
In 2017, a cyber team from Russia’s military intelligence service (GRU), ‘Sandworm’, launched a cyberattack targeting the Ukrainian business software company MeDoc. The attack, ‘NotPetya’, was designed as a wiper to destroy data in an adversary’s commercial environment. However, the malware ended up infecting thousands of computers not only in Ukraine, but also in France, Germany, Italy, Poland, Russia, the United Kingdom, the United States, and Australia.
NotPetya is often called the most expensive cyber catastrophe in history, having caused as much as $10 billion in economic losses at the time ($11.9 billion in 2024 at an annual inflation rate of 3%). That may seem monumental—-and by cyberattack standards it is—-but as catastrophes go, that’s a pretty small price tag.
Cyber (and other) catastrophes
The economic effect of Hurricane Ian in Florida in 2002 was nearly ten times the reported size of NotPetya. Hurricane Katrina in Louisiana in 2005 was roughly twice that of Hurricane Ian, according to the International Disaster Database EM-DAT. Smaller natural disasters, such as Hurricanes Sandy and Ida, cost more than $60 billion and $70 billion, respectively (not adjusted for inflation). These are much larger than “the most destructive and costly cyberattack in history”, as the Trump administration described it.
Even if NotPetya was the biggest and baddest cyber catastrophe, it was neither all that big nor all that bad with regard to other causes of catastrophic economic loss.
With the effects of NotPetya contextualised with regard to impact, we can now compare it to other cyber ‘catastrophe’ events. Contrary to some thinking, there have been many. I have found twenty-one since 1998, not to mention a few from the earliest days of the internet (like the Morris Worm).
NotPetya wasn’t the largest cyber catastrophe—-MyDoom was. MyDoom was a computer virus that led to $38 billion in economic losses when it hit in 2004. This adjusts up to $66.6 billion in 2024.
The second largest cyber catastrophe by estimated economic loss was SoBig. It was right behind MyDoom, causing $36.1 billion in damage in 2003, which adjusts to $65.2 billion today.
SoBig was certainly big compared to other cyber catastrophe events, but it was not so big compared to other forms of economic loss, from the $600 billion in Ukraine from the ongoing conflict to the likes of Hurricanes Ian and Katrina above.
As you can see, SoBig was not so big and not so bad, and NotPetya certainly was neither SoBig nor so bad.
NotPetya in Ukraine
One could argue that viewing NotPetya on a global scale dilutes its impact, so let’s dig a little deeper and consider the attack more narrowly. NotPetya’s intended target was Ukraine. Sandworm just lost control of the attack, as evidenced by the fact that nearly 95% of the economic loss occurred outside Ukraine. This is based on cybersecurity researcher Lennart Maschmeyer’s claim that NotPetya impacted 0.5% of Ukraine’s GDP, which was $112.09 billion at the time. That comes out to $560 million, which is 5.6% of NotPetya’s overall $10 billion economic impact.
This does fit a hypothetical measure of severity for cyber attacks. Researchers Eling, Elvedi, and Falco claim that an impact of 0.2-2.0% of GDP could be construed as severe, but they apply that test on a global level, and it isn’t clear that it can scale downward. Further, there is no suggestion of what that severity translates to in economic or societal impact. We’re again left with the impression that NotPetya was not so big, this time with regard to its intended effect.
What of the future then?
It’s going to be OK
Plenty of doomsayers claim that the ‘Big One’ is “yet to occur”, although they provide scant evidence to support that claim. Yes, there’s a lot more internet than there was even twenty years ago, and even our refrigerators are connected to it. The ‘attack surface’, as it is called, has grown orthogonally. That doesn’t inherently mean that economic impacts will grow proportionately.
On an absolute basis, they’ve fallen over the past fifteen years, which means that, on a proportional basis, they’ve downright plummeted. Since 1998, 93% of aggregate economic loss from cyber catastrophes came before 2009.
Potential reasons for the sharp reduction in cyber catastrophe activity can vary. It can be attributed to the incorporation of security measures in product design and user behaviour, as well as the overall maturation of the online environment. As we’ve grown more reliant on the cyber domain, we’ve become better at making it more resilient.
This resilience at least contributes to the fact that the only above-average year for economic losses from cyber catastrophes was 2017. WannaCry and NotPetya, both attacks from state actors, caused combined damage of only $16.7 billion. That’s less than 15% of the aggregate loss of the worst year in history. Economic losses from cyber catastrophes in 2003 almost reached an inflation-adjusted $120 billion.
Perhaps the ‘Big One’ that many worry about won’t be so big after all. And if that’s true, then the future itself is very probably looking pretty good.