Beyond Breaches: The Spectrum of Costs from Espionage and Pre-Positioning
By: Melissa K. Griffith, Alexander Leslie, and Taylor Grossman | Spring 2026
This paper addresses a core question for policymakers and practitioners: "What are the costs of cyber espionage operations?"
Cyber espionage operations impose a wide-ranging and dynamic set of costs on targeted states, corporations, and individuals. This research introduces a comprehensive new framework to capture the full range of costs borne by the targets of and defenders against such operations, distinguishing between realized costs—those that manifest immediately and, as such, are more readily quantifiable—and potential costs, which are forward-looking, uncertain, and highly contingent on future actions and geopolitical context. This framework also accounts for the inherent difficulty defenders face in determining whether an intrusion is solely about information gathering, i.e., Computer Network Exploitation (CNE), versus an intended pre-positioning for future disruption, i.e., Operational Pre-Positioning or Operational Preparation of the Environment (OPE). The challenge of distinguishing between these objectives, and the possibility that an adversary could flexibly shift between them, itself represents a significant and often underestimated cost center.
Current approaches to measuring the cost of cyber operations often collapse espionage, pre-positioning, and disruption into a single category, one that overemphasizes immediate, easily quantifiable metrics and fails to account for the evolving cost dynamics from detections, interpretations, and counteractions. This practice obscures key differences in how and when costs actually accrue, offering little insight into the broader strategic and economic consequences that flow from discovery, uncertainty, and misinterpretation.
Typically, realized costs stem from direct mitigation and fallout, including expenses for forensic investigation, system recovery, legal obligations, reputational damage, and, in severe cases, losses in market value. Their impact often extends far beyond the initial breach, encompassing ongoing remediation, regulatory settlements, and potential strategic repositioning for governments and critical operators.
Potential costs, on the other hand, center on risks should adversaries leverage the exfiltrated data or persistent network access for a competitive advantage, strategic manipulation, or even as a foundation for future cyberattacks. These costs are highly contextual and depend on the adversary’s objectives, technical capabilities, and evolving geopolitical realities.
The difficulty for defenders in identifying adversary intent also generates its own layer of risk, forcing organizations to undertake costly precautionary measures in the face of uncertainty. In short, the CNE-versus-OPE dilemma is a measurable cost center itself. The operational realities of "distinguishability" (the challenge of inferring adversary intent) and "adaptability" (a foe’s ability to repurpose network access) drive both realized and potential costs higher, forcing defenders into costly precautionary actions and investments that may or may not prove necessary.
Discovery of an intrusion, therefore, marks a costly inflection point: every act of detection launches a cycle of strategic interpretation and defensive hardening, incurring costs not only for immediate response but also for future-proofing against the possible conversion of the intrusion to generate effects.
The magnitude and composition of these costs are not fixed; they vary sharply depending on the geopolitical context. The full spectrum of realized and potential costs peaks during periods of heightened tension—the “messy middle” between peace and war and during the initial onset of armed conflict—when every intrusion rouses deeper suspicion and magnifies the consequences of miscalculation. During these periods, ambiguity about adversary intent is highest, and organizations are most likely to incur both immediate and long-term costs as they prepare for worst-case scenarios.
This paper challenges the conventional wisdom that cyber espionage is a “low-cost” form of statecraft. It highlights the profound and often unmeasured costs imposed by uncertainty, ambiguity, and the dynamic interaction between technical indicators, adversary intent, and geopolitical context. This framework offers practical implications for policy, risk management, incident response, and cyber insurance—arguing for models and strategies that acknowledge and seek to measure the full spectrum of costs defenders face in the wake of an intrusion.
For decision-makers, recognizing and measuring both realized and potential costs as context-dependent and dynamic, rather than static and incident-specific, is essential for more effective, resilient, and adaptive responses to the realities of modern cyber competition.