There have been at least seven major “wake-up calls” in cyber conflict, attacks or other events that shocked and surprised defenders and decisionmakers, then were promptly forgotten until a similar shock “awakened” a new cohort of cyber leaders. This pattern will repeat itself until policymakers and practitioners pay attention to history.

A study of the past 25 years reveals three main lessons. The first and most important: There is, in fact, history to be learned. Contrary to received wisdom, cyber conflict, as distinct from the fast-changing technologies through which it is fought, has changed only gradually.

A second lesson is that the probability and consequences of disruptive cyber conflict have been overhyped for decades, while the impacts of intrusions have been underappreciated. How often have you heard about a “cyber Pearl Harbor,” as opposed to the data theft that is actually occurring?

Lastly, the more strategically significant a cyber conflict is, the more similar it is to conflicts on the land, in the air and on the sea. For example, when cyber warriors talk about attacks “at the speed of light,” that is only true at the tactical and technical level — tactical engagements often happen quickly in any domain of warfare. The broader cyber conflicts of which they are part unfold over weeks, months and years. As in any domain, it is the job of senior decisionmakers to abstract these smaller tactical truths into a larger strategic whole.

It's frightening in part because it's so hard to fathom the havoc that could be wrought.