I've been communicating a couple themes concerning cyberwarfare that we've seen. They don't exactly line up with what some of my expert peers are stating (and that is OK!).
Russia fully has the capability to conduct cyberattacks against NATO member country criticalinfrastructure, in a manner which causes hollywood-style loss of life, explosions, fire, dead babies - all the stuff of our nightmares.
Russia will not, and will instead focus on frustrating and confusing attacks which will cause extreme economic hardship to businesscontinuity and qualityoflife.
An oil refinery exploding, versus an oil refinery unable to operate in a business sense, but otherwise no explosive fires. (hint hint - Colonial Pipeline may be foreshadowing)
Let's back this up with a bit of wargaming...
First, attackers have demonstrated they can get to where they want to go. There is simply no room for hubris here - just look at the non-stop news articles involving attacks against well-established companies with mature cybersecurity programs. So, we know access is not an issue for these folks. It is good to note that the initial access criminals sell access to anyone with the cash to make use of the backdoor - something we've seen with increasing (criminal) market maturity.
Second, the cybersecurity industry (arguably like most industries) is much better at reactive, than proactive, response. We have a taste of that with the cyberattacks against Ukraine. Destructive malware A is replaced by hermeticwiper, then caddywiper. Attackers at this level of maturity have additional tools ready, to continue evading defenders. What are we supposed to say to a business which is utterly destroyed by attackers first destroying their supposedly-untouchable offlinebackups, then taking out the business with whatevernextwipermalware? "Sorry, we only protect against last month's cyber attacks!" Yes, that's why we focus so heavily on proactive defense at my company, but let's not get distracted by the technology fix...
Thirdly, we as a society have not yet crossed the threshold where we have experienced and know how to respond to a "cyber war" attack of the likes of dramatic explosions, water shut off or poisoned, electrical disasters, etc. across several cities. It is the stuff of movies. I think we can be certain, though, given the rhetoric we already see from more hawkish pundits, that there will be "digital Pearl Harbor" and "digital 9/11 (or 7/7 for UK, etc.)" references, and that could quickly escalate to a call for kinetic (missile) response.
Fourth, we know that Russia's operational model is to sow confusion and disorder. They do not want an obvious response, of which 10 cities on fire with no water pressure would necessitate. Russia wants a delayed, unsure response. Politicians and the public will align behind a cohesive, fast military response to Russia with dramatic destruction, but will the West have the same reaction to finding out the credit card companies are offline, because their ability to charge fees is destroyed? Maybe grocery store wholesalers can't suddenly track inventory shipments for their businesses, so they freeze all of the food coming and going? How about if the wallstreet hedgefund records are all digitally destroyed? Who will cry for the investors, even though that attack will likely have massive repercussions across our entire economy, including a lot of our pensions?
My thoughts - even if Vladimir Putin wants to move NATO to a kinetic war for whatever reason, the escalation is going to be against business operations, and not some explosion-riddled attack against city infrastructure and military bases. That would be too easy, and it just isn't Russia's style.