No longer are geopolitical standoffs settled on the traditional battlefields of diplomacy and arms; now, the digital realm has emerged as the arena for these conflicts.
In this article, we bring together industry experts to discuss the dynamics of the development of cyber threats during unstable international circumstances, the role of automation and AI in the realm of cyber war, and the key issues that organisations, regardless of their level of proximity to the current geopolitical hotspot, need to be focusing on to ensure their survival in this increasingly hostile digital arena.
Know thy enemy and know yourself
Carl von Clausewitz famously described war as “the continuation of politics by other means,” says Anastasios Arampatzis, Account Manager, Bora. “Today, that continuation increasingly runs through fibre-optic cables and databases. Yet despite the dazzling novelty of AI-powered cyber operations, the fundamental grammar of conflict remains unchanged. What has changed dramatically are the means.”
He says Sun Tzu counselled that war is the art of deception, and that victory belongs to those who know both themselves and their enemy. “Every major cyber campaign of the past decade, from the attacks on Ukraine’s power grid to intrusions into financial SWIFT systems, is a masterclass in exactly that. Adversaries probe patiently, map their target’s ignorance of its own attack surface, and strike where self-knowledge is weakest. The tools are new; the logic is ancient.”
Woven into the fabric of warfare
Technology has always been woven into the fabric of warfare, Arampatzis adds. “The Spartan scytale, Caesar’s cipher, Byzantine Greek fire, and the Enigma machine each represented a leap in offensive capability that forced defenders to adapt or perish. AI is simply the latest in this unbroken lineage. Its arrival on the battlefield was not a surprise.”
What is alarming, he says, is that it has arrived ahead of the legal frameworks meant to govern it. “The recent moves by US agencies to deploy large language model capabilities for surveillance and the public objections raised by AI developers themselves, including Anthropic, lay bare a troubling governance vacuum. Offensive AI capabilities are racing far ahead of the norms, treaties, and accountability mechanisms that might constrain them.”
Attacks are a near-certainty
For critical infrastructure operators — energy grids, financial systems, healthcare networks, telecommunications — the implications are sobering but clear. “Attacks are not a possibility to be managed. In periods of heightened geopolitical tension, they are a near-certainty. This is, bluntly, the nature of modern warfare. State-aligned actors do not distinguish between military and civilian targets when the objective is disruption, economic damage, or the erosion of public confidence.”
Arampatzis says this is why resilience must be reconceived. “It is no longer a purely technical discipline. Modern conflicts blend the physical and digital so thoroughly that resilience means backup power generation, redundant supply chains, and trained staff who can operate manually, alongside patched systems, zero-trust architectures, and tested incident response plans.”
He believes that organisations must know themselves deeply: their dependencies, their single points of failure, the gaps between their assumed and actual security posture. That self-knowledge is, as Sun Tzu understood, the precondition of survival.
Human judgment determines outcomes
“The defensive priorities are not exotic: asset visibility, supply chain scrutiny, cross-sector threat intelligence sharing, and above all, the organisational will to rehearse failure before it arrives uninvited. AI-accelerated attacks compress the time available to respond and reward those who have already done the hard, unglamorous work of preparation.”
Yet for all the necessity of resilience, Arampatzis says the deeper wish must be stated plainly. “The leaders and diplomats of our world choose negotiation over escalation, and the ingenuity we pour into offensive cyber capability is redirected, one day, toward the problems that actually threaten us all. Technology does not determine outcomes; human judgment does. May it prove wiser than the weapons it has built.”
Changing intent and impact
Periods of geopolitical tension don’t just increase cyber activity; they fundamentally change its intent and impact, comments Jane Frankland MBE, CEO, KnewStart. “We see a shift from opportunistic crime to coordinated, strategic disruption – not only targeting critical industries like energy, healthcare, and finance, but the complex supply chains and manufacturers that underpin them.”
And this isn’t new, she adds. “We’ve seen it repeatedly, from criminal groups, hacktivists, and state-sponsored actors who are increasingly operating in blurred, sometimes collaborative ways. The lines between them are no longer clear.
“Critical infrastructure is rarely attacked directly at first. It’s accessed through suppliers, service providers, and third parties, the weakest link in a highly interconnected system. That’s what makes these attacks so effective because the objective isn’t just disruption. It’s destabilisation.”
Disrupt a supply chain, Frankland says, and you don’t just affect one organisation. You create cascading impact. Payments fail, services degrade, and trust erodes. And that’s the real target.
A permanent feature of war
Cyber conflict is no longer an extension of war – it is becoming a permanent feature of it, she says. “AI is expanding the threat surface and accelerating everything: reconnaissance, targeting, exploitation. It allows attackers to identify weak points, often deep within supply chains, faster than defenders can respond, and to do so at scale.”
AI is lowering the barrier to entry while increasing the scale and precision of attacks, but the bigger shift is structural. Machine identities now outnumber human ones in most organisations, many of them unmanaged or unmonitored, while AI agents are beginning to operate with increasing autonomy across systems. At the same time, Frankland says traditional boundaries between internal and external are dissolving, making identity the new attack surface.
“This creates a fundamentally different risk environment. What’s changed is not just the speed of attack, but the speed of consequence – where disruption cascades across systems, partners and customers in minutes, not days. Organisations are no longer just defending against breaches; they are trying to maintain control in environments where visibility is fragmented and signals can’t always be trusted, because the real risk isn’t just systems going down. It’s decision-making being compromised when clarity disappears.”
The issue isn’t awareness, it’s execution
When it comes to priorities, Frankland says we’ve been talking about moving beyond prevention for years. “The issue isn’t awareness — it’s execution. Resilience today is about operating through disruption, not simply preparing for it. That means organisations must be able to make decisions quickly, with imperfect information, and maintain control even when systems are degraded.”
The priority is clarity – clarity of roles and decision authority under pressure. Clarity of visibility across complex, interconnected environments. And clarity in communication, so that the right signals surface early and action can be taken without delay.
“Because in a highly automated, interconnected environment, incidents don’t unfold in isolation. They cascade across systems, suppliers and customers, often faster than organisations are structured to respond.”
Technology matters, Frankland adds, but leadership matters more. “Organisations that perform well in disruption are those where people are empowered to act, challenge assumptions, and escalate early, without friction or hesitation. Resilience isn’t proven before the incident. It’s proven in the moments where clarity is limited, time is compressed, and decisions still have to be made.”
Uncertainty is the operating environment
Information Researcher Ross Moore cites a quote by Levi Gundert, Recorded Future’s Chief Security & Intelligence Officer: “Uncertainty is no longer episodic – it’s the operating environment.”
Moore says cyber operations have become a core instrument of state power, and critical industries are among the most effective fulcrums of leverage. “These blended threats, when realized, can have similar effects to kinetic action by delaying, degrading, disrupting, or even destroying foundational services. These actions of escalation make it difficult to de-escalate the rising tensions and properly address the difficulties, creating even greater tension for authorities to bring assurance to the people in their care and stabilize the situation. Not properly managed, initial ICS cyberattacks can be reciprocated with similar or even increased hacktivism.”
Moore says the expanded attack surface increases tension in at least two areas:
First, the need for augmented resources to provide a detailed and in-depth defensive posture for those providing a particular service. Second, the greater sense of vulnerability in those who don’t have any form of influence over the operations of those critical services. For example, those who protect the food supply need to invest in more and more technology for the expanding areas where attacks will occur, while those who are completely dependent on the food suppliers will have no recourse if their food suppliers are negatively affected.
Attacking from a position of comfort and safety
Because the required interconnectedness of systems has expanded so rapidly, it’s easier than ever for someone in another country to stay in the comfort and safety of their own borders while intruding into another country, Moore adds.
“An aspect of the risk is uncertainty: not everyone really knows exactly what might happen if a CI is taken down completely for their region; and that means there’s no true way to run any kind of realistic TTX for it. However, we should use the data from known CI attacks (the Ukrainian power grid attacks of 2015 and 2016, the Norwegian dam hijacking in 2025) to prepare as best as possible.”
While AI and automation have advanced, and more organisations depend on them, Moore says never to forget to take people into account. “While on the negative side of adversities, people are adversely affected, on the positive side, properly trained and placed people will always come up with ways to overcome challenges. Risk management isn’t just about what’s scary – it includes the resources we have to mitigate potential risks and remediate realized risk, and the most powerful resource is people.”
Ask the relevant questions
When it comes to defensive policies, Moore says to ask industry- and company-relevant questions: “What will we do when our main tech stack goes down? How will we communicate if our primary comms channel goes down? How will we recover if our primary service provider is offline for an extended period of time?”
There are so many possible questions – all dependent on the real risks presented to an organisation – that it’s impossible to give a sample list or template. But these questions should drive investment in tested incident response (IR) plans, business continuity plans (BCP), out‑of‑band communications, and realistic exercises.
He says some considerations for areas of investment include identity‑centric defence, OT/ICS segmentation, incident response and resilience testing, secure‑by‑design and supply chain controls, and AI governance for both attacks and defences. “Organisations such as CISA and ENISA provide guidance for defending against APTs, protecting OT/ICS, managing ransomware risk, and governing AI in critical infrastructure contexts.”
Increasing volume and strategic intent
Gary Hibberd, Fellow of the CIISec, says periods of heightened geopolitical tension almost always increase both the volume and the strategic intent of cyber activity against critical industries. “From energy to finance, and healthcare to telecommunications, they become even more attractive because the loss (or destabilisation) of any of them could have a significant impact upon the country.”
But what changes in tense periods is not just “more attacks,” but a shift toward attacks designed to create pressure on both national and local infrastructure, he adds. “Disrupting services, pre-positioning inside critical networks for future use, stealing sensitive data, and creating uncertainty at scale cause not only confusion and disruption within the organisation, but also across the nation. It’s this ‘uncertainty at scale’ that is perhaps most damaging of all, as it’s the person in the street who feels the impact.”
Our ability to plug gaps is diminishing
With cyber operations increasingly involving automation, AI, and advanced offensive techniques, Hibberd says the reality is that the ‘gaps in the system’ are widening, and our ability to plug them is diminishing as the solutions we’re implementing to protect ourselves become more complex. “While it may appear that cyber conflict is a new battleground (and in some ways it is), the true nature of cyber conflict is actually grounded in how wars have been fought since man could pick up a weapon. ‘Shock and awe’ and ‘scorched earth’ are techniques employed by cyber attackers and Vikings alike!”
What does this mean to us today? Hibberd says it means that we need to recognise that there is nothing new in the world, and rather than chasing shadows, we need to focus on understanding core principles of security and protection: risk management, vulnerability assessments, human behaviour, etc.
“The defensive priorities organisations must focus on today to strengthen resilience against state-aligned cyber activity and large-scale digital disruption are simply foundational principles: leadership, risk management, and a recognition that we all have a part to play in protecting an organisation – this means focusing on developing a culture that respects (rather than relies on) security. To put it simply, we must stop focusing on technology to solve our problems, because as Bruce Schneier observed, ‘If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology.’”
Don’t overlook the impact on employees
Christian Toon from the FCIIS notes a heightened focus from threat actors on both sides of the current conflict. Again, as has been seen before, critical sectors such as infrastructure, telecommunication, energy, financial services, and healthcare are all at risk.
There is a focus on what businesses need to do to protect against the attackers, as well as on being well-informed through threat intelligence and adjusting priorities accordingly. However, he says one of the things that is often not talked about within a multicultural society is the impact upon employees. Much of the dialogue centres on phishing, ransomware, and other threats coming from outside the organisation, but the role of employees, both as a duty of care and as a potentially higher threat vector, is sometimes overlooked.
Taking the Middle East conflict as a case study, Toon argues that many organisations have a workforce that includes individuals with affiliations to the areas that are experiencing geopolitical tensions. This poses a double risk for organisations. First, individuals of certain nationalities may be targeted as a way to access the organisation, which makes their accounts high-value targets. Second, these individuals may be subjected to direct digital targeting in their personal capacity.
Toon cites the case of the Russian invasion of Ukraine, where Russian and Ukrainian individuals (despite being non-actors in the conflict) were subjected to online harassment and direct cyber activity. Organisations had to take measures to protect their accounts while being mindful of the geopolitical tensions.
A focus on data and operational sovereignty
According to Toon, over the last five years, geopolitical tensions have increasingly affected cyber threats. Therefore, organisations are strengthening their defences by putting more focus on threat intelligence related to geopolitical tensions. The notable development is the focus on data and operational sovereignty, which includes understanding the location of organisational data and its reliance on global infrastructure.
At the same time, although not exclusively driven by geopolitical events, automation and AI are becoming ubiquitous in every aspect of offensive and defensive cyber activities, Toon writes. However, Toon emphasises that the fundamental objectives of defensive activities have not changed: vulnerability management, security awareness, patch management, and a good understanding of network vulnerabilities. Identity and access management is also a primary entry point for attackers, and needs more focus.
Focus on core cybersecurity fundamentals
He warns against overreacting to geopolitical events with overly bespoke security measures. Instead, organisations should refocus on core cybersecurity fundamentals, ensuring appropriate controls are in place. Where gaps exist, robust insurance and well-tested response plans are essential, so that when disruptions occur, organisations can respond effectively and recover with confidence.
The dissolving military/civilian boundary
Dimitris Georgiou, CSO, Alphabit Cybersecurity SA, says in 2026, the boundary between military objectives and civilian infrastructure has effectively dissolved. “During periods of heightened tension, critical industries are no longer secondary targets; they are instruments of national pressure used to erode social trust. For the energy and telecommunications sectors, this often manifests as “pre-positioning,” where state actors embed “sleeper” malware within grids to create a form of pre-emptive deterrence. The threat of a total grid failure or a communication blackout becomes a powerful bargaining chip in hardball international diplomacy. In finance and healthcare, the goal shifts to psychological attrition: disrupting markets or hospital services to overwhelm a nation’s domestic response capabilities and cause internal chaos without firing a single shot.”
Machine-speed attrition
The evolution of cyber conflict is now defined by machine-speed attrition, Georgiou adds. “The rise of Autonomous Cyber Capable Agents allows attackers to scan, exploit, and move laterally across networks without human intervention. This creates a massive “blast radius” for organisations entirely outside the political sphere. When a state-sponsored AI tool is released to target a specific government supply chain, it inevitably spills over into the global ecosystem. A manufacturing plant or a local retailer can become collateral damage simply because they share a software dependency with a high-value target. In this environment, “spillover” isn’t a glitch; it is an inevitable consequence of new-age autonomous warfare.”
Modern defence must shift from the illusion of total prevention to resilience through “Assume Breach” logic, he adds.
Organisations should prioritise three pillars:
- Immutable Identity: Moving beyond standard MFA to phishing-resistant hardware keys to neutralize AI-driven deepfakes and credential harvesting.
- Operational “Island Mode”: Developing the capability for critical systems (especially in OT) to operate autonomously if the primary network is severed or compromised.
- Algorithmic Defence: Deploying defensive AI that can hunt for autonomous threats in real-time, matching the speed of offensive AI.
“To put it simply, cybersecurity isn’t just a technical chore; it is a strategic necessity for global stability. Today, a single piece of malicious code can do as much damage as a missile. Being digitally resilient is the only thing that prevents a political argument from turning into a full-blown national disaster. And it requires constant awareness, investment, and vigilance,” Georgiou ends.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.


