Navigating the cyber frontier: trends and challenges
Brian Kot, an MPhil in International Relations, highlights four broad themes critical for policymakers as they navigate the rapidly evolving digital landscape.
The Blavatnik School of Government recently hosted a closed-door roundtable discussing the complex risks and opportunities presented by advances in cyber and artificial intelligence (AI).
The roundtable was followed by a public discussion on securing cyberspace between Ciaran Martin, Professor of Practice in the Management of Public Organisations at the School, and Bobby Chesney, Dean of the University of Texas School of Law. The following key themes critical for policymakers emerged from the discussions.
Geopolitics is dominating cyberspace
Cyberspace has become the new arena for interstate competition. Traditional concepts of war and peace are being redefined as cyber operations become more pervasive and severe, a trend that is likely to continue due to advances in AI. Ciaran Martin set the stage by noting the transition from a relatively calmer period post-Snowden to a more volatile era where technology plays a central role in geopolitical strategy. Processes of ‘multipolarisation’, he added, have elevated the role of rising and middle powers who have become confident in asserting their national interests, further complicating the landscape of geopolitics and technology governance.
Key points discussed at the roundtable included the complexities of cybersecurity, the inevitability of vulnerabilities, and the need for building resilience at every level. As technologies like quantum computing and machine learning advance, risks and opportunities increase. The dual-use nature of these technologies necessitates a flexible and robust approach to cybersecurity. It is not just about preventing attacks but building systems resilient enough to recover from them.
The panel emphasised that geopolitical competition is now deeply intertwined with technological innovation. Nations are increasingly turning to cyber operations as a means of strategic competition. This has led to a state of ‘unpeace’, where hostile activities occur below the threshold of armed conflict but may still cause significant harm requiring a response.
The need to reassert cyber deterrence
Western countries face significant challenges in responding to cyberattacks. The digital domain is shaped by two concurrent transformations: the resurgence of major powers like Russia and China, and the technological revolution. While the prospect of direct military conflict among superpowers remains low, strategic competition in cyberspace is intensifying. This competition involves causing harm short of traditional armed conflict. The potential for escalatory conflicts arising from attacks on critical infrastructure, such as water systems and hospitals, underscores the need for effective interventions. A ransomware attack in the United Kingdom this month on Synnovis, a pathology service that resulted in disruptions at major London hospitals, highlights the real and immediate threat to critical infrastructure.
Deterrence strategies have been only partially effective. For instance, deterrence has prevented attacks that cross well-defined red lines, such as those involving the use of force under international law. However, there has been a failure to prevent cyberattacks that fall below this threshold, leading to a state of ‘un-peace’ where low-level cyber conflicts persist. Western countries have struggled to effectively deter state-sponsored cyberattacks.
One panelist highlighted a ‘spectacular failure’ in preventing these attacks, with existing deterrence approaches proving inadequate. Some participants argued for pursuing more robust deterrence strategies, including by imposing higher costs on adversaries for engaging in cyber operations and investing in capabilities to protect critical infrastructure. Other participants criticised the concept of ‘cyber-legalism’, where international laws and norms are relied upon to constrain malicious actors, for being ineffective against nations that do not adhere to the same rules and values. Rather than compete on an unlevel playing field, they argued, states should seek to strengthen deterrence by shifting towards a more proactive approach, imposing steeper costs on adversaries waging cyber operations, and investing in more robust defensive capabilities.
Several countries are already adopting this approach. A project led by Roxana Radu, Associate Professor of Digital Technologies and Public Policy at the School, explores the recent shift from a strictly defensive cybersecurity posture to a more proactive stance. Governments increasingly deploy offensive capabilities to neutralise and disrupt the networks of attackers within and outside a given jurisdiction, expanding the spectrum of lawful responses to cybersecurity threats under international law.
At the same time, participants recognised that cyber legalism remains crucial for building consensus around cyber norms. The Oxford Process on International Law Protections in Cyberspace, initiated by the School in 2020, brought together over 150 international legal experts from across the globe to articulate how international law applies to cyber operations across a variety of contexts. The resulting Statements hold promise in promoting shared norms about state behaviour in cyberspace and have become reference points in the United Nations Open Ended Working Group discussions.
The role of non-state actors
Beyond government, industry and civil society groups are playing a key role in identifying and responding to cyber risks. Non-profit organisations such as Bellingcat and Citizen Lab, for example, have taken on crucial roles in identifying vulnerabilities and analysing state-sponsored cyber operations. A wide array of tools and data (eg, satellite imagery) are now accessible to Open Source Intelligence (OSINT) researchers of varying levels of experience and expertise. These researchers are becoming the ‘first responders’ in times of crisis in shaping public perceptions.
As the providers of digital infrastructure, private companies are the de facto guardians of a country’s most critical infrastructure and sensitive personal data. For instance, the Ukrainian government has awarded Microsoft Azure and Amazon Web Services peace prizes for providing critical cloud and digital services since Russia’s invasion. However, misaligned incentives between private and public sectors can produce severe consequences. A whole industry of cyber mercenaries has emerged to harvest and sell human data—often to autocratic governments for repression. Moreover, the tech industry’s ‘ask for forgiveness, not permission’ ethos often leads companies to marketise innovative products before adequately addressing potential societal risks. The expanding influence of tech companies in academia, philanthropy, and government continues to hinder the push for stricter regulation of the industry. Enhancing multistakeholderism in policy processes could help mitigate the dominance of business interests, although challenges, such as unequal resources among stakeholders, persist.
Internet governance and regulatory fragmentation
The roundtable discussions also underscored the problem of regulatory fragmentation for cybersecurity and digital governance. The fragmentation of the global internet, often referred to as the ‘splinternet’, is a growing concern as different countries—including close allies such as the United States and United Kingdom—pursue divergent approaches to regulation, complicating international cooperation and undermining collective security efforts. Geopolitical and ideological realignment, as well as concerns about digital sovereignty, are partly driving this trend, as countries increasingly seek to control their technological ecosystems.
Trade-offs persist between maintaining an open, free internet and addressing security concerns posed by unfettered connectivity with adversarial states. Regional and international arenas are witnessing a shift towards infrastructure control, with states focusing on what can be physically regulated. The European Union, but also the BRICS nations (Brazil, Russia, India, China, and South Africa), are increasingly asserting digital sovereignty. While some regional blocs have stated their preference for a global network, others have started to challenge the traditional notion of a single, unified internet.
Panelists also touched on the role of international organisations and the challenges they face in advancing cyber norms and law. While there has been progress in areas such as the interpretation and application of international law to cyberspace, broader international consensus remains elusive. Efforts such as the Oxford Process represent a step in the right direction towards achieving that important goal.
***
The discussions at the School underscored the complexity and urgency of navigating the cyber frontier. Policymakers must adopt a multifaceted approach that combines technological innovation with robust governance frameworks. Resilience, strategic deterrence, and international cooperation are key to addressing complex challenges posed by cyber, AI, and emerging technologies. As policymakers continue to grapple with these issues, a collaborative, interdisciplinary approach will be essential to ensuring a secure and stable digital future.