Caught between two hammers — international law and technological dependence on the private sector — modern state sovereignty is in crisis. When a state attempts to act decisively against an adversary operating below the threshold of armed attack, it risks not only diplomatic sanctions and international condemnation but the loss of access to critical digital infrastructure owned by private corporations. In wartime, that loss is catastrophic, as we both experienced firsthand during Russia’s brutal invasion of Ukraine.
The classical understanding of state sovereignty is being challenged. States now must actively ask for permission to use private capabilities for defensive purposes. Two structural vulnerabilities emerge from this reality.
First, exploiting the calculated ambiguity of international law, aggressor states can weaken or even paralyze a target’s ability to decisively respond to destructive cyber operations that fall below the threshold of an armed attack. This grants carte blanche to low-level operations in cyberspace — a strategy institutionalized by the Russians, widely referred to as the “Gerasimov Doctrine,” since 2013. This term, while contested, accurately describes a pattern of Russian strategic behavior. This approach has effectively eroded the boundary between peace and war, establishing a gray zone as a primary theater of operations that is increasingly manifested in the strategies of other revisionist powers globally.
But the marginalization of international law is only part of the equation. The second aspect is the erosion of state sovereignty driven by critical technological dependence on global corporations like Google, Microsoft, Meta, Amazon, and SpaceX. A decision from a CEO’s boardroom can impose a de facto veto on the military operations of a sovereign state, driven by the company’s own commercial or ethical calculations. Not every state, and not every crisis, has the safeguards to prevent it. Control over critical infrastructure, cloud computing, and communications transforms a global corporation into an autonomous geopolitical actor. The capacity to exercise the right to self-defense is increasingly rented from private tech giants.
But sovereignty isn’t just borders. It’s a nation’s capacity to make decisions free from external cognitive manipulation.
The First Hammer: International Law
The current legal doctrine — specifically, the prevailing approach to when a cyber operation qualifies as a use of force under Article 2(4) of the U.N. Charter, as Lukasz Olejnik observed at an international defense forum in Warsaw in January 2026 — is based on the principle of kinetic equivalence. A cyber incident is recognized as a cyberattack only if its consequences functionally resemble those of a kinetic strike. This creates an asymmetry in which international law may be used to justify preventing escalation, while the aggressor state weaponizes this restraint as a shield, deliberately conducting destructive cyber operations below the threshold of recognition — operations that, in aggregate, can threaten a state’s survival. This produces a situation in which allied states — constrained by political commitments and institutional obligations — effectively use international law as self-restraint, while revisionist powers can afford to disregard these frameworks with acceptable consequences.
Political pressure and sanctions in response to cyber incidents don’t function as deterrents, or at least there’s no clear evidence of that. They’re collateral costs — ones the aggressor is willing to absorb for the result it seeks.
This diplomatic silence — the so-called gray zone — became the perfect camouflage for a quiet war. Exploiting the legal vacuum, Russia transitioned from information operations to building a fully-fledged cyber army. From 2014 onward, the aggressor state began embedding backdoors — hidden access points allowing an attacker to reenter a compromised system at will — in Ukrainian systems, strategically masked as espionage rather than an active attack. The inadequacy of current frameworks allowed Russia to plant thousands of backdoors across Ukrainian systems, which it activated at the moment of full-scale invasion in 2022 — severely undermining the state’s defense capability. This demonstrates a direct link between such preparatory efforts and kinetic action.
Based on the direct operational experience of one of the authors, Demediuk, as deputy secretary of the National Security and Defense Council of Ukraine, up to 2,500 backdoors likely remain prepositioned in Ukrainian systems as of early 2026. This fact demolishes the illusion of a gray zone, revealing it to be nothing more than a cover for cowardice on the part of states that choose to preserve an ambiguity exploited by more powerful states, rather than confront them. For some states, inaction is the lesser of two evils.
Yet the greatest strategic failure was not merely the neglect of cyberattack preparation. It was the failure to recognize how deeply cyber operations were integrated into the kinetic strike cycle.
Drawing on his role coordinating Ukraine’s cyber defense, Demediuk identifies a kinetic-cyber cycle that Russia has successfully employed since 2014, consisting of four core phases.
The cycle begins with an information pretext: creating a media narrative and designating the target as hostile to legitimize the forthcoming strike in the eyes of the domestic population. This is followed by digital targeting: cyber reconnaissance and the installation of digital beacons by compromising and amplifying routers and other radio-controlled devices, enabling precision guidance for the kinetic strike. The third phase is the kinetic strike itself: physical destruction of the target. Finally, the cycle concludes with information rationalization: an information campaign asserting the necessity of the strike, regardless of its actual outcome.
It’s precisely because of the cyclical and predictable nature of these actions that Ukrainian authorities developed an automated predictive system. By analyzing detected cyber incidents in phases 1 and 2, the system can forecast the approximate time and location of a kinetic strike. Its current accuracy, according to Demediuk, is roughly 60–65 percent. The first test was conducted shortly before a major Russian missile strike on a civilian target in Kyiv. Based on identified cyber incidents, the system detected the likelihood of a kinetic attack, and the target’s management was notified in advance.
This synchronization is not a new phenomenon — it was embedded in the architecture of the war from its very inception. The war did not begin with the crossing of borders but with a cyberattack on the Viasat satellite communications network used by the Armed Forces of Ukraine and state institutions. The initial intrusion began hours before the ground invasion, with the destructive phase disabling communications roughly one hour prior to incursion. This operation gave Russia a decisive advantage at the moment of attack.
In modern warfare, the first weapon deployed is code, not a tank. The gray zone is often nothing more than a convenient justification for one’s own inaction. Yet the persistence of this concept in 2026 is, in fact, a strategic political choice by states. They deliberately keep destructive operations in this space, where the rules of war remain conveniently blurred.
The Second Hammer: Big Tech
States are not defenseless against private sector overreach. The United States, in particular, maintains a robust architecture of contractual obligations, service-level agreements, and legal authorities — including the Defense Production Act — designed to ensure private compliance with national security requirements. But these mechanisms are not absolute. The 2026 confrontation between the U.S. Department of Defense and Anthropic demonstrated it: Despite a $200 million contract, the company refused to lift restrictions on the use of its AI for fully autonomous lethal systems and mass domestic surveillance, and was met with an unprecedented designation as a supply chain risk — a measure previously reserved for foreign adversaries. Even in peacetime, within a structured contractual relationship, a state cannot guarantee full control over how a private company deploys or restricts its technology.
But this is only part of the problem. In the reality of modern conflict, states may find themselves in a position where the urgency of the moment or cross-border dependencies leave no room for building such safeguards at all — forcing them to rely on the verbal commitments of private sector leaders. The war in Ukraine proved exactly this.
At Ukraine’s most critical moment, Starlink provided access to its technology for the Ukrainian military. An objective reality must be acknowledged: In the vacuum created by damaged state communications systems, the deployment of Starlink became a vital element of the defense, saving Ukraine from informational paralysis — a lifeline that was critical in the war’s opening weeks.
But it was precisely here that Ukraine — and, by extension, the entire democratic world — collided with a new reality: National defense had become critically dependent on the will and algorithms of a single private corporation. This dependency created new attack vectors and potential channels for the leakage of state secrets.
A paradoxical situation had emerged: The military was forced to use private infrastructure as its primary communications channel, fully aware of the risks. All that remained was the attempt to secure the data’s confidentiality.
But the gravest threat was the emergence of a strategic veto over state action by the private sector.
Starlink in Ukraine represents the most vivid example of how a private sector individual, endowed with power, can single-handedly restrict the military operations of a sovereign state.
The starkest illustration of this problem was observed during the Ukrainian counteroffensive on the southern front in autumn 2022. At the moment when assault forces crossed a certain line — advancing into occupied territory — they abruptly lost Starlink connectivity, plunging the battlefield into chaos. Without communications, commanders were forced to drive to the front line to enter radio range, losing precious time and risking their lives for the sake of basic coordination. The cause of this chaos was not a technical failure. It was the deliberate use by the company of geofencing technology, which reportedly restricts the connectivity zone.
A private company effectively drew a line where its systems may be used and for what purpose. This decision created a technical boundary that redefined the operational limits of a sovereign state’s defense. The decision of one private sector individual led to a significant number of Ukrainian military casualties that could have been prevented.
This situation exposed a significant operational asymmetry: The effectiveness of military maneuvers became dependent on coordination with private entities rather than purely on the national chain of command.
Notably, this occurred in the absence of a formal defense procurement contract between Ukraine and SpaceX — the technology was provided as emergency assistance, not under binding service obligations. In the chaos of the war’s opening hours, with state communications infrastructure destroyed, negotiating contractual terms was not an option. While states like the United States may have contractual safeguards with their providers, states dependent on emergency access to foreign private infrastructure have none.
Unlike traditional suppliers, the visibility afforded by real-time digital infrastructure allows a nonstate actor to impose a de facto veto on military actions. As evidenced by high-level discussions between U.S. defense officials and private leadership, this capacity establishes the provider not just as a contractor, but as a primary geopolitical actor.
While private sector leverage in armed conflict is not new, digital infrastructure introduces a qualitatively different dynamic: the ability to revoke access to critical capabilities in real time, mid-operation — setting a precedent in which, as one Pentagon official put it, the state found itself “living off his good graces.”
The Anthropic case showed a state seeking to restrict the rights of a private company. The Starlink case showed a private company restricting the sovereignty of a state. Together, these cases reveal that the absence or weakness of enforceable agreements between states and technology providers creates risks that run in both directions.
But the problem extends far beyond individual cases. The excessive concentration of assets — cloud storage and data centers — in the hands of a few key companies — Amazon, Google, Microsoft, SpaceX, and Meta — creates a scenario where a systemic technical failure could trigger a domino effect in global security.
Paradoxically, it was precisely decentralization at the physical level — the existence of thousands of internet service providers — that saved Ukraine at the start of the war. What might be characterized as market chaos from one perspective was, in the critical moment, the element that allowed the state to stand.
Though Ukraine is as dependent on Big Tech as any other state, it is saved by a unique network access architecture. It is decentralization that makes it impossible for the enemy to sever the network across the entire country through a single point — a characteristic that fundamentally distinguishes Ukrainian architecture from that of countries like the United States or Israel, and points to the effectiveness of decentralized networks as a model of wartime resilience.
Ukraine’s experience makes it unequivocally clear: The world is changing, and the international community cannot afford to delay adaptation on the international legal front or on the technological one. If we do, we may find ourselves at a point where the consequences are measured not in financial costs but in human lives and the structural integrity of the democratic world.
First, we should accelerate the evolutionary recalibration of international norms regarding cyberattack classification. The de facto existence of the gray zone is the primary threat to our defense. In the reality of 2026, the international community can no longer afford the luxury of slow normative shifts. Any state-sponsored cyber operation of a destructive nature must be classified as an armed attack — not by the current standard of kinetic equivalence, but by intent and cumulative effect. This reclassification should be advanced through the newly established UN Global Mechanism on ICT security. Only when the cost of cyber aggression consistently exceeds its strategic gain will deterrence become real.
Waiting for physical consequences only gives the adversary time to prepare — and that can be fatal.
Second, states should reclaim control over critical defense capabilities through structured partnerships with the private sector. A system in which the success of an operation depends on the decision of one private individual is a system predestined for disaster.
This requires legal frameworks for state–corporate cooperation that clearly define the rights, obligations, and limitations of both parties. Just as traditional defense contractors are bound by continuity-of-service obligations under procurement law, digital infrastructure providers whose systems are designated as critical to national defense should be subject to similar requirements — including enforceable penalties for unilateral withdrawal of critical services during active operations — not as a restriction on corporate autonomy, but as the necessary counterpart to the strategic power these companies now wield. From defense procurement contracts to legislative frameworks such as the U.S. Defense Production Act, precedents already exist for compelling private sector cooperation when national security is at stake. These frameworks are imperfect, but they remain far preferable to the complete absence of safeguards that characterizes emergency cross-border dependencies.
Ultimately, the private sector must exist only as an auxiliary element of the state’s defense architecture. States should invest in their own alternative capabilities to achieve genuine technological sovereignty. Clearly, building such alternatives requires massive investment and technological capacity — which is precisely why this dependency persists. But only this can guarantee that, in the critical moment, troops don’t pay with their lives for decisions made in a corporate office across the ocean.
Mykhailo Andreichyn is an independent security researcher and the founder of NoctuaSec, a cybersecurity research group. He conducts authorized physical and digital security assessments and has organized international defense forums featuring speakers from Ukraine’s National Security and Defense Council, the Polish Institute of International Affairs, and King’s College London. He is mentored by Gynvael Coldwind, a former Google Information Security Technical Lead.
Serhii Demediuk is the former deputy secretary of Ukraine’s National Security and Defense Council, where he coordinated the country’s cyber defense during the full-scale Russian invasion. He is a key architect of Ukraine’s Cyber Police. He currently serves as chairman of the Institute of Cyber Warfare Research, and as professor and chief research fellow at the National Academy of the Security Service of Ukraine.
Image: Midjourney
