BIP ATL News & Media Platform


AI is speeding up nation-state cyber programs

Apr 25, 2026  Twila Rosenbaum

Nation-state cyber programs have undergone profound changes over the past three years, driven by the integration of artificial intelligence and automation. In a recent interview, Kaja Ciglic, Senior Director of Cybersecurity Policy and Diplomacy at Microsoft, outlined how these developments are reshaping the threat landscape and why traditional response mechanisms are no longer sufficient.

Cyber as a core instrument of state power

According to Ciglic, cyber has moved from being a specialist tool to a core instrument of state power, now treated alongside military, economic, and diplomatic capabilities. Analysis of recent conflicts shows that cyber operations are embedded into broader national security strategies, particularly around critical infrastructure and societal resilience. This evolution reflects a strategic shift: states no longer view cyber as a niche domain for espionage or disruption but as an integral component of their power projection toolkit.

Furthermore, the integration of cyber with other instruments of power has deepened. In conflicts such as those in Ukraine and the Middle East, cyber operations are coordinated with kinetic actions, information operations, and economic pressure. Cyber is used to prepare the environment, shape perceptions, disrupt logistics, and test resilience rather than to deliver stand-alone effects.

AI and automation accelerating tempo

Automation and AI-enabled tooling have significantly accelerated the operational tempo of state and state-aligned actors. Multiple assessments indicate that these actors are using machine-assisted techniques to scale reconnaissance, exploit vulnerabilities, and conduct influence operations more persistently than before. This evolution has lowered the barrier to sustained activity while increasing pressure on defenders. Ciglic emphasized that defenders must now coordinate at machine speed to keep pace.

Blurring lines: North Korea's criminal enterprise

North Korea's cyber program presents a unique challenge, functioning as a sanctions-evasion mechanism. Ciglic noted that the line between espionage, warfare, and organized crime is now structurally blurred. North Korean operations, including cryptocurrency theft, supply-chain compromise, and illicit IT worker schemes, are state-directed criminal enterprises aimed at revenue generation. Existing legal frameworks struggle because they assume clean distinctions between these domains. Ciglic called for closer coordination between financial regulators, cyber defenders, and national security authorities.

Rethinking response architectures

Policymakers often rely on sanctions and indictments after major incidents like SolarWinds, Colonial Pipeline, and Exchange. However, Ciglic argued that more consequential responses are needed. She proposed a framework of conditional and reversible consequences: sustained economic or diplomatic measures that can be dialed up or down depending on adversary behavior. For example, pressure could remain until malicious actors verifiably exit compromised networks.

When it comes to ransomware and other criminal activities enabled by state safe havens, Ciglic advocated for state accountability. Designations such as “state sponsors of cybercrime,” similar to state sponsors of terror, could open new avenues for accountability and force states to exercise due diligence. She stressed that deterrence will not come from louder condemnations but from consistent, adaptive, behavior-based responses.

NATO's Article 5 ambiguity

On NATO's ambiguous stance regarding Article 5 and cyber operations, Ciglic described some ambiguity as inevitable and even useful for deterrence. However, ambiguity without credible thresholds and response pathways becomes a liability. Adversaries are adept at operating below ill-defined red lines. The most stabilizing approach, she said, is to strengthen collective resilience, attribution, and response coordination so that sustained cyber campaigns reliably produce consequences—diplomatic, economic, or legal.

Structural coordination for democracies

Finally, Ciglic identified a critical structural flaw in how democracies coordinate cyber policy: the lack of standing, operational coordination mechanisms connecting governments and trusted private-sector operators before crises occur. Currently, ad hoc task forces are assembled after the fact, relying on informal relationships. The biggest obstacle is trust—legal, cultural, and political hesitation to share sensitive information across borders and sectors. Without building that trust, democracies will continue to face asymmetry, where defenders coordinate slowly while adversaries move at machine speed.

Ciglic's insights underscore a rapidly evolving threat landscape where AI and automation are not just tools for attackers but also amplifiers of state power. The challenge for defenders is to build systems and relationships that can match the speed and scale of modern adversaries.


Source: Help Net Security News

