In London on business, I finally made time for three places I had been wishing to see for a long time. I went carrying a story I thought I already understood. My grandfather, Archibald MacLean Hastie, served in the Second World War with the 2nd New Zealand Divisional Cavalry Regiment. His service number was 1139. He fought in Greece and Crete. He was wounded on Crete in 1941. He survived, returned to the war, and eventually came home to New Zealand.

Archibald MacLean Hastie WWII 1139

That is the outline. Families inherit outlines; the rest comes in fragments. In our family, the story was that he was badly wounded, crawled away somewhere, and was found by a mate who refused to leave him behind. Whether every detail is exact, I do not yet know. Military records have a brutal talent for compression. They turn a man’s screaming world into a few dry lines of ink: evacuation, hospital, returned to duty.

But I know enough. He was wounded. He survived. Someone brought him back.

For most of my life, that was family history, important but held at the distance of childhood, wrapped in family shorthand and the gravity of old photographs. I knew him only as Poppy. I was six when he died in 1980. To me, he was not a soldier in the machinery of empire. He was medals, quiet strength, toy soldiers, and the kind of presence some old men carry without explanation.

Only later do you begin to understand that silence has weight.

Last year, I went to Chania, in Crete. I stood at Suda Bay and looked across the water and the graves, trying to imagine a young New Zealander, an armoured reconnaissance soldier fighting largely on foot in terrain he had never known, against an enemy descending from the sky.

It was not battlefield tourism, it was family archaeology.

I went with my wife and daughters, and that mattered. Memory becomes sterile when it is held alone. Standing there with the next generation gave the place a different force. My grandfather’s war was no longer just something behind me. It was something moving through us.

Around that time, I had three service numbers tattooed on my arm. One for my great-grandfather, who fought in the First World War. One for my grandfather, wounded on Crete, and one for my own service, modest by comparison, but part of the same thread.

I have spent much of my adult life in the world of intelligence, security and risk, where the temptation is always the same: to believe that more data will give us more control. I got the tattoo as a private roll call, a physical anchor for a career spent in abstractions.

At Suda Bay, those numbers felt like remembrance, in London, they began to feel like a question.

Cross of Sacrifice at Suda Bay, sword inverted, sea and mountains beyond

Rows of New Zealand headstones

Bletchley Park is a quiet place to encounter the scale of war. It does not overwhelm you with grand architecture. It works on you slowly, through huts, desks and the patient weight of disciplined work. By the end of the war, roughly three quarters of Bletchley Park’s workforce were women. They worked in shifts that ran around the clock, processing, analysing, indexing, translating and helping break German encrypted military communications, most famously Enigma.

The intelligence product of this work was given the codename Ultra. The name was deliberate: the material was treated as more sensitive even than the existing classification of Most Secret. The popular version of the story is comforting: codebreakers broke the codes, the war was shortened, lives were saved.

All of it true, none of it the whole story.

Intelligence is never that clean. If the Germans realised their codes had been broken, the advantage would vanish. The secret had to be protected, even from those whose lives were shaped by it. Knowledge had to be disguised, laundered or delayed. Leaders could know more than they could say. Commanders could be warned without being told the source. Men in the field could be moved, reinforced or left exposed without ever knowing the picture that placed them there.

Bletchley Park mansion, spring light, lake in foreground

The Churchill War Rooms sit underground near Westminster, and there is something unsettling about standing where war was turned into maps, pins and files. Strategy always looks cleaner when the map is flat. I went on Anzac Day, a coincidence of scheduling that stopped feeling like a coincidence the moment I stepped below street level.

It was there that Crete shifted for me. One exhibit framed the question bluntly: did Churchill know that Hitler planned to capture Crete? The answer was not simple, but it was enough to disturb the neatness of the story I had carried.

Churchill War Rooms: image of the question on did Churchill know about Hitlers plans to capture Crete?

British leaders had Ultra-derived warning that Crete was in German sights. Freyberg, commanding Creforce, had intelligence warning of the attack. Yet warning did not become clarity, and clarity did not become safety. The intelligence picture was powerful, but constrained. It could be misread. It could show danger without solving the practical problem of defending an exposed island with tired men, few aircraft and too many assumptions.

Somewhere at the far end of that system was my grandfather.

A map of Operation Merkur, the German airborne invasion of Crete in May 1941.

He did not know about Ultra, but he knew dust, confusion and what it was to fight in a collapsing situation. He knew pain.

This is the moment the story changed shape. Not into an accusation. That would be too easy. Britain was fighting an existential war, and the people in the War Rooms were trying to keep a country alive. But the fact that a decision is necessary does not make it painless. Intelligence can save lives in aggregate while still failing to save the individual man standing in the wrong place at the wrong time.

Strategy can be right and still be paid for by people who never knew the calculation.

The Imperial War Museum brought the story back down from decision to consequence. Honest war museums refuse to let you remain safely at the level of policy. They remind you that every strategic decision eventually arrives somewhere smaller: a hillside, a hospital ship, a telegram, a kitchen table.

War is remembered in speeches, but it is absorbed by families.

My great-grandfather carried one war home; my grandfather carried another. Neither man turned his suffering into speeches. Mid-century New Zealand did not offer men much vocabulary for what they had carried back. You did not unpack your inner life; you swallowed it. You carried it in your habits, your silences and your distance.

That, too, is inheritance.

And the women carried something else. My grandmother lived with what my grandfather could not say. A service file may one day tell me the nature of the wound he suffered; it cannot tell me the tone of voice she used to navigate the silences he brought home. There is no service number for the woman who held the household steady while he held the rest of it inside. That is its own kind of service. It is the part of the story carried forward in what people do not ask each other across kitchen tables.

Italian minefield warning sign, “Chi tocca muore”, whoever touches it dies

One object at the Imperial War Museum stayed with me: an Italian minefield warning sign reading Chi tocca muore, whoever touches it dies. It was meant for a battlefield, but it felt uncomfortably close to family memory too. Some silences are dangerous because they are still live.

In my professional life, the assumption is seductive: if we know more, we can control more. We look for more telemetry, more threat intelligence, more visibility. Bletchley and the War Rooms tell a harder story.

Knowing is not the same as saving.

Sometimes knowledge only reveals the cruelty of the available choices.

Every intelligence system has an edge where abstraction ends. On one side are probabilities and risk assessments. On the other are people who experience the outcome without ever seeing the briefing.

My grandfather lived on that edge. He was not a data point or an entry in a ledger of necessary sacrifice. He was a young man who went to war, was saved by a mate, and came home carrying things he did not explain.

I do not know what he would have made of any of it. Perhaps he would have shrugged; perhaps he would have been angry; perhaps he would have said nothing at all. The dead rarely give us the courtesy of clean answers.

So we make do with fragments. A service number, a wound, a cemetery beside a Cretan bay. A secret kept for strategic advantage and a tattoo on a grandson’s arm.

The questions have not settled. For me, it means being more careful with the word strategy. It means respecting those who carry burdens they cannot disclose, while never forgetting those who carry consequences they did not choose. History is not only made in rooms where decisions are taken; it is also made in the lives of those who absorb them.

Bletchley showed me the secret. The War Rooms showed me the decision. The Imperial War Museum showed me the cost. Crete had already shown me the wound.

And somewhere between them all, my grandfather stopped being only a family story.

He became a man at the far end of the intelligence picture.

A reminder, carried now on his grandson’s arm, that knowing matters, but knowing is never enough.

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

There is a kind of strategic failure that produces no visible signal until it is too late. It looks like progress. It reports well. It generates clean audit findings and improving metrics. And it leaves the organisation materially no safer than when the investment began.

This is not the failure of neglect. Neglect is obvious and correctable. This is the failure of continuous, well-funded effort directed at only half of the problem. Most security programmes are doing the necessary work. Very few are doing sufficient work. The difference between the two is rarely visible in how investment is presented to boards, and almost never made explicit in how risk position is reported to them. The World Economic Forum, whose 2021 Principles for Board Governance of Cyber Risk has become a benchmark for how organisations think about executive accountability, explicitly frames cyber security as a matter of enterprise risk management rather than technical compliance.¹ That framing is right. The problem is that it has not resolved a deeper confusion about what risk, exactly, is being governed.

Cyber risk is not a stable variable. It moves continuously, driven by forces that rarely hold steady simultaneously: adversaries who adapt and scale what works; controls that erode as exceptions accumulate and architecture grows more tangled; and businesses whose own risk profiles shift as they restructure, concentrate value, and deepen dependencies. Even a programme performing well against its own measures can be losing ground to this dynamic. A posture appropriate last year is, by default, slightly less adequate this year. The environment moves. Risk drifts upward. Standing still is not available as a strategic option.

Biologists have a name for this. Leigh Van Valen, writing in 1973, described what became known as the Red Queen hypothesis: the observation that species must keep evolving simply to maintain their relative fitness against co-evolving competitors and parasites.² The name comes from Lewis Carroll’s Through the Looking-Glass, where the Red Queen tells Alice that it takes all the running you can do just to keep in the same place. Van Valen was describing evolutionary arms races, but the logic applies with uncomfortable precision to adversarial environments. Defenders and attackers co-evolve. The effort required to hold a given position grows continuously, because the threat is not static. A security programme that runs at a constant pace in a Red Queen environment fails to hold its position. It is losing ground at the rate the threat is advancing.

This is not a metaphor. It’s a description of observed behaviour. Threat capability has been compressing the average interval between technique development and widespread adversarial adoption for at least a decade. The move from exploit development to commodity tooling, the industrialisation of ransomware as a service, and the acceleration of vulnerability weaponisation, each of these shortens the window in which defenders can respond before a technique becomes standard practice. An organisation investing the same in risk management this year as last is almost certainly losing ground, not holding it. Yet investment proposals rarely account for this. The implicit assumption underpinning most security programme governance, that current effort, properly maintained, will produce stable outcomes over time, is one the evidence does not support.

The core problem, though, lies beneath the arms race dynamic. Governance frameworks rarely distinguish between two categorically different kinds of work.

The first is risk management: the continuous activity required to maintain a position against a moving system. Vulnerability remediation, detection tuning, review of findings, and control maintenance. Necessary and non-negotiable, but conservative in its effect. It holds the line. The second is risk reduction: interventions that change the system itself. Removing an attack path rather than managing around it. Redesigning to reduce blast radius. Breaking a critical dependency before it becomes a point of failure. Designing out a class of vulnerability rather than continuously processing its instances. This is structural change. It alters the terms of the adversary’s problem, not merely the speed of the defender’s response.

These two kinds of work are not simply different in degree. They are different in kind. The boundary between them is not always crisp, some risk management activity, pursued with sustained intent and the right organisational authority, does produce structural change over time. But the distinction matters because these two categories carry different strategic weight, warrant different investment logic, and tell different stories about actual trajectories. An organisation that separates them has a coherent basis for allocating capital. One that does not is likely funding risk management at scale while understating how little structural ground it is actually gaining.

It is also worth noting that structural improvement is not a permanent condition. Architectural change accumulates its own exceptions and complexity over time. A consolidation that genuinely reduces attack surface in year one can generate new dependencies and coverage gaps by year three. A simplification that removes one class of failure can create another form of concentration. Risk reduction is better understood as a time-bound intervention than a durable achievement. This is one reason governance frameworks need to track structural posture as a live indicator rather than as a completed item on a programme list. The WEF principles and the subsequent NACD partner report that elaborated them both emphasise the importance of the board understanding the organisation’s cyber posture in terms of business risk impact.³ That understanding is not possible without a framework that can distinguish between these two categories of work.

Why does the confusion persist? The answer is partly a measurement failure and partly an incentive problem, and the two reinforce each other in ways worth examining.

Activity is visible and auditable; progress is an inference from it. Boards can track programmes, count closures, and review dashboards. The alternative interpretation, that the programme is running to stand still, is uncomfortable and hard to surface through standard governance mechanisms. But the incentive problem runs deeper. The full ecosystem of board, executive, security leadership, and vendor rewards delivery: clear milestones, improving metrics, programmes that are well-governed and on schedule. It does not reward the harder and more disruptive work of removing dependency, simplifying architecture, or absorbing near-term operational pain for long-term structural improvement.

This is not a failure of competence. It is a rational response to how performance is measured and rewarded. Hans Jonas, whose moral philosophy of technology remains one of the more demanding frameworks for contemplating responsibility under uncertainty, argued that the scale and complexity of modern technological systems creates an obligation to attend to long-range consequences that are inherently difficult to perceive in the immediate term. His concept of the “imperative of responsibility” is directed at actors whose decisions shape systems in ways that outlast their tenure. The board member approving a security programme measured entirely by near-term delivery metrics is doing exactly what Jonas warned against: optimising for what is visible and tractable while discounting what is diffuse and structural. This is not malice. It is the predictable result of governance frameworks calibrated to motion rather than to direction.

Vendors operate within the same logic. Structural change that reduces the need for ongoing intervention is, in purely commercial terms, less attractive than managed, recurring activity. Capital flows toward what can be shown, and what can be shown is motion. The security industry’s business model has a structural preference for risk management over risk reduction, because the former creates durable revenue streams and the latter threatens them.

This produces a pattern that is consistently visible in incident post-mortems. Organisations that have lived through a serious breach frequently saw their programme metrics improving beforehand. Backlogs were shrinking. Detection had been uplifted. Governance was functioning. The post-mortem accounts of major incidents, whether the sustained intrusions at organisations with mature security programmes or the ransomware events that have paralysed health systems and infrastructure operators with security investments, reveal the same structural signature: well-managed programmes that nonetheless failed to address the architectural conditions that made catastrophic impact possible.⁴ The metrics were not lying, exactly. They were measuring the wrong thing: how well the organisation was managing its position, not how well that position would hold under real adversarial pressure.

One question makes the situation legible. For any material security investment, does this reduce risk, or does it stop risk from getting worse? Both categories of work are necessary. But they carry different strategic weight, speak differently to a board’s risk appetite, and require different governance. Blurring them produces a narrative calibrated to motion rather than to direction. It also produces portfolios heavily weighted toward running, and lightly weighted toward changing the terrain.

The UK government’s 2025 mapping of its cyber governance code to the WEF principles is instructive here.⁵ The mapping is careful and technically competent. But it reproduces the same gap: it tells organisations how to govern what they are already doing rather than how to interrogate whether what they are doing is sufficient against the threat they actually face. Governance sophistication is not the same as strategic clarity about the nature of the problem being governed.

The required move is not to stop managing risk. That is the floor, not the ambition. The discipline of being explicit in investment decisions and programme reporting changes how organisations understand which kind of work is being funded. How much holds the line? How much actually shifts exposure? Where are structural bets placed consciously, and where is effort being absorbed into programme delivery and labelled as progress?

A board that cannot answer these questions does not have a clear picture of its risk position. It has a picture of its programme performance, which is different and considerably less useful. A security function that cannot articulate the distinction lacks the ability to make the case for structural investment, because it has no language that separates the work that changes the game from the work that merely keeps it going.

Running hard is not the same as moving forward. The Red Queen dynamic means that standing still requires effort, but effort does not guarantee standing still. Most organisations are not failing because of neglect. They are working, spending, and delivering against a system that is advancing at roughly the same pace. The question governance rarely forces is whether all that effort is actually changing anything, or merely sustaining a position that everyone has agreed, for understandable reasons, to describe as progress. Boards that cannot distinguish between these two things are not governing cyber risk. They are governing the appearance of it.

Notes

1. World Economic Forum, Principles for Board Governance of Cyber Risk (Geneva: WEF, 2021). See also Chris Krebs et al., “Principles for Board Governance of Cyber Risk,” Harvard Law School Forum on Corporate Governance, 9 June 2021

2. Leigh Van Valen, “A New Evolutionary Law,” Evolutionary Theory 1 (1973): 1-30. For an accessible account of the Red Queen hypothesis and its extension beyond biology, see Wikipedia, “Red Queen hypothesis,” accessed 2026.

3. National Association of Corporate Directors (NACD), Principles for Board Governance of Cyber Risk (NACD/WEF partner research report, 2023). The report elaborates the WEF principles with particular attention to how boards should receive and interrogate risk reporting from management.

4. Hans Jonas, The Imperative of Responsibility: In Search of an Ethics for the Technological Age (Chicago: University of Chicago Press, 1984). Jonas’s central argument, that technological power creates an obligation to anticipate and prevent harm at scales and timescales previously beyond individual moral consideration, is summarised in the secondary literature; see “Hans Jonas: Ethics, Technology, and the Responsibility of the Future,” Philosophy World Democracy (2025), and the Philosophia overview of Jonas’s framework (2017).

5. UK Government, “Mapping cyber governance code to WEF Principles for Board Governance of Cyber Risk” (2025). The document is a useful reference for organisations seeking to align their governance frameworks to the WEF principles, but it addresses procedural alignment rather than the substantive question of whether the underlying investment logic is adequate.

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

In July 2025, Singapore’s Coordinating Minister for National Security, K. Shanmugam, stood up at the Cyber Security Agency’s tenth anniversary dinner and did something Singapore had never done before. He named a threat actor - UNC3886, a China-nexus APT tracked by Mandiant, and said it was going after the country’s critical infrastructure. He didn’t say “China”. But he didn’t need to. Anyone literate in threat intelligence knew exactly what he was saying.

By February 2026, Singapore confirmed UNC3886 had compromised all four of its major telecommunications providers using zero-day exploits, rootkits, and persistent access mechanisms designed to survive detection. Operation Cyber Guardian was deployed to contain it. No customer data was exfiltrated. No services were disrupted. But the access was real, and it had been there for a long time.

That disclosure is worth studying, not because of what Singapore said, but because of what it reveals about how cyber statecraft actually works once the rhetoric is stripped away. We talk about “cyberwar” as if it’s a thing you can win, or deter, or end, but it isn’t.

Instead, what we are dealing with is something far more mundane and exhausting: industrialised state cyber operations. Persistent access, long dwell times and human operators grinding away quietly in the background. No climactic battles, just attrition.

That matters, because it changes what strategy even means.

Here, strategy is not about demonstrating resolve or setting boundaries. It’s about deciding what you’re willing to live with, and what you’re prepared to make expensive for the other side, knowing full well you’ll pay a price too.

For years, public attribution was largely a practice-driven by the US and its vendors, and adopted within the Five Eyes. Beyond that perimeter, most states avoided it entirely. A values exercise and something you did if you could afford the politics. Safer to stay quiet. That logic is breaking. Not because anyone suddenly got braver, but because silence stopped being cheap.

A quick note on lens

I don’t approach this from the perspective of a single country. I lived in Singapore for fourteen years, I’m married to a Chinese woman, and I’ve worked inside American and British companies; now I sit in Australia in a global role. That doesn’t make me neutral. It makes me allergic to single-lens explanations.

Cyber posture looks very different depending on where you sit — politically, economically, and culturally. So this isn’t a Western argument or an Eastern one. It’s a practical one.

When the grey zone stops being permissive

The “grey zone” once sounded attractive. Low cost. High deniability. Plenty of room to manoeuvre. That worked when operations were smaller and slower. At scale, silence becomes a subsidy.

If an actor sits quietly in your network today, they’re not just stealing information. They’re banking advantage. Mapping dependencies. Improving tradecraft. Preserving options. All without friction. UNC3886 had been active since at least 2021, quietly exploiting zero-days in firewalls and hypervisors using living‑off‑the‑land techniques designed to blend into normal operations, that is, repurposing legitimate admin tools so malicious activity looks like normal system behaviour. Volt Typhoon followed a similar pattern across US critical infrastructure, energy, water, transport, and telecoms, with dwell times stretching into years.

These are not smash-and-grab operations. They are slow, deliberate programmes of strategic pre-positioning. That’s the part people still underplay.

So when you hear terms like “active defence” or “defend forward”, don’t picture cyber punch-ups. What’s actually happening is terrain shaping, making persistence less comfortable, less clean, and less predictable.

The goal is still to make intrusion hard, reducing probability matters, not least because every breach, even one that never becomes operationally disruptive, imposes its own response tax. Teams spin up. Regulators expect notification. Resources shift from forward work to forensic work. And upon discovery, you rarely know how big is big, scoping a compromise can take weeks or months, during which the organisation is burning capacity on a question it can’t yet answer. So prevention earns its keep. But the strategic point is different: for actors operating at this level, some access will be achieved. The goal is to make that access unrewarding, to deny the conditions under which persistence compounds into strategic advantage.

This is one of the ways digital bifurcation becomes self-reinforcing, what I’ve previously described as one of the Five Forces reshaping the geopolitical cyber order. Each exposure hardens the boundary between trusted and untrusted infrastructure. Every burned operation widens the gap between allied and adversarial digital ecosystems. The retooling tax doesn’t just impose cost, it accelerates structural separation in the digital order.

The retooling tax (and why it’s misunderstood)

Public exposure is still dismissed as “naming and shaming”. That’s a lazy read. In a persistence model, attribution isn’t about morality. It’s about forcing work.

Once an operation becomes legible, infrastructure gets burned. Tooling is shelved. Access paths collapse. People have to rebuild things they thought were settled. Oversight tightens, tempo drops and mistakes creep in and that’s the retooling tax.

The point isn’t to end persistence. It’s to break the conditions that let persistence compound unchecked.

Inside the adversary’s system, exposure triggers internal review. Resources shift from expansion to damage assessment. The incentives temporarily shift from risk-taking to caution. For programmes built on patience, that friction matters.

But here’s the uncomfortable part: capable adversaries plan for this. At scale, they amortise the cost. Modular tooling. Redundant infrastructure. Parallel accesses. Burning one campaign becomes maintenance, not defeat. The i-Soon leaks in February 2024 confirmed what many suspected — industrial depth matters.

The retooling tax falls unevenly. It genuinely disrupts mid-tier operators. For top-tier actors, it can prune the field and concentrate persistent access among those best equipped to sustain it, so no, this doesn’t stop them.

What it does is change the economics. Persistence still exists, but it becomes slower, noisier, and less reliable. Over time, that compounds.

Transparency is not free — it’s finite

This is where many defenders get sloppy. Disclosure isn’t binary. It’s not silence versus exposure and it’s a finite resource.

Every time you go public, you teach the other side something: what you can see, what you care about, where your telemetry is strong, and where it isn’t. A serious opponent studies your disclosures the same way you study their campaigns.

They don’t fear noise. They curate it. False flags. Proxies. Cheap tooling is combined with bespoke access. The aim is simple: raise attribution costs and weaken confidence.

What complicates this further is that states no longer fully control disclosure timing. Vendor reports now drive much of public attribution, sometimes aligned with government objectives, sometimes not. Commercial incentives often lack a clear alignment with operational discipline, potentially leading to premature disclosure of sensitive information.

Yes, noise can deny permissiveness, but unmanaged noise degrades the signal. Transparency without discipline isn’t bold. It’s counter‑productive.

The cost you pay at home

None of this comes for free. Once something goes public, it stops being a technical problem and becomes a political one. Attention spikes. Media flattens nuance. Ministers want certainty that doesn’t exist.

Security teams lose room to manoeuvre. Bureaucracies react to headlines rather than evidence. Over time, the public either panics or tunes out—and institutions themselves can habituate to noise, dulling response when it actually matters.

This friction isn’t a side effect; it’s the price of admission and only states with strong institutional discipline can absorb that pressure without turning disclosure into theatre. Many can’t. For them, visibility creates more risk than it removes.

Singapore, as an example – not a template

Singapore’s handling of UNC3886 is instructive precisely because of what it didn’t do.

Minister Shanmugam named the threat actor cluster—a Mandiant designation—without saying “China”. The exposure was technical, bounded, and calm. No chest-thumping. No moralising. There was no attempt to publicly corner anyone.

Beijing’s response was equally calibrated. The Chinese Embassy expressed “strong dissatisfaction” via local media while avoiding direct escalation. The unspoken rules of exchange were honoured.

Seen through a Sun Zi lens, the objective was never deterrence of China. It was preservation of operating space under constraint—denying permissive terrain without forcing escalation.

It works because Singapore understands its constraints: economic exposure, regional dynamics, and the need for institutional cohesion. It also quietly reassures investors, insurers, and critical service providers that persistent access is being managed competently rather than denied until failure forces the issue.

When attempted without those conditions, the same approach leads to noise, panic, and poor decisions.

Who this actually works for

This approach isn’t universal. It favours states with strong legal authority, high trust in institutions, and the ability to tolerate ambiguity. It disadvantages those with fragile politics, exposed economies, or a taste for moral theatre.

There’s a further complication. Most corporate risk frameworks are calibrated for criminal operators—ransomware, data theft, business interruption—because those threats produce quantifiable losses that fit neatly into a risk register. The state persistence model described here requires a fundamentally different posture: patience over speed, managed coexistence over rapid eviction, and strategic disclosure over reflexive transparency. Holding both models simultaneously is genuinely difficult, and the insurance and loss-quantification ecosystem keeps pulling boards towards the criminal lens at the expense of the strategic one. That tension doesn’t resolve. It has to be managed.

There are also real tail risks. Get attribution wrong and credibility evaporates, not just for the attributing state, but for the coalitions that rely on shared confidence. Push too hard and partners fracture. Make everything public and intrusion becomes background radiation.

This isn’t deterrence by punishment. It’s attrition by design and attrition always cuts both ways.

The realist corrective: endurance as strategy

We still look for decisive moments. Cyber doesn’t offer them.

As Cyber Persistence Theory makes clear, there is no final victory here, only a continuous contest for initiative. By choosing to make the silence noisy, states are acknowledging that the grey zone is no longer a place of comfort but a frontline of industrialised attrition.

The retooling tax isn’t a win. It’s a maintenance fee, the price paid to ensure that while adversaries remain persistent, they never remain comfortable.

Silence is no longer cheap. The question now is how deliberately we choose to spend it.

References & Further Reading

Singapore’s UNC3886 Attribution

• K. Shanmugam, “CSA 10th Anniversary Dinner — The Next 10 Years: Securing Our Cyberspace and Digital Future,” Ministry of Home Affairs Singapore, 18 July 2025. https://www.mha.gov.sg/mediaroom/speeches/csa-10th-anniversary-dinner-the-next-10-years-securing-our-cyberspace-and-digital-future

• Cyber Security Agency of Singapore, Singapore Cyber Landscape 2024/2025, September 2025. https://www.csa.gov.sg/resources/publications/singapore-cyber-landscape-2024-2025/

• BleepingComputer, “Chinese Cyberspies Breach Singapore’s Four Largest Telcos,” February 2026. https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breach-singapores-four-largest-telcos/

• Louise Marie Hurel, “What Singapore’s First Public Cyber Attribution Tells Us,” Royal United Services Institute, 30 July 2025. https://www.rusi.org/explore-our-research/publications/commentary/what-singapores-first-public-cyber-attribution-tells-us

Volt Typhoon & PRC Cyber Pre-Positioning

• CISA, NSA & FBI, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” Joint Cybersecurity Advisory AA24-038A, February 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a

• Ciaran Martin, “Typhoons in Cyberspace,” Royal United Services Institute, 2025. https://www.rusi.org/explore-our-research/publications/commentary/typhoons-cyberspace

• Mandiant, “Cloaked and Covert: Uncovering UNC3886 Espionage Operations,” Google Threat Intelligence, 2023. https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations

i-Soon Leaks

• Associated Press, “Leaked Files from Chinese Firm Show Vast International Hacking Effort,” February 2024. https://apnews.com/article/china-cybersecurity-leak-isoon

Cyber Persistence Theory & Strategic Literature

• Michael P. Fischerkeller, Emily O. Goldman & Richard J. Harknett, Cyber Persistence Theory: Redefining National Security in Cyberspace, Oxford University Press, 2022.

• Jon R. Lindsay, Age of Deception: Intelligence Warfare in the 21st Century, Oxford University Press, 2025.

Attribution as Statecraft

• Florian Egloff & Max Smeets, “Publicly Attributing Cyber Attacks: A Framework,” Journal of Strategic Studies, 2022.

• Herb Lin, “Attribution of Malicious Cyber Incidents: From Soup to Nuts,” Journal of International Affairs, Columbia University, 2016.

Sun Zi & Calculated Restraint

• Sun Tzu, The Art of War, translated by Roger Ames, Ballantine Books, 1993. (Ames translation recommended for its emphasis on strategic context over aphorism.)

For more on the distinction between strategy and activity in cyber, see Cyber Strategy Is Not Activity.

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

Cybersecurity is routinely performed under the guise of strategy, yet it is almost universally practised as a form of high-stakes reactivity. This is not for a lack of intelligence or intent among leadership; rather, it is the predictable outcome of a discipline that matured in the frantic crucible of technical virtuosity and immediate crisis. In an environment that rewards the visible heroics of incident response and the quantifiable progress of audit evidence, the quiet, analytical demands of strategy can feel dangerously like hesitation.

True strategy, however, demands precisely that: a form of disciplined restraint. It is the uncomfortable realisation that the most effective leaders are defined not by the fires they extinguish, but by the fires they choose to let burn. The classical strategists understood this tension as a fundamental law of conflict. Sun Tzu’s observation that victory is decided before the first banner is raised was not a mystical claim but a pragmatic one: it is an acknowledgement that conditions, not effort, dictate outcomes. Centuries later, Richard Rumelt would sharpen this into a modern axiom: strategy is a clear diagnosis of the real problem, followed by a coherent set of actions designed to overcome it. In the cyber realm, we have greedily absorbed the language of these thinkers while largely ignoring their required discipline.

When Security Becomes the Objective

The most consequential mistake currently sitting at the heart of the corporate cyber programme is the belief that “security” is the goal. It is not. Security is merely a means to an end—the end being the organisation’s continued ability to pursue growth, reliability, and innovation within a digital environment that remains stubbornly hostile. A cyber strategy that cannot articulate what it is protecting, and more importantly why, is not a strategy at all; it is an aspiration dressed up in the expensive livery of technical intent.

Sun Tzu’s relevance here is not in the “art of war”, but in the “art of the asymmetric”. His focus was on shaping conditions so that conflict, should it arrive, was cheap and manageable. When applied to the modern enterprise, this means deciding—explicitly and unapologetically—where resilience matters most, where friction is an acceptable cost of doing business, and where loss is simply a tolerable reality of operating in the 21st century. These decisions are inherently uncomfortable because they necessitate trade-offs, and trade-offs require the one thing most cyber functions lack: the organisational permission to say “no”.

The Three Layers of Perception

Cyber conversations often collapse into a circular, exhausted logic because we fail to distinguish between strategy, operations, and tactics. Strategy in this context lives at the friction point between business intent and digital risk. It is rarely a technical discussion. Instead, it asks the questions that make people shift in their chairs: Which business processes are existential? Where does the speed of the market outweigh the necessity of control? A serious strategy might conclude that the rapid recovery of a customer-facing platform is more vital than preventing the intrusion itself. These are not “control” decisions; they are orientation decisions, and they dictate the entire trajectory of the firm’s defence.

Operations is the layer where this intent either becomes reality or dissolves into noise. It is the discipline of sequencing and endurance. It recognises that Clausewitz’s “friction”—the inevitable fog and fatigue of execution—destroys more plans than any adversary ever will. A cyber function that pivots weekly between new initiatives based on the latest headline isn’t being “agile”; it is simply drifting.

Tactics, meanwhile, are the most seductive part of the craft. Incident response, red teaming, and vulnerability triage are visible, skill-intensive, and feel decisively productive. They are also entirely local and transient. Tactical excellence can, and often does, coexist with strategic failure. Many organisations respond with surgical precision to incidents while remaining fundamentally exposed to the same underlying forms of loss, year after year. To borrow from the Stoics, it is the difference between being a skilled rower and actually knowing which way the current is moving.

A Lived Example: The Courage of Bounded Risk

A few years ago (in a prior role), following a high-quality red team exercise, we were presented with findings that were as well-evidenced as they were uncomfortable. The natural institutional instinct was to close every gap and uplift every control immediately. On a dashboard, this would have looked like responsible management. In reality, it would have cannibalised the engineering capacity of a revenue-critical platform that had nothing to do with the exercise but everything to do with a vitally important business unit’s market strategy.

The strategic question was not whether the findings were valid—they were. The question was: What loss actually matters most to the business over the next eighteen months? The answer was not “improving a maturity score” but ensuring the continuity of the revenue engine. We made the counterintuitive decision to accept certain risks as “bounded” and redirected our limited capital towards recovery capability and identity controls that reduced the blast radius across the entire estate. There was nothing heroic about the decision, and it made for a particularly dull board report, but it aligned our effort with reality. That is what strategy looks like in practice: it is quiet, often misunderstood, and profoundly boring to those who crave tactical drama.

There is a further, often unspoken force shaping cyber strategy: regulation itself. Regardless of whether a particular standard, circular, or supervisory focus reflects an organisation’s internal risk assessment, the moment a regulator asks a question, it reshapes the terrain. Attention must be paid. Resources must be allocated. Sequencing must change. This is not necessarily misalignment; it is a fact of operating in a regulated space, where fear, reputation, and institutional self-preservation exert their own quiet gravity. Sun Tzu would recognise this immediately. Terrain does not need to be fair to be decisive. The strategic failure is not acknowledging its impact but allowing externally imposed obligations to crowd out deliberate choice about what actually matters most.

Thucydides, writing of Athens and Sparta, reminds us that even the most rational actors are ultimately driven by fear, honour, and interest—a triad that still governs how boards, regulators, and executives respond to cyber risk under pressure.

The Board-Level Postscript

For those at the executive level, the distinction between these layers is the difference between governance and interference. A mature cyber function should not be judged by the absence of issues but by the presence of clear, calm, and coherent decision-making under constraint.

When the board asks, “Are we secure?”, they are asking a tactical question that invites a defensive answer. The more sophisticated enquiry—the one that drives real value—is: “Are we managing digital risk in a way that supports our risk appetite and business objectives?” This requires clarity on three things:

1. Materiality: Which systems would cause genuine, material harm if lost? If everything is a priority, nothing is.

2. Explicit Trade-offs: Every control introduces friction. We must be honest about where we are choosing speed over security and why that choice is justified.

3. Trajectory over Activity: Metrics should indicate whether we are becoming more resilient to the losses that matter, not just how many “activities” we performed this quarter.

If cybersecurity is to mature as a business discipline, it must reclaim its classical lineage. We do not need louder dashboards or faster responses; we need clearer thinking about what matters and the discipline to leave the rest behind. This kind of thinking is slower; it does not reward short attention spans, and in an era of digital volatility, that is precisely why it is our only real competitive advantage.

Further Reading: Strategic Lineage, Not Cyber Canon

The argument in this piece does not originate in cybersecurity. It draws instead from a longer tradition of strategic thought concerned with power, constraint, uncertainty, and human behaviour under pressure. For readers who wish to explore that lineage more deeply, the following works are particularly instructive.

They are not recommended as military texts but as guides to judgement in complex, regulated, and adversarial environments.

The Art of War (孙子兵法 / Sun Zi Bing Fa)
Sun Zi’s enduring relevance lies not in tactics, but in orientation. His central insight is that outcomes are shaped less by effort than by conditions: terrain, timing, asymmetry, and perception. In modern organisational terms, this translates to understanding which constraints matter, which risks can be shaped rather than eliminated, and where indirect advantage is preferable to direct confrontation.
For accessibility and modern context, Anthony Cummins’ interpretation is particularly readable. For those interested in fidelity and nuance, bilingual editions with side-by-side Chinese and English text offer valuable insight into Sun Zi’s emphasis on judgement over prescription.

On War – Carl von Clausewitz
Clausewitz is often misunderstood as a theorist of violence rather than a philosopher of constraint. His concepts of friction, fog, and the subordination of action to political purpose are directly applicable to contemporary organisations operating under regulatory pressure, resource scarcity, and imperfect information. His work explains why well-intentioned plans fail in execution and why coherence matters more than precision. On War rewards slow reading and resists simplification, much like the environments it describes.

Good Strategy Bad Strategy – Richard Rumelt
Rumelt provides a modern, unsentimental articulation of strategy stripped of mystique. His framing of strategy as diagnosis, guiding policy, and coherent action is especially relevant to cyber and governance contexts, where activity often substitutes for thought. This work is invaluable for distinguishing genuine strategy from ambition, slogans, or accumulated effort. For boards and executives, it offers a practical language for challenging “busy” programmes that lack a clear theory of value.

The Prince – Niccolò Machiavelli
Machiavelli is best read not as a moral provocateur, but as a realist observer of power, legitimacy, and institutional survival. His insights into appearance, authority, and the gap between intent and outcome remain highly relevant to executives navigating stakeholder expectations, regulatory scrutiny, and reputational risk. Where Sun Zi focuses on terrain, Machiavelli reminds us that perception itself is terrain, and that leaders are often judged less by outcomes than by how their decisions are understood.

History of the Peloponnesian War – Thucydides
Thucydides offers perhaps the clearest account of how rational actors behave under pressure. His framing of decision-making as a tension between fear, honour, and interest explains why organisations frequently act against their own stated preferences during crises. For boards and regulators confronting cyber risk, this work is particularly illuminating. It should be read not as military history, but as a study of governance, escalation, and institutional behaviour in conditions of uncertainty.

Taken together, these texts converge on a single insight: strategy is not the accumulation of activity, but the disciplined management of power and constraint. They remind us that the hardest part of leadership is rarely execution itself, but deciding what is worth executing, in what order, and at what cost.

That challenge has not changed in two millennia. Only the terrain has.

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

Author’s Note: Geography dictates perspective. Viewed from Washington, the Indo-Pacific is a priority theatre. Viewed from where I sit in Australia, it is simply the neighbourhood. I am writing this analysis from Melbourne – the southern anchor of the Indo-Pacific – looking north. This is not a critique of American strategy but an assessment of what that strategy means for those of us living in its new architecture.

Executive Summary

• The Shift: The 2025 National Security Strategy (NSS) signals a structural move from global policing to “Hemispheric Consolidation”.

• The Metric: Industrial capacity and digital sovereignty have replaced soft power as the primary measures of national interest.

• The Action: For Australian executives, “efficiency” (Just-in-Time) must be replaced by “survivability” (resilience) in supply chains and digital architecture.

Most commentary on the 2025 U.S. National Security Strategy repeats the same shallow refrains: “America First”, “protectionism”, and “isolationism”.

That’s theatre.

The real shift is structural: the United States has ended its post–Cold War role as global guardian and is reorganising its power for a world it no longer believes it can manage.

Washington is not withdrawing. It is reprioritising, and the order of priorities is now explicit:

1. Hemispheric Pre-eminence

2. Industrial and Digital Sovereignty

3. Selective Indo-Pacific Competition

4. Conditional Support to Europe

Everything else is optional.

For Australia and the broader Asia-Pacific, this isn’t a political debate. It’s the new strategic terrain.

The US National Security Strategy can be downloaded from the Whitehouse website: https://www.whitehouse.gov/wp-content/uploads/2025/12/2025-National-Security-Strategy.pdf

What the NSS Actually Says

The document is clearer than most analysts seem comfortable admitting.

1. The Western Hemisphere becomes non-negotiable

“After years of neglect, the United States will reassert and enforce the Monroe Doctrine to restore American preeminence in the Western Hemisphere... This ‘Trump Corollary’ to the Monroe Doctrine is a common-sense and potent restoration of American power and priorities, consistent with American security interests.” (p. 15)

Preeminence. The NSS uses this term for no other region. The Western Hemisphere gets “pre-eminence.” The Indo-Pacific gets “compete successfully”. Europe gets questioned on whether it will remain “reliable”.”

This is the one region where Washington insists on primacy rather than partnership.

2. Europe is downgraded from pillar to problem

“Should present trends continue, the continent will be unrecognizable in 20 years or less. As such, it is far from obvious whether certain European countries will have economies and militaries strong enough to remain reliable allies.” (p. 25)

The burden-shifting is equally direct:

“The days of the United States propping up the entire world order like Atlas are over. We count among our many allies and partners dozens of wealthy, sophisticated nations that must assume primary responsibility for their regions.” (p. 12)

This isn’t a Trump flourish. It’s a strategic judgement about declining European capability.

3. Industrial and digital sovereignty are the new foundations of power

“We want the world’s most robust industrial base. American national power depends on a strong industrial sector capable of meeting both peacetime and wartime production demands... Cultivating American industrial strength must become the highest priority of national economic policy.” (p. 4)

Not a priority. The highest priority.

Digital infrastructure appears throughout the document not as a tech issue but as a geopolitical instrument:

“We should... harden existing and future cyber communications networks that take full advantage of American encryption and security potential.” (p. 18-19)

“The U.S. Government’s critical relationships with the American private sector help maintain surveillance of persistent threats to U.S. networks, including critical infrastructure. This in turn enables the U.S. Government’s ability to conduct real-time discovery, attribution, and response (i.e., network defense and offensive cyber operations) while protecting the competitiveness of the U.S. economy.” (p. 21-22)

Notice the framing: network defence enables economic competitiveness, which enables sustained deterrence.

The Intelligence Community is explicitly tasked to “monitor key supply chains and technological advances around the world to ensure we understand and mitigate vulnerabilities and threats to American security and prosperity.” (p. 13)

This is the core insight: geopolitical autonomy now depends on digital and industrial control.

You cannot deter if you cannot produce.

You cannot compete if your networks leak.

You cannot act if your supply chain is captured.

4. Cyber is not a domain — it is the glue

The NSS treats cyber operations as the connective tissue between economic competitiveness, industrial capacity, and strategic deterrence.

Conventional cybersecurity discourse treats these as separate concerns—industrial policy over here, network defence over there, supply chain risk as a third bucket. The NSS reveals they’re the same constraint operating at different scales.

Three Futures the NSS Actually Points To

Applying a structural realist lens—incentives, constraints, capability, bureaucracy, digital infrastructure—the document logically resolves into three plausible futures.

I. Fortress Hemisphere, Forward Asia

This is the NSS executed faithfully.

U.S. dominance in the Americas is secured through port control, telecom control, energy control, and digital-network hardening. The “Trump Corollary” becomes operational: non-hemispheric competitors are systematically denied the ability to “position forces or other threatening capabilities, or to own or control strategically vital assets, in our Hemisphere.” (p. 15)

Reindustrialisation is treated not as policy, but as strategy. In the Indo-Pacific, the American posture shifts from patrol to denial. The NSS frames this as building “a military capable of denying aggression anywhere in the First Island Chain” while pressing allies to “allow the U.S. military greater access to their ports and other facilities, to spend more on their own defense, and most importantly to invest in capabilities aimed at deterring aggression.” (p. 24)

The goal is not “stability”—it is to deny adversaries the strategic space to coerce.

Allies are explicitly told to spend more, carry more, and integrate more. The Hague Commitment—requiring NATO countries to spend 5% of GDP on defence—signals the expectation level. This is not abandonment—it’s burden reallocation.

• Implications for Australia: Alignment strengthens deterrence but raises cost: critical minerals pressure, cyber and intelligence integration, export-control alignment, increased operational expectations. The risk is volatility, not withdrawal. If U.S. politics fracture, the machinery of this strategy can stall.

II. The Splintered West

If Europe reads the NSS assessment—that the continent “will be unrecognizable in 20 years”—as abandonment rather than challenge, it accelerates toward uneven strategic autonomy.

The NSS acknowledges this possibility by noting that “many of these nations are currently doubling down on their present path” of regulatory suffocation and declining competitiveness.

Beijing fills the economic and infrastructure vacuum. Moscow expands grey-zone operations. Regulatory divergence fractures the coherence of the Western alliance. This isn’t ideological — it’s structural entropy.

• Implications for Australia: This is the most dangerous world for Canberra. U.S. dependence becomes absolute. Regulatory incoherence forces technical and architectural lock-ins. Fragmented threat models mean misaligned cyber thresholds and inconsistent crisis responses. This is how geopolitical constraints become technical constraints—you can’t fix cyber risk when the geopolitical layer determines which vendors, standards, and architectures are even available.

III. Transactional Balance

A tense, workable equilibrium.

The U.S. holds the hemisphere. China competes without risking war. Europe muddles through a semi-autonomous middle posture. The NSS envisions this when it states: “If America remains on a growth path... we should be headed from our present $30 trillion economy in 2025 to $40 trillion in the 2030s.” (p. 20)

Tech decoupling slows into “managed divergence.” Supply chains diversify rather than relocate entirely. The document’s call to “re-secure our own independent and reliable access” becomes operational through friendshoring, not full reshoring.

Cyber becomes the pressure valve: espionage as constant background radiation, coercive signalling when needed, but no state willing to trigger systemic escalation.

• Implications for Australia: This is the “permanent turbulence” scenario. Efficiency gives way to optionality. Boards must design for resilience, not optimisation: multi-cloud, multi-stack architectures; diversified supply chains; sovereign intelligence and cyber capability; and capital flexibility. Shocks aren’t anomalies in this future—they’re the operating climate. Planning assumes volatility, not stability returning.

The Australian Imperative: Trust Requires Resilience

Across all futures, the prescription is identical.

1. Capability over symbolism

Deterrence is missiles, sensors, cyber persistence, and industrial output. Not procurement theatre promising submarines in 2045. The NSS is explicit: “A strong, capable military cannot exist without a strong, capable defense industrial base.” (p. 14)

2. Digital and industrial sovereignty are national-security functions

You don’t control risk when adversaries control your infrastructure. You don’t have autonomy if your supply chain lives offshore.

When the U.S. demands that allies “align their export controls with ours,” it’s identifying the mechanism of constraint. Digital infrastructure that runs through adversary-controlled nodes isn’t a risk to be managed—it’s a structural dependency that limits sovereign action.

3. Hedging is discipline, not indecision

Middle powers survive by keeping options open, not by betting the country on a single technology stack or alliance assumption. As the U.S. reprioritises (hemisphere first, selective Indo-Pacific engagement), as China adapts its strategy, and as Europe drifts, locking into a single market, technology stack, or alliance narrative becomes dangerous.

The Realist Corrective

Whether one approves of Washington is irrelevant.

The NSS reflects the real American condition: the U.S. will still lead, but only where leading aligns with its hierarchy of interests.

The document is explicit about this shift, acknowledging that “American strategies since the end of the Cold War have fallen short” because elites “badly miscalculated America’s willingness to shoulder forever global burdens.” (p. 1)

For Australia, the consequence is decisive: we can no longer plan around what America promises—only around what America prioritises.

And what America prioritises, per the NSS, is in this order:

1. “Preeminence in the Western Hemisphere”

2. “Halt and reverse the ongoing damage... to the American economy”

3. “Support our allies”

This matters for security leaders because you cannot build digital trust on fragile geopolitical foundations. When the NSS positions the industrial base as “the highest priority of national economic policy” and network defence as a prerequisite for “protecting the competitiveness of the U.S. economy,” it reveals the causal chain:

Geopolitics → Industrial Capacity → Digital Infrastructure → Strategic Autonomy

When any link in this chain breaks—geopolitical fragmentation, industrial dependencies, compromised digital infrastructure—strategic autonomy collapses.

The NSS makes explicit what cyber discourse usually ignores: you cannot secure what you do not control, and you cannot control what you do not build.

The NSS lays out those priorities with unusual clarity. Ignoring them would be a strategic error we may not get to make twice.

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

I have been travelling to China for more than twenty years and studied its cyber policy during my master’s degree. I am also married into a Chinese family, which means many of my geopolitical debates take place at the dinner table. None of this makes me an oracle, but it does mean I try to see China as it actually functions rather than as Western narratives prefer to imagine it. Our biggest analytical failure is not that we underestimate China or overestimate it. The real issue is that we rely on the wrong model entirely.

“Same reality. Different measurements. Wrong models.”

A Note on Analytical Stance

Explaining how China works is not the same as endorsing it. Understanding strategic logic is not agreement with policy outcomes. If the model is wrong, the strategy that flows from it will be wrong as well. What follows is an attempt to replace rhetoric with a clearer view of interests, incentives and capabilities. The West keeps misreading China for one reason: we treat a fragmented, adaptive system as if it were either omnipotent or terminally weak. It is neither.

The Capability and Perception Gap

Commentary in the West often swings between two equally misleading caricatures. In one direction China is cast as a master planner with perfect coordination and unlimited ambition. In the other it is described as a brittle autocracy that is one shock away from collapse. Neither view survives even basic scrutiny.

China’s system can deliver world-class capability while producing world-class blunders on the same day. Capacity is enormous. Competence is uneven. That distinction is the blind spot in most Western analysis. Anyone who has worked inside a complex institution will recognise the pattern. If we want more effective strategy in Australia, the United States or anywhere else navigating this landscape, we need a model that reflects how the system actually works. At the moment we are measuring the wrong thing.

Why This Matters for Cyber

Western threat modelling often exaggerates China’s internal coordination and underestimates the degree of fragmentation inside the system. This creates two predictable errors. We prepare for centralised campaigns that never appear and we underprepare for persistent and opportunistic activity that does.

Some intelligence teams have already adjusted to this reality, but it has not yet shaped the wider strategic conversation. If you imagine a perfectly unified adversary, you will misread both strengths and vulnerabilities. In cyberspace those misreads come with real consequences.

Western cyber frameworks still assume a level of central coordination that rarely exists. Much of China’s cyber activity looks less like a grand campaign and more like hundreds of operational units pursuing overlapping mandates with uneven skill and intermittent direction. Some act on strategic guidance, others on bureaucratic incentives or local opportunity. If you model this as a single adversary with perfect alignment, you’ll misread both tempo and intent — and your defences will be postured for the wrong fight.

1. China’s Stability and the Performance Mandate

China’s stability is not the product of fear alone. The Party has a performance mandate and for four decades it has delivered enough to maintain broad support. When performance falters the system feels it. The Great Leap Forward, the Cultural Revolution and the sudden reversal of Zero COVID remain reminders of what happens when the mandate breaks. The Party governs with these lessons in view.

Life expectancy has risen from the low forties in the early years of the People’s Republic to the high seventies today. Hundreds of millions have been lifted from absolute poverty. Investments in health, education and infrastructure have shaped the lived experience of several generations.

Survey data is imperfect but consistent. It shows a population that recognises material progress even if it is critical of local officials or specific policies.

This stability is real, but it is not absolute. Demographic decline, property market stress and debt accumulation have created a more complex outlook. A realistic model acknowledges both stability and strain. Assuming imminent collapse is comforting, but it is not analysis. Systems can be strained and stable at the same time.

Performance legitimacy also does not operate in isolation. It is reinforced by information controls that narrow the range of public narratives. Ignoring this creates a distorted picture, but so does pretending information control alone explains stability. Both matter.

2. The Myth of Strategic Omniscience

Western narratives often portray China as ruthlessly efficient and centrally guided. The evidence paints a more uneven picture.

The Belt and Road Initiative illustrates this clearly. It is sometimes described as a coherent geopolitical project and sometimes as a costly misadventure. In truth it is a mixture of strategic intent, bureaucratic friction and opportunistic adjustment.

Beijing wants influence. State owned enterprises often execute poorly. Local actors in partner countries exploit gaps for their own benefit. All of this can occur simultaneously.

This is not the behaviour of a perfectly coordinated adversary, but neither is it the behaviour of a failing one. It is the natural output of a large and uneven system where ministries, provinces, companies and political factions interact in unpredictable ways.

3. Innovation and the Strategic Trajectory

China is often underestimated in the one area that will matter most for long term competition. Innovation.

China now spends more on research and development than the European Union and is closing in on the United States. Patent filings have surged and while raw volume does not capture quality, the scale shows a system that is learning, building and becoming structurally harder to ignore.

Made in China Twenty Twenty Five produced mixed results, but the deeper trajectory is clear. China is shifting from efficiency toward autonomy and resilience. This is most visible in semiconductors, artificial intelligence, biotechnology and clean energy.

China’s innovation model is also hybrid. It combines legitimate investment and scale advantages with ongoing technology acquisition through non market channels. Focusing only on intellectual property theft misses the real capacity being built. Ignoring the hybrid nature of the system misses how China actually learns.

The real shift is not that China copies less but that it learns faster. Its innovation model compounds scale, investment and strategic intent. That acceleration matters more than any single policy document Beijing publishes.

4. The Sovereignty Bloc and Its Implications

China’s influence is often most visible not in military deployments but in voting patterns at the United Nations.

China anchors a broad coalition organised around a simple idea. Non interference. For many states in Africa, Southeast Asia, the Middle East, Central Asia and Latin America, this principle offers political insulation from external conditionality. Alignment inside this group is instrumental rather than ideological, but the incentive structure is durable.

This bloc is not uniform, but it is a structural feature of contemporary geopolitics and it shapes global governance in ways that Western analysts often underweight. For the West, this means the diplomatic operating environment is structurally less favourable than it was twenty years ago. Influence is no longer granted by default.

5. The Limits of the Democracy and Autocracy Frame

Western analysis frequently defaults to a moral binary. Democracies behave one way and autocracies behave another. It is emotionally satisfying but strategically unhelpful.

If regime type explained behaviour, democratic states would not conduct surveillance on allies and autocratic states would not pursue trade agreements or avoid conflict. States act according to interests, incentives and constraints. Constitutional labels explain far less than people assume.

This is not an argument against democratic values. It is an argument for analytical precision. The better questions are simple.

What does China want?
What can it realistically do?
What limits shape its decisions?

Those questions produce strategy. Ideological labels produce noise.

6. The Security Dilemma in Practice

From Beijing’s perspective its maritime posture is defensive. It wants to push United States forces further from its coastline, avoid encirclement and assert long standing claims.

From the perspective of its neighbours the same actions are coercive and destabilising.

Both views contain truth. Recognising this is not endorsement. It is analysis. Without that clarity every maritime dispute becomes a morality play instead of a strategic problem.

7. The Real Blind Spot

Western models misread China because they begin with assumptions that do not hold.

They assume coherence where fragmentation is common.
They assume fragility where performance and control create resilience.
They assume strategic brilliance where improvisation explains more.
They assume ideological ambition where sovereignty is the real organising principle.

When the assumptions are wrong the strategy that follows will be wrong as well.

8. What This Means for Strategy

A more realistic model requires several shifts.

Stop overestimating coherence. Fragmentation matters.
Stop underestimating stability. Resilience has deeper roots than many analysts admit.
Distinguish capacity from competence. China has enormous capability but uneven execution.
Treat sovereignty based alignment as a structural force, not a temporary coalition.
Anchor cyber and geopolitical strategy in incentive based analysis rather than ideological preference.

Threat inflation wastes resources. Threat blindness creates consequences.

Closing Reflection

China is not collapsing and it is not on the verge of global dominance. It is behaving like a rising and insecure great power that wants space, insulation and the ability to shape its environment where it can.

Effective strategy starts with describing reality as it is, not as we wish it to be. Everything else is theatre. Strategic clarity beats strategic theatre. Every time.

Author’s Note

A follow up essay will examine how these same modelling failures distort Western cyber strategy and how to build a more realistic threat framework.

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

The message arrived from a good friend and colleague in Asia — a CISO at one of the region’s major banks.

“A lot of talk around sovereign tech, tech bifurcation etc but no real concrete so what for private organisations… I’m secretly hoping your next Substack will focus on this because there’s too much motherhood crap coming from media.”

He’s right. Governments across the Asia-Pacific are wrestling with sovereignty and vendor trust. Australia’s ASPI talks about “trusted tech ecosystems”. The United States actively weaponises export controls. The European Union builds sovereignty through regulation. Meanwhile, CISOs at banks, insurers, and telcos face vendor committees next Tuesday, making decisions that will lock in operational risk for the next decade.

The gap between policy discourse and operational necessity has never been wider, and this essay aims to bridge that divide.

The Problem: Geopolitical Risk Without a Language

Technology bifurcation, one of the Five Forces I’ve argued is reshaping the digital order, is now a defining feature of the technology landscape. But recognising the trend doesn’t help a CISO explain to a CFO why vendor nationality matters or how to quantify the difference in exposure between cloud providers under different legal regimes.

Traditional enterprise frameworks measure financial stability, cyber maturity, and compliance. None translate jurisdictional exposure into risk appetite. When a board asks, “Why does it matter if our cloud is American, Chinese, or European?” most frameworks offer hand-waving.

The issue moved from theoretical to immediate in 2023 when Chinese state actors exploited a flaw in Microsoft’s cloud identity infrastructure, enabling access to senior US officials’ emails. The subsequent review by the US Government’s Cyber Safety Review Board described “a cascade of avoidable security failures” at Microsoft. But the deeper lesson for CISOs was not simply technical; it was that large global vendors are subject to geopolitical incentives and legal systems that shape their threat profile. In other words, some vendors attract sovereign-level attention regardless of how strong their engineering is.

For Asia-Pacific firms operating under conflicting regulators — BNM, RBI, MAS, APRA, HKMA, BSP — this becomes existential. Technology choices made today embed structural dependencies that will persist long after the procurement team has moved on. Cloud computing, identity, and communications platforms define operational sovereignty in ways that few organisations fully confront.

Beyond Binary Thinking: A Framework for Vendor Geopolitical Risk

The real question isn’t “Which country’s technology should we trust?”
It’s:

What risks arise from this vendor’s legal obligations, given the sensitivity of the system and the geopolitical exposure of the organisation—and how can these risks be mitigated?

A pragmatic framework rests on four dimensions:

Worked Example: Singapore-Based Bank, 2025

Scenario: Migration of a core payments platform — AWS Singapore vs Huawei Cloud Hong Kong.
Criticality/Sensitivity: High-High (real-time payments, regulated data).

Vendor Jurisdictions:

• AWS → subject to U.S. CLOUD Act.

• Huawei → subject to PRC National Intelligence Law & Data Security Law.

Organisational Exposure: Operates in Singapore and Australia; no mainland China footprint; under MAS and APRA supervision.

Mitigations:

• External key management

• MAS-aligned data localisation

• Tested regional failover

Assessment:
AWS introduces U.S. legal reach; Huawei introduces PRC data-access exposure. Under MAS/APRA mapping, U.S. exposure is manageable with external KMS. PRC exposure is not acceptable for a High-High financial system.

Decision:
Proceed with AWS plus mitigations.

• Cost: +22% vs single vendor

• Resilience: ~3× RTO improvement (24h → 8h)

This is what geopolitical risk looks like when translated into an operational decision.

Translating Framework to Risk Appetite

Boards don’t need another sentence about having a “low appetite” for foreign influence. They need decision gates.

High-High Systems

• Vendor jurisdiction must align with at least two primary regulatory regimes

• Encryption keys must be externalised

• Annual failover and portability testing

• Transparent reporting of government data requests

High-Low Systems

• Multi-cloud or regional redundancy preferred

• Portability and continuity clauses required

Low-Criticality Systems

• Traditional commercial and technical assessment

• Jurisdiction as a secondary consideration

This turns geopolitical noise into something a board can govern.

The Financial Services Layer: Supervisory Fractures

Regulators across the region are diverging, not converging:

• MAS (Singapore): Cloud-pragmatic, resilience-focused, strong on exit planning.

• APRA (Australia): CPS 230 heightens scrutiny on offshore dependencies and material service providers.

• HKMA (Hong Kong): Sensitive to data flows that may be accessible from mainland China.

A regional bank must therefore design for regulatory interoperability, not regulatory uniformity.

• Regulatory mapping: Understand divergence in localisation, sovereignty, and resilience.

• Architecture by jurisdiction: e.g., regional cloud for MAS markets; hybrid with externalised KMS for APRA markets.

• Supervisor engagement: Seek alignment before deploying critical workloads.

• Audit trail: Document how geopolitical risks were assessed, mitigated, and accepted.

Expanding the Options: Beyond the US–China Binary

The US–China vendor dichotomy obscures more strategic choices than it reveals. It’s a framing that dominates the headlines but rarely helps boards or CISOs make operational decisions.

In my analysis of the uBios development and other arguments, I have shown that origin is a blunt and misleading proxy for risk. A Chinese vendor operating in Singapore, a US vendor operating in Frankfurt, and an EU vendor operating in Australia all carry extraterritorial legal exposure. The risks differ — but not in the simplistic “country-of-origin = trustworthiness” way the public debate assumes. Jurisdiction, legal obligations, and system criticality matter far more than flags or sentiment. This is why a framework-based approach beats ideology every time.

With that in mind, the real choice set is broader:

Sovereign cloud alternatives
Australia: AUCloud (Sovereign Cloud Australia) and Canberra Data Centres offer Australian ownership and in-country operations, reducing foreign legal exposure. Trade-offs: limited scale and service breadth versus hyperscalers, especially for advanced analytics and AI.

Singapore: Government Commercial Cloud (GCC/GCC+) provides government-orchestrated environments on commercial clouds with Singapore-only regions and sector-specific compliance for public sector workloads.

Both models reduce but don’t eliminate cross-border legal risk while constraining capability compared to global platforms.

Alliance-based trust frameworks
AUKUS, EU–US adequacy arrangements, and Five Eyes-aligned assurance models

• Lower friction for specific data classes

• Highly sector-dependent (especially defence, national security)

Open-source and self-managed models
Kubernetes/OpenStack on sovereign compute

• Maximum jurisdictional independence

• High operational complexity and cost

Each option still requires evaluation across the same four dimensions: system criticality, vendor jurisdiction, organisational exposure, and mitigation.

From Framework to Tools

1. Vendor Geopolitical Risk Scorecard

Ten practical lenses:
legal compulsion · transparency · regulator alignment · portability · resilience · sector targeting · supply-chain opacity · financial durability · incident behaviour · exit cost/time

2. Technology Estate Classification Matrix

Classify all systems by criticality × sensitivity to trigger differentiated vendor requirements.

3. Strategy Comparison: Cost–Resilience Trade-Offs

4. Scenario Planning

Stress-test vendor choices against plausible shocks:

• CLOUD Act subpoena

• PRC DSL/NIL enforcement abroad

• CPS 230 interpretations

• Taiwan/Philippines escalation

• Supply-chain ransomware attack on a major cloud provider

Indicators to Watch (2026–27)

1. CLOUD Act case law on overseas data production

2. First PRC Data Security Law enforcement involving non-Chinese entities

3. APRA’s CPS 230 guidance on offshore dependency

4. Legal durability of the EU–US Data Privacy Framework

5. AUKUS implementation for data handling and tech-sharing

6. RCEP digital harmonisation trends across ASEAN

As these factors change, your vendor risk posture will change accordingly.

The CISO as Geopolitical Risk Manager

Technology bifurcation has quietly turned CISOs into interpreters of geopolitics. We still manage cyber resilience, but now we also arbitrate between legal systems, evaluate jurisdictional incentives, and design around geopolitical exposure.

It’s shared work:

• Boards must understand why jurisdiction matters

• Executives must accept cost–complexity trade-offs

• Risk teams must integrate geopolitical exposure into frameworks

Different organisations, such as a bank in Melbourne, a fintech in Jakarta, or an insurer in Hong Kong, will establish different boundaries, but they all stand to gain from transforming rhetoric into measurable, defensible criteria.

My next piece in this series will transform this framework into a concrete scorecard and a board-ready appetite dashboard—practical tools designed to make sovereign technology decisions both repeatable and defensible.

Closing Thought

The vendor committee meets next Tuesday. The cloud business case goes to the board next month. Geopolitical risk isn’t a policy debate; it’s part of the operating environment.

Operational sovereignty isn’t declared; it’s engineered, and increasingly, that work starts with the CISO.

References

[1] Department of Homeland Security Cyber Safety Review Board, “Review of the Summer 2023 Microsoft Exchange Online Intrusion,” March 2024

[2] Clarifying Lawful Overseas Use of Data Act (CLOUD Act), 18 U.S.C. § 2713, 2018

[3] People’s Republic of China, National Intelligence Law (2017) and Data Security Law (2021)

[4] European Union, General Data Protection Regulation (GDPR) 2016/679 and Network and Information Security Directive (NIS2) 2022/2555

[5] Monetary Authority of Singapore, “Technology Risk Management Guidelines,” January 2021 (updated June 2023)

[6] Australian Prudential Regulation Authority, “Prudential Standard CPS 230: Operational Risk Management,” effective July 2025

[7] Australia-United Kingdom-United States Security Partnership (AUKUS), technology-sharing provisions announced September 2021, implementation ongoing

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

In September, at the Gartner Global CISO Summit in New Orleans, I outlined five forces breaking the digital order. The fourth—technology bifurcation—described how sovereignty is no longer confined to borders or trade law but is now being written directly into silicon and standards. A few weeks later, China proved the point with the release of UBIOS, an indigenous firmware stack designed to eliminate foreign code from the most trusted layer of computing.

Now, Brussels has offered its response, not in firmware, but in spreadsheets.

The EU Cloud Sovereignty Framework (v1.2.1, October 2025) doesn’t control what code runs at boot time; it controls who gets paid. If a cloud provider fails the minimum SEAL level on even one of eight sovereignty objectives, it is disqualified from the €180-million initial procurement, no exceptions, no appeals, and no diplomatic courtesy. Where China hard-codes sovereignty into firmware, Europe encodes it into procurement rules. The intention is the same: define the boundary, make it measurable, and use it to reclaim strategic independence from external control.

The question is whether spreadsheet sovereignty can deliver what UBIOS hard-codes—strategic independence from foreign leverage, or whether it will accelerate the very fracture it hopes to prevent.

The Framework Decoded

The Cloud Sovereignty Framework introduces Sovereignty Effectiveness Assurance Levels (SEAL-0 → SEAL-4).

• SEAL-0 – No Sovereignty: Services under exclusive non-EU control.

• SEAL-1 – Jurisdictional Sovereignty: EU law applies but enforcement is limited.

• SEAL-2 – Data Sovereignty: Material non-EU dependencies remain.

• SEAL-3 – Digital Resilience: Minimal external control.

• SEAL-4 – Full Digital Sovereignty: Complete EU control, no critical foreign dependencies.

Each tenderer receives a Sovereignty Score weighted across eight objectives, and failing a minimum SEAL threshold on any single objective means automatic disqualification. Among those who qualify, the overall score influences award rankings.

On firmware, the framework examines the “jurisdiction and provenance of embedded code controlling hardware”, scrutinising CPUs, GPUs, storage, and network components for European origin or verifiable transparency. It’s UBIOS logic repurposed for procurement, where Beijing mandates indigenous firmware, and Brussels demands auditable provenance.

Encryption policy requires that “only the customer, not the provider, has effective control over cryptographic keys.” If U.S. law can compel a provider to surrender access, the service fails—no matter how strong its technical isolation.

Jurisdictional exposure is explicitly scored: the framework lists the U.S. CLOUD Act and Chinese Cybersecurity Law as examples of extraterritorial reach incompatible with higher SEAL levels. It names what diplomacy usually avoids: sovereignty cannot coexist with compulsory foreign legal access.

The framework came into effect through an initial six-year procurement for EU institutions, with up to four providers expected to win contracts between December 2025 and February 2026. It remains guidance rather than regulation, but it sets a precedent that could soon shape eligibility for all public-sector cloud tenders in Europe.

The Lattice Test

The framework’s strategic test is straightforward: can Europe preserve interoperability while building resilience, or will its internal contradictions collapse the middle ground?

Brussels is trying to construct what might be called lattice logic—graduated thresholds that preserve cross-border operations while reducing critical dependencies. The SEAL system allows shades of sovereignty rather than a binary pass or fail. Weightings of 20 percent for supply chain, 15 percent each for operational, strategic, and technological sovereignty, and 10 percent for legal, data, and compliance objectives reveal a policy trying to balance ambition with realism. It is Europe’s attempt to build what I call the Strategic Lattice: a world in which geopolitical tension is managed through minimum viable interoperability instead of outright fragmentation.

Yet lattice stability depends on credible enforcement, and enforcement demands institutional backbone. The framework lacks the machinery that gives other EU regimes their power: no penalties, no designated authority, and no sustained technical-audit capacity. By comparison, GDPR, NIS2, and DORA all carry both enforcement and consequence; GDPR alone has produced over €5.6 billion in fines since 2018 [1]. Without similar mechanisms, the Cloud Sovereignty Framework risks becoming what critics already call regulatory theatre: architecturally sophisticated, operationally hollow.

Meanwhile, U.S. hyperscalers continue to localise at scale. AWS has committed €7.8 billion to its Brandenburg region [2]; Microsoft, over €20 billion in European infrastructure within sixteen months [3]; and Google has expanded sovereign partnerships with Thales and T-Systems [4]. These projects deliver local staffing, customer-held keys, and EU-incorporated entities, yet they remain legally American, still bound by the CLOUD Act. As one French MP observed during Senate testimony, “A cloud can be in France and still answer to Washington.” [5a]

Operational sovereignty can be engineered; jurisdictional sovereignty requires geopolitical leverage that Europe still lacks.

The Delaware Problem

Consider an EU pharmaceutical company running high-value research workloads on Microsoft Azure Germany. Its data sits in Frankfurt, encryption keys are customer-controlled, and operations are handled by EU citizens employed by Microsoft Deutschland GmbH. On paper, it qualifies for SEAL-3.

Now imagine the U.S. Drug Enforcement Administration issues a CLOUD Act order to Microsoft Corporation in Delaware, demanding tenant-level access. Microsoft Deutschland asserts that German law prevents compliance, yet the parent company faces contempt charges if it refuses.

The framework anticipates such conflicts; it scores them at SEAL-1 or SEAL-2 depending on the degree of exposure but provides no circuit breaker, no adjudicator, and no tested fallback plan. The customer must either comply through its provider or migrate mid-crisis to a European vendor it has never validated.

This is operational sovereignty colliding with jurisdictional sovereignty. The framework can measure the gap, but it cannot close it. That limitation, more than any technical weakness, will determine whether Europe’s lattice holds or slides into a Red Zone of regulatory incompatibility.

Enforcement, Markets, and the Math of Dependence

There is no enforcement body, no penalty structure, and no budget for technical verification; compliance simply determines who gets invited to bid.

The contrast with GDPR and NIS2 is stark—and so is the market reality. U.S. hyperscalers control roughly 70 percent of Europe’s €61 billion cloud market, while European providers hover around 15 percent [5]. Even perfect compliance cannot rebalance that scale. The graduated scoring is therefore a political compromise—an attempt to signal ambition without upending dependence.

The economics are no kinder. Achieving full digital sovereignty would cost around €3.6 trillion over a decade—twelve times more than a partnership model [6]—and likely leave Europe three technology generations behind its competitors. Spreadsheet sovereignty is cheaper than rebuilding the stack but still costly enough to test Europe’s fiscal patience.

What Boards Should Do

Boards cannot legislate sovereignty, but they can design for it.

Interrogate vendor SEAL claims. When a provider claims SEAL-3 compliance, ask which legal mechanism prevents CLOUD Act enforcement and how quickly it can respond to a non-EU order.

Map workloads by sovereignty need. Identify which systems truly require SEAL-3 assurance and which can safely operate under SEAL-1 contracts.

Engineer for migration speed. A multicloud strategy that cannot move a critical workload within 90 days is theatre, not resilience.

Track policy as intelligence. Regulatory divergence is now as important an indicator as a state-sponsored intrusion.

Push decision-making closer to the risk. Fragmented governance is slow governance; authority must sit where information concentrates.

The central question for executives is no longer “Are we compliant?” but “Which dependencies can be weaponised against us, and how fast can we replace them?”

The Bootloader of Procurement

Europe’s framework captures a broader truth: when a region cannot compete on innovation speed, it competes on governance reach. Whether that becomes strategic patience or strategic paralysis will depend on how quickly the framework grows teeth.

UBIOS shows sovereignty imposed with binary clarity at the firmware layer; the EU’s framework shows sovereignty negotiated through twenty-seven democracies and filtered by trillion-dollar lobbyists—optional, gradual, and slow. Yet both rest on the same logic: when dependencies become weapons, control becomes currency. China chose architectural independence; Europe chose procurement governance. Neither guarantees resilience, but both recognise that sovereignty can no longer be deferred.

The crucial difference is enforceability. UBIOS is mandatory within Chinese jurisdiction, while the Cloud Sovereignty Framework remains voluntary guidance. One operates at the millisecond before an operating system loads; the other, at the months-long cadence of contract awards. The open question is whether procurement policy can ever deliver strategic effect when the infrastructure itself remains under foreign jurisdiction.

Australia faces a similar dilemma. The government’s Whole-of-Government Hosting Strategy and its AUD $2 billion Top Secret Cloud partnership with AWS [7] mirror Europe’s procurement-based approach: operational control is local, but jurisdictional control remains offshore. Canberra, like Brussels, is learning that sovereignty measured through procurement checklists is not the same as sovereignty enforced through law. Jurisdiction travels with the parent company, not the rack. The real test is whether Australia can build credible enforcement and domestic capability before legal dependence hardens into strategic vulnerability.

Europe’s wager is that measurement can substitute for power—an attempt to reverse-engineer leverage through rules and thresholds, much as Basel III once did for banking. Whether that preserves the Strategic Lattice or accelerates Red Zone drift will hinge on three indicators:

1. Whether France, Germany, and the Netherlands make SEAL thresholds mandatory for national procurement by mid-2027.

2. Whether the Commission proposes an enforcement mechanism within eighteen months.

3. Whether any U.S. hyperscaler attains SEAL-4 by 2027—a near-impossibility that will reveal how much of this sovereignty is real and how much is theatre.

In systems architecture, as in geopolitics, the winner is not the actor with the most elegant framework but the one still able to operate when frameworks collide.

John Ellis writes about the geopolitics of technology and cyber security at GeopoliticalCyber. The views expressed are his own.

Sources

[1] DLA Piper, GDPR Fines and Data Breach Survey, Jan 2025; CMS Law, GDPR Enforcement Tracker Report, Mar 2025.
[2] AWS, AWS plans to invest €7.8 billion into the AWS European Sovereign Cloud, May 2024.
[3] Microsoft, Landmark EU Data Boundary announcement, Feb 2025.
[4] Google Cloud, Advancing digital sovereignty on Europe’s terms, Oct 2022; Advances in sovereignty and security, May 2025.
[5] Synergy Research Group data, 2025; Heise Online, July 2025.
[5a] French Senate hearing on Cloud Act implications, Paris, July 2024 (reported in Le Monde and DCD).
[6] CEPA, Digital Sovereignty: Can Europe Afford It?, Nov 2025.
[7] Australian Department of Defence, AWS Top Secret Cloud Partnership, July 2024; Office of National Intelligence, TS Cloud Announcement, July 2024.

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

Years ago, I watched a board receive news that a key business system had been compromised only hours before their scheduled meeting. The CISO presented slides showing the breach resulted from an unpatched vulnerability, one that had appeared on the risk register as “medium” for six months. A non-executive director asked whether the breach represented a failure of basic hygiene. The CISO confirmed it did. The board chair reminded everyone that the organisation had no appetite for losses exceeding [a material threshold], a statement that had appeared verbatim in the minutes for the past eighteen months.

The discussion felt decisive. Nothing changed.

I’ve seen variations of this scene across financial services, healthcare, and critical infrastructure throughout my career. The language differs, but the pattern holds: boards accept measurements based on what can be easily reported rather than what fundamentally affects organisational resilience. Formal discussions appear robust, while the underlying measurement remains superficial. This is the essence of the governance paradox: the tendency to govern what is manageable rather than what is meaningful.

Boards are under growing pressure to demonstrate cyber resilience, yet most continue to rely on management reports built around heatmaps and binary appetite statements that create an illusion of control over what is inherently probabilistic. A more mature approach begins when boards require risk appetite to be expressed in probabilistic terms, materiality to be calibrated as conditions evolve, and assurance to validate the reasoning behind the numbers rather than just the presence of documentation.

When a board adopts a probabilistic mindset, it begins to govern uncertainty with the same discipline that insurers apply to capital adequacy and solvency management. This represents the next stage in the maturity of cyber governance [1][2][3].

The Governance Paradox

Cyber risk is inherently probabilistic, yet it is commonly managed through deterministic tools. Heatmaps, control ratings, and binary appetite statements reduce complex risk distributions into simplified traffic-light representations. The result is a paradox in which the most material risks often receive the least quantified scrutiny [8].

Consider a loss exceedance curve compared to a standard heatmap. The heatmap may show a risk marked green, suggesting it is well managed. The exceedance curve, however, reveals a nine per cent probability of losses exceeding fifty million dollars. These aren’t two interpretations of the same information; they represent fundamentally different understandings of exposure. One provides comfort; the other provides insight. Boards that require appetite to be expressed in probabilistic terms gain a more accurate understanding of what they’re actually facing.

Board and Management: Distinct but Interdependent Roles

A frequent source of confusion in cyber governance is the boundary between oversight and execution. Some boards, influenced by industry commentary or internal reporting structures, assume responsibilities that properly belong to management.

Management is responsible for implementation. It measures and reports on controls, allocates resources, and converts risk appetite into operational action. The board governs by defining appetite, setting strategic direction, challenging management’s reasoning, and ensuring that reporting faithfully represents exposure. It carries ultimate accountability for oversight [1][2][3].

The Australian Institute of Company Directors puts it clearly: “While it is not the role of the board to directly manage cyber risk, the board does have ultimate accountability for how risks are governed and addressed.” [1]

Effective governance depends upon a disciplined separation of these functions. The quality of oversight improves when boards challenge management’s reasoning rather than its activity.

The Illusion of Appetite

Risk appetite statements often provide reassurance without measurement. Phrases such as “no appetite for losses exceeding twenty million dollars” express intent but fail to convey probability.

Douglas Hubbard’s How to Measure Anything in Cybersecurity Risk demonstrates why this matters [8]. The same statement can be reframed as: “The organisation aims to maintain less than a five percent probability of losses exceeding twenty million dollars per year.”

This statement isn’t semantic wordplay. The first version is aspiration; the second is governance. It converts intent into quantifiable commitment and provides a foundation for investment, oversight, and assurance decisions. Declaring risk appetite is not governance; quantifying it is.

Connectedness and the Learning Loop

Early in my career I viewed cyber risk as a function of control status: green was acceptable, and red was not. Dashboards reinforced this illusion by presenting progress as the number of issues closed. The work of Jack Jones and the FAIR model fundamentally altered that understanding [10][11].

Risk is not a set of discrete control failures but an interconnected network of conditions that collectively shape the probability of loss. Individual control weaknesses rarely operate in isolation. Each alters the likelihood of success for subsequent stages in an attack chain.

Here’s a concrete example: during a red team exercise at a previous organisation, the team compromised an employee’s credentials through a phishing simulation. That initial success wasn’t just one control failure. It significantly increased the likelihood of lateral movement, privilege escalation, and data exfiltration. When we updated our loss estimates, we didn’t just mark “phishing awareness” as red. We recalibrated our probability estimates for every scenario where initial access was a precondition for more damaging outcomes.

This reflects a Bayesian approach to governance where prior assumptions are updated as new evidence emerges. A failed red-team test or a recurring audit finding isn’t another point of failure on a scorecard; it’s evidence that should revise the organisation’s estimate of loss probability. Weak multi-factor authentication increases both the probability of compromise and the frequency of attempts as adversaries identify opportunity. Frequency and susceptibility are linked.

The objective, described by Richard Seiersen as “risk removal”, is to eliminate entire pathways to loss rather than marginally improve control scores [8][12]. Boards don’t need to view equations to appreciate this principle, but they should be confident that the organisation learns from evidence and recalibrates its understanding of exposure as conditions change. This principle is the distinction between static compliance reporting and adaptive, evidence-based governance.

Worked Example: Translating Appetite into Measurement

When appetite is expressed probabilistically, it becomes possible to evaluate trade-offs with clarity. Suppose a board’s tolerance is defined as a five per cent probability of losses exceeding fifty million dollars. If current modelling shows the probability at ten percent, management can propose options that the board can compare based on evidence:

Although Option A requires greater expenditure, it achieves a larger reduction in loss probability at a lower cost per risk-reduction point. If the board’s target appetite is five percent, then option A brings the organisation within one point of that target, while option B leaves a residual gap of 3.5 points.

Quantification transforms risk management from a compliance exercise into an investment decision, enabling evidence-based capital allocation rather than intuition-driven spending.

From Concept to Practice: Lessons from the Field

During my time at Akamai in the mid-2010s, quantifying the return on investment in security products was a persistent challenge for clients. Everyone accepted that the controls had value, yet few could express that value with the financial confidence needed to justify cloud adoption for DDoS protection and web security, especially in Asia, where I was based at the time.

The FAIR model provided a structured way to make such calculations feasible and, more importantly, to shift the conversation. It introduced just enough rigour, enough maths and science, to translate security discussions into the language of business value at risk: what needed to be protected, the cost to protect it, and the effect of investment on reducing that value at risk. It was a more mature, more relatable conversation for executives.

Controls were then mapped to their loss-reduction value and linked to tangible business outcomes. In sectors such as aviation and financial services, where digital sales, booking platforms, and deferred revenue could be measured, the financial impact of cyber events became quantifiable. Once we established those linkages, we could express reductions in potential harm as measurable benefits instead of abstract improvements in maturity.

Sean Coady, a colleague at the time, recognised that the task was not a technical exercise but a financial one: a method for connecting investment value to business value. Many of the more forward-leaning organisations were already moving in this direction—a practice now formally recognised as Cyber Risk Quantification (CRQ).

For many organisations, data quality, analytical capabilities, and cultural readiness remain obstacles. The correct response is to begin small and focus on the scenarios that intelligence identifies as most probable or consequential. Quantification should be treated as a programme of work rather than a project.

Establish periodic release cycles (for example, every six months) to review assumptions, inputs, and reporting. Structured iteration communicates that this is a continuous process rather than a discrete task. Similar to all areas of business management, understanding and governing cyber risk is an ongoing process without a definitive endpoint.

Several approaches are available. In previous organisations, we developed internal capabilities using the OpenFAIR toolkit, supported by threat modelling and open-source intelligence feeds. Commercial offerings such as RiskLens and KPMG’s Cyber Risk Insights (CRI) provide mature frameworks, and independent analyst coverage such as The Forrester Wave: Cyber Risk Quantification, Q2 2025 offers market context [13].

Quantification is best viewed not as a technology but as a mindset: begin with intelligence-led scenarios and evolve quantification as a disciplined and iterative practice linking cyber resilience to business value.

The Future of Cyber Governance

Advances in artificial intelligence now permit real-time updates to loss-exceedance models. Regulators, including APRA, MAS, the SEC, and the PRA, increasingly expect quantitative and decision-useful reporting [2][4][5][6][7]. Cyber insurers are also determining coverage prices based on validated risk exposure instead of relying on qualitative indicators.

The convergence of analytics, regulation, and insurance economics will reshape how boards understand and govern cyber risk. The integration of quantification into assurance and capital disciplines will redefine effective governance.

Boardroom Questions

Directors can use these questions to assess whether their organisation is measuring what matters:

• What is the organisation’s current probability of a material loss?

• How has that probability evolved, and what factors have driven the change?

• Which assumptions or control dependencies have the greatest influence on this estimate?

• Which investments would most efficiently alter that probability?

• What assurance is there regarding the data and methodologies used?

• How frequently is materiality recalibrated?

• Is the organisation learning from evidence, or is it merely reporting on compliance?

Closing Reflection

Boards cannot remove uncertainty, but they can govern it with intelligence and discipline. Risk appetite should be expressed as probability rather than aspiration, and materiality should be revisited as conditions evolve. Assurance must evaluate reasoning and evidence rather than the presence of documentation.

All models are approximations. A measure of governance quality lies in how consistently an organisation learns from evidence and improves its understanding of risk over time. At stake is the transition from governance theatre to governance substance, where the objective is not certainty but confidence derived from disciplined measurement.

References

1. Australian Institute of Company Directors. Cyber Security Governance Principles. 2025.

2. Australian Prudential Regulation Authority. CPS 234 Information Security. July 2019.

3. National Institute of Standards and Technology. The NIST Cybersecurity Framework (CSF) 2.0. February 2024.

4. U.S. Securities and Exchange Commission. Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure. Release Nos. 33-11216; 34-97989. July 26, 2023.

5. Monetary Authority of Singapore. Notice 655 – Cyber Hygiene. Consolidated version.

6. Bank of England Prudential Regulation Authority. SS2/21 – Outsourcing and third-party risk management. Effective 2022.

7. Bank of England Prudential Regulation Authority. SS1/21 – Operational resilience: Impact tolerances for important business services. March 2021.

8. Hubbard, D. and Seiersen, R. How to Measure Anything in Cybersecurity Risk. Wiley. 2016 (2nd ed. 2023).

9. Howard, R. Cybersecurity First Principles (series). The CyberWire. 2022.

10. FAIR Institute. FAIR Model Overview (Technical Brief).

11. RiskLens. An Introduction to FAIR (Whitepaper).

12. Seiersen, R. “Risk Removal.” Conference presentation and related materials, 2020.

13. Forrester. The Forrester Wave: Cyber Risk Quantification, Q2 2025.

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

When I spoke in New Orleans at the Gartner Global CISO Community event, I outlined five forces breaking the digital order. The fourth was technology bifurcation, the emergence of rival stacks operating under different governance, using different standards, and ultimately answering to different authorities. I focused on 5G, sovereign cloud, and competing AI frameworks.

I should have been talking about firmware.

China’s recently announced Unified Basic Input/Output System (UBIOS) represents bifurcation at its most fundamental level. This is not about applications or cloud providers. It is about divergent roots of trust at the bootloader, the first code a machine executes. If you control what a system trusts before the operating system loads, you control the foundation on which everything else depends.

A sovereign bootloader

Thirteen Chinese institutions, including Huawei, Inspur, and the China Electronics Standardisation Institute, have co-developed UBIOS as a domestic replacement for the Unified Extensible Firmware Interface (UEFI), the dominant firmware standard of the past two decades.

The significance is straightforward. Firmware sits below everything else. It determines what a machine trusts when it initialises. For years, that handshake has relied on American code signed and certified by Intel, AMD, or Microsoft. The global computing base has, in effect, been booting on American cryptographic authority.

UBIOS replaces that lineage. It brings Chinese governance frameworks, cryptographic standards, and certificate authorities into the trust chain. The geopolitical intent is unmistakable. Beijing wants the first line of code executed inside China not to require permission from Washington, Santa Clara, or Redmond. This is digital sovereignty implemented at the hardware–firmware boundary.

From dependency to detachment

UBIOS aligns with Document 79, the 2022 directive mandating the removal of foreign technology from state systems by 2027. The document was reportedly handled under strict controls, with no photocopying and review in secure settings, which signals how seriously Beijing treats technological independence.

UBIOS is part of a broader structural pattern. China has pursued RISC-V to bypass x86 dependencies, developed Loongson for domestic production, and built HarmonyOS to reduce reliance on Android. Each layer insulates core systems from external pressure and creates optionality under sanctions or export controls.

The logic is precedent, not paranoia. For two decades, the United States held leverage through control of firmware trust chains and root certificates. That visibility enabled dominance over standards and, importantly, over how the global computing base initialises and validates itself. If chips, operating systems, and cloud services can be weaponised, firmware is the logical next frontier.

UBIOS severs that dependency chain. The 2022 to 2024 export control cycle targeting advanced chips and high-bandwidth memory showed that access can be restricted overnight. Rebuilding the stack, from silicon to firmware to operating systems, becomes a matter of national resilience.

The firmware frontline

Firmware is invisible to most users but strategically foundational. It anchors boot integrity, enables remote attestation, and establishes platform trust. Whoever governs firmware defines what “assurance” means in a computing environment.

Replacing UEFI with UBIOS localises not only production but authority. Once standardised across Chinese data centres and exported via Digital Silk Road projects, Western transparency at the hardware level will erode. That matters because security validation frameworks such as Common Criteria and FIPS 140-3 are built around Western cryptographic primitives, including RSA for public key operations, ECDSA for digital signatures, and SHA-256 for hashing.

China mandates its own ShangMi (SM) cryptographic standards, governed by the Commercial Cryptography Administration. SM2 provides elliptic curve signatures and key exchange. SM3 offers hashing. SM4 handles symmetric encryption. These are not mere re-skins of Western algorithms. They are distinct standards maintained under Chinese regulatory authority.

The result is an asymmetry of visibility. Western assessors cannot easily inspect or attest to initialisation sequences in UBIOS systems using SM-series cryptography. Tooling does not translate cleanly. Certificate chains terminate in Beijing rather than in Verisign or DigiCert. Governance operates under Chinese law rather than under regimes Western regulators can audit or compel.

A practical scenario makes the point. An Australian critical infrastructure provider procures Chinese-manufactured servers. Under UEFI, assurance is well-established. Verify firmware signatures against known Intel or AMD roots, check published vulnerabilities, and validate the boot chain against independently audited hashes.
With UBIOS, the process shifts. The certificate authority is Chinese. The cryptographic algorithms are SM-series, which many Western tools do not natively validate. The firmware source is governed by Chinese intellectual property frameworks and may not be available for independent audit. The trust anchors, the root certificates underpinning the chain, are managed by state-aligned institutions rather than global certification bodies.

Western assurance frameworks must either develop new validation methodologies that accommodate Chinese cryptography and governance or accept a degree of operational blindness. Neither path is attractive, and both have implications for supply chain security and regulatory compliance.

Strategic symmetry, not rebellion

This is best read as strategic symmetry, not defiance. Washington has long leveraged hardware and firmware standards as instruments of influence, just as export controls shape semiconductor supply. Beijing’s response is architectural independence, a parallel stack immune to Western veto.

Competing stacks

• Western: UEFI/Secure Boot; NIST-approved cryptography (RSA, ECDSA, SHA-256); global certification bodies operating primarily under U.S. and European regulatory frameworks.

• Chinese: UBIOS/National Trust Chain; SM-series cryptography (SM2, SM3, SM4); state-aligned certification authorities under Chinese regulatory oversight.

This split occurs at the lowest software layer, before operating systems or hypervisors, where the definition of trusted is set. Interoperability becomes a political choice, not a technical default.

In New Orleans, I argued that technology bifurcation was fracturing the digital order. UBIOS shows the fracture runs deeper than many assumed. It reaches all the way to the firmware that decides, in milliseconds, which code a machine will believe.

What changes for institutions

For national security planners, firmware sovereignty shifts risk from the technical to the policy domain. The question is no longer only “Is this secure?” but “Under whose authority is trust established, and what are the geopolitical implications of that dependency?”

For enterprises operating across jurisdictions, UBIOS reshapes third-party due diligence. Supply chain security, regulatory assurance, and audit practices have assumed that organisations can validate hardware and firmware using globally recognised tools. That assumption is weakening. Systems procured from Chinese manufacturers, or deployed in Chinese data centres, may initialise under cryptographic authority that Western teams cannot readily inspect.

Critical infrastructure operators face the most acute challenge. Logistics, manufacturing, telecommunications, and energy networks may depend on devices initialised under foreign cryptographic governance. The resulting assurance gap, the difference between what must be validated and what can be validated, becomes as consequential as any zero-day. You cannot defend against what you cannot see, and you cannot validate trust chains you cannot inspect.

The operational answer is dual-stack validation, frameworks capable of attesting firmware integrity across both UEFI and UBIOS architectures. That requires technical diversity, fluency in both Western and Chinese cryptographic ecosystems, and geopolitical awareness of which jurisdictions govern which trust anchors under what legal norms. This is the next evolution of cyber resilience. Success will favour organisations that operate confidently across both ecosystems without assuming either is inherently superior or inherently compromised.

The bootloader as battlefield

When a server powers on, it decides whom to trust. That decision, unseen yet absolute, now sits at the centre of global competition.

UBIOS is Beijing’s declaration that Chinese systems will not boot on foreign permission. It is the digital analogue of launching a sovereign satellite constellation, largely invisible to citizens yet strategic in every sense. Just as GPS underwrote American advantage and BeiDou underwrites Chinese independence, UBIOS underwrites independence at the firmware layer.

The decisive contests ahead will not begin with software exploits. They will begin in the milliseconds before the operating system loads, when a machine decides whose cryptographic authority defines truth. This is where sovereignty is encoded into silicon, where alignment is embedded into boot sequences, and where the future of technology governance is being written.

In New Orleans, I described a possible future I called the Red Zone, a world of high threat pressure, collapsing alignment, diverging regulations, proliferating stacks, and segregated supply chains. UBIOS is what the Red Zone looks like when it’s coded into firmware. The alternative, what I called the Strategic Lattice, remains possible: a world where high pressure is managed through minimum viable interoperability. But it will not emerge by accident.

In geopolitics, as in Bayesian reasoning, priors update when evidence arrives. UBIOS is new evidence. The question is whether institutions will update their strategies or continue operating on assumptions that no longer fit a world of bifurcated trust architectures.

Author bio:
John Ellis is the author of GeopoliticalCyber, a blog exploring the intersection of cyber resilience, strategy, and geopolitics.

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

This article builds on my presentation at Gartner’s Global CISO Executive Summit in New Orleans, where I introduced the framework “Five Forces Breaking the Digital Board.” What follows expands on that analysis, integrating fresh research on digital fragmentation, supply chain weaponisation, and my scenario planning methodology. The argument is simple: it’s not prediction that matters, but positioning. Positioning is resilience, and resilience decides who wins tomorrow.

From Plumbing to Battlefield

When Salt Typhoon briefings reached Capitol Hill in December 2024, the response was visceral. Senators walked out of classified sessions visibly rattled. Mark Warner called it “the worst telecom hack in our nation’s history.” Christopher Wray described it as “the most significant cyberespionage in history.” Marco Rubio dispensed with understatement, labelling it “the most disturbing and widespread incursion into our telecommunications systems in the history of the world.”

This episode was not theatre. It was the realisation, at the highest levels of government, that the plumbing metaphor for cyber has expired. For years, boards and their management, treated cyber like piping in a building: invisible until it burst, patchable when it did, and insurable against financial leakage. That era is gone. Cyber today is not hidden infrastructure behind the walls. It is contested terrain outside the front door. The water company may still deliver supply, but in this world it could also be an adversary with a hand on the valve.

The Persistence Condition

Too many organisations continue to approach cyber threats in an episodic manner, responding to an attack, mounting a response, ensuring recovery, and then issuing a report. That model is obsolete.

Volt Typhoon maintained access to U.S. critical infrastructure for at least five years. Salt Typhoon burrowed into telecommunications networks from 2022 through late 2024 and was still present during congressional briefings. These were not mere raids. They were patient positioning campaigns, a reminder that persistence is not an exception in cyber but the norm.

Cyber persistence theory explains why. Michael Fischerkeller and colleagues argue that unlike conventional warfare (which seeks victory through conflict) or nuclear strategy (which seeks to prevent conflict), cyber operates in “the alternative to war”—a space of continuous competitive campaigning below the threshold of armed conflict. The very interconnectedness of cyberspace creates the conditions that make persistence inevitable.

The translation is straightforward: persistence is the condition. Stop planning for “return to normal”. There is no normal. There is only continuous pressure, with adversaries maintaining footholds while business continues.

The Five Forces Breaking the Digital Board

In my presentation in New Orleans I argued that five forces are fracturing the digital order. They are not speculative; they are already reshaping contracts, compliance requirements, and boardroom assumptions.

The first force is technology as seen through a national security lens. Semiconductors, artificial intelligence, cloud services, and telecommunications are no longer primarily commercial domains. They are instruments of statecraft. U.S. export controls in 2022, 2023, and 2024 progressively tightened choke points. The December 2024 measures went further than ever by explicitly restricting high-bandwidth memory, a critical enabler of advanced AI systems. Beijing retaliated with export bans on gallium, germanium, and antimony. By October, antimony shipments to Europe had fallen to zero; by December, exports to the United States were prohibited entirely. These were not marginal supply chain disruptions. These served as examples of how economic warfare can leverage critical materials. For organisations, the implication is stark: every technology decision is now a geopolitical decision. Vendor risk is alignment risk.

The second force influencing geopolitics is regulation. By early 2023, one hundred separate data localisation measures were in effect across forty countries. More than two-thirds of the measures combined storage requirements with outbound flow restrictions, which are the most restrictive form possible. GDPR fines reached €1.2 billion in 2024 alone, with cumulative penalties since 2018 amounting to €5.88 billion. Survey data consistently shows regulatory fragmentation as a growing concern. PwC's 2024 Global Digital Trust Insights found that 73% of executives cite regulatory complexity as hindering cyber resilience efforts, while Gartner's 2024 CISO survey indicated that 68% of security leaders expect compliance requirements to create operational friction within two years. These frameworks are not converging. They are colliding. Compliance has become less about legal diligence and more about strategic positioning to maintain market access.

The third force is supply chain weaponisation. The 2021 compromise of Microsoft Exchange servers, attributed to Hafnium (linked to China’s Ministry of State Security), rippled through hundreds of thousands of organisations globally. By 2024, 81 percent of companies reported direct negative impacts from third-party breaches. The lesson is that one vendor compromise can cascade across entire sectors and geographies. Optimising for cost or speed alone is dead. Supply chains must now be mapped by jurisdiction as well as by function, with credible alternatives in place. Otherwise, one supplier sneezes in Shenzhen and the boardroom catches pneumonia in Sydney.

The fourth force is technology bifurcation. From 5G standards to encryption algorithms, rival stacks are emerging. Sovereign cloud infrastructure, designed to meet national data requirements, was a $96.8 billion market in 2024. By 2033 it is projected to reach nearly $649 billion. The result is not market hype. This approach incorporates coding sovereignty directly into the architectural design. For global firms, the outcome is maintaining parallel infrastructures. Efficiency will not save you from sovereignty. Organisations must design for modularity, knowing they will pay to run the same functions twice.

The fifth force involves fragmentation in both financial systems and standards. When Russia was excluded from SWIFT in March 2022, seven banks, including VTB, were cut off, representing up to 1.5 percent of daily transactions. It was a watershed moment, signalling that financial infrastructure itself is now an instrument of statecraft. The rise of central bank digital currencies and alternative settlement rails reinforces the trend. The result is parallel monetary systems that may not interoperate. For companies, resilience is no longer disaster recovery. It is the capacity to settle, pay, and be paid across shifting regimes.

Positioning, Not Prediction

Boards crave certainty: forecasts, percentages, straight lines. But in the cyber-geopolitical environment, certainty is an illusion. The risk is being lulled into the tyranny of the present – assuming tomorrow will be a linear extension of today.

Scenario planning is the antidote. It accepts that there is no single “most likely” future. Instead, it maps multiple plausible outcomes shaped by forces outside management’s control. The value is not in accuracy but in agility—expanding mental models so leaders are not blindsided when discontinuities hit.

My framework builds from this principle:

• Plausible futures are mapped against two critical axes: Threat Pressure (low to high) and Alignment (harmonised to fragmented). This generates distinct operating environments rather than one “expected case”.

• Preferences and constraints define what each actor wants and what structural limits allow. These shape the range of possible moves.

• Watchpoints and thresholds identify the signals that shift scenario weightings—tightened export controls, diverging AI governance blocs, or exposure to long-term persistence campaigns.

• Dynamic updating means probabilities are never fixed; they flex as signals emerge. Think less like a forecast and more like a GPS recalculating when a roadblock appears.

Futures of Fragmentation (Scenario Planning Quadrant)

Axes:

• X-axis: Threat Pressure → Low to High

• Y-axis: Alignment → Harmonised to Fragmented

Figure 1. Futures of Fragmentation (Scenario Planning). Framework developed by the author. Probabilities shift dynamically as signals (watchpoints) accumulate.

This approach translates directly to the boardroom. When I assigned a probability of 35–55% for a Red Zone trajectory within three years, it wasn't a random guess. This estimate was based on a specific point in time. However, when subsequent signals, such as mineral export bans, new choke points, and Salt Typhoon’s scope, all fired, the analysis pushed that probability north of 70%, and and the framework flexed, not because I “revised a forecast”, but because the evidence updated the map.

The point is simple: success doesn’t come from predicting which scenario will play out. It comes from positioning the organisation so it can survive and compete across whichever future emerges.

Red Zone vs Strategic Lattice

From this framework, two dominant high-threat futures matter most for organisations.

The Red Zone
This is what happens when threat pressure is high and alignment collapses. Regulatory regimes diverge until they are mutually incompatible. Rival technology stacks proliferate with little interoperability. Supply chains segregate along bloc lines. Financial and communications infrastructures evolve in parallel, cutting across assumptions of global integration. Intelligence sharing shifts from cooperative to competitive. If leaders fail to take action, the Red Zone will emerge as the default trajectory within 18 to 36 months.

The Strategic Lattice
The counter-scenario arises when threat pressure is high but alignment holds, at least partially. Here, blocs remain in competition but maintain a minimum viable architecture of interoperability. Some cross-border data flows are preserved, regulatory frameworks are selectively recognised, and crisis communication channels remain intact. Think of it as a cyber-era Bretton Woods: rivalry without collapse. Unlike the Red Zone, the Lattice will not emerge naturally. It requires deliberate leadership within the next 12 to 18 months.

Red Zone vs Strategic Lattice (Comparison Table)

Figure 2. Comparative scenarios. The Red Zone emerges by default; the Strategic Lattice requires active leadership to preserve interoperability under pressure.

Governance Implications

The governance challenge is no longer “What is the probability?” But “How do we know when probabilities change?” Scenario positioning beats point forecasting precisely because it avoids false precision while keeping strategic relevance.

• Board Chairs must anchor oversight in watchpoints: which signals—new sanctions, regulatory divergence, long-term campaigns—would force a shift in strategy?

• CEOs must guard against stranded growth. Models built for seamless efficiency can become liabilities in a Red Zone. Governance is now about optionality.

• CISOs must shift from episodic response to continuous operation under compromise. Volt Typhoon’s five-year dwell time is not an exception—it is the new benchmark. Detection, containment, and restoration metrics must be board-level indicators.

• Risk officers and insurers must acknowledge that persistence and supply chain aggregation create systemic exposures beyond actuarial modelling. Cyber is no longer an episodic, insurable peril—it is a continuous operational condition requiring new transfer models.

Operational Priorities for Boards

Compliance architecture must assume divergence. A data flow lawful in Frankfurt may be criminalised in Shanghai and blocked in Washington. Boards should require data flows to be tagged with lawful bases and kill switches built in, with rerouting capabilities tested regularly.

Supply chain sovereignty must be stress-tested. A backup supplier on paper is not resilience unless it has been exercised under production-like conditions. The December 2024 export controls showed how quickly critical components can disappear.

Technology stacks should be designed for hot-swappability. Crypto-agility is not jargon; it is survival when a regulator declares yesterday’s algorithm non-compliant. Identity providers, storage back-ends, and algorithm sets should be engineered for rapid replacement.

Geopolitical intelligence must sit alongside cyber threat intelligence. Organisations should not only track indicators of compromise but also indicators of regulation, sanctions, and persistent campaign intent. Trigger lists — what law or sanction would force a workload migration or supplier switch — should already exist.

Finally, decision velocity must be addressed. Fragmentation multiplies cognitive load. Authority must sit where information concentrates. Strategy can remain central, but execution must be distributed. Decision-making speed should be tested in scenario exercises, not assumed.

What Success Looks Like

Successful organisations will look different in the fractured digital order. They will hold portfolios resilient enough that no single vendor, standard, or jurisdiction represents critical dependency. They will have compliance capability that functions as a competitive differentiator. Their systems will be engineered for operational sovereignty, with components swappable at speed. They will continue operating under compromise, treating persistent adversary access as a baseline rather than an exception. And they will operate within trusted networks of alliances that span jurisdictions and sectors, recognising that ecosystem resilience matters more than platform dominance.

The Choice Ahead

We have crossed into a world where cybersecurity is inseparable from geopolitical positioning. The Red Zone is not inevitable, but signals keep firing. Only if leaders make it happen will the Strategic Lattice remain viable.

Boards face a strategic paradox: they must prepare for the Red Zone while working to preserve the Strategic Lattice. Success requires not predicting which scenario will emerge but building adaptive capacity for either outcome.

In geopolitics as in chess, the winner is not the grandmaster with elegant theory. It is the player who still has pieces on the board when the clock runs down.

The winners will be those who recognise cybersecurity, not as IT plumbing but as geopolitics.

John Ellis is Global Head of Security Trust & Influence at QBE Insurance and writes at GeopoliticalCyber. The views expressed are the author’s own and do not represent the positions or policies of any employer or affiliated organisation.

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

Trump’s back. Tariffs are flying. And “Liberation Day” is grabbing headlines across the globe. But behind the slogans lies something more consequential: a shift in U.S. economic posture that’s sending ripples well beyond America’s borders. For allies like Australia, it signals a broader inflection point—one that tests our economic resilience and raises deeper questions about where we’re exposed.

Australia isn’t the main target of America’s latest protectionist push, but we’re certainly not immune. A 10% tariff now applies to $23.9 billion worth of Australian exports—beef, pharmaceuticals, aluminium among them. The message, while not overt, is hard to miss: alignment matters.

And while tariffs dominate the headlines, they’re only part of the story. Beneath the trade tension lies a more enduring strategic concern—one that’s embedded in how we operate day to day: our deep reliance on U.S.-controlled digital infrastructure.

Visible Dependence – Trade Tensions in Sharp Relief

Let’s start with what we can quantify:

• Beef exports, a key component of our trade relationship with the U.S., now face a 10% cost hike. Demand may remain high, but margins just got tighter.

• Pharmaceuticals have been exempted—for now. That likely has more to do with global health supply chains than any special diplomatic carveout.

• Mining, while not directly targeted, remains exposed to second-order effects if demand slows in China, South Korea, or Japan.

KPMG has projected that the tariff package could reduce Australia’s GDP by A$27 billion. That’s not theoretical—it’s fiscal pressure with real-world consequences. This isn't just about trade. It’s about how the world is reorganising itself.

At home, policymakers are weighing two competing instincts: align more closely to avoid collateral damage—or maintain strategic space. It’s not a left-right issue. It’s a resilience calculus.

The Hidden Dependency – Deeply Embedded Digital Reliance

But beyond the tariff sheets and customs codes lies another form of dependency—one that doesn’t show up on a shipping manifest.

Australia’s public and private sectors run on U.S.-controlled platforms:

• AWS supports infrastructure for over 140 government agencies.

• Microsoft 365 is now the de facto productivity suite across the federal landscape.

• Azure and Google Cloud underpin critical services in finance, healthcare, and telecoms.

• Apple and Android dominate mobile platforms. Google Search is near-universal.

These are exceptional technologies. But reliance, no matter how efficient, comes with risk. Not because the platforms are flawed, but because they exist within a different legislative and geopolitical context.

What happens if access is limited—not out of hostility, but through regulatory change? What happens if geopolitical tension triggers restrictions? We’ve seen both play out globally.

The question isn’t whether these platforms are trustworthy. It’s whether we have a contingency if conditions shift.

Rethinking Sovereignty – From Borders to Backends

Sovereignty once meant border control, defence capability, and national infrastructure. Today, it must also account for platform control, data jurisdiction, and the resilience of digital systems.

The U.S. has demonstrated it will use digital platforms as tools of statecraft—sometimes directly, sometimes through broader legal mechanisms like the CLOUD Act or export controls. This isn’t a criticism. It’s a recognition of how power is exercised in the 21st century.

Even allies must understand: access to core systems can become conditional. Not out of malice, but as a function of shifting strategic priorities. Resilience now requires more than strong firewalls. It requires structural optionality.

Building Digital Resilience: What It Actually Takes

So what does that look like in practice? Not panic. Not wholesale decoupling. But deliberate, strategic rebalancing:

1. Multi-cloud architectures – Prioritise design flexibility to avoid single points of failure.

2. Local capability uplift – Invest in domestic platforms for critical and high-sensitivity functions.

3. Trusted regional alliances – Collaborate with partners like Japan, South Korea, and EU nations on shared digital frameworks.

4. Critical infrastructure standards – Treat cloud and data platforms with the same scrutiny we apply to ports, grids, and pipelines.

5. Tech diversification as trade strategy – Just as we’ve expanded export markets, we must expand our tech stack.

6. A national digital sovereignty plan – A roadmap that aligns economic, cyber, and supply chain resilience into a single strategic narrative.

This isn’t about building digital fortresses. It’s about building optionality at scale.

Final Thought: Optionality is Strategic Strength

U.S. platforms will remain core partners. Their innovation and scale are unparalleled. But resilience demands more than efficiency. It demands the ability to pivot when circumstances change.

Sovereignty used to mean borders. Today, it means controlling your platforms, your data flows, and your digital identity.

In an era of multipolar technology and global interdependence, resilience isn’t just protection—it’s the ability to adapt.

If we want to navigate the future on our own terms, we need more than access. We need agency.

All views are my own. You can disagree. But the infrastructure still runs in Virginia.

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

"The Fire of Illusions" - pictured generated by DALL·E, AI image-generation tool

In shadowed caves where echoes reign,
Men watch the walls and call it plain.
Bound by chains of whispered lore,
Truth is but the tale they swore.

The priests once spoke from altars high,
Marking stars upon the sky.
"This is light, this is dark,
Bow your head, ignite the spark."

But kings soon learned, with gilded pen,
That gods could rule through mortal men.
The papal seal, the emperor’s writ,
Turned holy tongues to politics.

Then came the press, the printed page,
A new machine, the war of age.
Monarchs fell, the truth stood free,
Yet money bought its sovereignty.

The radio hummed, the screens soon shone,
And every voice became a throne.
Wars were waged on what was real,
Truth was shaped by those who deal.

And now the net, the tangled sprawl,
A hundred flames, none true at all.
A million prophets, each their creed,
All selling doubt as holy seed.

The East weaves whispers in the mist,
The West cries out, yet both insist:
“We speak the light, they speak the lies.”
Yet truth, like smoke, still twists and flies.

And so we stand, axe in hand,
Chopping wood upon the land.
Before enlightenment, the fire burned,
After? Only lessons learned.

For truth’s no beacon, standing bright,
But a bonfire lit in the dead of night.
Fed by power, fanned by schemes,
A flickering wisp of shattered dreams.

So ask not what is truth, my friend,
But who has shaped it in the end.

The Bonfire of Truth – Reflections and Annotations

What is truth?

A simple question with an answer that has been shaped, twisted, and weaponized throughout history. From the shadows of Plato’s cave to the altars of religion, from monarchs' decrees to the algorithms that now dictate what we see, truth has always been less about objective reality and more about who holds the power to define it.

This poem started as a passing comment in a chat group, turned into a journal entry, then escalated into a late-night debate with my wife (which, for the record—and for my continued domestic peace—I definitely lost). The spark? A discussion about narratives in global geopolitics, particularly Peter Zeihan’s views on the Ukraine-Russia war, Western commentary, US politics, and China’s approach to information warfare.

But beyond the politics, this piece is something more personal. I’ve always been fascinated by the tug-of-war between perception and reality—how civilizations have built entire frameworks around belief, how power has always found a way to shape “truth,” and how, despite all our technological advancements, we are still just as susceptible to illusions as the prisoners in Plato’s cave. Maybe even more so.

This poem is my meditation on truth, power, and perception throughout history. It weaves together my understanding of philosophy, historical shifts in information control, and the cynical realities of modern narratives. Below, I’ve included a breakdown of the themes and references embedded in the lines—so you can see the thought process behind what I wrote and why.

In the end, I kept circling back to a line from Epictetus:

“It is impossible for a man to learn what he thinks he already knows.”

So here’s my take—a poem on the malleability of truth, shaped by my interest in history, philosophy, Stoicism, cyber security, and geopolitics. Hope it sparks some thoughts of your own.

1. Plato’s Cave and the Perception of Truth

In shadowed caves where echoes reign,
Men watch the walls and call it plain.

This is a direct nod to Plato’s Allegory of the Cave from The Republic. In his metaphor, prisoners are chained in a cave, only able to see shadows projected onto a wall. They mistake these shadows for reality because it is all they have ever known. The line highlights the idea that our perception of truth is often nothing more than reflections of deeper realities controlled by unseen forces.

2. Religion as the Original Shaper of Perception

The priests once spoke from altars high,
Marking stars upon the sky.
"This is light, this is dark,
Bow your head, ignite the spark."

Here, the poem references the role of organised religion in shaping societal beliefs. Throughout history, religious institutions have dictated moral and cosmological truths—claiming divine authority to define what is right, wrong, sacred, or heretical. This duality of light vs. dark reflects how structured narratives shape human behavior, often invoking divine legitimacy to command obedience.

3. The Transition to Political Power and Ideological Control

But kings soon learned, with gilded pen,
That gods could rule through mortal men.
The papal seal, the emperor’s writ,
Turned holy tongues to politics.

As empires rose, kings and rulers realised that controlling religious doctrine meant controlling the people. The Divine Right of Kings, the Holy Roman Empire, and imperial mandates all showcase this fusion of religious and political power. When the papal seal or an emperor’s decree determined ‘truth,’ it blurred the line between faith and governance.

4. The Printing Press and the Battle for Information

Then came the press, the printed page,
A new machine, the war of age.
Monarchs fell, the truth stood free,
Yet money bought its sovereignty.

This section touches on the Gutenberg press and the democratisation of knowledge. The printing press enabled the Reformation, the fall of absolute monarchies, and the spread of new ideologies. However, while information became more widely available, it also became commodified—truth no longer belonged to the clergy but to whoever controlled the press, the publishers, and later, the media.

5. Mass Media, Propaganda, and the 20th Century

The radio hummed, the screens soon shone,
And every voice became a throne.
Wars were waged on what was real,
Truth was shaped by those who deal.

This reflects the rise of mass media, propaganda, and information warfare. From World War II propaganda to the Cold War’s ideological battles, truth became a tool wielded by governments and corporations. The advent of television and radio ensured that controlling the narrative meant controlling entire populations. The phrase “those who deal” alludes to media moguls, intelligence agencies, and corporate interests shaping public perception for profit and power.

6. The Digital Age and the Chaos of Competing Truths

And now the net, the tangled sprawl,
A hundred flames, none true at all.
A million prophets, each their creed,
All selling doubt as holy seed.

This section encapsulates the internet’s role in fragmenting truth. Unlike past centuries where centralised authorities controlled narratives, today’s digital landscape has created an explosion of competing voices. From conspiracy theorists to state-sponsored misinformation campaigns, everyone claims to hold the ‘real’ truth. The phrase “selling doubt as holy seed” is a nod to how skepticism—once a tool for enlightenment—has been weaponised to erode trust in institutions, leaving people susceptible to manipulation.

7. Geopolitical Propaganda and the New Battlefields

The East weaves whispers in the mist,
The West cries out, yet both insist:
“We speak the light, they speak the lies.”
Yet truth, like smoke, still twists and flies.

This section moves into the realm of geopolitical information warfare, particularly between China, Russia, and Western powers. Every major global player claims to represent the light while casting their adversaries in shadow. China’s state-controlled media, Russian disinformation strategies, and Western corporate news spin all operate under the same fundamental principle: control the narrative, control the populace.

Yet, as the last line suggests, truth remains elusive—drifting like smoke, impossible to grasp fully.

8. Zen Philosophy and the Return to Simplicity

And so we stand, axe in hand,
Chopping wood upon the land.
Before enlightenment, the fire burned,
After? Only lessons learned.

This is inspired by the Zen proverb: "Before enlightenment, chop wood, carry water. After enlightenment, chop wood, carry water." It suggests that even after great revelations or awakenings, the fundamental nature of existence remains unchanged.

In the context of the poem, this passage questions whether uncovering ‘truth’ changes anything at all. Despite humanity’s endless search for certainty—through philosophy, religion, media, and war—the struggle remains the same.

9. The Final Cynical Reflection: Who Holds the Match?

For truth’s no beacon, standing bright,
But a bonfire lit in the dead of night.
Fed by power, fanned by schemes,
A flickering wisp of shattered dreams.

Here, truth is likened not to a guiding light but to a bonfire—manipulated, fed, and controlled. The image of a bonfire in the night suggests that truth, far from being an objective force, is something that those in power construct and manipulate to serve their needs.

So ask not what is truth, my friend,
But who has shaped it in the end.

The final lines drive home the ultimate cynicism of the poem: truth is rarely a pure, objective reality. More often than not, it is a construct—crafted, shaped, and reshaped by those with the means to do so.

In the world of geopolitics, information warfare, and ideological battles, the question is not simply what is true? but who benefits from this version of truth?

Closing Thoughts

This poem and its accompanying reflections paint a picture of truth as a contested space, a tool of power, and a shifting illusion shaped by those in control. From ancient philosophy to modern geopolitics, the nature of truth has remained as much a battlefield as it has a mystery.

In a world where competing narratives drown each other out, perhaps the only certainty is that someone, somewhere, is holding the match.

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

Introduction: From Idealism to Realpolitik

For most of my career, I believed technology could bridge divides and tackle humanity’s most urgent challenges—that AI, cyber, and digital infrastructure were enablers of global progress, not weapons in an escalating power struggle. I’ll admit, part of that optimism stemmed from a genuine desire to see innovation used for social good rather than geopolitical rivalry.

But my perspective shifted when I saw how quickly technology moved from enabler to potential weapon. The U.S. response to China’s 5G dominance, AI breakthroughs, and semiconductor push wasn’t merely fair competition—it was about containing a strategic rival. Almost overnight, innovation felt like a battlefield.

China, meanwhile, didn’t just respond—it intensified its efforts. The Chinese administration viewed cyberspace and outer space as strategic realms of global power, concluding it had to compete there. That realisation resonated deeply—especially after years spent studying China’s culture, language, and history with both admiration and curiosity.

(Acknowledging Bias: My background ties me to both Western markets and Sino perspectives, so I must ensure I don’t oversimplify either as monolithic. The West, too, can be fragmented, and China’s strategies, though often portrayed as unified, hold internal complexities.

That vantage point prompted me to re-examine my assumptions about how states leverage technology, especially once I encountered Cyber Persistence Theory, which posits that modern conflict isn’t limited to conventional or nuclear means—cyberspace is now a key domain of strategic competition. It crystallised what I had already sensed:

• Unlike conventional warfare, cyberspace is a realm of persistent exploitation, where nations don’t seek final victory but ongoing advantage—cyber operations, AI supremacy, digital dominance.

• China isn’t just competing; it’s playing a long game, integrating cyber and AI into supply chains, finance, and regulatory frameworks.

• The West isn’t simply defending; it’s aggressively shaping the battlefield via economic restrictions, cybersecurity mandates, and digital governance to contain China’s rise.

For me, it was a sober reminder that the cyber domain, AI, and the broader tech ecosystem aren’t just industries; they’re central arenas of modern geopolitics. As Kai-Fu Lee notes in AI Superpowers, the AI race extends beyond mere innovation—it’s about defining the future.

But this isn’t just about banning an AI model or protecting digital privacy—it’s about who writes the rules of the digital age.

If we still see this as purely about blocking one AI model, we’re playing checkers.

Whereas the real game is Go—strategic positioning ensures dominance long before anyone realises they’ve lost. Naturally, the map isn’t the territory; real geopolitics is more intricate than any board game. Still, checkers vs. Go highlights how short-term battles differ from long-term strategic power.

(Misconception to Note: “Checkers vs. Go” is just a metaphor—some take it literally, but it’s meant to illustrate how short-term or reactive bans contrast with sustained positioning.)

Navigating this landscape triggers a personal dilemma: I straddle Western markets (in cyber and insurance) yet have deep ties to China (studying its culture and language). I’m constantly seeking strategies that protect security without discarding the ideals of global collaboration I hold dear.

The Digital Battlefield: Banning AI is Just the Start

When I first wrote about the Chinese AI startup DeepSeek, I framed the push for its restrictions as a selective security measure, arguing that the real issue wasn’t just cyber security but the geopolitics of who controls the future of AI, cyber, and technology.

Since then, a clear pattern has emerged:

• Australia, South Korea, Taiwan, and Italy have all moved to restrict DeepSeek—whether by banning it from government systems or implementing broader limitations.

• In the broader struggle over security and corporate independence, the UK has ordered Apple to create an encryption backdoor (Washington Post, 2025), undermining its own privacy stance while banning foreign AI on “security concerns.” Apple’s predicament exposes a deeper tension between corporate autonomy and state control, raising the fundamental question: who sets the rules?

• China is actively embedding its digital governance frameworks across the Global South, shaping the technological landscape on its own terms. Meanwhile, the West remains on the defensive—reacting with bans rather than defining a proactive strategy.

But this isn’t just about technology bans and backdoors—it’s about fragmentation, eroding trust, and a global power struggle over digital control. The digital world is splintering into competing blocs, each imposing its own rules, standards, and strategic interests.

We’re past a simple U.S.-China standoff. The contest has expanded—spanning multiple nations, technologies, and governance models as countries navigate the increasingly complex struggle for digital dominance.

Beyond the U.S.-China Binary: A Multipolar Digital Order

An old colleague and dear friend from Singapore once said:

"John, many Westerners see this as a two-player game, China vs. US, but there are many playing their own game entirely."

He was right:

• India is developing AI and semiconductor industries to remain independent of both the U.S. and China. Its indigenous chip production is a power move, securing critical infrastructure in global supply chains.

• Singapore, Japan, and South Korea shape hybrid digital governance models aligned to their economic and security needs—not merely echoing the U.S. or China.

• The UAE is emerging as a global AI hub, positioning itself as a neutral bridge among various ecosystems.

• African nations adopt localised fintech, telecom, and AI solutions, reducing reliance on Western or Chinese platforms.

As Ian Bremmer discusses in Us vs. Them (Bremmer, 2018), local or nationalistic strategies are remaking global dynamics. Indeed, banning Chinese AI (like DeepSeek) showcases a broader shift: multiple competing digital ecosystems are arising under their own frameworks.

(Possible Bias: We might overemphasise state-level moves—governments are key, but major private players, civil society, and open-source efforts also shape these ecosystems.)

Yet as these new digital orders form, one question lingers: How does the West respond to restricting China’s tech? That leads us to the strategic paradox of bans.

The Strategic Paradox: The More We Block, The More China Builds

Western policy frequently centres on restricting China’s access to AI, semiconductors, and cybersecurity tools—assuming it’ll slow China’s ascendancy.

But it’s quickening their independence:

• Huawei, meant to be hamstrung by sanctions, is now producing 7nm chips (Reuters, 2024).

• China is “decoupling” from Western tech, building its own AI ecosystems, supply chains, and platforms.

• Through Belt & Road, China extends its digital governance norms across the Global South (Hillman, 2021).

  

And it’s not just China adapting—everyone is:

• Brazil is draughting AI and encryption laws, asserting digital sovereignty.

• The EU’s Digital Markets Act is reshaping how global tech giants operate, defining distinct regulatory standards.

• India, Israel, and South Korea craft AI and cybersecurity policies suited to their national goals.

The Five Dimensions of Digital Power (5D2P): A Framework for Strategic Influence

Rather than simply reacting to China’s AI advances, the West must proactively shape the global digital order. This requires a fundamental shift—from defensive containment to assertive leadership in defining the future of technology. Securing long-term strategic positioning demands investment, innovation, and regulatory influence, not just countermeasures.

The Five Dimensions of Digital Power (5D2P) offer a strategic lens for understanding how nations compete in the modern tech landscape. By examining these dimensions, we move beyond isolated challenges to a comprehensive strategy—one that strengthens national security, economic influence, and global leadership in an era of digital competition.

1. Technology Sovereignty – Who Controls the Foundations of Digital Power?

The first dimension—technology sovereignty—centres on control over critical technologies such as artificial intelligence, semiconductors, encryption, and cloud computing. A nation’s ability to secure and advance these foundational capabilities determines its resilience and strategic autonomy in an interconnected world. Without self-sufficiency in these areas, dependence on external suppliers creates structural vulnerabilities, exposing economies and national security to geopolitical coercion.

To achieve true technology sovereignty, the West must aggressively invest in next-generation chip design, AI leadership, and cyber security innovation. This will likely require direct government intervention, including strategic subsidies for private firms to ensure technological leadership remains aligned with national interests. The U.S. National Security Commission on AI (NSCAI) Final Report underscores the urgency of these investments, warning that falling behind in AI and semiconductor development could undermine national security (U.S. NSCAI, 2021).

Meanwhile, China’s Made in China 2025 initiative showcases how state-backed investment is actively reducing dependency on Western technology. The recent 7nm chip breakthrough by Huawei—achieved despite U.S. sanctions—demonstrates how strategic investments can accelerate domestic capabilities (Reuters, 2024). The race for technology sovereignty is not just about innovation; it’s about control over the digital and economic future.

2. Market Influence – Who Shapes the Digital Economy?

The second dimension—market influence—determines which nations shape the global AI, cyber, and digital services landscape. Economic power in these sectors isn’t just about financial gains—it translates directly into geopolitical leverage.

A common misconception is that technological dominance is driven solely by state actors. In reality, corporate giants—from Google and Microsoft to Huawei and Alibaba—dictate much of the market direction. At the same time, the European Union wields regulatory influence through the Brussels Effect, exporting its data privacy and technology standards worldwide (Bradford, The Brussels Effect, 2020).

China’s Belt and Road Initiative (BRI) extends its digital footprint through massive infrastructure investments, embedding Chinese digital norms and platforms across Africa, Latin America, and Southeast Asia (Hillman, 2021). This means digital market leadership isn’t just about selling AI models—it’s about controlling the frameworks that govern AI deployment and global digital infrastructure.

3. Governance & Norms – Who Writes the Rules of the Digital Age?

The third dimension—governance and norms—determines who sets the rules for AI security, cyber operations, and digital policy. Nations that lead in shaping digital governance don’t just influence technology; they define how AI is deployed, how cybersecurity threats are mitigated, and what ethical boundaries exist in AI-driven decision-making.

This competition goes beyond national laws—it’s about who establishes global standards. The EU’s General Data Protection Regulation (GDPR) reshaped how companies worldwide handle data, while China’s Cybersecurity Law and Data Security Law force foreign companies to comply with Chinese security requirements, embedding Beijing’s influence into the global digital framework.

As Ian Bremmer notes in Us vs. Them, the fragmentation of governance models reflects a broader geopolitical realignment, where nations shape digital governance to serve their political and economic interests (Bremmer, 2018).

While Western democracies prioritise privacy, decentralisation, and open internet principles, China advocates a state-controlled model, exporting digital authoritarianism through its state-backed tech giants (Kai-Fu Lee, AI Superpowers, 2018). The battle is no longer just about which AI systems dominate—it’s about which governance frameworks will define the future digital order.

4. Supply Chain Control – Who Owns the Infrastructure of the Digital Age?

The fourth dimension of technological competition—supply chain control—underscores the critical need for ownership over hardware, software, and essential raw materials, including rare earth elements and high-performance magnets. As Ed Conway notes in Material World, securing these resources is as vital as mastering semiconductor design (Conway, 2023). Without them, even the most advanced chip architectures remain theoretical exercises.

China currently dominates the global supply chain for rare earth elements, which are indispensable for producing semiconductors, batteries, and AI hardware. This dominance creates a structural dependency that leaves Western technology firms vulnerable to bottlenecks, stalling innovation, and weakening resilience in strategic industries.

While the CHIPS Act aims to restore domestic semiconductor manufacturing in the U.S., it does little to address the upstream dependency on critical raw materials—leaving fundamental supply chain vulnerabilities unaddressed. Compounding this risk is the continued reliance on TSMC in Taiwan and Samsung in South Korea for cutting-edge chip fabrication. These dependencies represent a geopolitical chokepoint—one that could disrupt entire industries if tensions in the Taiwan Strait or Korean Peninsula escalate (Miller, Chip War, 2022). As Chris Miller highlights, whoever controls semiconductor design holds the keys to AI leadership.

Supply chain control is not just about securing raw materials—it extends to infrastructure resilience. Dependence on foreign-owned cloud providers, semiconductor foundries, and networking equipment introduces security risks that cannot be ignored. As global supply chains fragment, so too does the digital ecosystem. The once-monolithic internet is splintering along geopolitical lines, reinforcing the urgency of technological self-sufficiency.

Securing the future isn’t merely about controlling resources—it’s about fortifying infrastructure, diversifying supply chains, and reducing strategic exposure to foreign influence. Without a concerted effort to shore up these vulnerabilities, Western economies risk ceding not just production capacity but also technological leadership itself.

5. Persistent Digital Competition – How Do Nations Secure an Ongoing Advantage?

The final dimension—persistent digital competition—reflects the reality that cyber conflict and AI-driven rivalry are ongoing, not isolated battles with clear winners and losers. Unlike traditional warfare, cyber operations and AI-enabled strategies unfold in real time, continuously reshaping the balance of power across finance, intelligence, and defence.

Nations that effectively integrate cyber security, AI-driven intelligence, and strategic disinformation gain a sustained advantage. The U.S., China, and Russia all engage in cyber espionage, influence operations, and AI-enhanced intelligence gathering—not to achieve immediate victories, but to gradually erode adversaries’ strengths and shape the future digital landscape to their benefit.

This competition extends beyond national security—it’s a struggle for economic and ideological dominance. AI-generated disinformation, financial cyberattacks, and algorithmic decision-making in warfare are no longer hypothetical threats; they are emerging tools of statecraft, forcing governments and industries into a state of continuous adaptation.

As Jonathan Hillman argues in The Digital Silk Road, China’s push for digital infrastructure dominance isn’t just about economic expansion—it’s about securing long-term strategic leverage through cyber and AI-enabled influence (Hillman, 2021). In this environment, digital resilience is no longer optional—it’s the foundation of geopolitical power.

Shaping the Future, Not Just Defending It

It is a misconception to think the semiconductor race alone will determine the outcome of this strategic contest. While chip design and fabrication are crucial, raw materials, open-source innovation, and private-sector influence play equally important roles. There is no single solution that guarantees dominance in this evolving digital landscape.

If the West hopes to lead, it must move beyond reactive policies like banning Chinese AI models or restricting access to key technologies. Instead, it must proactively define the digital ecosystem, ensuring that democratic values, technological sovereignty, and economic security remain at the forefront.

Whether through policy, investment, or market strategy, nations must play a long game—not checkers, but Go—positioning themselves to set the rules of the next digital age rather than reacting to the moves of others.

Apple’s encryption standoff in the UK exemplifies how governments can compel Big Tech to align with national priorities—touching privacy, autonomy, and global rule-setting. This microcosm captures the larger puzzle: Who truly governs our digital future?

Beyond AI and cyber, the horizon promises quantum computing, biotech, and outer space technology—all potential new battlegrounds. If we remain bogged down in reactive bans, we risk repeating these missteps in the next domain.

(Another Bias: We may lean on a zero-sum mindset—one side’s gain is the other’s loss. Yet areas like AI ethics or climate tech could benefit from partial cooperation.

Final Thoughts

This digital battlefield isn’t simply about AI—it’s about who writes the rules of the 21st century. The checkers-vs.-Go analogy may not perfectly reflect real geopolitics, but it does reveal how short-term tactics differ from sustained strategic power.

Ultimately, the West must pick: either shape the digital ecosystem with foresight and collaboration or cling to reactive bans that let others dictate the future. As someone bridging Western markets and Chinese perspectives, I believe realpolitik can still incorporate cooperation and innovative ideals—it simply demands intentional effort to script the next digital chapter instead of reading lines someone else has already written.

Personally, reconciling my commitment to global collaboration with a security-first lens means recognising that national advantage and collective progress aren’t always mutually exclusive. We must choose carefully which battles need strict regulation and which areas—like AI for healthcare or climate research—benefit from cross-border partnership. Doing so might prevent Apple-like showdowns in the future and allow us to harness technology for a more balanced, cooperative world.

(Epilogue: Yes, the map isn’t the territory; real geopolitics is messy and diverse. But if we chase illusions of simple, quick wins, we’ll overlook deeper supply chain complexities, raw material dependencies, private sector power, and the truth that neither China nor the West is monolithic. Recognising these nuances is the first step in forging a more balanced digital future.

References

1. Kai-Fu Lee, AI Superpowers: China, Silicon Valley, and the New World Order. Houghton Mifflin Harcourt, 2018.

2. [Washington Post article on Apple’s encryption backdoor (2025)]

3. Ian Bremmer, Us vs. Them: The Failure of Globalism. Portfolio, 2018.

4. [Reuters article on Huawei producing 7nm chips]

5. Jonathan E. Hillman, The Digital Silk Road: China’s Quest to Wire the World and Win the Future. Centre for Strategic and International Studies, 2021.

6. Chris Miller, Chip War: The Fight for the World’s Most Critical Technology. Simon & Schuster, 2022.

7. U.S. National Security Commission on AI (NSCAI) Final Report. March 2021.

8. Ed Conway, Material World: The Myth of Progress and the Reality of the Resource Crunch. [Knopf Doubleday Publishing Group, 2023]

Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

Illustration: Ben Jones The Economist: The front line of the tech war is in Asia

A Lifelong Fascination with the Great Game

As a kid, I spent hours poring over world maps, flipping through my Collins Encyclopedia (best present ever), and watching Sean Connery’s Bond navigate Cold War intrigue (Daniel Craig is my favourite Bond - just). That childhood curiosity evolved into a lifelong study of geopolitics, history, technology, and the great game—one that has taken me across China for over two decades, studying its language, culture, and philosophy firsthand.

Some will label me "pro-China" or even "pro-CCP." But I don’t see this as taking sides—I see it as understanding the full picture. Actually, in a playful homage to Russell Crowe’s Oscar acceptance speech: "Cheers to America! May China prosper! Kia Kaha, New Zealand! And thank the Southern Cross for Australia!"

Because let’s be clear—this debate isn’t just about DeepSeek, Huawei, or EVs. It’s about who controls the future. It’s about who sets the rules, who shapes the digital order, and who dominates the next era of global power.

Technology as a Contested Domain in the Great Power Competition

Technology is no longer just about innovation—it’s about leverage, influence, and control.

• AI, semiconductors, quantum computing, and data governance have become the frontlines of great power competition.

• China’s rapid advancements directly challenge U.S. dominance, accelerating the transition toward a multipolar world.

This shift forces us to ask:

• Are we adapting to this new multipolar reality—or just reacting to it?

• Are we critically assessing AI security risks—or defaulting to technological decoupling as a tool of strategic competition?

The Battle for the Digital Order: Competing Visions

This isn’t just about AI or cyber security. It’s about who writes the rules of the digital age.

For decades, the U.S.-led liberal order set the global norms—open markets, democratic values, and Western-dominated institutions shaping trade, finance, and technology. The West built the system, policed the system, and benefited from the system.

Now, China is creating an alternative.

• Belt and Road Initiative (BRI): Infrastructure projects that bind countries into China’s economic orbit.

• AIIB & Digital Silk Road: Parallel financial institutions and tech ecosystems that bypass Western gatekeepers.

• Technology Standards: China is actively shaping global AI, 5G, and quantum computing norms, often in ways that reflect state control over information and infrastructure.

So when we talk about AI bans, tech decoupling, and cyber security fears, we’re really talking about who sets the rules for the next era of technology.

Are we prepared to compete on that level—or are we just trying to stall the inevitable?

The Selective Security Debate: Why Only Chinese Tech?

We’ve seen this playbook before:

• Huawei & ZTE – Huawei spent years under UK National Cyber Security Centre (NCSC) scrutiny, yet was banned—not due to technical flaws, but geopolitical distrust. ZTE faced similar scrutiny, based more on state ties than clear evidence of wrongdoing.

• Chinese Electric Vehicles (EVs) – Now facing scrutiny over connected systems that supposedly pose security risks.

Yet we blindly trust connected vehicles from Tesla, Hyundai, Toyota, and BMW—all of which regularly send data offshore and have already been compromised by cybercriminals.

I drive a Subaru, and I'm not exactly thrilled about the latest security incident: Wired: Subaru Location Tracking Vulnerabilities

Why are Chinese EVs framed as an existential security risk, while others aren’t?

Is this about cyber security—or about geopolitical trust?

Cyber Operations: A Contested Domain That Won’t Disappear

One of the most naïve assumptions in this debate is that cutting off Chinese AI or banning its technology will make us "more secure."

The reality? Cyberspace is a battlefield—always has been, always will be.

• Cyber Persistence Theory (Lindsay, Fischerkeller, & Harknett) argues that cyber competition is constant, not episodic—states don’t wait for war to conduct cyber operations. They engage in persistent campaigns of intrusion, influence, and exploitation. https://academic.oup.com/book/41918

• The International Institute for Strategic Studies (IISS) confirms that every major nation-state engages in cyber operations—not just China, but also the U.S., UK, Australia, Russia, Iran, and others. https://www.iiss.org/research-paper/2022/02/great-power-offensive-cyber-campaigns/

This means that while concerns over Chinese cyber activities are valid, pretending that blocking Chinese AI or EVs eliminates cyber risk is delusional.

Because let’s be real:

• China engages in cyber espionage? Yes.

• The U.S. engages in cyber espionage? Also yes.

• The U.S. and its allies conduct persistent cyber operations against adversaries? Absolutely.

If we’re serious about national security, we need proactive cyber resilience strategies, not knee-jerk bans that give a false sense of security.

Who Profits From the Fear Narrative?

A more uncomfortable truth is that some actors profit from portraying cyber security as an absolute, existential crisis. This isn’t to downplay real threats—but who benefits from certain narratives?

• The cyber security industry thrives on fear—the more catastrophic and unsolvable the threats appear, the easier it is to sell security solutions, services, and consultancy.

• The intelligence and defense sectors benefit from heightened tensions, which drive investment into offensive and defensive cyber capabilities.

• Policymakers use cyber security fears to justify restrictive policies, sometimes for economic protectionism rather than genuine security concerns.

China’s rise in AI, EVs, and quantum computing is a challenge, but is it an existential threat that justifies shutting down engagement? That’s a stretch.

Fear sells. But is it strategically wise?

The Path Forward: Compete, Don’t Avoid

China is shaping the future of AI, connected vehicles, and the global tech order—whether the West likes it or not.

The challenge isn’t avoiding AI like DeepSeek or banning Chinese EVs—it’s learning how to engage with China’s rise strategically, without escalating into all-out technological confrontation.

Instead of retreating into binary narratives, we should be asking:

• How do we create rigorous AI evaluation frameworks that apply to all technologies—regardless of origin?

• How do we maintain leadership in AI without knee-jerk protectionism?

• How do we compete intelligently instead of reacting out of fear?

This is where Graham Allison’s Thucydides Trap becomes relevant—history shows that when a rising power (China) challenges an established hegemon (U.S.), tensions escalate—often to the point of conflict. https://www.hks.harvard.edu/publications/destined-war-can-america-and-china-escape-thucydidess-trap

However, Kevin Rudd’s The Avoidable War offers an alternative view—that this competition can be strategically managed through engagement, diplomacy, and clearly defined red lines. https://www.hachette.com.au/kevin-rudd/the-avoidable-war-the-dangers-of-a-catastrophic-conflict-between-the-us-and-xi-jinpings-china

Conclusion: Compete or Concede?

The rise of Chinese tech isn’t a threat to be avoided—it’s a challenge that demands intelligence, innovation, and strategic competition.

If the West chooses fear over engagement, it won’t just be losing the AI and tech race—it will be conceding its leadership in the future of global technology.

Because if "block China" is the best strategy we can come up with, then we’re not leading. We’re reacting. And if we’re only reacting, we’ve already lost the initiative.

The question isn’t whether we trust Chinese tech—it’s whether we trust ourselves to lead the future of global innovation.