Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.

This article builds on my presentation at Gartner’s Global CISO Executive Summit in New Orleans, where I introduced the framework “Five Forces Breaking the Digital Board.” What follows expands on that analysis, integrating fresh research on digital fragmentation, supply chain weaponisation, and my scenario planning methodology. The argument is simple: it’s not prediction that matters, but positioning. Positioning is resilience, and resilience decides who wins tomorrow.

From Plumbing to Battlefield

When Salt Typhoon briefings reached Capitol Hill in December 2024, the response was visceral. Senators walked out of classified sessions visibly rattled. Mark Warner called it “the worst telecom hack in our nation’s history.” Christopher Wray described it as “the most significant cyberespionage in history.” Marco Rubio dispensed with understatement, labelling it “the most disturbing and widespread incursion into our telecommunications systems in the history of the world.”

This episode was not theatre. It was the realisation, at the highest levels of government, that the plumbing metaphor for cyber has expired. For years, boards and their management, treated cyber like piping in a building: invisible until it burst, patchable when it did, and insurable against financial leakage. That era is gone. Cyber today is not hidden infrastructure behind the walls. It is contested terrain outside the front door. The water company may still deliver supply, but in this world it could also be an adversary with a hand on the valve.

The Persistence Condition

Too many organisations continue to approach cyber threats in an episodic manner, responding to an attack, mounting a response, ensuring recovery, and then issuing a report. That model is obsolete.

Volt Typhoon maintained access to U.S. critical infrastructure for at least five years. Salt Typhoon burrowed into telecommunications networks from 2022 through late 2024 and was still present during congressional briefings. These were not mere raids. They were patient positioning campaigns, a reminder that persistence is not an exception in cyber but the norm.

Cyber persistence theory explains why. Michael Fischerkeller and colleagues argue that unlike conventional warfare (which seeks victory through conflict) or nuclear strategy (which seeks to prevent conflict), cyber operates in “the alternative to war”—a space of continuous competitive campaigning below the threshold of armed conflict. The very interconnectedness of cyberspace creates the conditions that make persistence inevitable.

The translation is straightforward: persistence is the condition. Stop planning for “return to normal”. There is no normal. There is only continuous pressure, with adversaries maintaining footholds while business continues.

The Five Forces Breaking the Digital Board

In my presentation in New Orleans I argued that five forces are fracturing the digital order. They are not speculative; they are already reshaping contracts, compliance requirements, and boardroom assumptions.

The first force is technology as seen through a national security lens. Semiconductors, artificial intelligence, cloud services, and telecommunications are no longer primarily commercial domains. They are instruments of statecraft. U.S. export controls in 2022, 2023, and 2024 progressively tightened choke points. The December 2024 measures went further than ever by explicitly restricting high-bandwidth memory, a critical enabler of advanced AI systems. Beijing retaliated with export bans on gallium, germanium, and antimony. By October, antimony shipments to Europe had fallen to zero; by December, exports to the United States were prohibited entirely. These were not marginal supply chain disruptions. These served as examples of how economic warfare can leverage critical materials. For organisations, the implication is stark: every technology decision is now a geopolitical decision. Vendor risk is alignment risk.

The second force influencing geopolitics is regulation. By early 2023, one hundred separate data localisation measures were in effect across forty countries. More than two-thirds of the measures combined storage requirements with outbound flow restrictions, which are the most restrictive form possible. GDPR fines reached €1.2 billion in 2024 alone, with cumulative penalties since 2018 amounting to €5.88 billion. Survey data consistently shows regulatory fragmentation as a growing concern. PwC's 2024 Global Digital Trust Insights found that 73% of executives cite regulatory complexity as hindering cyber resilience efforts, while Gartner's 2024 CISO survey indicated that 68% of security leaders expect compliance requirements to create operational friction within two years. These frameworks are not converging. They are colliding. Compliance has become less about legal diligence and more about strategic positioning to maintain market access.

The third force is supply chain weaponisation. The 2021 compromise of Microsoft Exchange servers, attributed to Hafnium (linked to China’s Ministry of State Security), rippled through hundreds of thousands of organisations globally. By 2024, 81 percent of companies reported direct negative impacts from third-party breaches. The lesson is that one vendor compromise can cascade across entire sectors and geographies. Optimising for cost or speed alone is dead. Supply chains must now be mapped by jurisdiction as well as by function, with credible alternatives in place. Otherwise, one supplier sneezes in Shenzhen and the boardroom catches pneumonia in Sydney.

The fourth force is technology bifurcation. From 5G standards to encryption algorithms, rival stacks are emerging. Sovereign cloud infrastructure, designed to meet national data requirements, was a $96.8 billion market in 2024. By 2033 it is projected to reach nearly $649 billion. The result is not market hype. This approach incorporates coding sovereignty directly into the architectural design. For global firms, the outcome is maintaining parallel infrastructures. Efficiency will not save you from sovereignty. Organisations must design for modularity, knowing they will pay to run the same functions twice.

The fifth force involves fragmentation in both financial systems and standards. When Russia was excluded from SWIFT in March 2022, seven banks, including VTB, were cut off, representing up to 1.5 percent of daily transactions. It was a watershed moment, signalling that financial infrastructure itself is now an instrument of statecraft. The rise of central bank digital currencies and alternative settlement rails reinforces the trend. The result is parallel monetary systems that may not interoperate. For companies, resilience is no longer disaster recovery. It is the capacity to settle, pay, and be paid across shifting regimes.

Positioning, Not Prediction

Boards crave certainty: forecasts, percentages, straight lines. But in the cyber-geopolitical environment, certainty is an illusion. The risk is being lulled into the tyranny of the present – assuming tomorrow will be a linear extension of today.

Scenario planning is the antidote. It accepts that there is no single “most likely” future. Instead, it maps multiple plausible outcomes shaped by forces outside management’s control. The value is not in accuracy but in agility—expanding mental models so leaders are not blindsided when discontinuities hit.

My framework builds from this principle:

• Plausible futures are mapped against two critical axes: Threat Pressure (low to high) and Alignment (harmonised to fragmented). This generates distinct operating environments rather than one “expected case”.

• Preferences and constraints define what each actor wants and what structural limits allow. These shape the range of possible moves.

• Watchpoints and thresholds identify the signals that shift scenario weightings—tightened export controls, diverging AI governance blocs, or exposure to long-term persistence campaigns.

• Dynamic updating means probabilities are never fixed; they flex as signals emerge. Think less like a forecast and more like a GPS recalculating when a roadblock appears.

Futures of Fragmentation (Scenario Planning Quadrant)

Axes:

• X-axis: Threat Pressure → Low to High

• Y-axis: Alignment → Harmonised to Fragmented

Figure 1. Futures of Fragmentation (Scenario Planning). Framework developed by the author. Probabilities shift dynamically as signals (watchpoints) accumulate.

This approach translates directly to the boardroom. When I assigned a probability of 35–55% for a Red Zone trajectory within three years, it wasn't a random guess. This estimate was based on a specific point in time. However, when subsequent signals, such as mineral export bans, new choke points, and Salt Typhoon’s scope, all fired, the analysis pushed that probability north of 70%, and and the framework flexed, not because I “revised a forecast”, but because the evidence updated the map.

The point is simple: success doesn’t come from predicting which scenario will play out. It comes from positioning the organisation so it can survive and compete across whichever future emerges.

Red Zone vs Strategic Lattice

From this framework, two dominant high-threat futures matter most for organisations.

The Red Zone
This is what happens when threat pressure is high and alignment collapses. Regulatory regimes diverge until they are mutually incompatible. Rival technology stacks proliferate with little interoperability. Supply chains segregate along bloc lines. Financial and communications infrastructures evolve in parallel, cutting across assumptions of global integration. Intelligence sharing shifts from cooperative to competitive. If leaders fail to take action, the Red Zone will emerge as the default trajectory within 18 to 36 months.

The Strategic Lattice
The counter-scenario arises when threat pressure is high but alignment holds, at least partially. Here, blocs remain in competition but maintain a minimum viable architecture of interoperability. Some cross-border data flows are preserved, regulatory frameworks are selectively recognised, and crisis communication channels remain intact. Think of it as a cyber-era Bretton Woods: rivalry without collapse. Unlike the Red Zone, the Lattice will not emerge naturally. It requires deliberate leadership within the next 12 to 18 months.

Red Zone vs Strategic Lattice (Comparison Table)

Figure 2. Comparative scenarios. The Red Zone emerges by default; the Strategic Lattice requires active leadership to preserve interoperability under pressure.

Governance Implications

The governance challenge is no longer “What is the probability?” But “How do we know when probabilities change?” Scenario positioning beats point forecasting precisely because it avoids false precision while keeping strategic relevance.

• Board Chairs must anchor oversight in watchpoints: which signals—new sanctions, regulatory divergence, long-term campaigns—would force a shift in strategy?

• CEOs must guard against stranded growth. Models built for seamless efficiency can become liabilities in a Red Zone. Governance is now about optionality.

• CISOs must shift from episodic response to continuous operation under compromise. Volt Typhoon’s five-year dwell time is not an exception—it is the new benchmark. Detection, containment, and restoration metrics must be board-level indicators.

• Risk officers and insurers must acknowledge that persistence and supply chain aggregation create systemic exposures beyond actuarial modelling. Cyber is no longer an episodic, insurable peril—it is a continuous operational condition requiring new transfer models.

Operational Priorities for Boards

Compliance architecture must assume divergence. A data flow lawful in Frankfurt may be criminalised in Shanghai and blocked in Washington. Boards should require data flows to be tagged with lawful bases and kill switches built in, with rerouting capabilities tested regularly.

Supply chain sovereignty must be stress-tested. A backup supplier on paper is not resilience unless it has been exercised under production-like conditions. The December 2024 export controls showed how quickly critical components can disappear.

Technology stacks should be designed for hot-swappability. Crypto-agility is not jargon; it is survival when a regulator declares yesterday’s algorithm non-compliant. Identity providers, storage back-ends, and algorithm sets should be engineered for rapid replacement.

Geopolitical intelligence must sit alongside cyber threat intelligence. Organisations should not only track indicators of compromise but also indicators of regulation, sanctions, and persistent campaign intent. Trigger lists — what law or sanction would force a workload migration or supplier switch — should already exist.

Finally, decision velocity must be addressed. Fragmentation multiplies cognitive load. Authority must sit where information concentrates. Strategy can remain central, but execution must be distributed. Decision-making speed should be tested in scenario exercises, not assumed.

What Success Looks Like

Successful organisations will look different in the fractured digital order. They will hold portfolios resilient enough that no single vendor, standard, or jurisdiction represents critical dependency. They will have compliance capability that functions as a competitive differentiator. Their systems will be engineered for operational sovereignty, with components swappable at speed. They will continue operating under compromise, treating persistent adversary access as a baseline rather than an exception. And they will operate within trusted networks of alliances that span jurisdictions and sectors, recognising that ecosystem resilience matters more than platform dominance.

The Choice Ahead

We have crossed into a world where cybersecurity is inseparable from geopolitical positioning. The Red Zone is not inevitable, but signals keep firing. Only if leaders make it happen will the Strategic Lattice remain viable.

Boards face a strategic paradox: they must prepare for the Red Zone while working to preserve the Strategic Lattice. Success requires not predicting which scenario will emerge but building adaptive capacity for either outcome.

In geopolitics as in chess, the winner is not the grandmaster with elegant theory. It is the player who still has pieces on the board when the clock runs down.

The winners will be those who recognise cybersecurity, not as IT plumbing but as geopolitics.

John Ellis is Global Head of Security Trust & Influence at QBE Insurance and writes at GeopoliticalCyber. The views expressed are the author’s own and do not represent the positions or policies of any employer or affiliated organisation.