Geopolitical and Cyber Risk: Two Sides of the Same Coin

Geopolitics used to be the business of maps, treaties and tanks. Cyber risk used to be the business of patches, passwords and firewalls. For twenty years boards kept them in separate committees. That separation has collapsed.

In the past two years, the same crises that redraw alliances have also rewritten attack patterns. A trade dispute becomes a port system outage. A territorial stand-off becomes a wave of phishing against ministries. A sanctions package becomes wiper malware in a logistics firm three continents away. The logic is simple. Cyber operations offer speed, reach and deniability below the threshold of war. States have learnt to use them not as a sideshow but as a primary lever of power.

This is not theory. It is daily practice. National cyber centres in Europe now treat infrastructure attacks as the home front of foreign conflicts. Intelligence agencies in The Hague, Berlin and Ottawa publicly name the same small group of states as the principal drivers of disruption. Private sector surveys find executives reporting losses from fraud and extortion at levels that track political tension as closely as they track technical vulnerability. The coin has two sides, but it is one currency.

TWO SIDES OF THE SAME COIN

Three structural shifts explain the merger.

First, digital dependence. Energy grids, hospitals, banks and ports now run on cloud platforms, remote access and complex supply chains. That creates leverage points a state can reach without crossing a border. You do not need a navy to slow a port if you can compromise the terminal operating system.

Second, the normalisation of grey zone activity. Major powers have concluded that disruptive cyber operations rarely trigger a military response, yet they can coerce, deter or signal intent. The war in Ukraine accelerated this learning. Techniques tested on the battlefield, from mass credential theft to attacks on satellite links, have since appeared against civilian targets elsewhere.

Third, the industrialisation of crime. Ransomware groups, initial access brokers and data launderers now sell capability as a service. States can rent, task or simply mimic these networks, which blurs attribution and lowers cost. The result is a marketplace where political objectives and criminal profit reinforce each other.

THE NEW TOOLKIT

The modern campaign rarely looks like the Hollywood hack of a decade ago. It looks like this.

It starts with intelligence gathering at scale. Large language models are used to craft fluent lures in local languages, to summarise leaked documents, and to automate reconnaissance of cloud environments. The barrier to credible phishing has fallen, and the speed of targeting has risen.

It moves through identity, not perimeter. Attackers seek valid credentials, OAuth tokens and service-to-service trust relationships. Once inside, they live off legitimate tools, making detection harder. The aim is often not immediate theft, but persistent access that can be activated when a political moment demands it.

It spreads through third parties. A managed service provider, a software update, a law firm or a payroll vendor becomes the bridge into dozens of clients. Supply chain concentration means a single compromise can cascade across sectors and borders.

It ends, when needed, with effects that are political rather than purely financial. Data leaks timed to elections. Deepfake audio of executives. Disruption of transport during a summit. The payload is chosen for narrative impact, not just for ransom.

States do not need to build all of this themselves. They can direct, enable or simply benefit from criminal activity that aligns with their interests. That ambiguity is the point.

WHO BEARS THE COST?

The burden is not evenly distributed.

Critical infrastructure operators carry the immediate operational risk. Hospitals, power utilities and water companies face the choice between paying, restoring from backups, or sustaining outages that have public safety consequences.

Financial services carry the systemic risk. Banks and fintechs sit at the intersection of data, money and trust. A well-timed leak or a successful fraud campaign can move markets, erode confidence and invite regulatory action.

Small and medium enterprises carry the volume risk. They are less likely to have dedicated threat intelligence or 24-hour response, yet they are deeply embedded in supply chains. When they are compromised, larger partners inherit the exposure.

Emerging markets carry the spillover risk. In West Africa, for example, where growth in digital payments and cloud adoption has outpaced local security capacity, firms depend on foreign platforms, undersea cables and software vendors headquartered in countries that are geopolitical rivals. A dispute between those rivals can manifest locally as delayed patches, sudden changes in terms of service, or targeted campaigns against high-profile sectors such as finance and telecoms. The risk arrives without a local cause.

The common thread is skills. The global shortage of cybersecurity professionals remains acute. Even well-funded organisations struggle to hire analysts who can bridge geopolitics and technical defence. That gap is most visible at the point where risk decisions are made, in boardrooms that understand sanctions but not service principals, or in security teams that understand malware but not maritime chokepoints.

WHAT GOOD DEFENCE LOOKS LIKE NOW

If risk has merged, defence must merge too. Five shifts are practical and affordable.

Integrate intelligence. Put geopolitical monitoring and cyber threat intelligence in the same weekly meeting. Map your critical vendors not only by service level but also by jurisdiction, ownership and legal exposure. Ask what happens if a key supplier becomes subject to export controls or is pressured to share data.

Design for fragmentation. Assume that data residency rules, cloud availability and cross-border data flows will diverge. Build the ability to move workloads, to operate in split modes, and to maintain minimum viable service when a region is cut off. Test those playbooks; do not file them.

Prioritise identity and third parties. Remove standing administrative access. Enforce phishing-resistant multifactor authentication for all privileged roles. Inventory every SaaS-to-SaaS connection and review it quarterly. Treat your supply chain as part of your perimeter.

Exercise for political triggers. Tabletop exercises should start with a geopolitical event, such as a sanctions announcement, a maritime incident or an election, and then trace the technical consequences. This trains executives to recognise early indicators and to authorise actions before an incident escalates.

Invest in hybrid talent. Train policy analysts to read a threat report and train engineers to read a sanctions notice. Create small fusion cells that can translate between the two languages. In a merged risk environment, translation is a control.

Regulators and national centres have a role, but they cannot substitute for internal readiness. Public-private sharing helps with indicators and attribution, but speed of containment still depends on architecture, hygiene and rehearsal.

CONCLUSION

Geopolitical risk and cyber risk are no longer two separate disciplines to be managed in parallel. They are one operational reality. States will continue to use cyber operations to pursue political aims because they are effective, deniable and scalable. Criminal markets will continue to provide the tooling. Artificial intelligence will continue to compress the time between intent and impact.

For leaders, the implication is straightforward. Stop asking whether an event is geopolitical or cyber. Start asking how quickly a political development can become a technical compromise in your environment and whether your organisation is organised to respond at that speed.

The organisations that thrive will be those that treat resilience as a strategic capability, not a compliance checklist. They will map power as carefully as they map packets. They will build teams that can analyse both. In a world where foreign policy and hacking move together, defence must move the same way.

 
