Key Takeaways
- Cyber security has evolved from a purely technical issue to a central instrument of geopolitics and statecraft.
- Governments are increasingly using offensive cyber operations to disrupt adversaries, moving beyond passive defense.
- The lack of a unified international consensus creates fragmented rules of the road, raising risks of miscalculation and escalation.
- Private‑sector firms are being asked to participate in state‑led offensive cyber activities, requiring clear legal, ethical, and jurisdictional preparation.
- Board members and senior executives now bear direct responsibility for cyber resilience, with regulations such as the EU’s NIS 2 Directive imposing director liability and mandatory training.
- Public‑private collaboration is shifting from mere information sharing to potential joint offensive operations, demanding new frameworks of trust and accountability.
- Ongoing conflicts (e.g., Iran/Middle East) demonstrate cyber’s integration into broader military and whole‑of‑state actions, reinforcing the report’s thesis.
- Leaders must develop a shared language across military, government, industry, and technical domains to make cyber considerations concrete in planning and decision‑making.
Overview of the NCC Group Global Cyber Policy Radar
The fifth edition of NCC Group’s Global Cyber Policy Radar seeks to reframe the conversation about cyber security. Rather than treating cyber as an isolated technical problem, the report argues that it has become a strategic lever in international relations and a core governance issue for corporate boards. This shift reflects the growing recognition that digital infrastructures underpin modern economies and societies, making their protection—and potential exploitation—matters of high‑level policy and risk management.
Cyber as a Geopolitical Instrument
Kat Sommer explains that cyber has undergone a “geopoliticalization.” The foundations of economies and societies are now driven by digital technologies, so the security and resilience of those foundations are directly tied to national power. Consequently, states view cyber not only as a defensive shield but also as an offensive tool that can be woven into broader diplomatic and military strategies to achieve strategic objectives without kinetic confrontation.
Offensive Cyber Strategies and Government Approaches
A notable shift has emerged from a preventative, wall‑building mindset to an active stance aimed at disrupting adversary behavior. Led largely by the United States, governments are investing in capabilities that enable them to probe, degrade, or dismantle hostile cyber infrastructure. Importantly, this offensive push is no longer confined to state actors; governments are increasingly looking to private‑sector operators of critical infrastructure to support or even execute these operations, expanding the traditional public‑private partnership model beyond mere intelligence sharing.
Risks of Fragmentation, Coordination, and Escalation
Sommer warns that the pursuit of national offensive capabilities is occurring without a cohesive international norm‑building process. While the UN has attempted to establish rules of responsible state behavior in cyberspace, divergent national interpretations mean that what is permissible in one jurisdiction may be prohibited in another. This fragmentation heightens the risk of miscalculation, unintended escalation, and challenges in coordinating defensive measures across borders, especially when private firms are drawn into state‑led offensives.
Private‑Sector Preparedness for Offensive Roles
When governments solicit private firms to partake in offensive cyber actions, companies must answer complex questions beforehand. Leaders need to assess the legal implications under domestic and international law, consider potential liabilities in each jurisdiction where they operate, and reflect on the moral and ethical dimensions of enabling state‑led cyber attacks. Establishing an internal decision‑making process—whether to decline, negotiate conditions, or participate—helps ensure that firms act responsibly and avoid inadvertent violations of law or norms.
Board‑Level Accountability and Regulatory Pressure
Cyber responsibility has moved from the IT manager or CISO to the boardroom. Regulations such as the European Union’s Network and Information Security Directive 2 (NIS 2) introduce director liability, requiring board members to undergo cyber‑security training and to demonstrate that they have asked the right questions about organizational resilience. In the United Kingdom, the Chancellor of the Exchequer has publicly queried FTSE 350 boards, eliciting responses that show a growing awareness—though still uneven—of cyber obligations at the highest corporate levels.
Implications of Ongoing Conflicts (Iran/Middle East)
The report’s thesis is reinforced by recent developments in Iran and the broader Middle East, where cyber operations are no longer isolated incidents but are integrated into wider military campaigns. Cyber activities now support kinetic actions, intelligence gathering, and influence operations, illustrating a whole‑of‑state approach where digital and traditional weapons are employed in tandem. This integration validates the argument that cyber has become a true instrument of statecraft rather than a peripheral technical concern.
Making Cyber Real for Leaders: The Need for a Shared Language
To translate cyber awareness into effective action, leaders across military, government, industry, and technical domains must develop a common vocabulary and understanding of cyber threats, defenses, and offensive capabilities. A whole‑of‑society effort—where policymakers, executives, militaries, and technologists sit at the same table—ensures that decisions are informed by realistic assessments of cyber impact, facilitating coherent strategies that bridge the gap between abstract risk and concrete operational planning.
Conclusion and Recommendations
The NCC Group Global Cyber Policy Radar underscores that cyber security is now inseparable from geopolitics, corporate governance, and military strategy. Organizations should anticipate government requests for offensive cyber participation, embed legal‑ethical review processes, and ensure board members are equipped with the requisite knowledge and authority. Simultaneously, policymakers must work toward clearer international norms to reduce fragmentation and escalation risks. By fostering cross‑sector collaboration and a shared conceptual framework, societies can better harness cyber’s strategic potential while safeguarding against its inherent dangers.

