
Cyber threats are increasingly complex. What can governments do to defend against them?

Virtual Routes fellows look for ways to shrink the gap between cyber threats and defensive capabilities, from regulatory sandboxes to supranational understandings of critical infrastructure.
A Maersk container ship in Aarhus, Denmark. Photo: Razvan Mirel/Unsplash

Virtual Routes is pleased to welcome the 2025-2026 cohort of European Cybersecurity fellows to our community. As part of their application, each fellow wrote an essay on one of three set questions addressing some of the biggest issues facing European cybersecurity policy and practice. We are delighted to introduce this group of talented young cybersecurity professionals with a short series of excerpts from their essays, grouped by question.

In our first installment, three fellows tackled the question, What’s the biggest blind spot in our understanding of cyber conflict, and why can’t we afford to ignore it?

Next, a pair of fellows explored whether commercial cyber threat intelligence is doomed to fail or poised to thrive. 

In this final installment, fellows Eugenio Benincasa, Livia Fries, Lapo Moriani, Jonas Franken, and Fabio Seferi respond to a December 2024 warning from UK National Cyber Security Centre chief Richard Horne, that ‘there is a widening gap between the increasingly complex threats and our collective defensive capabilities […], particularly around our critical national infrastructure,’ along with the follow-up question, what policies can counter this trend?

Eugenio Benincasa, senior cyberdefense researcher, Center for Security Studies, ETH Zurich

The European Union faces growing cybersecurity risks due to fragmented policies, reliance on non-EU technology, and the absence of a unified offensive strategy. To address these challenges, member states should reduce strategic technological dependencies on non-EU countries, particularly those deemed high-risk, and enhance proactive cybersecurity capabilities.

EU reliance on non-EU technology providers introduces risks such as the potential for backdoors, weakened data sovereignty, and supply chain vulnerabilities. The EU has attempted to mitigate these threats, banning certain non-EU technology providers and promoting domestic cybersecurity firms and technology providers through initiatives like ‘Cybersecurity Made in Europe’ and the Gaia-X initiative.

However, these efforts are undermined by inconsistent national policies and a lack of competitive European alternatives in key areas such as 5G, semiconductors, and cloud infrastructure. A coordinated EU-wide strategy is needed, with financial incentives and promotion of European cybersecurity firms in public procurement.

As cyber threats grow, some EU nations are integrating ‘active defense’ policies: proactive cybersecurity strategies aimed at neutralising and mitigating cyber threats. Germany’s 2023 National Security Strategy recognized the importance of active defense, while both Romania and Italy have taken steps toward offensive cyber operations. Some member countries face unresolved legal, operational, and political challenges, while gaps in technical capacity and coordination across the EU limit their ability to address cross-border threats effectively.

These national-level disparities highlight a broader issue: the absence of a unified EU approach to active cyber defense. To mitigate the inconsistencies caused by this, EU nations should collaborate to define the scope, authority, and limitations of active cyber defense, enhance intelligence-sharing, and invest in cybersecurity talent by expanding hands-on training environments and attack-defence exercises.

Livia Fries, public policy manager, Darktrace

The discovery of the Volt Typhoon cyber espionage campaign was a stark reminder of the challenges policymakers face in addressing the gap between increasingly sophisticated cyber threats and our collective defensive capabilities. This attack underscored two principal concerns. First, it revealed how cross-border integration creates porous security structures, as the incident affected not only primary targets, but also US allies and strategic partners. Second, the attackers’ use of ‘living off the land’ techniques – leveraging legitimate system tools and processes rather than deploying foreign malware – to embed themselves in IT systems underscored the persistent and stealthy nature of cyber threats, with adversaries increasingly driven by long-term geopolitical objectives. 

Despite the clear vulnerabilities laid bare by Volt Typhoon, cyber defence has, for too long, been treated as a matter of patching individual weaknesses rather than addressing the systemic fragility of digital infrastructure. Without a fundamental shift in strategy, the balance of power will continue to tilt in favour of adversaries who exploit the inherent opacity of modern IT ecosystems – characterised by complex, interdependent networks, limited visibility into supply chains, and the widespread use of proprietary and legacy technologies that obscure potential vulnerabilities. Addressing these challenges thus requires a three-pronged approach: (1) operational, by reinforcing foundational security; (2) behavioural, by fostering a proactive approach to cyber resilience; and (3) strategic, by embracing principles of collective defence.

The rapid digitalisation of critical national infrastructure has left governments and organisations reliant on outdated, insecure architectures. Meanwhile, increasingly interwoven supply chains have expanded the attack surface of these essential systems. Comprehensive asset identification, rigorous security-by-design principles, and the extension of regulatory oversight to critical supply chains are essential to deter attackers from exploiting blind spots within the digital infrastructures on which modern economies depend.

Additionally, fostering a proactive cyber resilience approach is necessary to stay ahead of evolving threats, such as AI-driven attacks and quantum decryption risks. The slow implementation of regulatory measures has placed defenders at a perpetual disadvantage. Shifting towards a more proactive stance will require enhanced intelligence sharing, strengthening public-private partnerships for real-time threat collaboration, and the integration of cybersecurity into executive decision-making as a core governance priority.

Finally, the intensification of state-sponsored cyber operations underscores the imperative for enhanced collective defence mechanisms. A more cohesive approach is needed – one that prioritises not just information sharing but also joint cyber defence initiatives. Expanding NATO’s cyber mandate, establishing legally binding norms on cyber warfare, and strengthening multilateral cybersecurity frameworks should form the backbone of this effort. Nations should leverage the Volt Typhoon incident as a catalyst for a fundamental shift in cybersecurity strategy and close the gap between attack and defence.

Lapo Moriani, Joint Intelligence & Security Division policy officer, NATO*

A severe cyber incident affecting critical national infrastructure – such as disruptions to port operations or air traffic control – could paralyse essential services and critically undermine NATO’s ability to coordinate and execute operations by delaying deployments, hindering communication, and obstructing logistics. Cyberspace is a critical enabler for operations across air, land, sea, and space, underpinning NATO’s deterrence and defence mission.

The Cyber Common Operational Picture, or CyCOP, would mitigate these risks by correlating cyber threat intelligence, communication and information systems status, and mission relevance into a unified picture. At the strategic level, it would support political and military decision making, providing commanders with critical cyber situational awareness. Additionally, visibility on critical national infrastructure offers an opportunity for enhanced NATO-EU cooperation, helping to inform EU cybersecurity policies, such as the NIS2 Directive, and supporting the implementation of the Cyber Diplomacy Toolbox in responding to malicious activity.

However, implementing the CyCOP presents challenges, particularly overcoming national and private-sector reluctance to share relevant data, information, and intelligence. NATO must establish secure, standardized frameworks for information sharing, balancing transparency with security concerns. Additionally, interoperability issues and real-time data processing must be addressed through common threat classification standards and AI-driven analytics.

As adversaries refine their cyber capabilities, NATO must act decisively. The CyCOP is not just a technical upgrade but a strategic imperative – without it, the alliance risks being unprepared for cyber incidents that could severely disrupt its ability to respond to crises and conflicts.

Jonas Franken, doctoral candidate and research associate in computer science, Technical University of Darmstadt

Critical infrastructure protection policies must evolve beyond national frameworks such as critical national infrastructure to reflect the interconnected nature of current infrastructure architectures and cyber threats. Modern infrastructures, like energy grids, cloud services, and subsea communication cables, operate across borders, making national security policies that focus solely on domestic infrastructure increasingly outdated. The UK, historically a global infrastructure hub, remains deeply dependent on international networks, yet its cybersecurity strategies often fail to reflect this reality. 

A central issue in critical infrastructure security is the ambiguity of the referent object – what or whom cybersecurity policies aim to protect – nations, governments, private operators, or the public. A cyberattack on a cloud data centre in Ireland could have severe consequences for businesses and services in the UK, illustrating how disruptions in one location can ripple across borders.

Additionally, designating infrastructures as ‘critical’ does not inherently protect them and may, in fact, make them more attractive targets for cyberattacks. 

Given these complexities, a more internationally coordinated approach is necessary. National policies should move beyond territorially confined regulation and acknowledge transnational dependencies. This requires cybersecurity frameworks that include global risk assessments, shared response mechanisms, and cross-border resilience strategies. Regulatory efforts, such as the EU’s Critical Entities Resilience Directive, show promise in fostering international cooperation. 

However, nation-centred cybersecurity strategies, which prioritise state control over digital infrastructures, risk fragmenting the global cyber landscape, frustrating operators of transnational companies, and increasing – instead of decreasing – vulnerabilities. 

To address these challenges, governments must better understand infrastructure interdependencies, assess software and hardware supply chains, and reconsider the role of privatisation in securing essential services. Ultimately, in an era where cyber threats transcend borders, defensive strategies must follow suit. Strengthening international coordination and resisting isolationist cybersecurity policies is crucial to ensuring resilience in the face of evolving digital threats.

Fabio Seferi, PhD candidate in cybersecurity, IMT School for Advanced Studies Lucca and University of Florence

To bridge the gap between cyber threats and defensive capabilities, governments should move away from single measures and toward a dynamic, principles-driven approach to cyber resilience. Cybersecurity policy can be viewed as an iterative process, rather than a series of disconnected steps. This entails reassessing three things: the pace of cybersecurity policymaking, its foundational values, and the key supporting actions that sustain their implementation.

First, governments are lagging behind rapidly evolving threats. Existing regulatory frameworks are sometimes too rigid, and experimental mechanisms such as regulatory sandboxes should be employed as an attempt to sharpen cybersecurity policy in working settings. An ecosystem of coordinated regulatory sandboxes can ensure that cyber regulations are continuously evaluated in controlled real-world conditions, accelerating their formulation, adoption, and adaptation. 

Second, a principles-based approach would close possible gaps between the necessary expertise of policymakers and the granular technicalities needed to ensure a secure and cyber resilient ecosystem. For critical national infrastructure, there are three broad principles that should be considered: security-by-design, zero-trust architectures, and stronger supranational cooperation (using structures like the European Cybersecurity Shield or NATO’s CCDCOE).

Third, these principles need to be implemented, with implementation based on some chief actions. Defining tailored security obligations and supporting mechanisms for small- and medium-sized enterprises (SMEs) in critical supply chains is of paramount importance. Public funds must be invested to modernise legacy infrastructure in essential services so that they can withstand cyberattacks. SMEs, more vulnerable due to their fewer resources, must be subsidised to strengthen their cybersecurity posture. Coordinated efforts, like the EU 5G security toolbox, can introduce consistency across borders in key enabling technologies.

Coordinated investment in enabling technologies is also key. AI-based solutions, distributed ledgers, and quantum computing should be high-priority areas for future research in cyber defence. Encouraging collaboration via information sharing and analysis centres and joint cyber incident response task forces will enhance situational awareness and crisis management. Cybersecurity effectiveness requires a solid, multi-level approach, resilient within the ever-shifting threat landscape.

*The views expressed are the author’s own and do not represent the official positions of his current or former employers.
