In this Help Net Security interview, Kaja Ciglic, Senior Director, Cybersecurity Policy and Diplomacy at Microsoft, discusses how nation-state cyber programs have changed over three years.
Cyber has become a core instrument of state power, integrated with military, economic, and diplomatic tools. Ciglic argues that responses like sanctions and indictments need broader strategies, including conditional economic pressure and state accountability for ransomware havens. She addresses NATO’s Article 5 ambiguity around cyber attacks and calls for standing coordination between governments and private sector partners before crises occur.
Which nation‑state cyber program has evolved most surprisingly over the past three years, and what does that evolution tell us about broader strategic ambitions?
Across regions and political systems, state cyber programmes have evolved in three closely related ways.
First, cyber has moved from a specialist tool to a core instrument of state power, increasingly treated alongside military, economic and diplomatic capabilities. Analyses of recent conflicts show cyber operations being embedded into broader national security strategies and defence planning, particularly around critical infrastructure and societal resilience, not just espionage or disruption.
Second, the integration of cyber with other instruments of power has deepened. Experience from Ukraine and, more recently, the Middle East demonstrates that cyber operations are now coordinated with kinetic actions, information operations and economic pressure. In these contexts, cyber has been used to prepare the environment, shape perceptions, disrupt logistics and test resilience rather than to deliver decisive, stand‑alone effects.
Third, automation and AI‑enabled tooling have accelerated operational tempo. Multiple assessments point to state and state‑aligned actors using automation and machine‑assisted techniques to scale reconnaissance, exploit vulnerabilities and conduct influence operations more persistently than before. This evolution has lowered the barrier to sustained activity while increasing pressure on defenders.
North Korea’s cyber program now functions as a sanctions‑evasion mechanism. Does this blur the line between espionage, warfare, and organised crime?
Yes, and that blurring is structural. North Korean cyber operations are best understood as a state‑directed criminal enterprise, where revenue generation is a core objective. Cryptocurrency theft, supply‑chain compromise, and illicit IT worker schemes directly fund state priorities. Our existing legal frameworks struggle because they assume clean distinctions between espionage, crime, and armed conflict. In practice, this convergence demands closer coordination between financial regulators, cyber defenders, and national security authorities—responses designed for one domain alone are no longer sufficient.
After SolarWinds, Colonial Pipeline, and Exchange, policymakers keep reaching for sanctions and indictments. What would a more consequential response architecture look like?
Responses should seek to be deterrent in nature, proportionate and non-escalatory while imposing sufficient costs to dissuade adversaries going forward. This begins with signaling limits on acceptable behavior and then consistently calling out violations and imposing consequences. Importantly, states should not limit themselves to responding in cyberspace and instead employ response options across economic, diplomatic and regulatory domains as needed. Sanctions and indictments are certainly valuable tools in the consequence toolbox, but they are certainly not the only options.
When faced with persistent intrusions, for example, consequences should ideally be conditional and reversible, designed to shape behavior. The pressure that can be dialed up or down depending on adversary response. This might include sustained economic or diplomatic measures that remain in place until malicious actors verifiably exit compromised networks or demonstrate restraint over time. This keeps escalation in check while restoring leverage to defenders.
When it comes to criminal activity that is enabled by adversary states providing safe havens for things like ransomware attacks, consequences should focus on state accountability and not just on the individual actors. In the US, designations of “state sponsors of cybercrime,” similar to state sponsors of terror, could help draw attention to these safe havens and open up new avenues of accountability, prompting states to exercise necessary due diligence.
As much as these cyberattacks are technological challenges, they are also political ones that will require political solutions. Red lines and consequences as we have in other domains. Deterrence in cyberspace will not come from louder condemnations. It will come from consistent, adaptive, behavior‑based responses that reflect how cyber operations work, and that give states real options short of crisis or conflict.
NATO’s ambiguity around Article 5 and cyber operations. Is that an asset or a liability?
Some ambiguity is inevitable, and even useful, in deterrence. But ambiguity without credible thresholds and response pathways can become a liability. Adversaries are highly adept at operating below ill‑defined red lines. From our perspective, the most stabilising approach is to strengthen collective resilience, attribution, and response coordination so that sustained cyber campaigns reliably produce consequences, even if those consequences are diplomatic, economic, or legal.
If you could redesign one structural feature of how democracies coordinate cyber policy, what would it be, and what stands in the way?
I would prioritise standing, operational cyber coordination mechanisms that connect governments and trusted private‑sector operators before crises occur—not ad hoc task forces assembled after the fact. We still rely too heavily on informal relationships when speed matters most. The biggest obstacle is trust: legal, cultural, and political hesitation to share sensitive information across borders and sectors. Yet without that trust, democracies will continue to face asymmetry, where defenders must coordinate slowly while adversaries move at machine speed.
Kaja Ciglic is a speaker at Span Cyber Security Arena 2026 taking place in May. Help Net Security will be on-site, get in touch to book a meeting.

