When Cybersecurity Becomes Geopolitics

Many of us first learned power through a television screen, sitting in a quiet room while the glow of an old documentary filled the space. A calm narrator would walk through empires, wars, alliances, rival nations, collapsing regimes, and the long struggle to shape the world order. Back then, power looked physical. It looked like borders, ships, missiles, banks, armies, maps, flags, and leaders standing behind podiums as history moved around them.

Today, that picture feels different.

The struggle for power has not disappeared. It has moved into the systems beneath daily life. It lives inside the models that shape information, the clouds that carry institutions, the chips that power intelligence, and the invisible code that determines what people see and trust. The next battlefield may not always announce itself with smoke, sirens, or soldiers crossing a border. It may begin quietly, inside a model before release, an identity before compromise, a video before verification, or a cyber operation moving faster than institutions can interpret.

That is what makes the recent U.S. executive order on artificial intelligence and cybersecurity worth watching. On its surface, it may look like another technology policy update. Another government attempt to keep pace with a fast-moving industry. But beneath it is a larger signal: national security is becoming increasingly dependent on private technology infrastructure.

President Donald Trump recently signed an executive order directing U.S. agencies to work with leading artificial intelligence companies on cybersecurity and national security risks. The order creates a voluntary framework that allows advanced AI models to be reviewed by government agencies before public release. Agencies such as Treasury, Defense, Commerce, and Homeland Security are expected to play a role in evaluating potential vulnerabilities.

That alone says something about the moment. The government is no longer watching the technology sector only from the outside. It is asking to look inside certain systems before they fully enter the public environment.

The New Geopolitical Questions

For decades, national security could be imagined through visible structures: military readiness, energy security, intelligence capability, financial stability, industrial strength, and diplomatic alignment. Those structures still matter. But now a new set of questions sits beside them.

Who controls the model? Who secures the cloud? Who owns the infrastructure beneath communication? Who can detect synthetic content before it moves public belief? Who decides whether an AI system is safe enough to release?

These are no longer only technical questions. They are geopolitical questions.

Ian Bremmer has described this emerging reality as a "technopolar" order, a world where technology companies are not merely vendors or platforms but actors capable of shaping the global environment. The older imagination of power was built around states. Governments held territory, commanded armies, regulated currencies, formed alliances, and claimed sovereignty over the outcomes that mattered most.

That world has not disappeared. But it now shares the stage with companies that control much of the operating layer of modern life. Their systems carry communication, host data, shape attention, and increasingly influence how information is created and trusted. In moments of war, crisis, election pressure, market instability, or social unrest, those systems do not sit outside geopolitics. Increasingly, they become part of it.

Ukraine and the Visibility of Digital Infrastructure

Ukraine made this visible. The war has still been fought through soldiers, weapons, intelligence, sanctions, and diplomacy. But it has also shown how modern conflict depends on digital infrastructure: the ability to communicate, preserve access, defend networks, interpret open-source intelligence, and keep critical systems connected under pressure. The lesson was not simply that technology matters during conflict. The lesson was that private digital infrastructure can become part of the conflict environment itself.

That is the world cybersecurity now inhabits.

Cybersecurity is no longer only about protecting a network from intrusion. It is about protecting the conditions that allow governments, markets, institutions, and citizens to know what is real. Who is speaking. Which systems can be trusted. Whether critical operations can continue under pressure.

AI-Enabled Threat Operations

This is why adversarial states are investing so heavily in AI-enabled cyber and influence operations. Microsoft's 2025 threat reporting warned that countries such as China, Russia, Iran, and North Korea are using AI to support cyberattacks and disinformation. The concern is not simply that these actors can attack systems more efficiently. It is that they can use AI to scale deception.

A phishing message becomes more fluent. A false identity becomes more convincing. A voice can carry familiar emotion. A fake image can travel before verification catches up. A cyber intrusion can be paired with disinformation so the event is not only about access. It becomes confusion. In that environment, the goal may not be only to steal information. It may be to weaken confidence in the systems people rely on to understand what is true.

That is where cybersecurity becomes larger than IT.

The Convergence of Risk Categories

It becomes financial crime when a stolen credential stops being a login issue and becomes movement. An account is accessed. A payment is authorized. A mule is activated. Value is pushed into places where recovery becomes difficult.

It becomes governance when a board has to determine whether it truly understands the cyber risk embedded in vendors, cloud environments, models, and data. It becomes sanctions risk when blocked actors, proxy networks, or adversarial states use digital infrastructure to evade pressure or fund operations. It becomes national security when attacks threaten banking, healthcare, energy, emergency services, public confidence, or government continuity.

In that world, cybersecurity is not a back-office function. It is part of the architecture of institutional trust.

Early Review of Consequential Technology

The executive order reflects this reality. By creating a process for early government review of advanced AI models, the United States is signaling that some technologies may be too consequential to treat as ordinary product releases. Releasing a powerful model is no longer only a commercial event. Depending on its capabilities, it can become a cyber-risk event, a national-security event, and a governance event.

That does not mean every model is dangerous. It means advanced AI now sits close enough to critical infrastructure, information integrity, cyber defense, and adversarial capability that institutions cannot afford to learn about the risk only after deployment.

The old model of oversight often reacted after harm became visible. A breach occurred. A system failed. A regulator investigated. A report was written. A control was strengthened. But AI-enabled cyber risk does not wait comfortably for after-action review. It moves quickly, adapts quickly, and can be copied or modified across jurisdictions faster than traditional institutions can absorb.

The Defining Governance Question

This is why the relationship between government and private technology companies is becoming one of the defining governance questions of the next decade.

If government moves too slowly, private systems may shape public life faster than public institutions can govern them. If government moves too aggressively, it may weaken innovation and national competitiveness. If companies move too freely, critical risks may be discovered only after public release. If companies move too cautiously, adversaries may gain ground.

That tension is not going away. It will define the new digital order.

The Problem of Convergence

The United States and China are still competing for economic, technological, and military advantage. Russia, Iran, North Korea, and other adversarial actors continue to test the edges of cyber power and information warfare. But the field itself is changing. It is no longer only a contest of governments acting through traditional instruments of state power. It is also a contest over the systems that make modern society function.

A model can shape what people believe. A cloud outage can become an operational crisis. A platform decision can influence public perception before official institutions have time to respond. A synthetic video can move emotion faster than truth can correct it. A cyberattack can begin as code and end as a financial, political, or national-security event.

That is the problem of convergence. Cyber risk no longer stays in one lane. It travels. It moves from compromised systems into payments. From synthetic content into public belief. From model vulnerabilities into institutional exposure. From private infrastructure into national resilience. The categories that once looked separate are starting to meet inside the same systems.

Questions for Risk Leaders

That is the signal. The question is whether institutions are prepared to interpret it.

Risk leaders should be asking whether their cyber programs are close enough to fraud, AML, sanctions, third-party risk, model governance, and executive decision-making. Boards should be asking whether they understand which technology dependencies have become strategic. Compliance leaders should be asking whether AI-enabled deception is changing the assumptions behind their controls. Financial institutions should be asking whether customers, employees, vendors, and models can be manipulated before a transaction, alert, or incident ever appears.

The future will not reward institutions that treat every risk category as separate. It will reward institutions that can see how one signal moves across the system.

The Endurance of Judgment

That is where judgment becomes essential.

Automation will matter. AI-assisted defense will matter. Public-private collaboration will matter. Better intelligence tools will matter. But none of it removes the need for human responsibility. If an AI system flags a vulnerability, someone must decide what to do with it. If a model generates a warning, someone must understand whether it is meaningful. If a company releases a system with geopolitical implications, someone must own the governance behind that release.

Technology may accelerate detection, but judgment still determines response.

The Quieter Threats

The most serious cyber risks ahead may not present themselves first as explosions, outages, or visible breaches. They may appear as normal activity: a convincing message, a trusted login, a familiar voice, a routine vendor update, a model release, a small anomaly, or a piece of content that feels real enough to move behavior.

That is why cybersecurity has become geopolitics. The fight is no longer only over systems. It is over perception, infrastructure, identity, continuity, and trust.

The same world that once taught us to imagine power through borders, ships, missiles, banks, armies, maps, and flags is now asking us to recognize power in quieter places. It lives in a model before release. In a cloud environment before compromise. In a synthetic video before belief spreads. In a cyberattack before attribution. In a signal before the world fully understands what it is seeing.

The battlefield has moved beneath the screen.

That does not make it less real. It makes it harder to see. And the institutions that matter most will be the ones disciplined enough to recognize the shift before it becomes obvious.