Defending the invisible front line: security in a digital world

​

The invisible front line of cyber-security runs through the physical and digital systems that underpin daily life. In recent years, state-backed hackers have burrowed into telecoms networks, ransomware gangs have forced British hospitals back to paper records, and incidents in the Baltic and Red Seas have severed undersea communication cables, threatening to disrupt terrestrial internet traffic. Artificial intelligence (AI) is now increasing the speed and variety of attacks while the internet of things is broadening the attack surface, adding to cyber-vulnerabilities.

Cyber-resilience is a shared responsibility across governments, businesses and technology firms scrambling to manage a continuum of risks. Closing the Cyber Risk Protection Gap, a 2024 white paper issued by Zurich Insurance Group (Zurich) and Marsh, explains how one end of this continuum is occupied by everyday cyber-threats that digital tools, best practices and vendor-provided services can guard against. Further along are quantifiable catastrophic cyber-risks, which should be insured for, and unquantifiable risks that may be better addressed through public-private partnerships that muster the capabilities of states and their defence organizations. Continued developments in AI are heightening the significance of these latter categories.

Despite the seriousness of today’s cyber-threats, the World Economic Forum’s (WEF) recently published Global Risks Report shows that the risks are underappreciated. The survey of more than 1,300 experts and business leaders found “disruptions to critical infrastructure ranked just 23rd among global risks for the next decade”, says Peter Giger, the chief risk officer of Zurich, adding that that is “a dangerous oversight”.

AI: offence and defence

Some leaders in cyber-security, however, are well aware of the threat landscape, which is shaped by growing interconnectedness, geopolitical tensions and automation-driven increases in attack speed. These concerns framed a panel discussion on cyber-risk programmed by Economist Impact, sponsored by Zurich and held on the sidelines of the WEF’s annual meeting in Davos on January 20th, 2026.

Panelists resisted framing AI as a technology that clearly favors either offence or defence. Carlos Creus Moreira, the chief executive of cyber-security firms WISeKey and SEALSQ, described it as both a defensive tool that sharpens awareness of cyber-risks and an offensive one that enables new types of attacks such as prompt injection and interference with satellite links.

As AI becomes pervasive, Mr Creus said, risks emerge in systems that access and act on data with limited human oversight. Meredith Whittaker, the president of the non-profit organization Signal Foundation, cited early implementations of the Windows Recall feature as an example of how AI-enabled tools can undermine “cyber-security hygiene” by collecting data that users intended to keep private, including encrypted messages.

A crisis likely to worsen

Cyber-security is already fragile, and panelists warned that future failures could be worse. Dame Fiona Murray, the chair of the NATO Innovation Fund, observed that repeated attacks have “practically collapsed” large companies in Britain “for weeks at a time”, with knock-on effects across infrastructure and the economy. The question, she added, is “not when” the next disruption will be, but how large.

Longer-term risks also loom. Mr Creus argued that quantum codebreaking and AI are not just specific threats, but catalysts that will “[awaken] people to the protections required for cyber-security” and bring the public and private sectors together to build resilience. Horizon-scanning—where organizations identify and record emerging risks, and review their strategic plans to match—creates resilience by preparing decision-makers to respond to cyber-threats when they materialize. This is key in Zurich’s risk management process, underpinned by the fundamentals of insurance: assessing, pricing and enabling risk-taking that drives innovation.

The risks of a more fragmented internet

Geopolitics also threatens to undermine the foundations of the internet. Mr Creus warned that cyber-risks could intensify if large countries or blocs pursue “sovereign” digital architectures, which could have their own certificate issuers, identity systems, and state-controlled traffic routing and filtering. He cautioned that shared technical underpinnings have so far acted as a stabilizing force; fragmenting them could remove an important barrier to escalation. This could be viewed as a parallel to a costly regional de-coupling in trade. The head of the World Trade Organization has suggested that if the world economy were to split into two isolated trade blocs, long-term global economic output would fall at least 5%.

Ms Whittaker was skeptical that internet standards can be easily replaced. “We would all love to rip out DNS, because it’s a bad system, but we have built around it,” she remarked, adding that she saw more immediate risks coming from how AI-powered tools can be embedded as agents within operating systems. There, large language models can demand sweeping permissions, creating something “that looks…like a malware vulnerability at the core of your machine”. Leaders within organizations should understand and confront these technical realities.

Between the internet splintering and AI introducing new classes of systemic vulnerability, the boundaries between public and private responsibility become increasingly blurred. Strengthening cyber-resilience now depends on coordinated action across governments, industry and technology providers. This is a recognition at the core of Zurich’s work on systemic risk, and a theme that emerged repeatedly at Davos.

Bridging public and private efforts to increase cyber-resilience

Organizations such as the NATO Innovation Fund can help bridge the gap between public ambition and technical expertise. Dame Fiona noted that defence ministries are being pushed to invest rapidly in cyber-security despite limited in-house understanding of the technologies involved.

 

That gap creates a role for institutions like the NATO Innovation Fund, which was created to sustain “collective defence security and resilience” by keeping the transatlantic alliance “at the forefront of technological innovation”. The fund operates as a venture vehicle, with 24 NATO countries as limited partners, investing across member states in promising young companies whose innovations could support peace and security for the alliance. One example is Space Forge, a Cardiff-based startup that aims to make material for semiconductors in space.

Independent bodies could also play a role in collecting and analyzing data on cyber-incidents that fall outside thresholds for mandatory reporting such as those that apply in the European Union. Bart Groothius, a Dutch member of the European Parliament, has noted a place for such institutions in relation to attacks on infrastructure including undersea communication cables.

Measuring resilience, not just risk

Recent cyber-incidents have highlighted why resilience measurement is a growing business imperative. Companies whose systems were compromised saw stocks go to waste as their warehouse and e-commerce networks stayed offline, resulting in significant financial losses. Understanding exactly how factors such as system downtime, regulatory compliance and supply-chain disruptions will affect a business, and what capacity exists to respond and to recover, can help minimize the impact and justify the case for investing in protective measures.

The discussion in Davos noted how the evolution of cyber-threats often seems to outpace the organizations that have to defend against them. As automation and geopolitical motives cause attacks to proliferate, cyber-defence risks are becoming fragmented and reactive. One answer is for leaders to carefully examine their existing cyber-resilience and to pursue a unified, data-driven strategy for increasing it.

That means tracking not just breaches, but also how quickly vulnerabilities are patched, incidents contained and operations restored. Metrics such as audit coverage, the age of exploited vulnerabilities and the percentage of unfilled cyber-security positions offer practical gauges of preparedness and recovery. According to the Cyber Metrics for Key Decision-Makers report published by Zurich last year, consistent sets of national-level cyber-metrics, enabled by the presence of national cyber-statistics bureaus that collect, analyze and publish the data, and shared by the public and private sectors, could reduce systemic risk, improve cyber-resilience and strengthen decision-making on policy and investments. The report found only one of six among Zurich’s suggested metrics—detection—was fully covered by EU incident-reporting requirements.

Panelists suggested that resilience can be improved by making policy and procurement more technically aware, and by increasing collaboration between private and public organizations to boost defence innovation. Attacks are inevitable, but advantage can be gained from understanding where digital systems are weak and how well countries and businesses are poised to recover when defences are breached.

For Zurich, resilience is defined not only by the strength of defences, but by the speed and coherence of recovery when they fail. The company’s research shows that visibility into vulnerabilities, rapid remediation and the capacity to restore operations are the factors that most effectively reduce systemic cyber‑risk, along with bridging the skills gap in the cyber-security industry. In an environment where attacks are inevitable, these capabilities increasingly determine organizational resilience and national preparedness alike.

To understand emerging vulnerabilities in a digital world, and how public- and private-sector leaders can close the gap, explore Zurich’s research on cyber-resilience.

Learn more

​