10 Conversations Defining the Future of AI, Cyber, and Conflict
Ahead of an upcoming interview with Mario Nawfal, these are the conversations which matter most right now
With an upcoming conversation on the horizon, these are the questions I believe will define the next phase of AI, cyber operations, and hybrid conflict. If we try to cover all of these in one go, we’re doing it wrong. Some will inevitably be left for another conversation. These are questions that deserve revisiting as the technology, and the conflicts, ethics, policies, and regulations surrounding it, continue to evolve.
20 January 2026 at 19:00 GMT One-on-one interview on X with Mario Nawfal and on his YouTube afterwards
1. Why investors consistently underestimate cybersecurity risk
Cybersecurity risk is still treated as a technical problem, when it is fundamentally an economic one. Investors tend to evaluate companies based on growth, market share, and narrative momentum, while cyber risk lives in places that are harder to quantify, slower to surface, and easier to defer. As a result, security is often priced as an operational cost rather than as an existential business risk.
This mismatch creates blind spots. Cyber incidents rarely fail a company immediately, but they quietly erode trust, operational resilience, and long-term value. By the time consequences appear in earnings, regulation, or litigation, the underlying exposure has already been normalized as unavoidable or industry wide.
Investors must, and I repeat must, treat cybersecurity and privacy as core components of due diligence. That means reviewing security posture and privacy practices, measuring them against appropriate frameworks, and validating claims through independent testing and certification rather than marketing assurances. Anything less is risk acceptance by omission.
This is becoming more costly by the year. Regulatory obligations are no longer theoretical. Frameworks such as the EU AI Act and the EU Cyber Resilience Act introduce direct compliance, liability, and enforcement costs that will materially affect valuations. Investors who fail to account for this are not just underestimating cyber risk. They are mispricing the future.
2. How generative AI collapses trust faster than security teams can respond
Generative AI has accelerated a problem cybersecurity teams were already struggling to contain. Trust is now easier to manufacture than it is to verify. Images, voices, documents, and even technical artifacts can be generated at scale, with just enough realism to pass initial scrutiny and just enough ambiguity to delay response.
Security teams are structured to investigate incidents, validate evidence, and establish timelines. Generative AI exploits that gap. By the time something is confirmed as synthetic, the narrative damage is often already done. Misinformation spreads faster than attribution, and perception hardens long before facts arrive.
This is not just a technical failure. It is an organizational one. Most defences still assume that authenticity is the default and deception is the exception. Generative AI inverts that assumption. In an environment where synthetic content is cheap and plentiful, trust itself becomes the attack surface.
This is why generative AI poses such a challenge for cybersecurity, journalism, markets, and public institutions simultaneously. The issue is no longer whether something can be verified, but whether verification can happen quickly enough to matter.
The image below is AI generated. It is used deliberately to illustrate how easily credibility and proximity can be manufactured, and why that matters in an era of synthetic media.
Why this is not theoretical
None of this is abstract to me. These dynamics are already playing out in the real world, shaping elections, destabilizing regions, and lowering the barrier for influence operations at a speed most institutions are not prepared for. I have written about this in detail elsewhere, particularly in the context of AI-driven influence operations, generative media, and how quickly they are being operationalized in hybrid conflict environments.
What concerns me most is not the sophistication of the technology, but how normalized it is becoming. Generative AI has moved from novelty to infrastructure. It is already embedded in information warfare, political manipulation, and cyber operations, often faster than regulations, security teams, or public understanding can adapt.
These are the realities I want to explore further. Not as hypotheticals, but as lived conditions. Not all of them will fit into a single conversation, and they should not. These questions deserve to be revisited as the technology, and the conflicts, ethics, policies, and regulations surrounding it, continue to evolve.
If you want to support further articles and research consider becoming a paid subscriber or buy one of my books :-)
3. Why AI security debates focus on models, not outcomes
Much of the current AI security debate is fixated on models themselves. Attention gravitates toward alignment, guardrails, and whether a system produces the “right” or “wrong” outputs in controlled settings. These questions matter, but they are increasingly disconnected from how AI is actually being used in the wild.
Real-world harm rarely comes from a single model behaving badly in isolation. It comes from how systems are deployed, combined, automated, and scaled. Outcomes are shaped by incentives, speed, and access, not by lab benchmarks. An AI system does not need to be malicious to be weaponized. It only needs to be useful in the wrong context.
This disconnect is reinforced by media narratives. Coverage tends to focus on spectacular failures or hypothetical future risks, while operational misuse receives far less attention. The result is a debate optimized for visibility rather than impact. Meanwhile, influence operations, cyber campaigns, and automated decision-making continue to advance beneath the threshold of public scrutiny.
If security is judged only by how a model behaves, we will continue to miss how harm actually occurs. Outcomes, not architectures, are where accountability should live.
4. Emerging technology creates asymmetric cyber risk faster than regulation can react
Emerging technologies consistently introduce new platforms faster than security models can adapt. Each new layer of connectivity brings novel capabilities, but it also expands the attack surface in ways that are rarely fully understood at deployment. Innovation rewards speed, while security consequences tend to surface later and unevenly.
Attackers exploit this asymmetry. They are not constrained by compliance cycles, procurement processes, or regulatory uncertainty. New platforms are probed and abused long before standards are written or oversight mechanisms are enforced. By the time governance frameworks begin to respond, adversaries have already mapped weaknesses and adjusted tactics.
The deeper issue is that most governance models were designed for slower technological eras. They assume stable platforms, clear jurisdictions, and linear risk. Emerging technologies break those assumptions. Cyber risk now evolves dynamically, crossing sectors and borders in ways that legacy regulatory structures were never designed to manage.
Until governance models catch up with the pace of technological change, asymmetric cyber risk will remain the default condition rather than the exception.
5. Space cyber is already critical infrastructure, whether we admit it or not
Space systems are no longer peripheral technologies. Satellites underpin communications, navigation, weather forecasting, financial transactions, and military coordination. Treating them as specialized or niche systems obscures how deeply they are embedded in everyday civilian and economic life.
Timing is the quiet dependency most people overlook. Global networks rely on precise time synchronization for everything from mobile communications to power grids and financial markets. GNSS provides that timing. Disruptions do not need to be dramatic to be damaging. Even small degradations can cascade across systems that assume accuracy and availability.
The risk is not limited to satellites being taken offline. Interference, spoofing, and subtle manipulation can introduce uncertainty that propagates through dependent infrastructure. Because so many systems are interconnected, failures in space based services rarely remain isolated. They cascade.
Whether or not we formally classify space cyber as critical infrastructure, adversaries already treat it as such. The gap between classification and reality is where systemic risk accumulates.
6. Post-quantum computing is not about the future, it is about stored secrets today
Post-quantum computing is often framed as a distant concern, something to be addressed once quantum systems become practical and widespread. That framing is dangerously misleading. The real risk is already present, embedded in data that has been collected, stored, and assumed to be secure under current cryptographic standards.
The harvest-now-decrypt-later model is not theoretical. Sensitive data is being collected today with the explicit expectation that it can be decrypted once quantum capabilities mature. Government communications, critical infrastructure data, intellectual property, and long-lived personal records are all exposed by this logic. The passage of time does not protect them. It works against them. I wrote extensively about this topic, yet investment remains lean.
This is why post-quantum risk cannot be treated as a future migration problem. It is a present-day exposure problem. Decisions being made now about encryption, data retention, and system lifecycles will determine whether information remains secure or becomes retrospectively transparent.
The uncomfortable truth is that much of the data that matters most cannot simply be resecured later. Once secrets are compromised, they stay compromised. This is not a hypothetical scenario. It is a timeline problem that has already started.
7. Why critical infrastructure cyberattacks are never truly non-kinetic
Cyberattacks against critical infrastructure are often described as non-kinetic, as if their effects exist only in the digital realm. That framing collapses the moment civilian systems are targeted. When energy, water, healthcare, or border security systems are disrupted, the consequences are physical, immediate, and borne by civilians.
I have worked inside multiple destructive cyber incidents where this distinction failed in practice. After the Shamoon wiper attack against Saudi Aramco, tens of thousands of systems were rendered inoperable through malware designed explicitly to destroy. The impact was not limited to IT environments. It affected industrial operations, safety processes, and national energy confidence. That incident made clear that cyber operations aimed at destruction produce real-world effects long before anyone debates terminology.
On 26 February 2022, I reported the first recognized digital violation of the Geneva Conventions, involving a destructive wiper malware attack against Ukrainian border systems during the opening phase of the invasion. This was not a theoretical scenario or a retrospective analysis. The attack directly impacted civilian movement, state functions, and human security at a moment of active conflict. The digital operation was inseparable from the physical consequences it produced.
Energy systems under cyberattack affect heating, food supply chains, and medical services. Water infrastructure disruptions create public health emergencies. Healthcare systems lose availability and visibility precisely when lives depend on them. I have seen these effects unfold in real time. In each case, the digital action produces harm that cannot be meaningfully separated from kinetic outcomes.
Labelling these operations as non-kinetic obscures responsibility and delays accountability. When cyber operations produce physical consequences for civilians, they cross into violations of civilian protection norms. The question is no longer whether cyber can cause real harm. It is whether states are prepared to acknowledge that harm and govern it accordingly.
8. Why hybrid warfare succeeds in the grey zone
Hybrid warfare succeeds not because it is subtle, but because it is designed to live in legal and ethical ambiguity. It operates below established thresholds of armed conflict, deliberately avoiding the triggers that would force clear political, legal, or military responses. This is not accidental. It is the strategy.
Below-the-threshold activity allows states and non-state actors to apply pressure without formally declaring intent. Cyber operations, information manipulation, and economic leverage are combined in ways that make attribution politically inconvenient even when it is technically possible. The result is plausible deniability that slows decision making and fragments response.
Information operations amplify this effect. Narratives are shaped to confuse responsibility, normalize disruption, and exhaust public attention. Cyber incidents are framed as accidents or criminal activity. Economic pressure is presented as market behaviour. Each component alone appears manageable. Together, they create sustained strategic pressure without crossing a single clear red line.
This convergence is why hybrid warfare is so difficult to deter. It exploits governance structures that are built to respond to discrete events, not to cumulative harm. Until legal, ethical, and policy frameworks adapt to this reality, the grey zone will remain the most active battlefield.
9. AI weaponization is happening without the language to describe it
AI weaponization is often imagined as autonomous weapons or futuristic battlefields. That framing misses what is already underway. The most consequential uses of AI today accelerate decision making, compress timelines, and remove friction from processes that previously required human judgment. These shifts do not need new hardware to be weaponized.
Decision acceleration changes how quickly force, pressure, or influence can be applied. AI systems enable faster targeting, faster prioritization, and faster execution, often without proportional increases in oversight. When speed becomes the primary advantage, errors scale as efficiently as successes.
Targeting is no longer limited to physical objectives. AI enables precise targeting of individuals, communities, and narratives. Influence operations can be personalized, automated, and sustained at a scale that would have been impractical only a few years ago. Harm does not require violence when behaviour can be shaped indirectly.
Automation completes the loop. Once influence and decision processes are automated, harm can be applied continuously with minimal human intervention. This lowers the political and moral cost of action while increasing its reach. We lack shared language and frameworks to describe this form of weaponization, which makes it harder to recognize, regulate, and restrain.
10. What most people still misunderstand about modern digital conflict
The most persistent misunderstanding about modern digital conflict is that it is primarily about hacks. Intrusions, exploits, and technical feats draw attention because they are visible and measurable. But they are rarely the objective.
Digital conflict is about power, narrative, and timing. Cyber and AI are tools used to shape conditions, influence decisions, and constrain options. Success is measured not by access gained, but by outcomes achieved, often long after the technical activity has faded from view.
Narratives determine how events are interpreted and whether responses are justified. Timing determines whether actions provoke escalation or pass unnoticed. Power lies in the ability to coordinate these elements across domains. Cyber and AI enable this coordination, but they are not the end goal.
When we focus only on the technical layer, we miss the strategic one. That blind spot is what allows the same patterns of digital conflict to repeat, even as the tools evolve.
Data and cybersecurity sovereignty
At the core of all of these conversations is a question of sovereignty. Who controls the data, the infrastructure, and the rules that govern digital systems increasingly determines who holds power. Cybersecurity failures are no longer just technical incidents. They are failures of governance, jurisdiction, and accountability.
As data moves across borders faster than laws can adapt, states, companies, and citizens are losing visibility into where their information lives and who can act on it. Security decisions made for convenience or cost now have geopolitical consequences. In this environment, sovereignty is not about isolation. It is about resilience, transparency, and the ability to make informed choices about risk.
These are not abstract debates. They shape markets, elections, and conflict. If we continue to treat data and cybersecurity sovereignty as secondary concerns, we should not be surprised when digital dependencies become strategic vulnerabilities.
I look forward to seeing you all 20 January 2026 at 19:00 GMT One-on-one interview on X with Mario Nawfal or on his YouTube afterwards
📌 More on Me • Chris Kubecka – Wikipedia
#CyberSecurity #MarioNawfal #AI #HybridWar #Technology #Investors #TheHacktress #ChrisKubecka
Chris Kubecka is the founder and CEO of Hypasec NL an esteemed cyberwarfare expert, advisor to numerous governments, UN groups and freelance journalist. She is the former Aramco Head of Information Protection Group and Joint Intelligence Group, former. Distinguished Chair of the Middle East Institute, veteran USAF aviator and U.S. Space Command. She specializes in critical infrastructure security and unconventional digital threats and risks. When not getting recruited by dodgy nation-states or embroiled in cyber espionage, she hacks dictatorships & Drones (affiliate link to my books) and drinks espresso.
@SecEvangelism on Instagram, X, BlueSky LinkedIn Substack YouTube Medium
Great points Chris
Congrats on getting Elon musk interested in your books 💀💀