Caught between two hammers — international law and technological dependence on the private sector — modern state sovereignty is in crisis. When a state attempts to act decisively against an adversary operating below the threshold of armed attack, it risks not only diplomatic sanctions and international condemnation but the loss of access to critical digital infrastructure owned by private corporations. In wartime, that loss is catastrophic, as we both experienced firsthand during Russia’s brutal invasion of Ukraine.
The classical understanding of state sovereignty is being challenged. States now must actively ask for permission to use private capabilities for defensive purposes. Two structural vulnerabilities emerge from this reality.
First, exploiting the calculated ambiguity of international law, aggressor states can weaken or even paralyze a target’s ability to decisively respond to destructive cyber operations that fall below the threshold of an armed attack. This grants carte blanche to low-level operations in cyberspace — a strategy institutionalized by the Russians, widely referred to as the “Gerasimov Doctrine,” since 2013. This term, while contested, accurately describes a pattern of Russian strategic behavior. This approach has effectively eroded the boundary between peace and war, establishing a gray zone as a primary theater of operations that is increasingly manifested in the strategies of other revisionist powers globally. But the marginalization of international law is only part of the equation. The second aspect is the erosion of state sovereignty driven by critical technological dependence on global corporations like Google, Microsoft, Meta, Amazon, and SpaceX. A decision from a CEO’s boardroom can impose a de facto veto on the military operations of a sovereign state, driven by the company’s own commercial or ethical calculations. Not every state, and not every crisis, has the safeguards to prevent it. Control over critical infrastructure, cloud computing, and communications transforms a global corporation into an autonomous geopolitical actor. The capacity to exercise the right to self-defense is increasingly rented from private tech giants.
But sovereignty is not just borders. It is a nation’s capacity to make decisions free from external cognitive manipulation.
The First Hammer: International Law
The current legal doctrine — specifically, the prevailing approach to when a cyber operation qualifies as a use of force under Article 2, Section 4 of the U.N. Charter, as Lukasz Olejnik observed at an international defense forum in Warsaw in January 2026 — is predicated on the principle of kinetic equivalence. A cyber incident is recognized as a cyberattack only if its consequences functionally resemble those of a kinetic strike. This creates an asymmetry in which international law may be used to justify preventing escalation, while the aggressor state weaponizes this restraint as a shield, deliberately conducting destructive cyber operations below the threshold of recognition — operations that, in aggregate, can threaten a state’s survival. This produces a situation in which allied states — constrained by political commitments and institutional obligations — effectively use international law as self-restraint, while revisionist powers can afford to disregard these frameworks with acceptable consequences.
Political pressure and sanctions in response to cyber incidents do not function as deterrents, or at least there’s no clear evidence of that. They are collateral costs — ones the aggressor is willing to absorb for the result it seeks.
This diplomatic silence — the so-called gray zone — became the perfect camouflage for a quiet war. Exploiting the legal vacuum, Russia transitioned from information operations to building a fully-fledged cyber army. From 2014 onward, the aggressor state began embedding backdoors — hidden access points allowing an attacker to reenter a compromised system at will — in Ukrainian systems, strategically masked as espionage rather than an active attack. The inadequacy of existing frameworks allowed Russia to plant thousands of backdoors across Ukrainian systems, which it activated at the moment of full-scale invasion in 2022 — severely undermining the state’s defense capability. This demonstrates a direct link between such preparatory efforts and kinetic action.
Based on one of the authors’ — Demediuk — direct operational experience as deputy secretary of the National Security and Defense Council of Ukraine, up to 2,500 backdoors may still remain prepositioned in Ukrainian systems as of early 2026. This fact demolishes the illusion of a gray zone, revealing it to be nothing more than a cover for cowardice on the part of states that choose to preserve an ambiguity exploited by more powerful states, rather than confront them. For some states, inaction is the lesser of two evils.
Yet the greatest strategic failure was not merely the neglect of cyberattack preparation. It was the failure to comprehend how deeply cyber operations have been integrated into the kinetic strike cycle.
Drawing on his role coordinating Ukraine’s cyber defense, Demediuk identifies a kinetic-cyber cycle that Russia has successfully employed since 2014, consisting of four core phases.
The cycle begins with an information pretext: creating a media narrative and designating the target as hostile to legitimize the forthcoming strike in the eyes of the domestic population. This is followed by digital targeting: cyber reconnaissance and the installation of digital beacons by compromising and amplifying routers and other radio-controlled devices, enabling precision guidance for the kinetic strike. The third phase is the kinetic strike itself: physical destruction of the target. Finally, the cycle concludes with information rationalization: an information campaign asserting the necessity of the strike, regardless of its actual outcome.
It is precisely because of the cyclical and predictable nature of these actions that Ukrainian authorities developed an automated predictive system. By analyzing detected cyber incidents in phases 1 and 2, the system can forecast the approximate time and location of a kinetic strike. Its current accuracy, according to Demediuk, is approximately 60–65 percent. The first test was conducted shortly before a major Russian missile strike on a civilian target in Kyiv. Based on identified cyber incidents, the system detected the probability of a kinetic attack, and the target’s administration was notified in advance.
This synchronization is not a new phenomenon — it was embedded in the architecture of the war from its very inception. The war did not begin with the crossing of borders but with a cyberattack on the Viasat satellite communications network used by the Armed Forces of Ukraine and state institutions. The initial intrusion began hours before the ground invasion, with the destructive phase disabling communications approximately one hour prior to incursion. This operation gave Russia a decisive advantage at the moment of attack.
In modern warfare, the first weapon deployed is code, not a tank. The gray zone is often nothing more than a convenient justification for one’s own inaction. Yet, the persistence of this concept in 2026 is, in fact, a strategic political choice by states. They deliberately keep destructive operations in this space, where the rules of war remain conveniently blurred.
The Second Hammer: Big Tech
States are not defenseless against private sector overreach. The United States, in particular, maintains a robust architecture of contractual obligations, service-level agreements, and legal authorities — including the Defense Production Act — designed to ensure private compliance with national security requirements. But these mechanisms are not absolute. The 2026 confrontation between the U.S. Department of Defense and Anthropic demonstrated it: Despite a $200 million contract, the company refused to lift restrictions on the use of its AI for fully autonomous lethal systems and mass domestic surveillance, and was met with an unprecedented designation as a supply chain risk — a measure previously reserved for foreign adversaries. Even in peacetime, within a structured contractual relationship, a state cannot guarantee full control over how a private company deploys or restricts its technology.
But this is only part of the problem. In the reality of modern conflict, states may find themselves in a position where the urgency of the moment or cross-border dependencies leave no room for building such safeguards at all — forcing them to rely on the verbal commitments of private sector leaders. The war in Ukraine proved exactly this.
At Ukraine’s most critical moment, Starlink provided access to its technology for the Ukrainian military. An objective reality must be acknowledged: In the vacuum created by damaged state communications systems, the deployment of Starlink became a vital element of the defense, saving Ukraine from informational paralysis — a lifeline that was critical in the war’s opening weeks.
But it was precisely here that Ukraine — and, by extension, the entire democratic world — collided with a new reality: National defense had become critically dependent on the will and algorithms of a single private corporation. This dependency created new attack vectors and potential channels for the leakage of state secrets.
A paradoxical situation had emerged: The military was forced to use private infrastructure as its primary communications channel, fully aware of the risks. All that remained was the attempt to secure the data’s confidentiality.
But the gravest threat was the emergence of a strategic veto overstate action by the private sector.
Starlink in Ukraine represents the most vivid example of how a private sector individual, endowed with power, can single-handedly restrict the military operations of a sovereign state.
The starkest illustration of this problem was observed during the Ukrainian counteroffensive on the southern front in autumn 2022. At the moment when assault forces crossed a certain line — advancing into occupied territory — they suddenly lost Starlink connectivity, plunging the battlefield into chaos. Without communications, commanders were forced to drive to the front line to enter radio range, losing precious time and risking their lives for the sake of basic coordination. The cause of this chaos was not a technical failure. It was the deliberate use by the company of geofencing technology, which reportedly restricts the connectivity zone.
A private company effectively drew a line where its systems may be used and for what purpose. This decision created a technical boundary that redefined the operational limits of a sovereign state’s defense. The decision of one private sector individual led to a significant number of Ukrainian military casualties that could have been avoided.
This situation exposed a significant operational asymmetry: The effectiveness of military maneuvers became dependent on coordination with private entities rather than purely on the national chain of command.
Notably, this occurred in the absence of a formal defense procurement contract between Ukraine and SpaceX — the technology was provided as emergency assistance, not under binding service obligations. In the chaos of the war’s opening hours, with state communications infrastructure destroyed, negotiating contractual terms was not an option. While states like the United States may have contractual safeguards with their providers, states dependent on emergency access to foreign private infrastructure have none.
Unlike traditional suppliers, the visibility afforded by real-time digital infrastructure allows a nonstate actor to impose a de facto veto on military actions. As evidenced by high-level discussions between U.S. defense officials and private leadership, this capacity establishes the provider not just as a contractor, but as a primary geopolitical actor.
While private sector leverage in armed conflict is not new, digital infrastructure introduces a qualitatively different dynamic: the ability to revoke access to critical capabilities in real time, mid-operation — setting a precedent in which, as one Pentagon official put it, the state found itself “living off his good graces.”
The Anthropic case showed a state seeking to restrict the rights of a private company. The Starlink case showed a private company restricting the sovereignty of a state. Together, these cases reveal that the absence or weakness of enforceable agreements between states and technology providers creates risks that run in both directions.
But the problem extends far beyond individual cases. The excessive concentration of assets — cloud storage and data centers — in the hands of a few key companies —Amazon, Google, Microsoft, SpaceX, and Meta — creates a scenario where a systemic technical failure could trigger a domino effect in global security.
Paradoxically, it was precisely decentralization at the physical level — the existence of thousands of internet service providers — that saved Ukraine at the start of the war. What might be characterized as market chaos from one perspective was, in the critical moment, the thing that allowed the state to stand.
Though Ukraine is as dependent on Big Tech as any other state, it is saved by a unique network access architecture. It is decentralization that makes it impossible for the enemy to sever the network across the entire country through a single point — a characteristic that fundamentally distinguishes Ukrainian architecture from that of countries like the United States or Israel, and points to the effectiveness of decentralized networks as a model of wartime resilience.
Ukraine’s experience makes it unequivocally clear: The world is changing, and the international community cannot afford to delay adaptation on the international legal front or on the technological one. If we do, we may find ourselves at a point where the consequences are measured not in financial costs but in human lives and the structural integrity of the democratic world.
First, we should accelerate the evolutionary recalibration of international norms regarding cyberattack classification. The de facto existence of the gray zone is the primary threat to our defense. In the reality of 2026, the international community can no longer afford the luxury of slow normative shifts. Any state-sponsored cyber operation of a destructive nature must be classified as an armed attack — not by the current standard of kinetic equivalence, but by intent and cumulative effect. This reclassification should be advanced through the newly established UN Global Mechanism on ICT security. Only when the cost of cyber aggression consistently exceeds its strategic gain will deterrence become real.
Waiting for physical consequences only gives the adversary time to prepare — and that can be fatal.
Second, states should reclaim control over critical defense capabilities through structured partnerships with the private sector. A system in which the success of an operation depends on the decision of one private individual is a system predestined for catastrophe.
This requires legal frameworks for state–corporate cooperation that clearly define the rights, obligations, and limitations of both parties. Just as traditional defense contractors are bound by continuity-of-service obligations under procurement law, digital infrastructure providers whose systems are designated as critical to national defense should be subject to comparable requirements — including enforceable penalties for unilateral withdrawal of critical services during active operations — not as a restriction on corporate autonomy, but as the necessary counterpart to the strategic power these companies now wield. From defense procurement contracts to legislative frameworks such as the U.S. Defense Production Act, precedents already exist for compelling private sector cooperation when national security is at stake. These frameworks are imperfect, but they remain far preferable to the complete absence of safeguards that characterizes emergency cross-border dependencies.
Ultimately, the private sector must exist solely as an auxiliary element of the state’s defense architecture. States should invest in their own alternative capabilities to achieve genuine technological sovereignty. Obviously, building such alternatives requires enormous investment and technological capacity — which is precisely why this dependency persists. But only this can guarantee that, in the critical moment, troops do not pay with their lives for decisions made in a corporate office across the ocean.
Mykhailo Andreichyn is an independent security researcher and the founder of NoctuaSec, a cybersecurity research organization. He conducts authorized physical and digital security assessments and has organized international defense forums featuring speakers from Ukraine’s National Security and Defense Council, the Polish Institute of International Affairs, and King’s College London. He is mentored by Gynvael Coldwind, a former Google Information Security Technical Lead.
Serhii Demediuk is the former deputy secretary of Ukraine’s National Security and Defense Council where he coordinated the country’s cyber defense during the full-scale Russian invasion. He is a key architect of Ukraine’s Cyber Police. He currently serves as chairman of the Institute of Cyber Warfare Research, and as professor and chief research fellow at the National Academy of the Security Service of Ukraine.
Image: Support Forces of Ukraine Command via Wikimedia Commons
