One thing is for sure: Cybersecurity means today’s national security. This was reconfirmed last week in Munich, where the Munich Security Conference (MSC) and the Munich Cybersecurity Conference (MCSC) had their annual meetings with around 2000 hand-picked participants, among them 60 heads of state and more than 200 Ministers from 120 countries.

The heads of state, foreign and defence ministers met at the “Hotel Bayrischer Hof”; the Digital Ministers and Cyber Ambassadors met at Munich’s “Chamber of Commerce”, just one block away from the Hotel. But in both venues, the discussion circled around the same issues: the future of the transatlantic partnership, the threat of hybrid wars in the digital age and the risks and opportunities of AI.

Under Destruction

This year’s conference title was “Under Destruction.” The chairman of the MSC, Ambassador Wolfgang Ischinger, did use the language of a “demolition ball” which attacks the rules-based order of the United Nations. The UN emerged after World War II and has so far saved us from World War Three. But what about the future? If this order is gone, as the Canadian prime minister Carney recently recognized in Davos?

The options discussed in Munich were a little enlightening. There was a consensus that the “post-Cold War era” is over. However, it remained unclear what comes next. Will the “demolition ball” prepare for something exciting new—remember Schumpeter’s “Creative Destruction” - or will the world be pulled into a disaster?

The Indian Foreign Minister Jaishankar probably gave the most precise outlook: “We are moving into a twilight zone,” he argued. And in such a twilight zone, there are different spaces and places. Somewhere, rules are working, and somewhere the law of the jungle will prevail. He did not see a “rupture” of the existing order. For him, it is a “transition.” The “Global North” is now confronted with similar uncertanies as the “Global South”. But also, Jaishankar did not offer a vision of what we will have at the end of the transition. It seems that we are crossing a big waterfall without any idea what the other side of the river will look like.

Transatlantic Partnership

Regarding the transatlantic partnership, there was also more irritation than clarification.

Last year, US Vice President Vance came to Munich and criticized EU policies on climate change, gender, migration, and free speech. This year, US foreign minister Rubio changed the tone, but not the substance. Rubio received standing ovations for acknowledging the strong historical and cultural ties between Europe and the US. But he also said that the UN did not deliver and needs an alternative. And he added that both former US administrations and the EU made historical mistakes in recent years that need to be corrected.

He invited the Europeans to follow the Americans’ U-turn on climate, gender and migration. Rubio said the US would prefer to walk together with a strong Europe. But the US could also go alone. He did not mention the “Board of Peace.” But Rubio’s travel plans after Munich—Bratislava in Slovakia and Budapest in Hungary, the two EU dissidents—were a clear signal. Hungary has joined the “Board of Peace.” 25 EU member states refused it.

A similar language was used by Sean Cairncross, the National Cyber Director in the White House, during the MCSC. “US first is not US alone.” said Cairncross, but Europe should reconsider, inter alia, its digital rulebook. Regulation stands at the end of digital development processes. Innovation should come first. The US compliments for a strong EU were very poisoned. But the Europeans made their position clear: Digital sovereignty, human rights, and the rule of law, as enshrined in the Charter of the United Nations, are Europe’s priorities.

EU Commissioner Henna Virkkunen said that the EU’s “Digital Omnibus ”, which aims to reduce regulatory bureaucracy in the digital sphere, does not mean digital deregulation. High-level European speakers stuck to their values, using a unified language. They agreed with Rubio that it is time for a strong Europe and that there are deep historical and cultural relations across the Atlantic. But French president Macron, British prime minister Starmer and the president of the EU Commission, von der Leyen, also made it clear that Europe has a different agenda when it comes to the UN, climate, gender and migration. The MAGA agenda is not our agenda, said the German Chancellor Friedrich Merz. In other words, the transatlantic relationship is moving into a twilight zone.

Hybrid Wars

Another controversial issue was how to address the growing threats of hybrid war in the digital age and the right balance between cyber defence and cyber offence.

One panel in the MCSC was held under the title “Cyberdiplomacy Needed More than Ever.” Efforts to define common rules on a global level as the UN Cybercime Convention, or to establish a new “Global Mechanism” for cybersecurity in the UN, were mentioned, but it was seen more as a minor thing, a “nice to have” with only little impact for the new generation of digital warfare.

The discussion circled not about “norms implementation” but more around “norms circumventing.” General Magowan from the UK Ministry of Defence said that the adversaries do not respect existing norms. “If we play by the rules, we will lose ,” said the general. And he encouraged European leaders to take more risks in their responses. Later, he clarified that more risk-taking doesn’t mean ignoring international law, but that, in his view, there is space for “interpretation”.

Also, the head of the German Intelligence Agency (BND), Martin Jäger, argued that the West should go beyond hardening its cyberdefence and reconsider its cyberoffence options. Just notifying and condemning cyberattacks from abroad would not be enough. He proposed asymmetric offence responses. “If the Russians attack the datacenter of our railway system, we should not attack their railway system, but we could remove some cryptocurrency from their accounts”. Hack back is obviously on the rise, regardless of the difficulties of attribution. Also, here, the twilight zone is growing. And this includes a high risk for an escalation with cascading effects. Can this go out of control?

The problem is that cyber defence is expensive, while cyber offence is cheap. Cyberoffenders can use private criminal proxies to destabilize the enemy’s political landscape. “Cybercrime as a Service” is not only commercially attractive for organized crime, but it can also pollute the relationship among states, regardless of UN Conventions.

Is there an alternative to escalation? It seems that the challenges of day-to-day conflicts have silenced thinking outside the box. Thinkers in Munich were looking at the “demolition ball” like rabbits on the snake. What was missing was creativity. Nobody proposed any reasonable options for moving out of the dark and rebuilding trust in cyberspace.

Weaponization of AI

Also, the future of AI will lead us into a twilight zone. How risky will it be to delegate cybersecurity to an AI agent?

One thing is for sure: AI will play a central role in future cybersecurity. And AI will be weaponized, as Pirro Vengu, the Albanian defence minister, argued. Many speakers referred to the war in Ukraine as a test bed for drones and killerrobots. A test for what? How far will this go? The AI arms race is in full swing. And as long as each side believes it can do better than the enemy, this will continue.

The parallel to the nuclear arms race in the 1950s and 1960s is obvious. In the “nuclear age” it needed the Cuba crisis, which brought the world to the brink of nuclear war, to start serious negotiations which produced the nuclear Test Ban Treaty (1963), the Non-Proliferation Treaty (1968) and the first SALT agreements on the limitations of strategic offensive and defensive systems, as the ABM Treaty (1972).

One big difference is that in the 1960s and 1970s, there was a recognition of the risk of a Mutually Assured Destruction (MAD). But so far, it is unclear how deterrence will work with AI weapons. Will there be something like a MAD in a global AI-based hybrid war? Nothing is happening without a crisis, one discussant said at the MSCS. Do we need a “digital Cuba moment” to think about a new detente in the AI age?

Nobody in Munich mentioned the UN negotiations on lethal autonomous weapon systems (LAWS). Nobody quoted the late Pope Francis, who called for a ban on LAWS. Nobody mentioned the proposal from UN Secretary-General Guterres to adopt an internationally legally binding instrument on LAWS.

Nevertheless, we see an ongoing global discussion on AI Governance. The UN has just appointed 40 members of the new AI Panel, which will deliver its first report to the “Global Dialogue on AI Governance” in Geneva in July 2026. One week after Munich, the AI Impact Summit in New Delhi encouraged the “Global South” to play a more active role. This summit was the fourth in a row, after London, Seoul and Paris. The so-called “Bletchley Process” started in 2023 and will continue in 2027 in Geneva and in 2028 in Abu Dhabi. There is obviously a growing consensus that the world needs some guardrails for AI. But how to achieve this in the form of a general AI agreement that would be respected by both governments and big tech companies remains, at least for the moment, also in the twilight zone.

For Bruce Schneier, the cybersecurity guru from Harvard, the key problem today is “Data Integrity.” In the past, the main thing was “Data Availability.” later “Data Confidentiality.” But now the integrity of the data is the precondition to get useful output. The biggest risk today is not “data theft” but “data manipulation”, said Schneier. AI is unable to differentiate between truth and lies, between facts and fictions. If LLMs are trained—intentionally or unintentionally—with bad data, we will get bad answers. And this can be deadly for AI applications in fields such as public transport, public health, or public diplomacy. Schneier is optimistic that AI can be useful for discovering bugs in the software of our systems and for repairing them autonomously. This will make life more complicated for cyberoffenders and data manipulators. But where will we be in five years? “I don’t know” was Schneiers honest answer.

For some of the younger generation, the future was clearer. In a session, organized by Jeff Moss, the founder of “DevCon”, a new generation of speakers predicted that the AI age will be a time of dominance and sub-ordination. Arie Herbert-Voss, who worked after his PhD at Harvard with Open AI, contributed to the first GPT and is now the CEO of RunSybil, an automated offense security company, was sure that in an AI world, a handful of American (Open AI, Anthropic, Alphabet, Meta, Microsoft, etc.) and some Chinese corporations will have the say. The rest of the world will have no chance.

Outlook

How to go from Munich? Digital diplomacy will enter troubled waters. And even the multistakeholder approach to Internet Governance will be questioned by the new security challenges of the “post-Cold War era.”

Over the last 25 years, there has been a broad consensus that all stakeholders—governments, the private sector, the academic and technical community, and civil society—have in cyberspace to work hand in hand as equal partners, but in their specific roles.

In Munich, many governmental speakers reconfirmed the need for cooperation with the private sector, academia and the technical community. But they understand this cooperation not as a cooperation among equals in a network with different responsibilities. They favour the reintroduction of hierarchical structures. Non-governmental stakeholders have to serve the government, which is in the driver’s seat. This is what “digital sovereignty” means. And civil society? They had little to say in Munich. Even long-established principles such as “transparency”, “inclusion” or “bottom up policy development” were challenged. If we want to have digital sovereignty, we need more top-down than bottom-up, argued Ieva Ilves, an advisor on Cybersecurity for Ukraine. And there were a lot of nodding heads in the room.

Anny Vu from the US State Department explained the withdrawal of the US from the Global Forum on Cyber Expertise (GFCE), the European Hybrid Threat Centre (EHTC) and the Freedom Online Coalition (FOC) with new priorities in the US government. The three multistakeholder organisations are aimed at capacity building and the protection of human rights in the digital sphere. What are the signals of this US decision to the global community, engaged in Internet Governance?

Chris Painter, the first US Cyberambassador, argued: “The US was a key player in each of these organizations. Its withdrawal will not only have a crippling effect on their work, but it will also damage the US’s global reach and effectiveness in dealing with critical cybersecurity threats. This is a serious blow to collective efforts to counter cyber threats. Cybersecurity and hybrid threats are, by their nature, global and call for unprecedented global cooperation. Though the US has great cyber capabilities, it cannot succeed alone. Cybersecurity will suffer globally as well as at home.”

Just recently, during the WSIS+20 Review conference in New York in December 2025, the multistakeholder approach for policy-making in the digital age was reconfirmed. But during this meeting, many governments also signaled that they have some problems with the WSIS+20 Outcome Document. Many governments have their own interpretation of what the multistakeholder approach means in practice. And this goes beyond the usual suspects of autocracies, which see the multistakeholder approach as a Trojan Horse of the West. Also, in democracies, law enforcement, the intelligence community, as well as ministries of interior and defence, have their own views on how to implement multistakeholder cooperation in a situation that is not yet wartime but no longer peacetime. Let’s hope that in the twilight nobody switches the light off.