Forces of Law 2026
December 10, 2025

Cybersecurity’s New Power Dynamics

The technologies driving innovation are also accelerating vulnerabilities that cut across digital infrastructure, legal frameworks, and national security.

Three forces are colliding to make cybersecurity one of the most complex challenges facing modern business. Technology has unleashed threats that operate at machine speed and scale. Governments are aggressively pursuing enforcement over security failures and assessing penalties in the millions. And cyber operations have become instruments of geopolitical competition, with nation-states infiltrating companies and regulators restricting or prohibiting certain transactions that give “countries of concern” access to bulk US sensitive personal data.

These forces interact and amplify each other. Artificial intelligence (AI) enables both autonomous attacks and sophisticated espionage. Companies must meet rising compliance standards while defending against evolving threats. Data has become both a target for adversaries and a trigger for regulatory scrutiny. The result is a risk environment in which technological defenses, legal compliance, and geopolitical awareness must be integrated.

Technology: Speed and Scale Transform the Threat

AI has fundamentally altered the economics of cyberattacks. Where successful campaigns once required specialized expertise, AI tools now enable less sophisticated actors to craft convincing phishing messages, generate deepfakes for social engineering, and develop malware that adapts to evade detection. The barrier to entry has dropped while the attack velocity has surged.

This democratization creates asymmetric pressure. Defenders must protect every endpoint. Attackers need only one successful compromise. AI compounds this imbalance by enabling machine-speed operations — automating reconnaissance, customizing exploits, and pivoting between targets faster than human defenders can respond.

US regulators are responding. The New York State Department of Financial Services (NYDFS) has issued guidance urging regulated entities to assess AI-related cybersecurity risks within their governance frameworks. The California Privacy Protection Agency (CPPA) will require risk assessments for automated decision-making systems. Widespread regulation has yet to emerge at the federal level, but the AI Risk Management Framework issued by the National Institute of Standards and Technology (NIST) provides a blueprint for integrating AI safety and security into enterprise operations. In the European Union, the EU AI Act focuses on high-risk AI systems and requires incident reporting, data governance, and security measures.

Quantum computing poses a threat to encryption itself. The public key algorithms in near-universal use today (RSA and elliptic curve cryptography, which underpin TLS key exchange, digital signatures, and code signing) would be broken by a sufficiently large quantum computer running Shor’s algorithm, undermining a critical element of today’s digital cybersecurity infrastructure. Symmetric ciphers and hash functions are far less affected: Grover’s algorithm roughly halves effective symmetric key length, so AES-256 remains adequate and the migration burden falls mainly on key exchange and signatures. Intelligence agencies warn of “harvest now, decrypt later” operations, in which adversaries exfiltrate encrypted data today so they can decrypt it once quantum capabilities allow; data that must stay confidential for years is therefore already at risk even though no such machine exists yet. The White House issued Executive Order 14306 directing federal agencies to migrate to post-quantum cryptography (PQC) standards, with the National Security Agency (NSA) and the Cybersecurity and Infrastructure Security Agency (CISA) establishing compliance timelines.

Private industry is mobilizing as well. NIST finalized the first PQC standards in August 2024 (FIPS 203 ML-KEM for key establishment, FIPS 204 ML-DSA and FIPS 205 SLH-DSA for signatures), and initiatives such as Microsoft’s Quantum Safe Program aim to facilitate enterprise migration to these algorithms ahead of government deadlines. The transition, however, will be complex. It requires inventorying cryptographic assets (which algorithms and key sizes protect which data, for what purpose, and how long that data must remain confidential), updating protocols and libraries, and coordinating across global supply chains, since a vendor’s firmware signing key or a partner’s TLS stack can lag a company’s own migration. Forward-looking organizations are already beginning this journey to ensure data confidentiality, integrity, and availability in the quantum era.
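The inventory step above is where most migrations stall, because “which data is exposed first” is not obvious from a list of algorithms alone. The following is an added example, not code from the article or from any program it names. It applies Mosca’s inequality (data shelf life plus migration time exceeding the years until a cryptographically relevant quantum computer, or CRQC) to a constructed, hypothetical inventory; the CRQC year, the asset records, and the field names are all assumptions for illustration.

```python
"""Cryptographic asset inventory with "harvest now, decrypt later" triage.

Added example; not code from the original article. It applies Mosca's
inequality (data shelf life + migration time > years until a CRQC) to a
constructed inventory. The CRQC year, the asset records and the field
names are assumptions for illustration.
"""
from dataclasses import dataclass

# Public-key families broken by Shor's algorithm on a large quantum computer.
QUANTUM_VULNERABLE = {"RSA", "DSA", "DH", "ECDH", "ECDSA", "X25519", "ED25519"}
# NIST PQC standards (FIPS 203 ML-KEM, 204 ML-DSA, 205 SLH-DSA) and a hybrid.
QUANTUM_SAFE = {"ML-KEM", "ML-DSA", "SLH-DSA", "X25519MLKEM768"}
# Symmetric ciphers: Grover's algorithm roughly halves effective key length,
# so AES-256 keeps ~128 bits of security while AES-128 drops to ~64.
SYMMETRIC = {"AES", "CHACHA20"}


@dataclass(frozen=True)
class Asset:
    name: str
    algorithm: str         # family name, e.g. "RSA", "ML-KEM", "AES"
    key_bits: int
    purpose: str           # "encrypt" (confidentiality) or "sign" (authenticity)
    shelf_life_years: int  # how long the protected data must stay confidential
    migration_years: int   # estimated time to move this asset to PQC


def classify(algorithm: str, key_bits: int) -> str:
    alg = algorithm.upper()
    if alg in QUANTUM_SAFE:
        return "quantum-safe"
    if alg in QUANTUM_VULNERABLE:
        return "quantum-vulnerable"
    if alg in SYMMETRIC:
        return "symmetric-ok" if key_bits >= 256 else "symmetric-weakened"
    return "unknown"  # unrecognised entries need manual review, not silence


def hndl_exposed(asset: Asset, crqc_year: int, now_year: int) -> bool:
    """Mosca's inequality for confidentiality: data encrypted under a
    quantum-vulnerable key exchange today is at risk if it must stay secret
    beyond the point where a CRQC exists. Signatures are not HNDL-exposed:
    a captured signature cannot be forged retroactively."""
    if asset.purpose != "encrypt":
        return False
    if classify(asset.algorithm, asset.key_bits) != "quantum-vulnerable":
        return False
    years_until_crqc = crqc_year - now_year
    return asset.shelf_life_years + asset.migration_years > years_until_crqc


def migration_late(asset: Asset, crqc_year: int, now_year: int) -> bool:
    """Any quantum-vulnerable asset (signing keys included) must finish
    migrating before the CRQC arrives."""
    if classify(asset.algorithm, asset.key_bits) != "quantum-vulnerable":
        return False
    return now_year + asset.migration_years >= crqc_year


def triage(inventory, crqc_year, now_year):
    """Return (name, category, hndl_exposed, migration_late), most urgent first."""
    rows = []
    for a in inventory:
        rows.append((a.name, classify(a.algorithm, a.key_bits),
                     hndl_exposed(a, crqc_year, now_year),
                     migration_late(a, crqc_year, now_year)))
    # HNDL exposure is the only risk an adversary can act on today, so it sorts first.
    rows.sort(key=lambda r: (not r[2], not r[3], r[0]))
    return rows


# Constructed inventory (hypothetical assets, not real systems).
INVENTORY = [
    Asset("partner-api-tls (health records in transit)", "X25519", 256, "encrypt", 15, 2),
    Asset("backup-archive (AES-256-GCM)", "AES", 256, "encrypt", 25, 1),
    Asset("legacy-vpn (RSA key transport)", "RSA", 2048, "encrypt", 3, 4),
    Asset("firmware-signing (ECDSA P-256)", "ECDSA", 256, "sign", 10, 11),
    Asset("new-ingest-tls (hybrid ML-KEM)", "X25519MLKEM768", 768, "encrypt", 15, 0),
    Asset("vendor-sdk (undocumented cipher)", "VendorCipher", 0, "encrypt", 5, 3),
]

if __name__ == "__main__":
    # Assumed CRQC year of 2035 is a planning parameter, not a prediction.
    for row in triage(INVENTORY, crqc_year=2035, now_year=2025):
        print(row)
```

With the assumed 2035 CRQC year, the partner API channel ranks first: its health records must stay confidential for 15 years, so traffic captured today is exposed even though the channel itself is not broken now. The firmware signing key is not a harvest-now target but ranks second because an 11-year migration would outlast the CRQC horizon. The AES-256 archive needs no public-key migration, and the undocumented vendor cipher is flagged as unknown rather than silently passed.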

Legal: Cybersecurity as Contractual and Compliance Failure

The U.S. Department of Justice (DOJ) has transformed how the federal government pursues cybersecurity accountability. Its Civil Cyber-Fraud Initiative, launched in 2021, uses the False Claims Act (FCA) — traditionally applied to financial fraud — to target contractors that misrepresent their cybersecurity practices or fail to meet contractual security obligations.

The FCA carries treble damages (three times the government’s actual loss) plus a civil penalty for each false claim submitted. Recent settlements have been substantial, with various organizations paying millions throughout 2025. These cases involved contractors that allegedly misrepresented compliance with cybersecurity requirements, or sold software with known vulnerabilities or without the security controls their contracts required. Many of these cases originate as qui tam whistleblower complaints, often filed by current or former employees with direct knowledge of the gap between what was certified and what was implemented.

This approach (using existing, broad-based laws to pursue cybersecurity shortcomings) is on the rise — and it’s just one example of a broader trend toward treating cybersecurity as a matter of legal compliance and contractual integrity. Companies working with the federal government, or even within critical supply chains, should expect increased scrutiny of how they represent and implement their cybersecurity programs.

Geopolitical: When Employees and Data Become Security Threats

Cyber threats have become instruments of state power, creating new dynamics in cyber warfare, espionage, data transfers, and national security.

North Korean IT workers have successfully infiltrated Western companies by posing as legitimate remote software developers. These operatives use stolen identities, deepfake videos for interviews, and real-time translation tools to mask language barriers. They have obtained positions in sectors ranging from finance to defense.

The risks are multifaceted. Beyond intellectual property theft and insider access to production systems, employing these workers can expose companies to violations of sanctions administered by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC), given that their wages often fund North Korea’s weapons programs. Companies face potential reputational damage and regulatory scrutiny even when they were deceived.

This threat highlights the difficulty of verifying digital identities when AI can convincingly fabricate human presence. Traditional background checks may validate fake or stolen credentials without detecting the underlying deception. Companies must integrate enhanced verification procedures into hiring processes for remote workers in sensitive roles, for example live video interviews with unscripted interaction, confirmation that the address to which company hardware is shipped matches the worker’s stated location, and monitoring for remote-access tools installed on corporate laptops shortly after onboarding.

Data flows present a parallel geopolitical challenge. The DOJ’s Data Security Program, effective April 2025, restricts transactions involving access to bulk US sensitive personal data by countries of concern, including China, Russia, North Korea, Iran, Cuba, and Venezuela. The rule reflects concerns that foreign governments could exploit US health, genomic, or financial data for intelligence purposes. Its “bulk” thresholds are set per data category and are low in places (human genomic data on as few as 100 US persons, covered personal identifiers on 100,000), so even routine datasets can trigger compliance obligations.

The Federal Trade Commission has begun oversight under the Protecting Americans’ Data from Foreign Adversaries Act of 2024, while the Committee on Foreign Investment in the United States (CFIUS) scrutinizes data-linked investments. For companies operating globally, these developments transform cross-border data transfers from a privacy compliance matter into a national security issue.

Companies must reassess vendor and employee relationships, enhance due diligence for offshore data processing, and integrate sanctions, export control, and cybersecurity risk frameworks into a unified compliance strategy.

What to Watch

Several developments will shape how these converging forces evolve.

First, observe how DOJ enforcement under the Civil Cyber-Fraud Initiative expands. Early cases targeted defense contractors. If enforcement extends to critical infrastructure providers or companies in regulated industries with less direct government relationships, the liability landscape will broaden. Watch for cases involving the healthcare, financial services, or energy sector.

Second, monitor AI regulation. Current guidance is fragmented, in line with the patchwork of state-level laws and regulations that have become characteristic of privacy and cybersecurity regulation in the US. A proliferation of AI regulations across states could generate compliance challenges and liability exposure.

Third, track quantum computing timelines. Government migration to post-quantum cryptography is underway, but commercial adoption lags. The initial NIST standards (FIPS 203, 204, and 205) are already final, and NIST selected a further algorithm, HQC, in March 2025 as a backup key-encapsulation mechanism. Companies should watch for additional NIST standards and shifts in government compliance deadlines.

Fourth, watch enforcement actions related to sanctions violations involving remote workers or data transfers. The first major penalties for inadvertently employing North Korean IT workers or violating the Data Security Program will signal how aggressively regulators pursue these violations.

*  *  *


This informational piece, which may be considered advertising under the ethical rules of certain jurisdictions, is provided on the understanding that it does not constitute the rendering of legal advice or other professional advice by Goodwin or its lawyers. Prior results do not guarantee similar outcomes.
