Cyber-pandemic: What’s Not Being Discussed in Policy Circles

The Cyber Threat Landscape is missing its most critical variable. Who’s deciding who’s safe and who isn’t? When the WEF has already completed a cyber-pandemic scenario as a war-gamed simulation, why has it not made it into the insight reports or threat trend lists? It’s not even mentioned as a footnote.

Two years in a row, the World Economic Forum’s Global Cybersecurity Outlook showcased that resilient organisations would advance while those still catching up face systemic failures and geopolitical fragmentation, all while promoting accelerated AI adoption. IBM maps agentic AI and shadow systems, and Palo Alto leads with identity. These reports widen cyber inequity by reshaping risk for organisations and governments. Their institutional recommendations exclude the civilians whose banking, healthcare, energy, and food supply run on the same infrastructure that is under threat.

KEY INSIGHTS:

  • Cyber pandemic risk is not a future scenario but an urgent risk whose conditions are already present, and it competes with climate response for the same finite compute resource; these are not separate crises
  • Every 2026 cybersecurity framework is written for institutions; the civilian outside the enterprise perimeter does not exist in any of them
  • Citizens are not the weakest link; rather, they are unprotected infrastructure: a CVSS 10.0 with no patch and no recovery budget
  • Midpower nations have enough infrastructure to be devastated and not enough coordination to respond

Multiple strategies that look great on paper remain weakly connected to execution, but it is easier to shift focus to something executable in order to defend market share. That is a risk, and it extends beyond security. It includes the climate and resource demands of large-scale compute and the long-term implications of reliance on foreign-owned cloud and data infrastructure. Under these conditions, cyber risk becomes less about isolated breaches and more about systemic exposure.

WHY THESE INSIGHTS ARE NOT ENOUGH TO PREVENT A CYBER-PANDEMIC

Such systemic exposure creates a cyber-pandemic scenario in which proactive and reactive risk mitigation both consume compute. When middle-power nations depend on tech giants, this puts at risk not only data but also agency, security, resources, and civility.

A cyber-pandemic is not a single catastrophic attack, but a cascading digital failure that spreads rapidly across borders, sectors, and societies, overwhelming institutional response capacity. It is a self-propagating disruption of digital systems that produces widespread societal, economic, cultural, and geopolitical harm across multiple regions simultaneously. A growing interdependence is pushing the global system toward a new class of systemic risk. Unlike conventional cyber crises, the defining feature is not sophistication, but scale plus speed.

These insights are written for organisations, enterprises, governments, and CISOs. Humans are acknowledged as the weakest link, where one human error could put a whole system at risk, and the solution proposed is employee awareness training and AI-powered monitoring. What about the citizen, the person outside the enterprise perimeter? The 60-year-old, the small business owner, the non-profits, and the civilians who run on the same interconnected infrastructure and become vulnerabilities?

HUMAN DIGNITY MATTERS: CITIZENS ARE MORE THAN JUST DATA OR A PROPAGANDA TOOL

The cyber industry is structurally organised around institutional clients. The citizen is not a stakeholder in the commercial cybersecurity ecosystem, but rather the infrastructure. The general public is depended upon and exploited as a vulnerability, not only for cyberattacks but also for misinformation and propaganda, yet stays entirely absent from the frameworks that claim to address systemic risks.

Unfortunately, not only generative AI but also agentic AI is already deployed at scale across civilian infrastructure. Agentic systems are operating with minimal human oversight. While the conversation focuses on operational resilience, it does not include civil society. The question is not whether a cyber pandemic will occur but whether countries will have civilian resilience frameworks in place when it does. Based on the current trajectory, they will not.

Civilians experience collapse as civic unrest becomes a layer of the cascading impact. Not everyone is equipped with 0-day patches, a SOC, an incident response plan, or even a budget for recovery. That’s a CVSS 10.0. This is not an oversight. It is a structural design failure.

THE MIDPOWERS’ RESILIENCE OPPORTUNITY

The focus of this article is on midpowers. Large powers have cyber commands, a national security apparatus, and the budget to protect state infrastructure. While midpower nations, especially the EU/UK and Canada, are great at regulation, they still struggle with compute sovereignty, making them the easiest target: they have enough infrastructure to be devastated but not enough coordination to respond. A cyber pandemic hits them differently than it hits the US or China.

It is great that the midpowers are trying to understand compute sovereignty, but they are not considering a gap with potentially massive impact if it goes unchecked: a cascading AI-enabled incident requires emergency compute for response, detection, containment, and recovery. That emergency compute demand arrives at exactly the moment when compute is most constrained, especially after years of reckless expansion have depleted green options. The cyber pandemic does not just attack digital systems. It competes with climate response for the same finite resource.

At the time of such an event, we must all be prepared at the national, state, and citizen levels to coordinate and avoid civic unrest.

  • National actions: map compute dependencies, identify AI threat vectors, establish minimum cyber posture (procurement/response/sharing).
  • Citizen level: a civic cyber baseline encompassing digital footprint practices through digital public infrastructure policy, authentication norms, and resilience to AI-driven misinformation.
  • Coordination: public-private-citizen compacts via simulations/tabletops, not only benchmarked against the NIST standards but also tailored to the national standards.

These pilots aim to operationalise the strategies that build on existing cyber resilience frameworks and international security research, extending them to explicitly include citizens and AI-specific risks.

Midpowers are the only layer positioned to build a citizen-inclusive resilience framework that neither superpowers nor small states can deliver. But such frameworks cannot be just awareness training; they must be a civic cyber infrastructure. Not a public policy, or a digital policy, but a digital public infrastructure policy.

This positions midpower nations’ decision-making and strategic autonomy as a bridge, through shared pilots, tech, and norms, towards scalable equity: delivering on the advocacy for change by actually building workable, scalable frameworks for the safer, more equitable, and sustainable future that all citizens deserve.

KEY TAKEAWAYS:

  • Civilian resilience is not an afterthought but a governance prerequisite
  • Digital public infrastructure policy is not the same as digital policy or public policy; it is a new category, and midpowers need to build it
  • Preparedness requires simultaneous action at national, state, and citizen level through public-private-citizen compacts
  • Midpowers have an open window for proactive governance that prepares them for sovereign decision-making by choosing their response, but execution must precede norm-setting, not follow it

Ultimately, the goal is not only to manage the risks we face today but also to use this information to plan better institutions for tomorrow. The empirical signals generated through such pilots make addressing political legitimacy, human agency, and social cohesion both actionable and credible. This is urgently needed for governing these catastrophic risks. Decision makers must proceed from execution to inclusive norm-setting: planning for tomorrow, today.


REFERENCES:

  1. Cybersecurity Dive. (2026). 5 Cybersecurity Trends in 2026.
  2. IBM. (2025). Cybersecurity trends: IBM’s predictions for 2026.
  3. Palo Alto Networks. (2026). 6 Predictions for the AI Economy: 2026’s New Rules of Cybersecurity.
  4. United States Cybersecurity Institute. (2025). Top 8 Cybersecurity Trends to Watch Out in 2026.
  5. World Economic Forum. (2026). WEF Global Cybersecurity Outlook 2026.
  6. World Economic Forum. (2025). WEF Global Cybersecurity Outlook 2025.
  7. Pure Cyber. (2026). The Year Ahead in Cyber Security: Predictions, Threats, and Defences for 2026.
  8. Shostack, A., & Dykstra, J. (2024). Handling Pandemic-Scale Cyber Threats: Lessons from COVID-19. https://arxiv.org/pdf/2408.08417v1
  9. Secure World. (2025). Canada Releases 2025 National Cyber Security Strategy.
  10. Canadian SME. (2025). AI-Driven Threats & Defences: Canadian Cybersecurity in 2025.
  11. ComplianceHub. (2025). Canada’s national cyber security strategy for 2025.
  12. Palo Alto Networks. (2025). Unit 42 global incident response report 2025.
  13. Control Risks. (2025). Middle powers’ digital ambitions meet rising cyber risks.
  14. Capital Hill Group. (2025, February 8). Canada’s national cyber security strategy.
  15. Public Safety Canada. (2025, February 8). Canada’s new national cyber security strategy.
  16. Communications Security Establishment Canada. (2025). Annual report 2024–2025.
  17. F12.net. (2025, February 12). What recent Canadian cyberattacks reveal about our national security.
  18. Solomon, H. (2025, February 14). Canada updates national cybersecurity strategy. Substack.
  19. Canadian Cybersecurity Network. (2025). State of cybersecurity report 2025.
  20. Murphy, T. J., & Nagy, S. R. (2024). Middle power cybersecurity in the Indo-Pacific: Analysis through the lens of neo-middle power diplomacy. The Journal of Intelligence, Conflict, and Warfare, 7(1), 1–21.
  21. Small Wars Journal. (2025, October 16). Bridging the geopolitical divide in cyber governance: The role of middle-power cyber diplomacy in advancing global norms for responsible state behavior in cyberspace.
  22. Ifri. (n.d.). Technology policies of digital middle powers.
  23. Australian Institute of International Affairs. (n.d.). The role of middle powers in a changing geopolitical landscape.
  24. Lee, S-J., Chun, C., Suh, H., & Thomsen, P. (2015). Middle power in action: The evolving nature of diplomacy in the age of multilateralism. East Asia Institute.
  25. The Network Installers. (n.d.). AI cyber threat statistics.
