Digital, new tech and cybersecurity nexus

Written by Isa Rask and Julie Heng from Stanford Law

The weekend before the Tallinn Cyber Diplomacy Summer School opened in June 2026, one of the tools on the forefront of many attendees’ minds was abruptly shut down. Anthropic suspended public access to Fable, its newest public frontier model with significant cybersecurity capabilities, just three days after its public release after receiving a letter from the U.S. Commerce Department threatening export controls.

For many diplomats and researchers arriving in Tallinn that Monday, the Fable pause — as well as G7 leaders’ subsequent talks to acquire greater access — was a clean demonstration of something that’s increasingly on their radar: that the private sector now plays a role in cyber diplomacy that can’t be untangled from geopolitical risk or the stability of the infrastructure everyone depends on.

In fact, as Prof. Lucas Kello, Director of the Academic Centre of Excellence in Cyber Security Research at Oxford University says, the private sector is arguably now more important to national security than at any other time of history.

Lucas Kello

Consider how Microsoft found and reported a novel piece of malware aimed at Ukrainian organizations in January 2022, then helped evacuate critical government data to the public cloud. Or its more recent European Security Program, which offers AI-powered threat intelligence sharing and cross-border collaboration across the continent. A single company like Starlink can shape the communications of a war zone, while private analysts at Google Threat Intelligence can drive significant attribution behind state-sponsored campaigns.

It’s no wonder that dozens of countries now run diplomatic outreach in technology hubs like San Francisco: it’s becoming clear that for cyber diplomacy is no longer just treaties, but terms of service.

 

AI as force multiplier for both attacks and defenses

Many worry that AI development, and especially the rise of AI agents, widen the reach of cybercrime-as-a-service. Indeed, AI can enable an attacker to run reconnaissance against thousands of targets in parallel, generate convincing phishing emails in any language, and rewrite malware in real time when defenders block it. Faster turnaround, automatic responses – that’s more speed, more scale, and more stealth. State and non-state threat actors alike have already started using AI to conduct malicious operations, including social engineering and code assistance. Of course, increased capabilities can also serve defenders. Frontier models can help triage alerts and red-team new vulnerabilities.

 

Strong Cybersecurity Requires AI Diffusion Capability

Navigating this new threat landscape requires an integrated lens with technology at the front — and through that lens, advantage depends less on innovation or access than on diffusion: who can actually use, interpret, adopt, and govern tools like AI.

AI is already diffusing faster than almost any prior general-purpose technology: global usage rose to 17.8% of the working-age population in the first quarter of 2026. 

For a cyber diplomat, this doesn’t mean abandoning the traditional capacity-building tools like incident response, CERT coordination, and training programs. It means incident response, CERT coordination, and training with AI in mind. A CERT running alerts through an AI triage layer might be able to absorb more volume, but it can only do so effectively if its analysts can understand and verify the output.

But using tools like Fable raises harder questions of dependence and sovereignty, and what this means for future cybersecurity infrastructure. What happens if core cybersecurity functions rely on frontier AI tools like Fable, which are owned by a company in another country subject to that country’s export controls and company decisions?

If we picture dependency as a stack – for example, the application a government runs, the model integrated beneath it, the cloud compute that model runs on, the chips beneath that, and the rare earths and energy – then it becomes clear that not all the layers are under any one country’s control. Then, control over these layers becomes an extension of state power. Note how the US and China together control more than 90% of global AI data-centre compute capacity, for example.

Luukas Ilves on AI
Luukas Kristjan Ilves

So what does this mean for a cyber diplomat trying to help their country defend itself, grow its economy, and deliver public services? It raises a set of key questions, with no one-size-fits-all solution: where do you build your own capacity, and how do you negotiate dependency with strategic partners?

Recent reports from the Tony Blair Institute and the European Commission reach convergent conclusions: while full self-sufficiency is too slow and too expensive for almost everyone, building sovereignty also looks like interoperability and sustained investment in talent and state capacity. With partners, it can be equally important to continue to create joint frameworks for attribution, share resources, and make unified announcements. An emerging best practice is to develop a “trust stack” across the different layers of technology.

As the summer school wound down in Tallinn, the day was just beginning in San Francisco, where Fable was still offline. Plenty of questions hadn’t been answered — when the model would return, what negotiations, what this would mean for the next round of attackers. But one thing was already clear to the 2026 class of Cyber Diplomats: cyber diplomacy can no longer be practiced at arm’s length from the companies that now define so much of the stack. As Helen Popp, Estonia’s Ambassador-at-Large for Cyber Diplomacy, put it at the Summer School: “Technology is now eating foreign policy.” The treaties still matter, but now, so do the terms of service. 

Helen Popp (right)

  • At the Next Ten Years conference in fall 2024, Professor Alondra Nelson, director of the Science, Technology, and Social Values Lab at Princeton’s Institute for Advanced Study and acting director of the White House Office of Science and Technology Policy, remarked that “All policy is tech policy.”