
Highlighting findings from the World Economic Forum’s Global Cybersecurity Outlook 2025 report that showed 72 percent of businesses see rising cyber risks and nearly half cite the malicious use of generative AI as a top concern, Fredrik Heiding, a research fellow at Harvard University, noted that AI-driven threats are accelerating. This comes as national cybersecurity strategies reveal a fragmented global response. While some countries emerge as leaders, there is no universal roadmap to achieving cyber resilience.
Recent operations by state-linked group Salt Typhoon targeting U.S. critical infrastructure, and the Lazarus Group’s US$1.5 billion crypto theft, underscore the evolving threat landscape. As cyberattacks become strategic policy tools in an increasingly volatile geopolitical climate, threat actors are also adopting stealthier tactics, including living-off-the-land malware.
Heiding also noted that the evolving threat landscape forces nations to rethink their cybersecurity strategies. The WEF data reveals that nearly 60 percent of organizations have adjusted their cybersecurity approach due to geopolitical tensions. Meanwhile, 72 percent of survey respondents report rising cyber risks, with ransomware continuing to top the list of concerns.
Additionally, nearly half of the respondents cite the malicious use of generative AI as a leading concern. Meanwhile, new research comparing global cyber strategies finds no universal model for effective policy, underscoring the fragmented nature of today’s cybersecurity defenses.
“Nearly half of global organizations now cite the malicious use of generative AI as their top cybersecurity concern, and over 40% have already suffered successful social engineering attacks in the past year,” Heiding wrote in a post published by the WEF last week. “One in three CEOs now cites cyber espionage and intellectual property theft as top concerns, while 45% of cyber leaders worry about operational disruption. These concerns are no longer theoretical; they’re baked into strategic planning at the highest levels of government and industry.”
Heiding explained that to better understand how nations are responding, Harvard’s Belfer Center developed the Cybersecurity Strategy Scorecard. It evaluates the national cybersecurity strategies of seven leading cyber powers, including Australia, Germany, Japan, Singapore, South Korea, the U.K., and the U.S., to identify effective and innovative policies that could shape global standards. The findings show there is no universal blueprint for cybersecurity strategy; success depends on tailoring approaches to each country’s unique threats, resources, and political dynamics.
The post added that certain technical best practices remain universal. Effective cybersecurity strategies typically rest on five pillars – protecting infrastructure and people; building cyber capacity through workforce development and R&D; fostering public-private and international partnerships; establishing clear accountability and enforcement; and maintaining adaptive, well-communicated policies that evolve regularly.
Heiding noted that most countries show a strong commitment to growing their technical workforce by investing in upskilling and expanding education to close the cyber talent gap. Defending critical infrastructure and strengthening international cooperation, inter-agency coordination, and public-private collaboration, such as the U.K.’s i100 and the U.S.’s JCDC initiatives that grant security clearances to industry professionals, are also key priorities.
Heiding noted that regulatory approaches to data privacy and accountability vary widely, especially across the U.S. More critically, most lack teeth. Few strategies include enforceable accountability measures, defined outcomes, or ways to quantify risk. Without stronger incentives and clearer enforcement, many strategies risk being little more than well-meaning rhetoric.
“Naturally, a healthy strategic posture doesn’t always equal strong real-world capabilities. Though most national strategies highlight the importance of strengthening the cyber workforce and outline practical policy actions, the GCO finds that the cyber skills gap has worsened, rising by 8% since 2024,” he added. “Today, two out of three organizations report moderate-to-critical talent shortages, including a lack of essential skills to meet core security needs. Alarmingly, just 14% of organizations are confident they currently have the people and capabilities required.”
According to the WEF data, the proportion of large organizations reporting inadequate cyber resilience has nearly halved since 2022, highlighting a widening gap in preparedness between enterprise-scale firms and smaller, more vulnerable organizations.
Heiding noted that governments widely recognize the private sector’s role in national cyber resilience, yet most still lack strategic frameworks to guide or incentivize private-sector security efforts. Regulation remains a primary driver, but two-thirds of organizations report that navigating an increasingly fragmented global compliance landscape adds costly complexity. Many strategies discuss cyber-related subsidies, but governments should not rely solely on financial aid; they should also facilitate a better understanding of returns on investment for cybersecurity solutions, including a stronger quantification of cyber risk, accountability, and best practices.
He noted that initiatives like the U.S. Cybersecurity Apprenticeship Program and secure-by-design proposals (shifting liability toward producers of insecure products) attempt to create incentives to foster healthy, long-term cybersecurity cultures and workforces. “Ultimately, cybersecurity ought not to be viewed as a compliance requirement, but as a business enabler that builds trust, protects innovation, and enhances market competitiveness. For that to be true, we must create clear, quantified incentives that show business leaders how and why their cyber investments will translate into net positive financial savings,” he added.
Highlighting that regulators are beginning to act, such as the EU’s Cyber Resilience Act, which sets baseline security requirements for digital products, Heiding observed that the window for reactive policy-making is closing. “Governments must urgently modernize their cybersecurity strategies, invest in measurable and adaptive defence structures, and lead with actionable and measurable policies. Anything less risks leaving critical systems exposed in an era when cyberattacks are bound to proliferate,” he added.
Heiding also wrote that cyber threats are evolving at an alarming pace, with ransomware, state-sponsored intrusions, and AI-powered attacks now posing serious risks to national security, economic stability, and public trust. At the same time, emerging technologies are expanding the attack surface: AI is enabling adversaries to automate spear phishing, generate convincing deepfakes, and identify software vulnerabilities at scale, while advances in quantum computing threaten to break existing encryption standards.
In a recent post for The Lawfare Institute, Heiding and Alex O’Neill, a researcher at the Harvard Kennedy School’s Belfer Center for Science and International Affairs, recognized that emerging AI technologies like LLMs promise to supercharge malicious actors’ capacity to conduct social engineering cyberattacks.
“Unlike technical systems, the human brain cannot be easily patched to recognize deceptively realistic spear phishing emails and deepfake videos,” they added. “By simultaneously boosting the quality and reducing the cost of these types of operations, LLMs will deliver a dangerous advantage to cyberattackers, the effects of which will deepen a number of existing challenges in cyberspace and the physical world. While the rise of AI-enhanced social engineering attacks is inevitable, responsible actors can take steps to prepare for its arrival—before it is too late.”

Anna Ribeiro
Industrial Cyber News Editor. Anna Ribeiro is a freelance journalist with over 14 years of experience in the areas of security, data storage, virtualization and IoT.