
In any walk of life, during times of hardship, you look towards the senior leaders for direction. Your line manager at work, your older sibling or parents at home, or when it’s an issue of national security, your nation’s governing body.
There’s no point beating around the bush: when it comes to cybersecurity, the world finds itself at boiling point. There’s no telling when the next large-scale attack may land, or where, or just how many people might have their lives impacted. What we can infer with a large degree of confidence is the likelihood of more crippling attacks taking place. Be it in the UK, US or anywhere else in the world, there is a sense of inevitability about it.
While nations may compete economically and politically, cyber threats have been and will continue to be something best faced together. Cooperation alone can’t eliminate risk, but it can ensure that when the ground shifts, organisations are not standing alone.
That consensus is now being pulled in opposite directions.
Recent moves by the US to step back from aspects of global cyber cooperation, alongside the EU’s decision to tighten regulation around cybersecurity and supply chain resilience, signal the start of a metaphorical tug of war. Yes, the moves are not directly related or made in response to one another; however, each side is pulling in a different direction, driven by different priorities and philosophies. But as the distance between them widens, perhaps it’s time to start asking more challenging questions. Does the US disagree with the EU’s move to enhance supply chain security? Would the EU prefer the US to remain involved in Global Cyber? Who, if anyone, wins when two global powerhouses seek different things? And what happens to cyber resilience if the rope finally gives?
Two directions, one shared risk
In any tug of war, strength is of course a key factor in determining which side gets its way; however, it doesn’t necessarily result in a positive outcome. When both sides pull in alignment, progress is possible. When they pull away from one another, a lot of energy is used up and strain builds rapidly.
The EU’s approach reflects a belief that firmer regulation, deeper accountability and broader oversight will force better security outcomes. By extending responsibility across supply chains and third parties, policymakers are attempting to reduce systemic risk through control and transparency.
The US shift, by contrast, prioritises autonomy and national discretion, reducing reliance on multinational frameworks and shared commitments. The underlying message they are sending is one of self-determination rather than collective defence, quite the contrary to that of the EU.
The positive news is that both stances have the fundamental aim of reducing risk, just in antithetical ways. We live in an increasingly small world, with more people and organisations operating across both regions, where this combative message and these opposing views on collaboration can only lead to confusion. They are pulling in opposite directions against a threat landscape that is global, fluid and deeply interconnected.
When governance pulls harder than collaboration
When you watch a tug of war take place, there is often a great amount of effort being used by both sides, yet very little movement, as the two sides cancel each other out and the contest itself consumes more energy than the problem it was meant to solve. The ultimate outcome of this combative scenario is stifled progress and even more gaps for threat actors to exploit.
As governance models diverge, organisations operating across borders are the ones being forced to absorb the tension. Security teams must reconcile overlapping regulatory demands, inconsistent expectations and varying definitions of resilience. Suppliers are subjected to different rules depending on where they operate, even though the technology and risks remain the same.
In this environment, collaboration becomes collateral damage: information sharing slows, joint response frameworks weaken and trust is replaced by compliance. The irony is that while regulation tightens and sovereignty is reinforced, attackers continue to cooperate freely under the surface, sharing techniques and exploiting the gaps left by confusion between jurisdictions.
The rope is under strain
Cyber resilience depends on visibility across systems, suppliers and geographies, yet a fragmented governance landscape stretches that visibility thin.
Each new political move or regulation introduced without thorough collective thought is just another grunt and tug in another direction. More reporting requirements. More controls. More assurance activities without true impact just add to the workload for IT teams already swamped by compliance needs that are often duplicated.
Yet resilience does not scale linearly with effort. At some point, additional strain reduces flexibility, slows response and increases the risk of failure.
By pulling in different directions, we’re already failing by leaving vulnerabilities for attackers to exploit. If the rope were to snap altogether, the implications would be catastrophic.
Businesses are already facing greater volume and velocity of threats, meaning higher costs, slower recovery and greater uncertainty, all of which leave economies with increased systemic risk. Policymakers are all too often discovering the impacts too late, taking a reactive approach rather than gathering key groups together ahead of time to limit attacks altogether.
True cyber resilience is about recognising interdependence. Strong domestic frameworks are essential, but they need alignment and shared intelligence to truly work; even the most robust national posture will have blind spots. The most resilient organisations meet regulatory obligations while actively collaborating through supplier transparency and shared learning. That knowledge sharing shouldn’t just take place within isolated groups or immediate networks. It would be far more impactful if it involved collaboration between industries, with governments in different jurisdictions giving their full backing.
A moment to stop pulling and start aligning
The good news is that this metaphorical game of tug of war is still in its early stages, and it’s not too late to get on the same side and change the dynamics before the strain becomes irreversible. In a change that stems from the Government, what is needed now is not a stronger pull from either side, but a recalibration that encourages collaboration on a global scale and recognises how nations working together can be supported by effective regulatory models that enable information sharing rather than discourage it. Now more than ever, the world needs leadership that accepts that cyber resilience is a collective outcome, not a competitive one.
If jurisdictions, policies, or other collective groups continue to pull against each other, the rope will break. And when it does, it will not matter which side thought it was winning: the only winners will be the hackers, leaving us all face down in the mud.