A hard truth in Munich: Cyber defense runs through Silicon Valley

MUNICH, Germany — At the Munich Cyber Security Conference on Thursday, amid the usual talk of deterrence and digital battlefields, something quieter, and more revealing, slipped into the room. The next arena of political conflict, the speakers suggested, won’t be defined by borders or territory. It will be written in code. And much of that code isn’t controlled by governments at all — it belongs to American companies.

Onstage were two men who have spent their careers thinking about power in its most muscular forms: Paul Nakasone, the former head of U.S. Cyber Command and the National Security Agency, and Dag Baehr of Germany’s foreign intelligence service, the Bundesnachrichtendienst.

Although the panel was billed as a discussion about cyber as the “future arena of political conflicts,” it quickly became something more candid: an admission that traditional ideas of national sovereignty are running up against a simple reality — increasingly, governments depend on technology they neither invented nor control.

“We’re at a structural inflection point, I would say, because most of the technologies in the near future, even in the present, are not owned by government agencies,” Mr. Baehr told the gathering. Intelligence services, he noted, are constrained by bureaucracy, funding cycles and limited scale. 

“Most of the technology stacks, whether I like it or not, are owned by the US… and you have to come to terms with that particular, very simple fact,” he said.

The remark was striking not because it was controversial, but because it was obvious. 

The global cloud infrastructure that underpins digital life, the artificial intelligence systems racing ahead of regulators, and the quantum research that promises to upend encryption standards are largely developed and controlled by American firms.

Governments do not own the platforms where data flows. They do not control the networks where malicious code travels. And increasingly, they do not have the same visibility into global traffic that large technology companies like Amazon, Microsoft and Google possess. Nakasone acknowledged that the imbalance exists but he tried to frame it as an opportunity — and a necessity.

“Working together doesn’t just mean governments and armies and militaries working together,” he said. “It also means working with the private sector, working with academia, working with others that are… every single day, operating in cyberspace.”

Things private companies see

There are things, he added, that private companies see that governments do not — sometimes because intelligence agencies lack the legal authorities to collect that information themselves. 

“Wouldn’t it be nice to understand what’s going on and have them say, this is what we’re seeing as well?” he asked.

For European officials who have long spoken of “digital sovereignty” — the desire to keep data and infrastructure under domestic control — the implication was clear. Decoupling from American technology may be politically attractive but it may not be strategically feasible.

“As we look at artificial intelligence and quantum computing, like it or not, you’re going to be working with American companies,” Mr. Nakasone said. “The idea of decoupling technology and decoupling information sharing is something I am very concerned about.”

If sovereignty in the 20th century meant territorial control, sovereignty in the 21st may mean negotiating influence over systems you do not own.

The conversation in Munich comes as the Trump administration signals a sharp turn in American cyberstrategy. The administration has outlined its plans for closer collaboration with private companies, including assistance with offensive cyber operations. 

A bigger private role

The government can already hire companies to help build cyber tools. But the Trump administration’s latest proposal would give private firms a much bigger role in carrying out cyber operations themselves. That would blur the line between what the government does and what companies do — and raise difficult questions about who is responsible, who is in charge, and what happens if something goes wrong.

The issue is likely to come up again as President Trump’s nominee to lead U.S. Cyber Command and the National Security Agency, Lt. Gen. Joshua M. Rudd speeds toward confirmation. His leadership would come at a moment when the boundary between Silicon Valley and Fort Meade appears thinner than ever.

On Tuesday, the Senate Intelligence Committee took a procedural step that underscores just how unsettled the cyber landscape has become. Lawmakers voted 14–3 to advance Rudd, sending his nomination to the full Senate. 

Baehr, of Germany’s foreign intelligence service, warned that Western democracies are not adapting quickly enough to technological change and said he was “always puzzled that we don’t talk timelines very much.”

In cyberconflict, time is not an abstraction. Speed is leverage. Delay is exposure.

Deterrence itself is changing shape. “Part of deterrence is creating ambiguity,” Baehr said. “I would say it is not desirable having red lines discussed in public, especially when those red lines only apply to your own actions. So, if you publicly state what you’re not doing, it’s not very deterrent.”

Yet for all the talk of ambiguity, one fact was stated plainly: the infrastructure that underpins the modern battlefield — cloud platforms, software stacks, artificial intelligence systems — is largely in private hands.

For U.S. allies, that reality cuts two ways. American companies offer reach, scale and technical sophistication that few governments could hope to replicate. But reliance on them also creates a new kind of vulnerability — a dependency that sits uneasily alongside calls for digital sovereignty.

The message in Munich was less ideological than practical. Cooperation with American technology firms is not, the speakers implied, simply a choice. It is a condition of operating in the digital age.

Sovereignty, in this telling, may no longer mean standing apart. It may mean shaping systems you do not own — and securing a voice in the rooms where the companies that run the networks decide what is seen, and what is not.