SUMMARY - Future of Cybersecurity

A security operations center deploys artificial intelligence that monitors network traffic, identifies anomalies, and responds to threats in milliseconds, detecting and containing an intrusion that human analysts would have missed entirely or discovered only after extensive damage. Across the globe, attackers deploy their own AI that probes defenses, generates convincing phishing campaigns personalized to each target, and adapts in real time to evade detection, the same technology that enables defense enabling offense in an escalating technological arms race. A nation-state actor harvests encrypted communications today, storing data that current computers cannot decrypt, waiting for quantum computers that will break the encryption protecting state secrets, financial transactions, and personal communications, rendering retrospectively vulnerable everything transmitted before quantum-resistant cryptography was implemented. International negotiators attempt to establish norms for responsible state behavior in cyberspace, but agreements collapse as nations pursue strategic advantage, conduct operations they deny, and exploit the attribution challenges that make accountability nearly impossible. A critical infrastructure operator wonders whether to invest in defenses against current threats or future ones, whether the AI and quantum technologies being developed will ultimately favor attackers or defenders, and whether international cooperation will constrain threats or prove illusory while adversaries exploit good faith. The future of cybersecurity is being shaped by technological developments and geopolitical dynamics whose trajectories remain uncertain but whose consequences will determine whether digital systems can be secured or whether permanent vulnerability becomes accepted condition of modern life.

The Case for Technological Optimism

Advocates argue that emerging technologies, particularly artificial intelligence and eventually quantum computing, will ultimately favor defenders over attackers, and that the trajectory of cybersecurity points toward improvement despite current challenges. From this view, the same innovation that creates new threats also creates more powerful defenses.

AI transforms defense capabilities in fundamental ways. Machine learning systems that analyze vast data streams identify threats that human analysts could never detect. Pattern recognition that learns from millions of attacks spots anomalies that rule-based systems miss. Automated response that acts in milliseconds contains threats before they spread. The scale and speed advantages that AI provides match the scale and speed challenges that modern threats create. Human analysts augmented by AI can defend networks that human analysts alone could never secure.

The asymmetry that has favored attackers may be reversing. Traditional wisdom held that attackers need find only one vulnerability while defenders must protect everything. But AI-powered defense that monitors continuously, learns constantly, and responds instantly changes this calculus. Defenders with comprehensive visibility and rapid response may be able to detect and contain attacks faster than attackers can exploit access. The technological advantage may be shifting toward those who can deploy AI most effectively for defense.

Quantum computing, while creating threats through its ability to break current encryption, also enables quantum-resistant cryptography that will be stronger than what it replaces. The transition to post-quantum cryptography is already underway, with standards being developed and implementations beginning. Organizations that complete this transition before quantum computers become capable of breaking current encryption will be protected. The quantum threat, while serious, is addressable through cryptographic evolution.

Security architectures are evolving to assume breach rather than prevent it. Zero trust frameworks that verify every access request, microsegmentation that limits lateral movement, and defense in depth that provides multiple layers of protection create resilience that does not depend on perimeter security alone. These architectural improvements reduce the impact of successful attacks even when attacks cannot be prevented entirely.

From this perspective, the future of cybersecurity, while challenging, is manageable through: continued AI investment that improves defensive capabilities faster than offensive ones; timely transition to quantum-resistant cryptography before quantum computing threatens current encryption; architectural evolution that builds resilience against threats that cannot be prevented; and recognition that technological progress has historically enabled security improvement despite evolving threats.

The Case for Technological Concern

Others argue that emerging technologies will favor attackers over defenders, that the arms race between offensive and defensive AI will be won by offense, and that quantum computing and other developments will create threats that current approaches cannot address. From this view, technological optimism ignores structural advantages that attackers possess.

AI empowers attackers at least as much as defenders. The same machine learning that enables threat detection enables threat generation. AI that creates convincing phishing content, that automates vulnerability discovery, that adapts attacks in real time, and that scales operations beyond what human attackers could manage amplifies offensive capability. Attackers who need only succeed occasionally can use AI to generate unlimited attempts. Defenders who must stop every attack face AI-powered adversaries whose capabilities grow alongside their own.

The attacker advantage persists in the AI era. Attackers choose when, where, and how to attack. They can probe defenses, learn from failures, and optimize approaches over time. They can target the gaps between AI-monitored systems. They can use AI to generate novel attacks that defensive AI has not seen. The asymmetry that has always favored attackers does not disappear because both sides have AI.

Quantum computing creates threats that may not be fully addressable. The "harvest now, decrypt later" strategy means that data encrypted today may be vulnerable when quantum computers mature. Transitioning to post-quantum cryptography requires updating billions of devices, systems, and protocols. Organizations that have not completed transition when quantum computing arrives will face instant vulnerability. The transition timeline may not match the threat timeline.

Complexity continues increasing faster than security can address. Every new technology, every new connection, every new capability creates attack surface. The Internet of Things adds billions of devices with minimal security. Cloud computing creates shared infrastructure where one tenant's vulnerability affects others. AI systems themselves become attack targets whose compromise could be catastrophic. The expanding attack surface may exceed defensive capacity regardless of technological improvement.

From this perspective, realistic assessment requires: acknowledging that offensive AI may advance faster than defensive AI; recognizing that quantum computing creates risks that cryptographic transition may not fully address; accepting that complexity growth outpaces security improvement; and preparing for a future where significant compromise becomes normal rather than exceptional.

The AI Arms Race Dynamic

Artificial intelligence is being deployed for both offensive and defensive cybersecurity, creating an arms race whose outcome will shape the future threat landscape.

From one view, defenders have structural advantages in the AI arms race. Defenders operate within controlled environments where they can deploy AI with comprehensive visibility. They can train AI on their own systems, establish baselines, and detect deviations. They face fewer constraints than attackers who must operate covertly. Defensive AI that sees everything on a network has advantages over offensive AI that must work with limited visibility.

From another view, attackers have their own advantages. They can target the weakest points while defenders must protect everything. They can train AI on successful attacks across many targets while defenders learn only from their own experience. They can use AI to generate novel attacks that defensive AI has never encountered. The adversarial machine learning problem, where attackers deliberately craft inputs to fool defensive AI, remains unsolved.

Whether AI ultimately favors offense or defense may depend on factors beyond the technology itself, including how rapidly each side adopts and adapts, how effectively AI is integrated with human judgment, and whether defenders can share intelligence that attackers cannot.

The Autonomous Response Question

AI enables security systems that detect and respond to threats without human intervention. Whether autonomous response improves security or creates new risks is contested.

From one perspective, autonomous response is necessary given attack speed. Human analysts cannot respond quickly enough to prevent damage from fast-moving attacks. Automated containment that isolates compromised systems, blocks malicious traffic, and terminates suspicious processes within milliseconds addresses threats at machine speed.

From another perspective, autonomous response creates risks of false positives, unintended consequences, and adversary manipulation. Systems that take action without human judgment may disrupt legitimate activity. Attackers who understand automated defenses may trigger responses that cause more harm than the attacks themselves. Removing humans from the loop eliminates judgment that may be essential.

Whether the benefits of autonomous response outweigh its risks, and how to design systems that balance speed with judgment, shapes defensive architecture.

The Explainability Challenge

AI security systems often operate as black boxes, detecting threats through processes that humans cannot fully understand or verify.

From one view, explainability is essential for trust and improvement. Security teams that cannot understand why AI flagged certain activity cannot evaluate whether the flag was appropriate. Unexplainable AI may embed biases or blind spots that remain undetected. Human oversight requires human understanding.

From another view, explainability requirements may constrain AI effectiveness. The most accurate detection methods may be inherently unexplainable. Requiring explainability may force use of less capable approaches. The alternative to unexplainable AI may be no AI rather than explainable AI of equal capability.

Whether explainability should be required for security AI or whether accuracy should take precedence shapes system design.

The Quantum Computing Timeline Uncertainty

Quantum computers capable of breaking current encryption do not yet exist, but their development timeline remains uncertain. Estimates range from years to decades, with significant consequences for planning.

From one perspective, the uncertain timeline requires immediate action. Organizations cannot know when quantum computers will threaten current encryption but can know that transition to quantum-resistant cryptography takes years. Waiting for certainty about the threat timeline may mean waiting too long. Prudent planning requires beginning transition now.

From another perspective, premature transition wastes resources. Quantum-resistant cryptography is less mature than current approaches. Early adoption may require later replacement as standards evolve. Organizations that transition too early may face additional transitions as the field matures.

Whether organizations should transition to quantum-resistant cryptography now or wait for greater certainty shapes investment timing.

The Harvest Now, Decrypt Later Threat

Adversaries may be collecting encrypted communications today, storing them until quantum computers can break the encryption. This "harvest now, decrypt later" strategy means that data transmitted today may become vulnerable years from now.

From one view, this threat is serious for information with long-term sensitivity. State secrets, strategic plans, and personal information that will remain sensitive for decades are vulnerable to future decryption. Even if quantum computers are years away, information transmitted today will be exposed when they arrive.

From another view, much data loses value quickly. Encrypted communications about current operations may be irrelevant by the time they can be decrypted. The harvest now, decrypt later threat applies primarily to limited categories of information with enduring sensitivity.

Whether the harvest now, decrypt later threat justifies urgent action or whether it is overstated for most information shapes response prioritization.

The Cryptographic Transition Challenge

Transitioning to quantum-resistant cryptography requires updating vast numbers of systems, devices, and protocols. The complexity and scale of this transition creates implementation challenges.

From one perspective, the transition is manageable with adequate planning. Standards are being developed. Implementation is proceeding. Organizations that begin planning now can complete transition before quantum computers threaten current encryption. The transition is significant but achievable.

From another perspective, the transition may be more difficult than optimists assume. Legacy systems that cannot be updated will remain vulnerable. Embedded devices with long operational lives may not support new cryptography. Protocol changes require coordination among parties who may not move at the same pace. Some systems may never complete transition.

Whether cryptographic transition can be completed in time or whether significant vulnerability will persist shapes risk assessment.

The International Cooperation Aspiration

International cooperation on cybersecurity could establish norms, enable collective defense, and reduce threats that cross borders. Whether meaningful cooperation is achievable is contested.

From one view, international cooperation is essential and achievable. Cyber threats affect all nations, creating shared interest in addressing them. Norms against certain attacks, information sharing about threats, and coordinated response to incidents serve collective interest. International frameworks for other domains provide models that cybersecurity could follow.

From another view, international cooperation is illusory given divergent interests. Nations that benefit from offensive cyber operations will not agree to meaningful constraints. Attribution challenges enable deniability that undermines accountability. Agreements without verification and enforcement are meaningless. Expecting cooperation to constrain threats ignores the strategic value that nations derive from cyber operations.

Whether international cooperation can meaningfully improve cybersecurity or whether it is futile given competing national interests shapes diplomatic engagement.

The Attribution Problem Persistence

Identifying who is responsible for cyber attacks remains technically and politically challenging. Attribution uncertainty affects deterrence, response, and international accountability.

From one perspective, attribution is improving. Forensic capabilities, intelligence collection, and pattern analysis enable attribution that was previously impossible. Major attacks have been attributed with confidence, supporting diplomatic and legal responses.

From another perspective, attribution remains fundamentally problematic. Attackers deliberately obscure origins. Technical evidence can be manipulated. Political considerations influence what attributions governments make public. Even confident attribution may not support legal standards of proof. The attribution problem may be inherent rather than solvable.

Whether attribution can become reliable enough to support accountability or whether it will remain contested shapes deterrence and response strategies.

The Norms Development Effort

International efforts have attempted to develop norms for responsible state behavior in cyberspace. The UN Group of Governmental Experts and other forums have produced frameworks that remain contested in implementation.

From one view, norms development represents progress. Agreement that international law applies to cyberspace, that certain targets like hospitals should be protected, and that states bear responsibility for operations from their territory establishes foundation for accountability. Norms that shape expectations can influence behavior even without enforcement.

From another view, norms without enforcement are ineffective. States that agree to norms in diplomatic settings violate them operationally. The gap between stated norms and actual behavior demonstrates that norms do not constrain conduct. Resources invested in norms development produce documents rather than security improvement.

Whether norms can meaningfully influence state behavior or whether they are diplomatic exercise without operational impact shapes engagement with international processes.

The Collective Defense Model

Some propose collective defense arrangements where nations commit to mutual support against cyber attacks, analogous to collective security arrangements for physical defense.

From one perspective, collective defense could change attacker calculations. Attackers who know that targeting one nation triggers response from many may be deterred. Collective capabilities that exceed individual nation capacity could address threats that no nation can handle alone.

From another perspective, collective defense faces obstacles in cyber context. Speed of cyber operations may not allow consultation before response. Attribution uncertainty complicates determining when collective response is triggered. Nations may be unwilling to commit to defending others against cyber attacks. The analogy to physical collective defense may not transfer.

Whether collective cyber defense is achievable and effective shapes alliance and partnership approaches.

The Public-Private Partnership Evolution

Cybersecurity increasingly depends on cooperation between governments and private sector organizations that own most infrastructure and develop most technology.

From one view, public-private partnership is essential and evolving positively. Government threat intelligence benefits private defenders. Private sector visibility into attacks informs government understanding. Shared interests in security enable cooperation despite different perspectives.

From another view, public-private partnership remains inadequate. Information sharing is uneven and delayed. Competing interests limit genuine cooperation. Government classification constrains threat intelligence sharing. Private sector concerns about liability and reputation limit incident sharing. Partnership rhetoric exceeds partnership reality.

Whether public-private partnership can be improved sufficiently to address shared threats shapes governance models.

The Critical Infrastructure Protection Challenge

Protecting critical infrastructure from future cyber threats requires investment and evolution whose direction depends on threat trajectory.

From one perspective, infrastructure protection must anticipate future threats. Investments made today determine vulnerability years from now. Infrastructure with decades-long operational life must be designed with quantum threats, AI-powered attacks, and unknown future challenges in mind.

From another perspective, overinvestment against speculative future threats wastes resources. Infrastructure protection should address demonstrable current threats while maintaining flexibility to adapt as future threats materialize. Attempting to protect against every imagined future threat is neither affordable nor sensible.

Whether infrastructure protection should anticipate future threats or focus on current ones shapes investment prioritization.

The Workforce Evolution

Cybersecurity workforce requirements will evolve as AI transforms security operations. The skills needed in future may differ substantially from those needed today.

From one view, AI will augment rather than replace human security professionals. AI handles routine detection and response while humans provide judgment, creativity, and strategic thinking. The human role shifts to higher-level functions that AI cannot perform. Workforce development should prepare professionals for this augmented future.

From another view, AI may reduce workforce requirements overall. Automation that handles more security functions requires fewer human professionals. The workforce shortage that defines current cybersecurity may ease as AI capabilities grow. Workforce planning should account for potential reduction in human-dependent functions.

Whether AI will increase or decrease cybersecurity workforce needs shapes educational and career development.

The Small and Medium Business Future

Small and medium businesses face current cybersecurity challenges with limited resources. Whether future developments will improve or worsen their situation is uncertain.

From one perspective, technology commoditization will improve small business security. AI-powered security tools will become affordable and accessible. Managed services will provide enterprise-grade protection at small business prices. The same technology that creates threats will become available for defense.

From another perspective, sophistication requirements may exceed small business capacity regardless of technology availability. Tools require expertise to deploy and operate. Attacks that AI enables may overwhelm defenses that small businesses can afford. The gap between what small businesses need and what they can achieve may widen.

Whether future developments will improve or worsen small business security shapes service models and policy support.

The Privacy and Security Tension Evolution

Security measures often require surveillance and monitoring that privacy values counsel against. How this tension evolves will shape acceptable security approaches.

From one perspective, security will require accepting reduced privacy. Effective defense against sophisticated threats requires visibility that privacy preferences would restrict. Societies will accept greater monitoring as the cost of security that cannot otherwise be achieved.

From another perspective, privacy-preserving security will become more feasible. Techniques that enable threat detection without revealing underlying data, that provide security without surveillance, and that protect privacy while enabling defense will mature. The trade-off between privacy and security is not fixed.

Whether privacy and security must remain in tension or whether technology can reconcile them shapes what security approaches are acceptable.

The Resilience Versus Prevention Shift

Future security strategy may shift emphasis from preventing attacks to ensuring resilience when attacks succeed.

From one view, resilience focus is appropriate given the impossibility of prevention. Organizations that accept breach as inevitable and focus on limiting impact, maintaining operations, and recovering quickly will be better positioned than those pursuing impossible prevention goals.

From another view, resilience emphasis may enable security neglect. Organizations that accept breach as inevitable may underinvest in prevention. The goal should remain preventing as much as possible while preparing for what cannot be prevented. Resilience should not become excuse for inadequate prevention.

Whether future cybersecurity should emphasize resilience over prevention or maintain balanced investment shapes strategic orientation.

The Regulatory Evolution

Cybersecurity regulation will evolve in response to threats, incidents, and technology development. The direction of regulatory evolution shapes organizational requirements.

From one perspective, regulation will become more prescriptive as threats increase and incidents demonstrate inadequacy of current approaches. Mandatory security standards, required incident reporting, and liability for failures will create accountability that voluntary approaches have not achieved.

From another perspective, prescriptive regulation cannot keep pace with evolving threats and may constrain adaptive response. Principles-based regulation that establishes goals without dictating means allows organizations to address threats in context-appropriate ways. Regulatory evolution should favor flexibility over prescription.

Whether regulation will become more prescriptive or remain principles-based shapes compliance requirements and organizational flexibility.

The Insurance Market Evolution

Cyber insurance will evolve as threat landscape changes and market experience accumulates. The future of cyber insurance shapes risk management options.

From one view, insurance markets will mature and stabilize. Actuarial understanding will improve as data accumulates. Coverage will become more standardized and predictable. Insurance will become routine risk management tool rather than emerging and volatile market.

From another view, cyber risk may prove fundamentally uninsurable at scale. Correlated losses from systemic events could exceed market capacity. Evolving threats defeat actuarial models. Coverage restrictions may continue until insurance provides limited value. The market may contract rather than mature.

Whether cyber insurance will mature into reliable risk management tool or remain problematic shapes organizational planning.

The Geopolitical Dimension

Cybersecurity is increasingly intertwined with geopolitical competition. Major power rivalry shapes threat landscape, international cooperation prospects, and technology development.

From one perspective, geopolitical competition will dominate cybersecurity for the foreseeable future. Nation-state threats will remain primary concern. Technology development will be shaped by strategic competition. International cooperation will be limited to areas where interests align.

From another perspective, shared threats may create cooperation opportunities despite competition. Ransomware, criminal networks, and infrastructure vulnerabilities affect all nations. Common interests in addressing shared threats may enable cooperation even amid broader competition.

Whether geopolitical competition precludes cybersecurity cooperation or whether shared threats enable it shapes international engagement.

The Technology Sovereignty Movement

Nations increasingly seek technology sovereignty, developing indigenous capabilities and reducing dependence on foreign technology. This movement affects cybersecurity through supply chain, cooperation, and competition dimensions.

From one view, technology sovereignty improves security by reducing supply chain vulnerabilities and foreign dependencies. Nations that control their own technology can secure it more effectively than nations dependent on foreign suppliers whose security they cannot verify.

From another view, technology sovereignty fragments the global technology ecosystem. Duplicated development wastes resources. Incompatible systems complicate cooperation. Nationalism dressed as security may harm more than help.

Whether technology sovereignty improves or harms cybersecurity depends on implementation and context.

The Emerging Technology Intersection

Cybersecurity intersects with numerous emerging technologies beyond AI and quantum computing. Internet of Things, 5G and future networks, autonomous systems, brain-computer interfaces, and technologies not yet developed will create both threats and defenses.

From one perspective, each emerging technology will require cybersecurity attention. The history of deploying insecure technology and then struggling to secure it should not be repeated. Security must be built into emerging technologies from the beginning.

From another perspective, innovation requires freedom to experiment that security requirements constrain. Technologies that prove valuable can be secured after their value is demonstrated. Requiring security before deployment may prevent beneficial development.

Whether security should be required before emerging technology deployment or whether it can be added later shapes innovation governance.

The Existential and Catastrophic Risk Consideration

Some argue that cybersecurity failures could produce existential or catastrophic outcomes through attacks on critical infrastructure, nuclear systems, or AI systems. Whether such risks are realistic shapes investment and governance.

From one view, catastrophic cyber risks deserve serious attention. Attacks that cause widespread infrastructure failure, trigger military escalation, or compromise advanced AI systems could produce outcomes far exceeding historical cyber incidents. Low-probability, high-consequence scenarios warrant significant investment.

From another view, catastrophic framing is speculative and may distort priorities. Resources directed at unlikely scenarios are unavailable for addressing demonstrable current threats. Focus should be on probable harms rather than imagined catastrophes.

Whether catastrophic cyber risks warrant priority attention or whether focus should remain on current threats shapes investment allocation.

The Defender Community Evolution

The community of cybersecurity defenders, including researchers, practitioners, and organizations, continues evolving. How this community develops shapes collective defense capability.

From one perspective, defender community coordination is improving. Information sharing organizations, threat intelligence platforms, and coordinated disclosure practices demonstrate growing cooperation. The defender community's ability to share knowledge and coordinate response exceeds what existed years ago.

From another perspective, defender fragmentation persists. Competitive dynamics limit sharing. Classification restricts government intelligence. Liability concerns constrain incident disclosure. The defender community operates far below potential coordination levels.

Whether the defender community can achieve greater coordination or whether structural barriers persist shapes collective defense.

The Canadian Context

Canada faces future cybersecurity challenges shaped by its position as middle power, its relationship with major powers particularly the United States, its technology sector, and its critical infrastructure dependencies.

Canadian participation in Five Eyes intelligence sharing provides access to threat intelligence that smaller nations lack. Canadian technology sovereignty is limited given integration with American technology ecosystem. Canadian critical infrastructure faces threats that exceed Canadian capacity to address independently.

From one perspective, Canada should invest in cybersecurity capabilities, contribute to international cooperation, and develop approaches appropriate to Canadian circumstances.

From another perspective, Canada should focus on leveraging alliance relationships rather than developing independent capabilities it cannot afford and that would duplicate ally efforts.

How Canada positions itself for future cybersecurity challenges shapes national strategy and international engagement.

The Uncertainty and Adaptation Imperative

The future of cybersecurity is genuinely uncertain. Predictions about technology development, threat evolution, and geopolitical dynamics are unreliable. Planning must accommodate uncertainty rather than assuming particular futures.

From one view, uncertainty requires flexibility. Organizations that can adapt as the future unfolds will outperform those that committed to particular visions that proved wrong. Investments should maintain options rather than betting on specific outcomes.

From another view, some commitments cannot be deferred. Cryptographic transition, workforce development, and infrastructure protection require decisions now despite uncertainty about exactly what future threats will materialize. Flexibility is valuable but not substitute for necessary current investment.

Whether future uncertainty counsels flexibility or requires commitment despite uncertainty shapes strategic planning.

The Optimism Versus Realism Debate

Fundamental orientation toward cybersecurity's future ranges from optimism that technology and cooperation will improve security to pessimism that structural factors favor attackers and threats will worsen.

From one view, optimism is warranted. Security has improved despite growing threats. Technology provides tools that enable defense. International cooperation, while imperfect, is developing. The trajectory, while challenging, points toward manageable security.

From another view, realism requires acknowledging that significant compromise is likely future condition. Perfect security is impossible. Major incidents will occur. Planning should assume breach and focus on limiting consequences rather than preventing the unpreventable.

Whether optimism or realism should guide future planning shapes expectations and investment.

The Democratic Governance Challenge

Cybersecurity decisions with profound implications for society are often made by technical experts, government officials, and corporate executives with limited public input. Whether democratic governance can effectively address cybersecurity is contested.

From one view, democratic governance is essential for legitimacy. Cybersecurity decisions that affect everyone should involve public deliberation. Technical complexity does not justify excluding public voice from decisions that shape society.

From another view, democratic processes cannot effectively govern cybersecurity. Technical complexity exceeds public comprehension. Speed of threat evolution exceeds democratic deliberation pace. Security requirements may conflict with public preferences. Expert governance within democratic accountability frameworks may be more realistic than direct democratic governance.

Whether democratic governance can effectively address cybersecurity challenges shapes civic engagement and policy process.

The Question

If artificial intelligence is deployed for both offense and defense in an escalating arms race whose outcome will determine whether attackers or defenders gain advantage, can we know whether AI will ultimately improve security or whether it will empower attackers more than defenders, and if we cannot know, how should organizations invest in a future whose trajectory is genuinely uncertain? When quantum computers will eventually break current encryption but their timeline remains unknown, when cryptographic transition requires years while the threat may arrive sooner, and when data encrypted today may be vulnerable to future decryption regardless of when transition occurs, should organizations invest urgently in quantum-resistant cryptography or wait for greater certainty about threats and standards? And if international cooperation could establish norms, enable collective defense, and reduce threats that no nation can address alone, yet geopolitical competition, attribution challenges, and divergent interests have prevented meaningful cooperation despite years of effort, should we continue pursuing cooperation that may be unachievable, accept that nations will compete in cyberspace as they compete in other domains, or recognize that some cooperation on shared threats may be possible even amid broader competition, and if so, which threats might enable cooperation and which will remain subjects of unrestrained competition in a future where cybersecurity is inseparable from the geopolitical dynamics that shape it?