Cyber Conflicts and the Erosion of Institutional Trust: the Impacts on Citizens

• Commentary
  by Claudia Schettini
• whatsapp

State-sponsored cyber operations have become a structural feature of contemporary geopolitics. Cyberspace is no longer merely a technical domain but a strategic environment in which states pursue intelligence collection, coercion, disruption, and influence. Policy debates and academic literature have traditionally framed state hacking through the lenses of national security, military doctrine, and great-power competition. While these perspectives remain central, they only partially capture the breadth of the phenomenon.

The societal consequences of state-sponsored cyber activity remain comparatively underexplored, despite their growing strategic relevance. State hacking increasingly affects citizens directly, exposing personal data, disrupting essential services, and altering patterns of political participation. In doing so, the realm of cybersecurity, from a narrow security issue becomes a governance challenge that touches upon fundamental rights, institutional legitimacy, and democratic resilience. Hence the importance of examining the effects of state-sponsored cyber operations on citizens' rights and privacy, their impact on social trust and democratic institutions, and the role of international governance frameworks in constraining state behaviour in cyberspace.

Citizens' Rights, Data Exposure, and Privacy in the Age of State Hacking

State-sponsored cyber operations have progressively shifted from narrowly defined espionage activities toward large-scale intrusions into civilian data ecosystems. Public administrations, such as and above all healthcare systems and national registries, possess vast amounts of personal information, making them attractive targets for foreign intelligence services. The 2015 breach of the United States Office of Personnel Management represents a critical turning point in this evolution. The exposure of sensitive personal data of over 20 million federal employees, including biometric identifiers and security clearance records, demonstrated how citizens' data can be weaponized as long-term strategic assets. These datasets enable, in effect, adversarial states to conduct profiling, counterintelligence operations, and coercive activities well beyond the immediate context of the intrusion.

Other large-scale cyber incidents further illustrate the systemic exposure of civilians' data and security. The WannaCry ransomware attack in 2017, attributed to North Korean actors, and the NotPetya attack attributed to Russian military intelligence caused widespread disruption to hospitals, logistics networks, and public administrations across dozens of countries. Although these operations were not primarily designed to target individuals, their (unintended) consequences were borne by citizens, who experienced disrupted medical services, economic losses, and prolonged insecurity regarding the integrity of their personal data. In Europe, several intrusions into the German Bundestag and the Finnish Parliament exposed vulnerabilities in governmental systems that hold sensitive information on millions of individuals, reinforcing the notion that a single successful intrusion can generate long-lasting societal harm.

These dynamics raise profound challenges for privacy and data protection regimes. In the European Union (EU), privacy is enshrined as a fundamental right, as stated in articles 7-8 of the EU Charter of Fundamental Rights, and the GDPR - the EU General Data Protection Regulation - which provides one of the most advanced regulatory frameworks globally. Yet when violations originate from foreign state actors operating beyond domestic jurisdiction, enforcement becomes largely symbolic. State-sponsored cyber operations frequently involve the mass exfiltration of data, the manipulation of digital records, and targeted surveillance against journalists, activists, and political opponents. The growing market for advanced spyware tools, such as Pegasus and Predator, highlights how surveillance capabilities have become increasingly accessible to state actors across regime types. Investigations by civil society organizations and EU institutions have revealed that even democratic governments have deployed these tools in ways that stretch or violate legal safeguards, eroding the normative distinction between legitimate intelligence practices and unlawful intrusion.

The consequences of such practices extend beyond legal violations. Persistent exposure to state-sponsored cyber threats generates psychological effects that reshape civic behaviour. Citizens who perceive themselves as potential targets of surveillance or data exploitation are more likely to engage in self-censorship and withdraw from political participation. This phenomenon, often described as a "chilling effect", has traditionally been associated with authoritarian surveillance systems, yet it is increasingly observable in democratic contexts as well. In this sense, state hacking does not merely compromise data; it alters the conditions under which democratic citizenship is exercised.

Cyber Incidents, Public Trust, and Democratic Resilience

The societal impact of state-sponsored cyber operations is closely linked to public trust in state institutions. Trust is a foundational component of democratic governance, rooted in perceptions of competence, transparency, and reliability of the governmental institutions. When cyberattacks disrupt essential public services or expose sensitive citizen data, they directly undermine these perceptions. The ransomware attack against Ireland's Health Service Executive in 2021 provides a revealing example. The incident severely disrupted healthcare delivery and exposed weaknesses in digital governance, leading to a measurable decline in public confidence in the state's capacity to manage and secure critical infrastructure.

Similar dynamics were observed following the 2007 cyberattacks against Estonia. Despite the country's advanced digital ecosystem and subsequent emergence as a global leader in cybersecurity policy, the initial attacks generated widespread uncertainty among citizens regarding the state's ability to defend its digital sovereignty. These cases illustrate that even highly capable states are vulnerable to trust erosion when cyber incidents reveal systemic weaknesses or communication failures.

Public trust tends to deteriorate most sharply when governments delay disclosure, provide inconsistent information, or appear unprepared. Cyber incidents also interact with domestic political dynamics, as they are often manipulated within polarized political environments. Claims of negligence, disinformation campaigns, and partisan narratives can amplify the societal impact of cyberattacks, transforming technical failures into broader crises of legitimacy. In politically fragile systems, these dynamics can contribute to democratic backsliding or institutional instability.

State-sponsored cyber operations also pose direct risks to societal resilience by targeting critical infrastructure sectors. Attacks on healthcare systems, energy grids, and public administration networks generate tangible harm for citizens, ranging from cancelled medical procedures to interruptions in electricity and welfare distribution. The economic consequences are significant, with international institutions estimating that sustained cyber disruption can reduce national economic output by up to one percent annually. These costs are unevenly distributed, disproportionately affecting vulnerable populations who rely most heavily on public services.

The democratic implications of state hacking extend further when cyber operations target electoral processes and information environments. Activities attributed to Russian actors during recent U.S. election cycles illustrate how cyber tools can be used to undermine confidence in democratic institutions without directly altering voting outcomes. By exploiting information asymmetries, amplifying disinformation, and exposing institutional vulnerabilities, such operations weaken the perceived legitimacy of democratic systems and create incentives for expanded surveillance or executive authority in the name of security.

International Governance and the Limits of Norm-Building

Despite growing awareness of the societal risks associated with state-sponsored cyber operations, international governance frameworks remain underdeveloped. Over the past two decades, multilateral processes such as the United Nations Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security and the Open-Ended Working Group on Security have articulated a set of non-binding norms aimed at promoting responsible state behaviour in cyberspace. These include commitments to protect critical civilian infrastructure and to cooperate in mitigating malicious cyber activity. However, the absence of enforcement mechanisms and the persistence of geopolitical rivalry have limited their practical impact.

Disagreements among major cyber powers over concepts such as sovereignty, due diligence, and the threshold for the use of force continue to impede progress toward binding legal instruments. As a result, governance efforts have increasingly shifted toward regional and plurilateral initiatives. The European Union's Cyber Diplomacy Toolbox, NATO's recognition of cyberspace as "an operational domain" during the 2016 Warsaw Summit, and the work of the Tallinn Manual have contributed to greater doctrinal clarity and coordination among like-minded states. Nevertheless, these mechanisms remain selective and uneven, reflecting broader power asymmetries in the international system.

Attribution represents a particularly contentious aspect of cyber governance. While technical evidence plays a crucial role, public attribution decisions are inherently political, shaped by strategic considerations and escalation risks. This reality limits the deterrent effect of attribution and sanctions, especially when applied inconsistently.

Addressing the societal dimension of state hacking, therefore, requires a more integrated approach to governance. Sector-specific agreements focusing on the protection of healthcare systems, electoral infrastructure, and humanitarian operations may offer more realistic pathways than comprehensive cyber treaties. At the same time, strengthening cyber capacity-building efforts, particularly in developing states, is essential to reducing global asymmetries and reinforcing norm adherence. International organizations such as the OECD, OSCE, and the Global Forum on Cyber Expertise have increasingly emphasized the importance of aligning technical resilience with democratic governance and human rights protection.

From Cybersecurity to Democratic Security

State-sponsored cyber operations force a redefinition of what security means in the digital age. When citizens' data become strategic assets, when essential services are disrupted through geopolitical confrontation, and when surveillance practices blur legal and normative boundaries, cybersecurity can no longer be treated as a purely technical or military domain. It becomes a matter of democratic security, shaping the relationship between the state, the individual, and political authority.

The strategic risk is not limited to immediate disruption or economic loss but lies in the cumulative erosion of institutional legitimacy and civic agency. Persistent exposure to cyber threats, coupled with opaque state responses, weakens trust and normalises exceptional measures, including expanded surveillance and executive discretion. Over time, the main risk of this dynamic is to transform cyber resilience into a trade-off between security and democratic accountability, rather than a condition for preserving both.

At the international level, existing norm-building efforts need to move beyond abstract principles and focus on concrete protections for civilian data and critical public services. Sector-specific commitments, confidence-building measures, and shared standards for responsible state behaviour can offer pragmatic pathways in a fragmented geopolitical environment. Crucially, international cyber governance should incorporate the societal impact of cyber operations as a criterion for responsibility, alongside strategic stability and escalation control.

Without such a shift, the risk is that cyberspace governance will stabilise state competition while leaving citizens increasingly exposed. A policy approach that places democratic integrity and public trust at its core is therefore not only normatively desirable, but strategically necessary in an era where geopolitical confrontation is increasingly mediated through digital means.