|

Virtual Routes STW examines the future of commercial cyber proliferation

On 9 June 2026, Virtual Routes convened a group of leading experts from government, industry, and academia at Ironmonger House in London for a scenario testing workshop as part of the REMIT project.

Participants examined potential developments over multiple time horizons, assessing the technological, political, legal, economic, and military factors likely to shape the future of commercial cyber proliferation. This workshop built on the project’s previous methodological foundations, specifically following the workshops held in Rotterdam and Helsinki in 2025, and in Rome earlier in 2026. 

Five observations stood out.

1. Experts were pessimistic about the ability of governance to shape the market

Participants struggled to identify any plausible scenario in which current international governance initiatives significantly altered the long-term trajectory of commercial cyber proliferation. Even widespread adoption of voluntary frameworks, such as those emerging from the Pall Mall Process, was generally viewed as having limited impact on market dynamics. More restrictive measures, such as comprehensive bans on spyware sale and use, were considered potentially effective—but politically unlikely.

The implication is sobering: experts increasingly appear to view commercial cyber proliferation not as a governance problem waiting to be solved, but as a structural feature of the international system. This insight builds on prior REMIT research that unpacks the structural nature of the interaction between technology and multilateralism.

2. The most plausible AI future was not better cyber capabilities—but many more cyber capabilities

Participants broadly agreed that advances in frontier AI models will fundamentally reshape vulnerability discovery, exploit development, and cyber operations.

However, the most important effect may not be that cyber capabilities become more sophisticated. Rather, it may be that they become available to many more actors.

The most convincing long-term scenario discussed was one in which highly capable AI systems dramatically lower barriers to entry across the cyber ecosystem, leading to a substantial expansion of commercial cyber capabilities among states, companies, and individuals alike. In this future, today’s commercial spyware market may ultimately prove to be only an early manifestation of a much broader proliferation challenge.

3. Commercial cyber markets may increasingly fragment along geopolitical lines

Participants repeatedly returned to the possibility that the market for commercial cyber capabilities may become less global and more geopolitical.

Rather than a single international marketplace, distinct ecosystems could emerge around major geopolitical blocs, including the United States and Five Eyes partners, Europe, Russia, and China. Commercial providers may increasingly need to choose not only customers, but geopolitical affiliations.

Such a development would represent a profound shift: commercial cyber capabilities would remain commercial, but become deeply embedded within the broader patterns of geopolitical competition and strategic alignment examined by REMIT.

4. Artificial intelligence may benefit technological latecomers more than established cyber powers

One of the more counterintuitive observations concerned the distribution of cyber power.

Participants noted that technologically advanced states face an enormous challenge in adapting legacy digital infrastructure to machine-speed vulnerability discovery and patching cycles. States with less accumulated technical debt, by contrast, may be able to adapt more rapidly to AI-enabled cyber environments.

If this assessment proves correct, artificial intelligence may not simply reinforce existing cyber hierarchies. Instead, it could partially redistribute cyber advantage.

5. The greatest long-term consequence of commercial cyber proliferation may not be cyber conflict, but democratic erosion

Finally, participants reflected that discussions of commercial cyber proliferation often focus too heavily on interstate competition and military conflict.

Many of the most significant harms associated with commercial cyber capabilities already occur within states: surveillance of journalists, political opponents, activists, civil society organizations, and private citizens. Over time, the cumulative effect of these practices may be to weaken democratic accountability, erode public trust, and reshape the relationship between citizens and the state.

If so, the most important strategic consequence of commercial cyber proliferation may not be a future cyber war. It may instead be the gradual normalization of increasingly intrusive forms of digital surveillance and political control.

Commercial Cyber Proliferation as a Structural Feature 

Forecasting exercises rarely succeed in predicting the future. Their value lies elsewhere: revealing which assumptions experts are increasingly willing to challenge.

At least among the participants in this workshop, one conclusion stood out above all others: commercial cyber proliferation increasingly appears to be not a temporary market failure that can be regulated away, but an enduring characteristic of the emerging technological and geopolitical landscape that REMIT both analyses and seeks to change through policy interventions.

Images by Virtual Routes

Similar Posts