Nato “narrowly” beating a Russia-style cyber enemy in a simulation is not the flex people think it is. If anything, it reads like a quiet warning: we’re practicing for something we’re not sure we can actually handle when it’s real, messy, and political.
Based on what’s been shared publicly, Nato ran a readiness exercise that mixed cyber attacks and disinformation. The story they acted out is simple: a hostile state hits a fictional country’s energy grid, chaos follows, and the defenders scramble to keep the lights on and the public calm. The fictional countries have fictional names, but nobody is confused about the inspiration. It mirrors what Ukraine has faced since 2022.
Here’s the part that matters to me: Ukrainian officials played the attacker team, and they used AI-generated disinformation to push the scenario. That’s smart. That’s also depressing. Because it’s basically saying, “The people who have been living through this are now teaching everyone else how it’s done.”
I’m glad Nato is doing this. I’m also not comforted.
A narrow win in a simulation can mean a lot of things. Maybe the defenders were genuinely under pressure and still held. Great. Or it could mean the rules of the exercise made the problem “winnable” in ways the real world never will. Simulations need boundaries, otherwise you can’t learn. But boundaries also create a dangerous vibe: you start to believe you can manage something that, in real life, doesn’t sit still.
In real life, a cyber attack on an energy grid isn’t just a tech problem. It’s a human problem. People wake up cold. Elevators stop. Card readers don’t work. Hospitals switch to backups and pray those backups last. Parents get one vague message from a school and then nothing. Meanwhile, a flood of posts and videos tells everyone a different story about what’s happening and who’s to blame. You’re not only fixing systems. You’re trying to stop panic from becoming policy.
And that’s where disinformation is so nasty. It doesn’t have to convince everyone. It just has to create enough confusion that leaders hesitate, teams argue, and the public stops trusting updates. AI-generated content makes that easier because it scales. Not “perfectly,” but fast, cheap, and constant. Even if each piece is sloppy, the volume does work. People get tired. They start guessing. They share things “just in case.” That’s how you lose time, and in crises, time is oxygen.
Nato’s training center—Jatec—wants to improve how Ukraine and the alliance work together, sharing knowledge and resources. On paper, obvious win. Ukraine has hard-earned experience. Nato has reach, money, and structure. Put them together and everyone improves.
But there’s a tension here that we shouldn’t pretend away: interoperability is a nice word for a very hard problem. Different countries have different legal limits, different politics, different appetite for risk, different thresholds for what counts as “attack.” In a real incident, someone will want to respond fast and loudly, someone else will want to verify and stay quiet, and a third will be worried about escalation. The attacker doesn’t have that committee problem. The attacker just presses.
Imagine you’re running a power company in that fictional country. Your engineers are trying to restore systems. Your PR team is begging for confirmed facts. A minister wants a statement in ten minutes. And online, a convincing video appears of a “whistleblower” claiming the outage is an inside job. Another clip says refugees are sabotaging power stations. Another says Nato forces are taking control. None of it has to be true. It just has to be sticky enough to cause backlash against the very actions needed to fix the situation.
Now imagine you’re a normal person. You’re staring at a dark phone, low battery, maybe no heat, maybe kids in the house. You don’t care about “resilience frameworks.” You care if someone is lying to you. You care if anyone is in charge. If the official updates are slow and careful, they feel fake. If they’re fast and wrong, trust breaks. That’s the trap.
So yes, I like that Nato is testing disinformation alongside cyber attacks, not treating it as a separate “comms issue.” I like that Ukraine is in the room, not as a sad case study but as a contributor. That’s reality: they’ve been forced to learn at a level most countries haven’t.
But I don’t love the vibe of “we narrowly won.” That framing risks teaching the wrong lesson. The goal isn’t to win a round. The goal is to build habits that hold up when the story is uglier, the evidence is unclear, and your own public is already mad about something else.
Also, there’s an uncomfortable moral angle: training on AI disinformation is necessary, but it can slide into normalizing it. Once everyone gets familiar with these tools, the line between “defense practice” and “offense capability” can blur. Countries don’t just learn techniques and forget them. They store them. They adapt them. And someday, someone decides it’s justified to use them.
The scariest part is that none of this requires genius attackers. It requires persistence. If defenders “narrowly” beat a realistic attacker in a controlled exercise, what happens when the attacker isn’t controlled, the targets are multiple countries at once, and the public is already primed to distrust anything that sounds official?
If Nato is serious about this, I want less victory language and more honesty about fragility: how quickly trust breaks, how slow coordination gets, and how hard it is to keep basic services running while information is being poisoned in real time.
What do we actually want leaders to optimize for in a real cyber-and-disinformation crisis: speed, accuracy, or public trust?