By the end of 2024, Amazon reported detecting approximately 750 million cyberthreat or intrusion attempts per day, up from 100 million over the preceding six or seven months, according to a WSJ interview with CJ Moses, chief information security officer at Amazon.
Moses, who previously ran security for Amazon Web Services (AWS) following a career investigating cybercrime for both the FBI and Air Force Office of Special Investigations, speaks to what those in the security trenches suspect: AI is expanding the attack surface and creating new vulnerabilities for security teams.
Today’s risks aren’t just about DDoS attacks or misconfigured S3 buckets. They’re about subsea cable sabotage, identity system compromises, and geopolitically motivated infrastructure disruption—all hallmarks of a new era: hybrid warfare.
Hybrid warfare isn’t theoretical. It’s not up to governments alone to fix. It’s happening, and it’s reshaping how private sector security leaders think about resilience.
Every security team must plan for the scenario when the cloud goes dark.
The physical backbone is now a target
Hybrid warfare blends cyberattacks, physical sabotage, disinformation, and economic coercion to disrupt or destabilize its targets. And that includes the infrastructure that powers cloud services.
Some recent examples:
- Flax Typhoon (2025): Infected over 260,000 globally distributed, internet-connected devices—positioning itself across the cloud’s edge.
- Recent sabotage of undersea cables between Estonia, Finland, and Sweden—attributed to Russia-linked actors—highlighted just how vulnerable physical infrastructure remains. These incidents are active tests of our resilience, exposing weak points in the systems that underpin global connectivity.
- Volt Typhoon infiltration (2022-2023): A China-linked campaign that embedded itself in U.S. critical infrastructure by exploiting Microsoft identity systems and cloud-based management tools.
- SolarWinds supply-chain attack (2020–2021): Malicious code inserted into software updates compromised thousands of organizations, including U.S. government agencies, exposing the risks of trusted management tools becoming a Trojan horse for adversaries.
- State-sponsored sabotage and espionage campaigns: From compromised identity systems to insider threats, these operations aim not just to disrupt but to persist undetected—gathering intelligence, undermining trust, and eroding the stability of critical networks.
The limits of cloud resilience
Many organizations assume the cloud is inherently resilient because of its geographic redundancy. However, most backup solutions still rely on hyperscalers like AWS, Azure, and GCP. That means your backup is in the cloud, not necessarily under your control.
When a cable is cut or a DNS service is targeted, even multi-region failover can become irrelevant. Identity federation may break. SaaS logins may fail. Backups may be unreachable.
The result: Teams can’t recover because they can’t reach the systems that hold business-critical data.
Why sovereign, isolated storage matters
Sovereign backup providers offer a way to restore uptime quickly by maintaining local storage, eliminating cross-border data replication, minimizing cloud dependency, and keeping all company data in close proximity.
That means even if DNS goes down, even if cloud access is compromised, your organization retains local access to mission-critical data.
This best practice has become a regulatory necessity. Under DORA and NIS2, organizations in critical sectors must prove that they can recover from information and communication technology (ICT) disruptions with minimal reliance on third-party connectivity.
Rethink resilience: From disaster recovery to operational continuity
Disaster recovery isn’t a switch you flip. It’s a phased, risk-informed process that must account for human, operational, and communication variables.
Rather than focusing on bulk restore, organizations should prioritize object-based restoration, which allows for:
- Recovery of the most critical users, mailboxes, and access controls first.
- Restoration of systems needed to communicate, coordinate, and report.
- Preservation of audit trails and compliance logs.
When your teams lose access to Microsoft 365, Google Workspace, Salesforce, or any of your cloud-native tools, local access to the right data becomes the difference between extended downtime and sustained operations.
Build your hybrid warfare resilience plan
Security teams should regularly prepare for a cloud blackout scenario. Begin with the following steps:
- Inventory mission-critical data. Map what your team needs to operate, communicate, and recover. Prioritize by risk.
- Identify infrastructure dependencies. Know which systems are hosted, which are federated, and which rely on cloud storage or ID resolution.
- Map geopolitical exposure. Which countries host your providers? Which regions carry your traffic? How many hops do you control?
- Simulate no-cloud conditions. What happens when identity federation fails? When DNS doesn’t resolve? When the cloud is unreachable?
- Test local recovery. Run drills where recovery workflows don’t assume cloud access. Assess friction, clarity, and time to restore.
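One way to run the dependency-mapping and no-cloud simulation steps on paper before a live drill, as an added example that is not part of the original article: a small inventory is walked transitively to show which recovery workflows are blocked, and by what, when external services are unreachable. Every component name and dependency below is constructed for illustration.

```python
# Constructed inventory (hypothetical names): "external" marks anything
# reached over third-party connectivity; "needs" lists direct dependencies.
INVENTORY = {
    "public-dns":           {"external": True,  "needs": []},
    "cloud-idp":            {"external": True,  "needs": ["public-dns"]},
    "cloud-storage":        {"external": True,  "needs": ["public-dns"]},
    "local-dns":            {"external": False, "needs": []},
    "local-backup":         {"external": False, "needs": ["local-dns"]},
    "break-glass-accounts": {"external": False, "needs": []},
    "mail-restore":         {"external": False, "needs": ["local-backup", "cloud-idp"]},
    "audit-log-restore":    {"external": False, "needs": ["local-backup", "break-glass-accounts"]},
    "crm-restore":          {"external": False, "needs": ["cloud-storage"]},
}

def blackout_impact(inventory, failed):
    """Return {component: path to its blocker} for everything unusable
    when the components in `failed` are down."""
    def blocker(name, seen):
        if name in failed:
            return [name]
        if name not in inventory:
            # A dependency nobody inventoried is itself a finding.
            return [name + " (unmapped)"]
        if name in seen:
            return None  # dependency cycle: stop, nothing new on this path
        for dep in inventory[name]["needs"]:
            path = blocker(dep, seen | {name})
            if path:
                return [name] + path
        return None

    blocked = {}
    for name in inventory:
        path = blocker(name, frozenset())
        if path:
            blocked[name] = path
    return blocked

def simulate_no_cloud(inventory):
    """Treat every external component as unreachable at once."""
    failed = {n for n, c in inventory.items() if c["external"]}
    return blackout_impact(inventory, failed)

if __name__ == "__main__":
    for component, path in simulate_no_cloud(INVENTORY).items():
        print(f"{component}: blocked via {' -> '.join(path)}")
```

In this constructed inventory the mail restore workflow looks local but still fails in a blackout because it authenticates through the cloud identity provider, while the audit-log restore survives because it relies on break-glass accounts.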
If your security organization hasn’t planned for a dark-cloud scenario, now is the time. The true test of resilience isn’t how fast you can restore from backup.
It’s whether your business can keep operating when the world goes offline.
About the Author
Kim Larsen is Chief Information Security Officer at Keepit and has more than 20 years of leadership experience in IT and cybersecurity from government and the private sector. Areas of expertise include business-driven security, aligning corporate, digital and security strategies, risk management and threat mitigation adequate to business needs, developing and implementing security strategies, leading through communication, and coaching. Kim Larsen is an experienced keynote speaker, negotiator, and board advisor on cyber and general security topics, with experience from a wide range of organizations, including NATO, EU, Verizon, Systematic, and a number of industry security boards.
Kim can be reached online on LinkedIn.
