A municipality discovers that its network has been breached. For weeks, no one notices. Until a supplier tells you that confidential documents were leaked. A court receives a credible threat minutes after a staffer's credentials are compromised. A legislator finds his identity used to distribute disinformation with artificial intelligence.
This is already happening.
And if it doesn't happen more often, it is because there are still criminals learning to climb. Not because the state is more protected than before.
The new economy of crime is digital
The recent Europol report, "Steal, Deal and Repeat - IOCTA 2025".The "Cybercrime" campaign offers a worrying snapshot of the present: the theft and trade of personal and governmental data is already the fuel of global cybercrime.
This data is not stolen for a single crime. It is are stolen, traded, exchanged, accumulated, stolen, traded, traded, exchanged, accumulated. And then they are reused, over and over again.
We are facing a criminal economic model that works as a clandestine supermarket, where you can buy access to a municipal network, credentials of a judicial employee or the digital identity of an official.
Who are the people behind it?
We are no longer talking only about "computer criminals". The criminal ecosystem has become professionalized. Today there are criminal service providers in mode Crime-as-a-Service (CaaS):
- IABs (Initial Access Brokers) that sell access to internal networks.
- Data brokers trading millions of data stolen from public and private organizations.
- Malware developers as a servicewho rent customized viruses.
- Ransomware groups that hijack information and negotiate with the logic of a company.
- Experts in social engineering using manipulation techniques, deepfakes and bots with artificial intelligence.
This machinery moves in encrypted forums, anonymous networks and private channels where anonymity is the norm.
State data no longer safe by default
In many public agencies, people still think that "this is not going to happen to us". But that is a dangerous illusion.
A judicial system that cannot guarantee the integrity of its digital records or the identity of its operators is a vulnerable system. A municipality without adequate protection of its databases is an easy target for ransomware attacks. A legislator without dual authentication or basic cybersecurity training is an open door to blackmail, impersonation and manipulation.
This is no longer a technical issue. It is a political, structural and governance issues.
The State cannot play defensively
Most threats are not seen coming. They don't generate alerts. They don't explode. They just seep in, move below the surface, consolidate... and strike when it's too late.
Therefore, thinking about the cybersecurity for the State requires a shift from a reactive to a reactive approach preventive and intelligent.
It is no longer enough to have an antivirus or a firewall. You need:
- Real-time anomaly monitoring systems.
- Permanent audit of access and credentials.
- Continuous training for officials and technical teams.
- Protocols for political and legal action in the event of incidents.
- And, above all, an institutional digital culture that understands security as a public duty.
Crime has modernized. The State too?
Digitalization is here to stay. But without a fundamental cybersecurity policy, every technological advance made by the State can be turned against it..
How long are we going to keep thinking that this is an "IT" problem?
When will we understand that what is at stake is trust, stability and institutional legitimacy?
Cybersecurity is not an expense. It is critical infrastructure.
And like all critical infrastructure, can't wait for the problem to explode before starting to build it.
