Automate or fail national defence in view of the fragility of manual processes

That more than half of national security organizations continue to rely on manual processes to move sensitive information is news that should turn all alerts on ministers, heads of defence and cyber security officials. Hand-made transfers are not just slow: they are exploitable failure points and in a geopolitical context where speed and certainty define the operational advantage, this fragility can be translated into wrong decisions or committed operations.

The incidents of the last decade, from complex attacks on the supply chain to leaks from inconsistent procedures, have made it clear that the adversaries seek and take advantage of the seams of the process. The measures that were adopted as palliative - printing documents, authorizing e-mail transfers or manually validating each exchange - have become risk vectors because they introduce variability, delays and audit gaps that are difficult to correct when a chain of custody is to be rebuilt.

The reasons why the manual persists are multiple and very human. First, the inherited platforms that support much of the government and defence networks were not designed to interoperate with automated policy engines or modern encryption schemes, and their replacement involves costs and disruptions that many organizations cannot afford from day to day. The procurement process itself aggravates the delay: controls, certifications and deadlines that in practice make any modernization a multi-year project, while the threat advances in real time. Finally, institutional culture plays its role: in areas where personal responsibility is heavy, human supervision is perceived as the safest option, although data show that human error is one of the main sources of incidents.

This mix of old technology, bureaucracy and confidence in the tangible creates a dangerous cocktail: replicating errors, interpretation-sensitive policies and fragmented records that complicate the response to a gap. It is not just that operational efficiency is lost; it is that the ability itself to demonstrate what happened, when and by whom it is compromised, which weakens both technical response and accountability.

The good news is that there is a pragmatic working framework to transform that fragility into resilience. It is not about automating by automating, but about articulating three pillars that, combined, offer a coherent approach to protecting identities, data and operational borders. The first is Zero Trust's model: to continuously verify the identity and context of each user, device and action to avoid implicit trust. The technical guides and official frameworks already point to this as a priority route for critical environments; NIST Special Publication 800-207 explains how this architecture reconfigures controls and privileges to reduce internal risk.

The second pillar puts data in the center: to protect information where it is located and in transit, by classification, robust encryption and policies that accompany the archive regardless of the network that transports it. This approach, known as data-centric security, minimizes the impact of network commitments because the value of information is protected by direct control, not by perimeter limits that are permeable today. Agencies such as United Kingdom NCSC recommend this guidance as an essential complement to traditional network defenses.

The third pillar addresses a very specific challenge of defence environments: safe transfer between domains with different levels of classification. Cross-domain solutions automate inspection, application of release authorizations and sanitization of content, allowing to share intelligence with allies without turning each shipment into an operational bottle neck. When these tools are integrated with data-focused identity and protection controls, the opportunity window for a malicious actor is significantly reduced.

Applying this triad is not just a technical decision, it is an organizational design decision. In multinational contexts and coalitions, the keys go through federating identities and agreeing interoperable standards for policies to be applied in a uniform way between partners. In the tactical field you have to think of light agents and resilient synchronizations that work with limited bandwidth. And in the supply chain, automation should be extended to contractors and suppliers through stricter verifications and traceability; CISA has focused much of its warnings on the need to secure that attack area because incidents such as SolarWinds showed how a chain failure impacts critical systems. (see CISA analysis).

We must not lose sight of the human dimension: automating does not mean disunderstanding the human factor, but freeing it from repetitive tasks so that talent focuses on designing policies, managing exceptions and studying anomalous events. The change requires investments in training, phase adoption processes and transparent communication that explain that automation helps to carry out the mission, not to monitor the team. Controlled pilots in low-risk flows, continuous feedback and visible examples of operational improvement are strategies that help overcome resistance and turn novelty into stable practice.

If there is an urgent lesson is that modernization is not optional: in the current environment, every minute counts and every hesitation can be exploited. Making automation a strategic priority - supported by Zero Trust, data protection and cross-domain solutions - is to protect decision-making capacity and operational integrity. Start with the most impact processes, translate policies into enforceable rules, measure results and ensure staff training are concrete and achievable steps. It is not necessary to wait to replace the entire technology park; prudent and planned integration can reduce exposure while systems are modernized.

The CYBER360: Defending the Digital Battlespace report highlights this urgency and provides data that should drive action today; available in full. For those who lead decisions in defence and public administration, the question is no longer whether to automate, but how to do it correctly, safely and quickly: the next incident will not wait for long procurement processes to be completed.

Acting means hardening flows, accelerating the maturity of controls and converting automation into force multiplier. In environments where certainty saves missions, maintaining confidence in manual is no longer a viable option.