ISF Voices 2025: Embedding AI-Powered Insight in Conflict Recovery
In this special edition of SCSP’s newsletter, we continue our ISF Voices series. Launched earlier this year, ISF Voices showcases writing by current fellows in SCSP’s International Strategy Forum (ISF) program. Each piece reflects the unique vantage points of emerging leaders from around the world working to shape the future of geopolitics, technology, and democracy.
Today’s piece is by Maya Lahav, a DPhil researcher in Criminology at the University of Oxford and former cybersecurity official at the Danish Ministry of Defense, and Anton Tarasyuk, the Co-Founder and Expertise Lead of Mantis Analytics, an AI-powered intelligence start-up. In their article, Maya and Anton argue that post-conflict recovery must prioritize intelligence and AI-enabled threat monitoring to counter cyber-enabled conflict. Drawing on lessons from Ukraine, they propose a new model for securing peace in the age of AI.
The views expressed in this article are those of the authors and do not necessarily reflect those of the Special Competitive Studies Project (SCSP), the International Strategy Forum (ISF), or any affiliated persons and institutions.
From Battlefield to Peace: Protecting Ukraine’s Recovery Against the Gray Zone After a Ceasefire
Even if a ceasefire or some kind of peace settlement is reached in Ukraine, Russian gray zone actions will continue to undermine Kyiv’s security and sovereignty. Protecting against these persistent threats must therefore be a central element of Ukraine’s recovery strategy. To succeed, Ukraine must once again leverage the innovative digital, cyber, and AI capabilities that proved decisive during the war.
Today, post-conflict recovery environments are characterized by complex challenges that blend physical and digital domains, long after traditional combat operations have ended. We define ‘cyber-enabled conflict’ as the use of digital means, such as cyberattacks, influence campaigns, and data manipulation, to disrupt societies, governments, or economies. In such spaces, both state and non-state actors work to influence outcomes, targeting essential infrastructure, critical institutions, and the very public trust that is fundamental for recovery and rebuilding.
Additionally, psychological operations, foreign information manipulation and interference (FIMI) campaigns can fracture social fabrics and obstruct peacebuilding. The ongoing conflict in Ukraine has underscored a critical lesson: the outcome of the military battle is only one part of the equation. Winning the peace, and thus securing a future, requires a robust, AI-enabled recovery strategy, which we describe in four objectives below. If this transition does not occur, conflicts are at risk of evolving into “forever wars”, where adversaries achieve through bytes what bullets could not.
Objective 1: Embed Intelligence Architecture into Recovery Efforts
The conflict in Ukraine has unveiled a new operational paradigm: recovery is not merely a post-conflict pause but a continuation of strategic competition. Adversaries of the West, including Russia, leverage post-conflict environments through hybrid threats, gray zone aggression, irregular tactics, and narrative warfare, thereby destabilizing without initiating open warfare. While recovery initiatives remain aligned with traditional frameworks, focusing on infrastructure and institutional restoration, they often neglect the contested space between war and peace where contemporary threats operate.
In hybrid threat scenarios, multiple actors, both state and non-state, may concurrently engage in military, cyber, and information warfare, rendering attribution difficult and responses complex. In such environments, rebuilding efforts risk becoming the next target. To sustain strategic advantage, the United States and its allies must proactively integrate intelligence capabilities, cyber resilience, and information defense from their inception, thereby establishing the foundation for a modern security architecture in fragile regions. To realize this vision, recovery must be treated not as a return to normalcy, but as an opportunity to institutionalize forward-deployed capabilities built for 21st-century security. Just as NATO and the CIA emerged from the upheaval of World War II, the reconstruction of regions like Ukraine presents a chance to shape the next generation of security infrastructure. While the precise form of these institutions will vary, they must build on what is already functioning, leveraging local expertise, distributed networks, and field-tested tools born out of necessity.
One promising prototype is Ukraine’s unplanned but thriving open-source intelligence (OSINT) ecosystem. Years of living in the face of hybrid threats have turned journalists, researchers, and civil society actors into de facto intelligence practitioners, now increasingly augmented by AI tools that accelerate verification, pattern detection, and situational awareness. This demonstrates how recovery zones can foster intelligence frameworks that integrate public-private data access, AI-enabled analysis, and operational threat monitoring, closing the gaps created by outdated systems.
The United States and its partners should help Ukraine refine and scale these capacities (standardizing and integrating AI-driven threat monitoring, secure data systems, and OSINT practices) to build long-term resilience.
Objective 2: Leverage AI to Mitigate Emerging Threats
What has set Ukraine apart during the Russia–Ukraine war, and what future recovery efforts must emulate, was the speed and decentralization of AI adoption. Its military and dual-use AI ecosystem emerged, as clearly demonstrated in the drone domain, not from rigid planning but through direct collaboration between frontline operators and engineers. This decentralized combat innovation loop enabled rapid deployment of AI tools at a pace that traditional defense
structures rarely match. However, this decentralization also produced fragmentation—a “zoo” of overlapping platforms and uneven quality.
For Western policymakers, the lesson is to separate wartime improvisation from what can be institutionalized for long-term competition. The tech race continues, and adversaries will exploit digital, cognitive, and logistical vulnerabilities—making AI indispensable for maintaining strategic advantage.
Ukraine’s wartime deployments demonstrated how fusing satellite, drone, and sensor data enabled real-time detection of tampered infrastructure, illicit troop movements, and dual-use construction. These tools should be modularized and embedded in mission architectures from day one, securing both physical and digital terrain. The threats are not abstract: reconstruction sites will remain vulnerable to sabotage, critical supply routes may be disrupted through illicit tampering or infiltration, and adversaries can exploit dual-use construction to conceal military build-ups. Geospatial AI, fused with satellite, drone, and sensor data, enables early detection of such activities as well as the mapping of mines and unexploded ordnance along logistics corridors. Formalizing such capabilities within recovery architectures will strengthen resilience and situational awareness.
Furthermore, Ukrainian civil society and technical teams pioneered systems for monitoring foreign information manipulation (FIMI), detecting narrative shifts, and exposing coordinated campaigns that undermine government legitimacy and social cohesion. Integrating these into recovery frameworks can provide early warning and help align civilian, military, and international actors around a shared picture of risk.
But FIMI during recovery is not simply a military or national security concern: the experience of 2014–2022 shows that humanitarian relief missions were targeted by smear campaigns, donor programs subjected to influence operations aimed at questioning their credibility, and international projects attacked with corruption-related narratives. This is not to suggest that corruption is an invented threat; at the start of the active phase of the war, Ukraine ranked 122nd out of 180 countries in the Corruption Perceptions Index, a vulnerability that made corruption-focused influence campaigns particularly effective, as they resonated with an already skeptical public.
All of these dynamics are shaped by persistent competition in the gray zone. Recognizing this reality ensures that both security and aid communities treat recovery as a strategic phase, where integrated intelligence can set the terms of stability and influence.
Objective 3: Shift Recovery Funding Models to Real-Time Threat Visibility
Legacy funding models—slow, centralized, and static—cannot match the speed of evolving threats. Recovery mechanisms must move from one-off assessments to continuous intelligence-driven visibility. Local monitors, private firms, and civil society often detect vulnerabilities long before formal reports do.
Funding structures should therefore be adaptive, enabling rapid response to verified risks across digital, logistical, and informational domains. Infrastructure might remain intact, but trust, logistics, and digital governance systems are often compromised before kinetic attacks, and recovery frameworks must be prepared to act on such signals. Continuous, intelligence-driven monitoring will safeguard both investments and governance. Donors can draw on models like the EU’s Critical Entities Resilience Directive as a blueprint for proactive resilience, real-time awareness, and transparent response.
Objective 4: Secure Recovery Through Multilateral Cooperation and U.S. Leverage
Conflicts with regional spillovers, like Ukraine, show that intelligence must operate across borders. Regional neighbors—from Moldova to the South Caucasus—face interconnected risks. Multilateral platforms, whether existing or purpose-built, must share responsibilities for intelligence, cybersecurity, and information defense with transparent governance.
As principal funder and guarantor, the United States will inevitably shape how post-conflict reconstruction integrates digital security and AI standards. Recovery frameworks must therefore align immediate needs with broader strategic competition over emerging technologies. This includes embedding digital risk assessments alongside physical damage surveys, incorporating cybersecurity in rebuilding plans, and establishing baseline monitoring for intrusion and procurement irregularities. AI tools could flag irregular or high-risk suppliers (including those linked to sanctioned or non-trusted jurisdictions), and influence campaign monitoring (such as tracking narrative spikes about “corrupt recovery funds” or “unsafe foreign contractors”) within governance assistance packages.
Aligning U.S. contributions with European and regional actors strengthens resilience across the wider neighbourhood, even in an environment where transatlantic priorities may not always be perfectly aligned. The private sector adds another layer: many US-based firms already provide cybersecurity, AI tools, and rapid-response capabilities in crisis zones. By linking public funding to proven platforms and partnering with Ukrainian firms for local data and operational expertise, these resources can be channelled into systems that are both adaptable (able to pivot quickly as new threats emerge) and scalable (extending coverage across sectors and borders without prohibitive cost).
Examples from Ukraine show how partnerships between government, technology firms, and civil society actors can produce high-impact outcomes, especially in high-risk environments. The Ministry of Digital Transformation rapidly adapted its citizen-facing Diia platform (originally designed for IDs, payments, and state services) into a wartime tool enabling donations, and reporting from civilians. At the same time, the Brave1 defense-tech cluster opened its “Test in Ukraine” program, allowing companies to trial prototypes such as drones, electronic warfare tools, and AI-driven systems under combat conditions, while its Brave1 Market platform converts verified frontline actions into credits that units can exchange for critical equipment.
Whenever feasible, technical support should combine immediate response capabilities (such as hunt-forward teams or rapid cyber incident response) with longer-term investments in software upgrades, secure data infrastructure, and workforce training. Temporary fixes may plug urgent gaps, but without parallel capacity development, they risk leaving institutions dependent on external actors. Finally, recovery frameworks will need oversight mechanisms to guard against harmful dependencies. This is difficult, since partners often define risk differently, but funding leverage allows the United States and its allies to hardwire transparency and security standards into reconstruction contracts. By embedding these safeguards from the outset, recovery can remain resilient and credible, limiting the space for suppliers whose involvement could compromise long-term sovereignty.
This is not merely technical—it is central to national and regional stability. With reconstruction costs in Ukraine exceeding $524 billion, intelligence and digital security must be treated as declared pillars of recovery, not afterthoughts. Designing recovery instruments that synchronize security and aid functions will prevent the blurred mandates and inefficiencies of past efforts. By comparison, during the Marshall Plan, officials diverted recovery funds to covert intelligence operations.
Here, the United States has an opportunity to lead by example, setting a model for secure reconstruction that meets the realities of modern conflict and democratic governance.
To adopt this intelligence-first strategy, flexible delivery mechanisms are crucial. In politically sensitive settings, the difficulty is not the practical value of activities linked to intelligence capacity (such as monitoring, analysis, and early warning), but the polite pretense that intelligence functions have no place in recovery. Instead of deploying the entire institutional structure of NATO, the EU, or the UN, modular capabilities (such as mobile teams dedicated to situational awareness, digital threat monitoring, or infrastructure risk assessment) should be provided through specialized, politically acceptable channels that operate more swiftly.
These might take the form of regional partnerships (such as Nordic–Baltic cooperation), neutral multilateral facilities (such as the UN Development Programme or World Bank), or joint public–private task forces combining state oversight with private sector capacity. Such formats avoid the sensitivities of overt alliance branding while still delivering timely, credible support. A modular system enables recovery efforts to maintain international credibility while clearly defining mandates, ensuring host-country oversight, and promoting transparent governance.
Conclusion: Architecting Recovery
Reconstruction security is a paramount priority for national security and is essential for sustaining resilient infrastructure. Intelligence and cybersecurity measures must be integrated from the outset as fundamental components of stability, rather than added subsequently. The United States, Ukraine, and their allied partners possess the necessary leverage and resources to establish this as the standard practice: to fund intelligence as critical infrastructure, incorporate digital risk management into aid initiatives, and ensure alignment and cooperation among diverse stakeholders. In the absence of strong leadership, recovery endeavours risk stagnation and the potential for persistent instability. Conversely, with effective leadership, Ukraine has the potential to serve as a model for how democracies can collaboratively rebuild and secure a shared future.