It is a Saturday afternoon. A diplomatic meeting has just concluded where two heads of government have shaken hands, issued a joint statement, and reaffirmed their commitment to each other’s cause. Somewhere across the continent, a group reads the news and begins typing.
A sophisticated cyber campaign against government ministries, banks, and critical infrastructure begins within hours. The Ministry of Foreign Affairs official website goes down. Transport infrastructure falters. Major banking apps stop working. The groups post on Telegram, quoting the communiqué almost verbatim. The attack, they explain, is the answer.
This is not a hypothetical scenario. In January 2025, following Zelensky’s visit to Rome and Meloni’s pledge of full support for Ukraine, the pro-Russia group NoName057(16) launched attacks on Italian government agencies, critical infrastructure, and private organisations. They posted on Telegram, citing the meeting directly, before the first ministry went offline.
The signal was public and any team actively reading that environment would have seen it coming. The question is how many did.
Twenty Years in the Making
Publicly available information has not always had a seat at the top table. For most of the past two decades, open-source data sat in a separate room, handled by a separate team, feeding a separate product. Classified reporting arrived by one route. Public information, if it arrived at all, came by another. The two rarely met in the same brief.
That model has not kept pace with the threat environment. Not because classified systems have declined in value; they have not. But because the world now generates an enormous volume of consequential signals in public. Those signals often arrive faster, cover more ground, and cross more languages than any single closed system can match.
I led those siloed teams, and eventually brought them together.
Today, in serious government security environments on every continent, publicly available information sits alongside classified reporting as a routine input at the executive level. Not beneath it. Alongside it. That shift is visible in crisis coordination centres in Europe, North America, and the Indo-Pacific. The architecture is different in each place, but the requirements are the same.
Why the First Signal Is Rarely Classified
Speed is part of the reason first signals are rarely classified. While classified channels move within defined architecture, public information does not wait for architecture. A security situation that escalates, a cyber group announcing its next target, a natural disaster hitting a country where your nationals are travelling: all of these appear in the public environment before they appear in any formal reporting chain.
Breadth matters too. The DPRK-linked campaign targeting diplomatic missions between March and July 2025 ran spear-phishing emails across Central European embassies, Western European missions, and government entities on multiple continents. The lures were written in Korean, English, French, Arabic, Russian, and Persian, timed to coincide with real diplomatic events.
No single classified system covers that aperture. I know, because I spent years trying to build one that did. Publicly available threat intelligence, read across the right channels, gets closer than anything else at the speed of relevance. The Italian attack was not secret until it was discovered. The intention was declared, in public, before the damage was done. That is not an exception; it is a pattern.
The Convergence Problem
Cyber events and physical events are no longer usefully separate categories. A diplomatic meeting generates a political signal. Hostile states, seeking to undermine cohesion and decision making, may respond with a mix of proxies, unwitting third parties and national technical means, spread across every domain in an orchestrated but unattributable series of attacks.
- A DDoS campaign gets crowdsourced.
- Sabotage gets delegated.
- Protest gets stirred up by pop-up actors.
- Zero-days get exploited.
Each one looks like a separate event. Seen that way, the result is a set of unconnected events and a loss of initiative. Treating these events as separate disciplines with separate reporting chains means the picture never assembles in time.
The Israel-Iran conflict of June 2025 made this visible at scale. As airstrikes hit nuclear facilities and military infrastructure, cyber operations ran in parallel. Iranian state media was hacked, with anti-regime messages appearing on the front page of the official news agency timed to the moment the physical strikes landed. Foreign ministries in London, Washington, Ottawa, and Canberra were simultaneously managing the same threat picture from different angles, issuing warnings that Iran might seek to respond on their own soil. The public signal and the diplomatic response were inseparable.
Any team briefing a minister, a national security adviser, or a head of government needs to be reading across all of those domains together, in real time. That is as true in Canberra as it is in Ottawa or Washington.
The NATO Summit as a Signal Environment
The NATO Summit in Ankara, Turkey on July 7–8, 2026, is a good test of everything above: the kind of event where public signal and hybrid threat activity both spike at once. When heads of state and defence leaders gather, the event becomes a global focal point for public sentiment, logistical movements, and, increasingly, orchestrated hybrid threats. For security operations in the host city and across member capitals, such a meeting is more than a diplomatic fixture; it is a high-intensity environment where the sheer volume of noise is overwhelming. Relying only on formal reporting channels to get through it leaves a genuine gap in coverage.
Real-time situational awareness demands the capacity to integrate public signals, ranging from the first signs of physical disruption to shifting disinformation narratives, directly into the classified picture. In this arena, the summit confirms that distilling public data into actionable truth is not a secondary capability. It is a foundational requirement for protecting the room where decisions are made and for ensuring that critical Allied security outcomes are the story, not the accompanying hybrid activity.
The Discipline Behind It
Access to public information is not the same as the ability to use it well. The tradecraft matters. I spent two decades learning that the hard way.
Volume is the first challenge. The public environment is vast and most of what it contains is noise. Identifying genuine signals, validating them quickly, and surfacing them in a form useful to a senior decision-maker is a discipline in its own right. It requires the same intellectual rigour as any other form of intelligence work.
Speed creates its own pressures. Early reporting is often incomplete or conflicting. The temptation to brief on partial information, because the room is waiting, is real. The teams that use public information well have learned to distinguish between what is confirmed, what is probable, and what is not yet known, and they say so explicitly in the brief.
The DPRK-linked campaign against diplomatic missions is instructive. The lures were crafted to reference real events, using official signatures and diplomatic terminology to appear legitimate. A foreign ministry awareness team that understands the threat environment around its own diplomatic calendar is better placed to spot the pattern, brief upwards, and alert posts before the lure lands.
What It Looks Like in Practice
The best executive and situational awareness operations treat public information as the early warning layer that tells you where to look, not a supplement to the classified picture.
The events of 28 February 2026 illustrated this with unusual clarity. As strikes began hitting targets across Iran, the first accounts came not from official channels but from social media, open-source video, and public reporting. Iranian state communications were heavily disrupted. For government teams around the world, the public environment was, in those early hours, the primary source of ground truth. Foreign ministries from Wellington to Ottawa to Washington were updating travel advisories and issuing warnings in real time, drawing on the same open picture.
There is a less obvious advantage too. A foreign ministry running posts across dozens of countries faces a language problem no translation team can fully solve. When something happens in a regional language, at speed, the centre often finds out last. Real-time alerts drawn from local-language sources mean the desk in the capital can sometimes read a developing situation faster than the post itself can. The centre, properly equipped, knows more than the regions assumed it would.
That capability is no longer aspirational. It is operational, at the centre of government, across every major democratic region. I have seen what it looks like when it works, and what it costs when it does not.
The Wider Picture
The difference in government is the stakes. A minister being briefed on a fast-moving situation, a permanent secretary deciding whether to escalate, a head of government managing the first hour of a breaking event: these are not moments that tolerate gaps between the classified picture and the public one.
The teams that close that gap have not done it by replacing one system with another. They have done it by treating publicly available information as a serious input, investing in the tradecraft to use it well, and placing it, properly validated, alongside the other reporting that reaches the room where decisions are made. I have been in that room. The difference between having the signal early and not having it at all is not a technical question; it is an operational one.
The quietest source in the room is not quiet because it lacks signal. It was quiet because, for a long time, people were not sure whether to trust it. That changed.
