The Fog Moved
In 2022, a Portuguese airline suffered a significant data breach. The criminal group behind it claimed they had accessed an unprotected server. The airline's CEO went on record framing the outcome as proof of resilience: the data ended up on the dark web, which she presented as evidence that the company had refused to negotiate with criminals. Intransigent. Principled.
I work in cyber risk. I read that and saw something different. The data appearing publicly was not a badge of honour. It was the consequence of failure. And the framing revealed something worse than the breach itself: the organisation did not understand the difference between being a custodian of personal data and being its owner. It had no standing to make that trade on behalf of its customers.
I filed a complaint with the Portuguese data protection authority. That was September 2022. As of today, I have received no substantive response. Three and a half years of silence from the mechanism that exists specifically to hold organisations accountable for exactly this kind of failure.
I bring this up not to relitigate one airline's bad week, but because it illustrates something anyone working in cyber learns early and never forgets: the first confident narrative after an incident is almost always wrong, or at best incomplete. Attribution is messy. Signals are partial. Motives are layered. Adversaries shape perception as deliberately as they compromise systems. And by the time the slow, careful, unglamorous work of establishing what actually happened catches up, the story has usually settled in people's minds.
That dynamic used to feel like a cyber problem. It is not any more.
Most people now encounter conflict through clips, screenshots, maps, threads, official statements, eyewitness accounts, recycled footage, AI-enhanced certainty, and algorithmic outrage. The information arrives fast and feels authoritative. Verification, if it comes at all, arrives much later. By then, narratives have hardened and loyalties have attached themselves to versions of events that may still be badly understood.
From where I sit, this looks structurally familiar. Not identical, but familiar in the ways that matter. The same gap between the speed of claims and the speed of understanding. The same exploitation of that gap by people with something to gain from confusion. The same pressure on ordinary people to choose a side before the evidence is in.
OSINT is usually discussed through its military or intelligence value, and that framing is fair. But there is another dimension that gets less attention. Open-source techniques, used carefully and honestly, can serve the public interest. They can help people move from passively consuming information to actively inspecting it. Not perfectly, not without effort, and certainly not without the risk of getting things wrong. But that shift from consumption to inspection matters.
In cyber, we talk about resilience as a function of visibility, detection, and informed response. You cannot defend what you cannot see. You cannot respond well if you have not learned to reason under uncertainty. I wonder whether part of civic resilience in conflict could be framed in similar terms. Not as a guarantee of truth, but as a discipline of resisting the first confident claim and holding several possibilities in mind while the slower work continues.
Better public tools and better public habits will not eliminate propaganda. They will not make truth instant. But they may raise the cost of lying, lower the reward for confusion, and give ordinary people a slightly better chance of seeing past whoever is trying hardest to own the story.
That is not a military ambition. It is a democratic one.