This kind of cyber “war game” sounds reassuring right up until you notice the quiet part: Nato only narrowly beat the bad guys.

That’s not a fun headline if you live in a world where the “bad guys” aren’t fictional, the power grid isn’t pretend, and the public panic isn’t something you can reset with a debrief. If a practice run is close, the real thing probably isn’t going to be.

Based on what’s been shared publicly, Nato ran a simulation built around a made-up country called Perantsa getting hit in the energy grid by a hostile state called Karti. The scenario wasn’t subtle. It mirrored what Ukraine has been living with since 2022: cyber attacks mixed with disinformation, aiming to break systems and morale at the same time. Ukrainian officials even played the attacker side in the exercise, and they used AI-generated disinformation to see how Perantsa would handle the information chaos along with the technical damage.

That detail matters. Cybersecurity people love to talk about “resilience,” but resilience isn’t a software feature. It’s whether regular people keep trusting what they’re told when their lights flicker, their phone fills with rumors, and someone starts whispering that their leaders are lying. A power outage is scary. A power outage plus believable fake stories about “who did it” and “who’s hiding what” is how you get a country arguing with itself while the attacker keeps pushing.

So yes, I’m glad Nato is practicing. But I also think these simulations can become a comforting ritual if we treat “we trained” as the same thing as “we’re ready.”

The uncomfortable truth is that the attacker often has an easier job than the defender. The attacker needs one good opening. The defender needs dozens of things to go right: good detection, fast coordination, clear public messages, and leaders who don’t freeze. And when you add AI-generated disinformation, the attacker’s work gets cheaper. They can flood the zone with convincing junk at a speed humans can’t match. Even if each fake is sloppy, the volume alone can exhaust the people trying to correct it.

Imagine you’re a mayor in a midsize city in “Perantsa.” The grid is unstable. A message starts spreading saying the national government is hiding a bigger collapse. Another claims the outage is “planned” to distract from corruption. A third says a neighboring country is about to invade. Your residents want answers now, not a careful statement after you verify facts. If you speak too early and you’re wrong, you lose trust. If you wait, the rumors win. That’s a brutal choice, and it’s exactly where disinformation aims to put you.

Or say you run a hospital. Your backup power is on, but only for so long. Staff are seeing posts claiming the hospital is being told to turn people away. Families show up angry. Someone records a tense moment and it spreads, stripped of context. Even if your IT team is doing everything right, you’re still fighting a social problem with physical consequences.

This is why “narrowly beating” the attacker in a simulation should bother people. It suggests the response is still fragile: coordination is hard, messaging is hard, and acting under pressure is hard. It also suggests something else: we keep building our security plans around systems, when the real target is often confidence.

Now, to be fair, involving Ukrainians as the attacker team is smart. They’ve seen what actually works in the real world. And there’s a practical goal here too: Nato’s Jatec is trying to improve how Ukraine and the alliance work together and share knowledge and resources. That’s not just “training”; it’s about being able to operate together when things are messy.

But I don’t want to pretend the politics aren’t part of this. Training for “Russia-style” attacks is also a signal. It says: we see you, we’re planning, and we’re aligning closer with Ukraine. That can deter. It can also provoke. Some readers will argue that doing this more loudly increases risk. Others will argue the risk is already here, and quiet preparation is just denial with better manners. I lean toward the second view. If an attacker thinks you’re unprepared, that’s an invitation.

The bigger risk, though, is internal. If Nato countries treat this as a military-only problem, they’ll miss what actually breaks first: public trust, local decision-making, and basic communication. A good response plan isn’t just “restore the grid.” It’s “keep people calm enough that restoring the grid is possible.”

And I’m not fully sure the alliance has that muscle. Militaries are good at command chains. Democracies are messy by design. During a fast-moving information attack, that mess can look like weakness. The irony is that the openness we value—free debate, multiple voices, no single state narrative—can be used against us if we don’t build better habits around verification and public updates.

So I’m left with a question that doesn’t have a comfortable answer: if Nato is only narrowly winning in a controlled simulation, what makes us confident we can win when the lights are actually out and the lies are coming in faster than the truth?