Incidents of hybrid attacks have spiked across the EU since Russia invaded Ukraine, with at least 100 being recorded in 2024 alone.⁽¹⁾ In March 2024, several French ministries have been victims of DDoS cyberattacks of increasing intensity. The responsibility has been claimed by Anonymous Sudan, pro-Kremlin hackers.⁽²⁾ In April–May 2024, the University of French Guiana was targeted by ransomware attacks. Local authorities suspected that the infiltration was carried out for the purpose of Russian propaganda.⁽³⁾ During the summer of 2025, multiple territories in the Dutch Caribbean, specifically Aruba, Curaçao, and Sint Maarten⁽⁴⁾ experienced waves of cyberattack within days of each other.⁽⁵⁾ On July 23^rd, the Joint Court of Justice, serving the Dutch Caribbean, suffered a cyberattack disrupting email systems. On July 24, Curaçao’s Tax Office was attacked leading to days of service outages impacting the Dutch Tax and Customs Administration. On August 5^th, the Aruban Parliament launched a phishing prevention campaign prompting public warnings not to open suspicious email, after one of its official email accounts was compromised. Targeting such territories offers offenders multidimensional gains, from exploiting local tensions to causing direct repercussions on the parent state. While these incidents in the Dutch Caribbean attracted little coverage in the media, the perpetrators of these attacks remain the usual suspects. Often, isolated “random” and “non-critical” actions targeting small states turn out to be part of more intricate cyber-operations. Even seemingly minor cyberattacks can trigger cascading effects across interdependent Critical Infrastructures (CIs) disrupting entire supply networks in small ecosystems with severe consequences.

This article argues that small states, particularly overseas territories, are especially attractive soft targets for cyber offenders. It presents preliminary findings from an embedded case study conducted within Aruba. Aruba, a former Dutch colony and autonomous member of the Kingdom of the Netherlands, sits at a strategic crossroads near South America and hosts a U.S. Forward Operating Location. These geopolitical ties, combined with its colonial legacy and limited human and technological resources (brain drain, lack of specialized units, budget limitation) heighten its exposure to cyber threats in times of global tension. The study highlights challenges of fragmentation and scarce capacity, and explores strategies to strengthen cross-sector collaboration and build cohesive defensive networks through Unity of Effort (UoE). Data was collected from letters of intent on cyber CI protection, institutional documents, recovery and continuity plans, also from confidential conversations, interviews (four principles of UoE) with members of operational-level cybersecurity institutions, CEOs and CISOs.

Literature Overview

Security issues have been reported throughout history as a greater threat for smaller than for larger states (Sutton and Payne, 1993). Their economic dependence, geopolitical importance, and the often fragile state of their digital infrastructure make them more vulnerable to cyberattacks. Small-states studies span three main traditions of research approach: the legal one focus on neutrality; the political one focus on dominance and submission; and the rational choice approach focus on military security (Knudsen, 1996). From the two first approaches, smaller states are often left isolated during a cyberattack and seek cooperation with “dominant” institutions and international rules to secure their safety (Bartmann, 2002). Small states will choose peace over war, aiming to remain neutral as market trade is essential to their survival. This historical rational choice is common fact to most small-states and it relates to the key concept of deterrence (Bjøl, 1968). Three strategic preconditions must be present for effective deterrence: a real capability must exist to effectuate actions toward an adversary; the threat must be credible; and one must be able to communicate effectively (Kristiansen and Hoem, 2022). Small and isolated states struggle with all three. Human and technical resources, policies and legal frameworks, as well as strategies are painfully lacking (Ang, 2022). Indeed, small states often possess fewer capacities to devote to security, hence affecting their capabilities to rapidly defend and credibly threaten attackers. Moreover, small states usually are reluctant to attribute the attacks. The cyber forensic capability to gather enough evidences to substantiate geopolitical sensitive attribution is often lacking. As a result, they face dual-resource constraints. On one hand, small states lack resources to reach a sufficient level of security maturity. On the other hand, they must entertain several lines of operations to achieve more robust deterrence in cyberspace. Consequently, opportunistic offenders perceived them as soft targets. In such context, it is crucial to understand and enact network level crisis response integration to mitigate ripple effects of cyberattacks.