In June 2025, at the Paris Air Show, AMIAD and Dassault Aviation signed an R&D agreement on the integration of AI into air combat. A few months earlier, the agency launched Pendragon: by 2027, a force of robots coordinated by a collective AI will be deployed within the Army. Behind these announcements lies an issue that the armies cannot ignore. While the cybersecurity of military information systems has been the subject of a structured doctrine for several years, what happens when it is the AI system itself, whether its model, its training data or its real-time inferences, that is attacked? This question invites us to rethink military cybersecurity in depth: no longer just as the protection of networks and infrastructures, but as the guarantee of the integrity, reliability and robustness of intelligent systems which inform, assist and sometimes condition decisions in combat.
Cyberspace: a new field of confrontation
In 2010, the United States Department of Defense defined cyberspace as “a global domain within the information environment, consisting of the interdependent network of information technology infrastructures and resident data, including the Internet, telecommunications, computer systems, as well as integrated processors and controllers”. Only three years later, in 2013, the French Ministry of the Armed Forces explained that this cyberspace “is now a field of confrontation in its own right”. Why such a development? Because it is also a privileged area for invisible attacks: cyberattacks.
According to the National Information Systems Security Agency (ANSSI), a cyberattack is an “event aimed at compromising one or more computer systems with the aim of serving malicious interests”. In other words, an action designed to weaken, undermine or divert a digital device for hostile purposes. And potential targets abound. Military infrastructures are particularly vulnerable: computers, servers, peripherals, but also smartphones, tablets and connected objects, whether they are connected to the Internet or isolated from the network. The attack vectors are just as diverse, ranging from malware to human manipulation (social engineering) to targeted physical actions. An easy-to-understand example is plugging an infected USB key into a secure computer.
Cyberattacks come in many forms. Some are (distributed) denial-of-service (DDoS) attacks designed to paralyze critical systems. Others go through the supply chain to introduce backdoors or malware. Still others rely on the interception of sensitive communications, typical of so-called man-in-the-middle attacks. The spectrum is wide. Some attacks aim to falsify data in order to mislead the decision-making chain, which amounts, neither more nor less, to directly influencing the course of operations. Others, more offensive, seek to take control of weapons systems, with the aim of neutralizing them or, worse still, turning them against their owner.
We understand here that cyberspace does not just accompany modern conflicts, it redraws their contours. It becomes a full-fledged theater of confrontation, a space where operational advantage can be gained or lost without noise, without fanfare, but with very real effects on the ground. In short, it is indeed establishing itself as a new field of confrontation, with still uncertain rules and often shifting limits. A unique field where operational advantage can be conquered without a single shot being fired.
Defense AI: between strategic advances and new vulnerabilities
However, this field of confrontation continues to expand. And its most recent extension consists of two letters: AI. Because artificial intelligence is not only entering the theater of operations, it is reconfiguring its very foundations.
Emmanuel Chiva, General Delegate for Armaments in France from July 2022 to November 2025, puts his finger on a key issue: AI should allow machines not only to analyze situations of great complexity, but also to make decisions in real time and, in doing so, to relieve humans of tasks deemed either too dangerous or of low added value. For armies, AI is firing on all cylinders in several crucial areas. Command assistance, on the one hand. Surveillance and reconnaissance, on the other. Not to mention the deployment of autonomous robotic systems, the real workhorse of tomorrow, as well as the training of the armed forces. In short, the spectrum of applications is not lacking in scope. What’s more, the list grows as AI research pushes the boundaries of what is possible. Ultimately, mastering AI in the theater of operations is no longer just an ace up your sleeve. It is a categorical imperative for any country which has the legitimate ambition to stay one step ahead and, in turn, to preserve a decisive operational advantage over the adversary.
However, the integration of AI systems also introduces new vulnerabilities for their users. As early as 2019, the Minister of the Armed Forces at the time, Madame Florence Parly, highlighted the potential risks linked to AI, emphasizing the various dangers to be taken into account from the design phase: “The manipulation of learning data, cognitive biases transmitted by humans to algorithms, systems disoriented and faulted by a simple piece of tape, systems that can be hacked remotely: the risk factors that we must evaluate and control from the design stage are extremely numerous”. These warnings, formulated several years ago, have lost none of their sharpness. Quite the contrary: they have taken on a new resonance as military AI has been deployed.
Because the vulnerabilities pointed out by the minister are not accidents – they are structural. And they echo, in a disturbing way, the cyber threats already mentioned. The growing use of AI by the armies is considerably expanding this new cyber field of confrontation, already crowded. Indeed, an attack directed against a defense AI model can rightly be considered a cyberattack. Why? Because its aims, and largely its means, are those of more traditional computer intrusions. In other words, the enemy does not need to reinvent its methods: it just needs to adapt its practices to new tools, and we quickly understand that AI, supposed to strengthen operational resilience, can just as easily become an Achilles heel.
All cybersecurity threats can be transposed here. Data theft, disruption of services, manipulation of sensitive information: nothing escapes the spectrum of risks. And the attacker’s motivations, far from being new, are modeled on those observed against a traditional IT infrastructure. The attacker will seek to compromise the confidentiality, integrity or availability of data, but also, more worryingly, the AI model itself. The purposes of such offensives are multiple and sometimes particularly devious. This may involve hijacking the decisions of an algorithm in order to sow confusion within the chain of command, stealing critical information to strengthen its own position, or even rendering a model completely unusable, with the direct effect of paralyzing a defense system. In other words, these attacks exploit the flaws in a system with formidable efficiency, just as a so-called classic cyberattack would. The entire operational balance can falter, sometimes over a seemingly insignificant detail.
Overview of attacks: a taxonomy for understanding threats
To anticipate these threats, it is first necessary to name and classify them precisely. The National Commission for Information Technology and Liberties (CNIL) distinguishes three main families of attacks targeting AI models: infections, manipulations and, finally, exfiltrations. Three words, almost clinical, behind which hide much more worrying realities. Civil and military AI systems, moreover, very often share a common technological base, sometimes strictly identical and at least convergent: this taxonomy therefore fully applies to the military field.
Infection attacks are attacks that target the training phase of AI models. By intervening at this key moment in the system’s life cycle, attackers can significantly modify the behavior of the algorithm to control it in a covert manner or to degrade its operation later. The attack can take several forms: sometimes by inserting incorrect data, sometimes by surreptitiously modifying data that already exists, with the direct consequence of causing the model to learn erroneous patterns. In such a context, the so-called infection attack acts like a real Trojan horse: it pushes the model to misclassify the data, to generate inaccurate, biased, or even deliberately malicious results. Thus, the system becomes less efficient, unreliable, or, even more worrying, vulnerable to critical errors. In practice, let’s imagine, for example, that an attacker injects deliberately altered data into the training algorithm: the AI, supposed to recognize enemy targets with precision, then begins to confuse friend and foe. And we can easily guess the consequences: operational security is put at risk.
Manipulation attacks, better known by the English term adversarial attack, aim to deceive AI systems not during learning, but during their use phase, once learning is completed. In other words, they arise at the moment when we believe, wrongly, that the model is stabilized and reliable. The principle, seemingly harmless, is formidable: it involves introducing slight disturbances into the model’s input data, disturbances which give rise to “adversarial examples”. To the human eye, everything seems normal, nothing is out of place. But for the algorithm, these distorted signals are so many traps, and prediction errors multiply. Here, the illusion is total, comparable to a mirage on the road which deceives the most trained eye. These subtle modifications, which exploit the flaws in the system as one drives a wedge into a crack, are enough to induce incorrect decisions: an erroneous classification, a distorted evaluation, a biased judgment. This is where the danger lies, because in practice the consequences can be significant. Let us imagine, for example, an attacker introducing almost invisible disturbances into the images processed by the sensors of a military platform: to the human eye, nothing to report. For the AI, however, everything changes: an enemy missile can suddenly be interpreted as an innocuous civilian aircraft, or, conversely, a perfectly harmless airliner be perceived as a threat to be shot down. The border between reality and the artifact becomes dangerously porous.
Exfiltration attacks aim, as their name suggests, to steal critical data from AI systems. Three main categories stand out: membership inference, model inversion and model extraction, each exploiting the flaws in machine learning in its own way. First, the membership inference attack: it makes it possible to determine whether specific data was used during training. In practice, the attacker plays on the differences in confidence and precision that the model displays depending on the data submitted. If the model displays an abnormally high level of certainty for a given example, this suggests, implicitly, that this data was indeed part of the training set. An attacker could thus seek to check whether sensitive information, for example on a particular type of vehicle, weapon or platform, appears in the system’s memory. Second, the model inversion attack. Here, the principle is that from the model outputs alone, the adversary attempts to reconstruct the input data which was used for training. In other words, it seeks to extract an average representation, a sort of statistical fingerprint, of each category learned. And, one thing leading to another, this process can lead to the reconstruction of sensitive data which we thought inaccessible. Finally, model extraction is undoubtedly the most insidious form. It is nothing more and nothing less than stealing an entire model by treating the system as a “black box”: no direct access to the code, no access to the data, but a patient question-and-answer strategy. By multiplying the inputs and scrupulously analyzing the outputs, the attacker manages to create a faithful copy, almost a clone. In doing so, it steals not only the overall architecture, but also the parameters (weights, biases, etc.) and even hyperparameters, such as the number of layers of a neural network.
This last scenario obviously presupposes that an enemy succeeds in capturing a platform equipped with an AI model in order to interrogate it at leisure, question after question.
Concrete implications on the battlefield under the conditions of controlled deployment
Attacks on AI will pose a considerable threat to military vehicles: instead of seeking to destroy them directly, enemy armies could exploit vulnerabilities in their AI models or their data to neutralize their operational capabilities. For example, air combat is a field mastered by few countries and one where hitting the target remains particularly complex. However, if a fighter plane becomes blind following a cyberattack targeting its AI-enabled sensors, the pilot loses his decision-making capacity over the weapons and piloting systems, which directly puts his life in danger. As Will Roper, former assistant secretary of the US Air Force, pointed out, modern aircraft have millions of lines of code. If any of them are vulnerable or faulty, even a country without the means to develop a fighter jet could “knock that plane out of action with just a few strikes,” simply by exploiting those flaws via targeted cyberattacks. This demonstrates that the threat to vehicles using AI models will not only come from missiles or direct combat, but also from computer attacks aimed at vital systems in order to neutralize them.
Faced with these threats, it appears essential to think about the means to put in place to anticipate and counter these attacks. Because if artificial intelligence gradually becomes a centerpiece of the battlefield, it becomes, ipso facto, a target of choice. And to be deployed on a battlefield, an AI must be explainable, reliable and robust. These three qualities are not simple technical criteria: they establish the necessary trust which becomes a real condition of operational cybersecurity.
The opacity of artificial intelligence systems, often referred to as the “black box effect”, constitutes a major obstacle to their military use. An AI that generates results without its reasoning being immediately understandable becomes suspect in the eyes of operators. Worse still, it becomes a target of choice, particularly in the face of attacks by infection or manipulation, known as adversarial attacks. In the first case, the attack consists of poisoning the learning data in order to alter, insidiously and in the long term, the future behavior of the model. In the second, more devious case, adversarial attacks target the use phase: simple disturbances, invisible to the naked eye but carefully introduced into the input data, are enough to cause classification errors. A detail that seems trivial to a human can, in reality, tip over an entire system. Ensuring explainability therefore becomes a real question of cybersecurity. It is this which guarantees the traceability and auditability of decisions, making it possible not only to validate the legitimacy of a military action, but also to identify its deviations. Think, for example, of fratricidal fire or collateral damage: without explainability, the analysis of the causes remains in the fog. With it, on the contrary, we have a verification and warning tool. Ultimately, explainability acts as a digital shield. It illuminates the gray areas, reduces the space that can be exploited by the enemy and contributes to the global resilience of military AI systems. This is a cardinal issue, because in this unprecedented field of confrontation, understanding the why of decisions is not a luxury but indeed a strategic necessity.
Trust in AI also requires that it be reliable and robust. Reliability assumes that the performance of a system remains constant, whatever the deployment conditions. In other words, a reliable model must produce the same results in a perfectly controlled laboratory as in a theater of operations where uncertainty, stress and the unexpected reign. Robustness, for its part, refers to another requirement, just as crucial: the ability to resist disturbances, to operate in degraded environments, or to withstand attacks intended to hijack its results. In other words, it is not enough for a model to be precise in normal times; it must also hold up when headwinds arise. As Admiral Pierre Vandier points out, robustness must “guarantee to political decision-makers that when they take a decision on the basis of AI processing of our data, then this decision will be controlled”. This notion is therefore closely linked to the development of cybersecurity for defense AI systems.
Securing defense AI: from traditional methods to innovative approaches
An AI system essentially relies on two key elements: data and a model. Ensuring the cybersecurity of defense AI therefore means protecting these two aspects throughout their life cycle. Traditional practices from the NIST Cybersecurity Framework constitute a starting point, before new dedicated methods complete the arsenal.
This methodological framework is structured around five key functions: identify, protect, detect, respond and recover. Applied to defense AI, each of these functions covers specific issues detailed below.
Identification would consist of identifying critical assets and analyzing their vulnerabilities. This step would involve mapping sensitive training data from military sensors, as well as the AI models deployed in the field. The protection function would then aim to ensure the safety and resilience of the AI. It would rely on classic cybersecurity measures: authentication, encryption and access management to protect training data against infection, for example, but also secure coding practices, endpoint protection and network security to protect the development of models. Next comes detection, which would aim to identify cybersecurity incidents such as an intrusion into the training data or an attack on an AI model. This function would be ensured by continuous supervision via intrusion detection systems (IDS) and/or security information and event management solutions (SIEM). It would be supplemented by specific tests carried out by red teams, which would, for example, simulate adversarial attacks in order to spot any manipulation attempt before it compromises a mission. In the event of an incident, the response could come from SOCs specialized in defense AI monitoring, able to distinguish a technical anomaly from a targeted attack and deploy appropriate countermeasures. Finally, recovery would guarantee the continuity of operations thanks to recovery plans and backups, but also by providing for the reconstitution of compromised models or their retraining on reliable data, an essential condition for maintaining confidence in, and the effectiveness of, AI systems in a military context. Ultimately, the NIST Cybersecurity Framework would offer a valuable basis for securing defense AI, but it would remain insufficient given the dynamic and evolving nature of the models. In a military context, where the adversary would actively seek to exploit these vulnerabilities, it would therefore be appropriate to supplement this framework with new mechanisms dedicated to making AI more cybersecure.
Securing data, essential for learning, represents a major strategic challenge, both during the development and deployment phase of defense AI models.
During the development phase, two methods seem to emerge as particularly promising. The first is homomorphic encryption, which allows data to be processed and analyzed without ever decrypting it, thus ensuring its confidentiality even during computation. The second is federated learning, which decentralizes model training by allowing multiple devices to learn locally from their own data while sharing only the learning results (model updates) with the central system. Thus, raw data is never centralized, which considerably limits the risks of attack or data exfiltration during development.
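As an added illustration (not code from the article), the following Python puts the two methods together: three constructed clients train a shared linear model by federated learning, and their updates travel to the aggregation server encrypted under a toy additively homomorphic Paillier scheme, so the server sums them without ever decrypting an individual update. The primes, clients, data and model are all constructed, and the key size is tiny, for illustration only.

```python
"""Federated learning round with Paillier-encrypted model updates.

Added illustration, not the article's code: a toy Paillier scheme lets the
aggregation server sum client updates without decrypting any of them; only the
key holder recovers the averaged update. Primes, clients and data are constructed.
"""
import math
import random

# ---- Toy Paillier cryptosystem (additively homomorphic) --------------------
P, Q = 104723, 104729          # constructed toy primes; real keys use 2048-bit+ moduli
N = P * Q
N2 = N * N
LAMBDA = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)
MU = pow(LAMBDA, -1, N)        # valid because the generator is g = N + 1
SCALE = 10 ** 6                # fixed-point scaling so float updates become integers
_rng = random.Random(1234)     # seeded only to make the demo reproducible

def encrypt(m):
    """Encrypt an integer in (-N/2, N/2); negatives are represented modulo N."""
    r = _rng.randrange(1, N)
    while math.gcd(r, N) != 1:
        r = _rng.randrange(1, N)
    return (pow(N + 1, m % N, N2) * pow(r, N, N2)) % N2

def decrypt(c):
    m = ((pow(c, LAMBDA, N2) - 1) // N) * MU % N
    return m - N if m > N // 2 else m      # undo the modular sign encoding

def add_encrypted(c1, c2):
    """Homomorphic addition: decrypt(c1 * c2) == decrypt(c1) + decrypt(c2)."""
    return (c1 * c2) % N2

# ---- Federated linear regression y = w*x + b with encrypted aggregation -----
def local_update(weights, data, lr=0.1):
    """Client side: one MSE gradient step on private (x, y) pairs; only the delta leaves."""
    w, b = weights
    gw = gb = 0.0
    for x, y in data:
        err = (w * x + b) - y
        gw += 2 * err * x / len(data)
        gb += 2 * err / len(data)
    return (-lr * gw, -lr * gb)

def encrypt_update(delta):
    return [encrypt(round(d * SCALE)) for d in delta]

def aggregate(encrypted_updates):
    """Server side: sums ciphertexts and never sees an individual update."""
    total = encrypted_updates[0]
    for upd in encrypted_updates[1:]:
        total = [add_encrypted(a, b) for a, b in zip(total, upd)]
    return total

def federated_round(weights, client_data):
    updates = [encrypt_update(local_update(weights, d)) for d in client_data]
    summed = aggregate(updates)
    # Only the key holder decrypts, and only the aggregate, which it then averages.
    avg = [decrypt(c) / SCALE / len(client_data) for c in summed]
    return (weights[0] + avg[0], weights[1] + avg[1])

def mse(weights, data):
    w, b = weights
    return sum(((w * x + b) - y) ** 2 for x, y in data) / len(data)

# Constructed private datasets of three clients, all sampled from y = 2x + 1.
CLIENT_DATA = [
    [(0.0, 1.0), (1.0, 3.0), (2.0, 5.0)],
    [(-1.0, -1.0), (0.5, 2.0), (1.5, 4.0)],
    [(3.0, 7.0), (-2.0, -3.0), (1.0, 3.0)],
]

def train(rounds=30):
    """Runs federated rounds from a zero model and returns the global weights."""
    weights = (0.0, 0.0)
    for _ in range(rounds):
        weights = federated_round(weights, CLIENT_DATA)
    return weights

if __name__ == "__main__":
    final = train()
    all_data = sum(CLIENT_DATA, [])
    print("global model w=%.3f b=%.3f mse=%.6f" % (final[0], final[1], mse(final, all_data)))
```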
During the deployment phase of a model, several complementary approaches could be particularly relevant to strengthen the security of the data it uses. The first is Poison Control, a method of detecting infection attacks. It is based on continuous monitoring of data sets in order to identify any anomaly suggesting the injection of falsified data. In a military context, such a method would make it possible, for example, to identify whether an adversary is trying to slip false satellite images into a geospatial analysis system. The second approach, called Input Control, focuses on filtering user input in order to counter possible attacks. It is based on the validation of formats, the analysis of semantic coherence and, when necessary, the application of stricter statistical rules. Finally, the third approach, called Transform Inputs, consists of slightly modifying the data before it is processed by the model, for example by introducing random noise or rephrasing the prompts. This method would then complicate the task of attackers who seek to interrogate a defense AI model to extract sensitive information (whether training data, internal representations or even a copy of the model itself). In a radar detection system, for example, it could partially scramble incoming signals in order to reduce the risk of adversarial manipulation. Ultimately, these three methods pursue the same purpose: limiting the impact of malicious inputs without sacrificing the operational robustness of the model. In other words, combining protection and performance, because on the digital battlefield as elsewhere, it is not enough to resist: we must also continue to act effectively.
Having explored innovative data protection methods, we now need to look at the models themselves. Their design and deployment must integrate new cybersecurity approaches from the outset, according to the principle of security by design, that is to say an approach which treats security as a fundamental requirement from the design phase rather than as an addition a posteriori. The challenge is to anticipate deviations or attacks, even those unknown at the time of development, and to integrate countermeasures in order to guarantee the robustness of defense AI in contested environments.
During the model development phase, several innovative methods should be able to strengthen the resilience of AI models in the face of threats. One of these techniques is adversarial training (learning from adversarial examples), which consists of exposing the model to deliberately altered data and adding such malicious examples to its training set so that it learns to recognize them, thereby increasing its resistance to adversarial attacks. Randomized smoothing would offer another avenue of protection by training an AI to maintain stable predictions even when the input data to its classification algorithm is disrupted by noise, thus limiting the effectiveness of cyberattacks. Finally, digital twins should represent a strategic advance in the cybersecurity of defense AI by making it possible to simulate realistic and evolving environments to test the robustness of models before their deployment, anticipate vulnerabilities and validate countermeasures in a secure virtual setting.
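The following Python is an added example (not the article's or any project's code) that ties the Input Control and Transform Inputs methods described earlier to randomized smoothing: a constructed three-feature linear classifier, an input-control stage that checks format, plausibility and a statistical outlier rule, and a smoothed decision that votes over noisy copies of the input and abstains when the votes are too divided. The weights, baseline statistics, bounds and thresholds are all constructed.

```python
"""Input control and a randomized-smoothing decision for a toy sensor classifier.

Added illustration, not the article's code. The classifier weights, feature
baseline, bounds and thresholds below are all constructed.
"""
import math
import random
from dataclasses import dataclass

# Constructed linear "threat / benign" classifier over three normalized sensor
# features (speed, altitude rate, radar cross-section): threat if score > 0.
WEIGHTS = (1.0, -1.0, 0.5)
BIAS = -0.2
N_FEATURES = len(WEIGHTS)

# Constructed baseline statistics of the training data (mean, std per feature),
# used by the statistical rule of the input-control stage.
BASELINE_MEAN = (0.0, 0.0, 0.0)
BASELINE_STD = (0.5, 0.5, 0.5)
HARD_BOUNDS = (-3.0, 3.0)   # physical plausibility range after normalization
MAX_Z = 4.0                 # reject inputs further than 4 sigma from the baseline

def validate_input(x):
    """Input control: format, finiteness, plausibility and statistical checks.
    Returns (True, "ok") or (False, reason); a rejected input never reaches the model."""
    if not isinstance(x, (list, tuple)) or len(x) != N_FEATURES:
        return False, "format: expected %d features" % N_FEATURES
    for i, v in enumerate(x):
        if isinstance(v, bool) or not isinstance(v, (int, float)) or not math.isfinite(v):
            return False, "format: feature %d is not a finite number" % i
        if not HARD_BOUNDS[0] <= v <= HARD_BOUNDS[1]:
            return False, "plausibility: feature %d out of range" % i
        z = (v - BASELINE_MEAN[i]) / BASELINE_STD[i]
        if abs(z) > MAX_Z:
            return False, "statistics: feature %d is a %.1f-sigma outlier" % (i, z)
    return True, "ok"

def base_predict(x):
    """Unsmoothed classifier: 'threat' if the linear score is positive."""
    score = sum(w * v for w, v in zip(WEIGHTS, x)) + BIAS
    return "threat" if score > 0 else "benign"

@dataclass
class Decision:
    label: str          # "threat", "benign", "abstain" or "rejected"
    agreement: float    # fraction of noisy votes for the winning label
    reason: str = ""

def smoothed_predict(x, sigma=0.25, n_samples=1000, min_agreement=0.75, seed=0):
    """Transform-inputs / randomized-smoothing decision.

    The input is re-classified under n_samples draws of Gaussian noise and the
    majority label is kept only if enough votes agree. For a linear base classifier
    the majority boundary is unchanged; what smoothing adds is the agreement score,
    which falls towards 0.5 for inputs sitting right at the boundary (where
    manipulated inputs tend to live), so the system abstains instead of emitting
    a confident but fragile label.
    """
    rng = random.Random(seed)   # seeded so the decision is reproducible
    votes = {"threat": 0, "benign": 0}
    for _ in range(n_samples):
        votes[base_predict([v + rng.gauss(0.0, sigma) for v in x])] += 1
    label, count = max(votes.items(), key=lambda kv: kv[1])
    agreement = count / n_samples
    if agreement < min_agreement:
        return Decision("abstain", agreement, "votes too divided")
    return Decision(label, agreement)

def classify(x):
    """Full pipeline: input control first, then the smoothed decision."""
    ok, reason = validate_input(x)
    if not ok:
        return Decision("rejected", 0.0, reason)
    return smoothed_predict(x)

if __name__ == "__main__":
    clear_threat = [1.2, 0.0, 1.0]    # constructed: score 1.5, well inside the threat region
    borderline = [0.3, 0.2, 0.24]     # constructed: score 0.02, a hair across the boundary
    for sample in (clear_threat, borderline, [1.0, float("nan"), 0.0], [2.5, 0.0, 0.0]):
        print(sample, "->", classify(sample))
```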
Once deployed, AI models will also need to be protected by new cybersecurity approaches specifically designed to counter operational threats. Autoencoders seem to offer a first line of defense. Placed upstream of the model, they transform malicious inputs in order to limit adversarial attacks, while downstream they reduce the amount of sensitive information disclosed, thereby complicating data extraction attempts. Generative adversarial networks (GANs) constitute another promising solution. By generating fictitious data close to the original but stripped of any sensitive elements, and by carefully filtering suspicious inputs, these techniques make it possible both to limit information leaks and to thwart attacks by infection or manipulation. In other words, they build a sort of intelligent firewall, capable of confusing the adversary's trail. Finally, an additional avenue deserves attention: the supervision of defense AI by other AI. This approach, which might seem paradoxical at first glance, nevertheless opens the way to a considerable strengthening of security. Thanks to continuous monitoring, these systems would detect the slightest statistical deviations in the predictions, just as we spot a false note in a well-rehearsed score. The result: early identification of abnormal behavior, triggering of appropriate countermeasures and, above all, enrichment of the feedback essential for refining the models. In short, the idea is no longer just to protect AI, but to give it the ability to monitor itself, learn from its flaws and transform each attack attempt into a source of increased resilience.
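As an added example (not the article's code), the following Python sketches the supervising AI described above as a statistical monitor: it learns the label mix and confidence profile of a validated model from a baseline window and raises alerts when a live window departs from them. The baseline, the thresholds and both live windows are constructed.

```python
"""Statistical supervision of a deployed model's prediction stream.

Added illustration, not the article's code. The monitor learns the label mix and
confidence profile of a validated model from a reference window, then tests each
live window against it. Baseline, thresholds and streams are constructed.
"""
from collections import Counter
from dataclasses import dataclass

# A prediction is a (label, confidence) pair with confidence in [0, 1].

@dataclass
class Alert:
    kind: str         # "label_shift" or "confidence_shift"
    statistic: float
    detail: str

class PredictionMonitor:
    """Compares windows of live predictions with a trusted baseline."""

    def __init__(self, baseline, chi2_threshold=13.8, z_threshold=4.0):
        # 13.8 is roughly the chi-square critical value at p = 0.001 for two degrees
        # of freedom (three labels); tune it to the label set actually in use.
        n = len(baseline)
        counts = Counter(label for label, _ in baseline)
        self.label_freq = {k: c / n for k, c in counts.items()}
        confs = [c for _, c in baseline]
        self.conf_mean = sum(confs) / n
        self.conf_std = (sum((c - self.conf_mean) ** 2 for c in confs) / n) ** 0.5
        self.chi2_threshold = chi2_threshold
        self.z_threshold = z_threshold

    def label_shift(self, window):
        """Pearson chi-square of the window's label counts against the baseline mix,
        plus the number of predictions carrying a label the baseline never produced."""
        n = len(window)
        observed = Counter(label for label, _ in window)
        stat = sum((observed.get(label, 0) - freq * n) ** 2 / (freq * n)
                   for label, freq in self.label_freq.items())
        unseen = sum(c for label, c in observed.items() if label not in self.label_freq)
        return stat, unseen

    def confidence_shift(self, window):
        """z-score of the window's mean confidence against the baseline mean."""
        mean = sum(c for _, c in window) / len(window)
        stderr = max(self.conf_std, 1e-9) / len(window) ** 0.5
        return (mean - self.conf_mean) / stderr

    def check(self, window):
        """Returns the alerts raised by one window (an empty list means nothing abnormal)."""
        alerts = []
        stat, unseen = self.label_shift(window)
        if stat > self.chi2_threshold or unseen:
            alerts.append(Alert("label_shift", stat,
                                "label mix departs from baseline; %d unseen labels" % unseen))
        z = self.confidence_shift(window)
        if abs(z) > self.z_threshold:
            alerts.append(Alert("confidence_shift", z, "mean confidence moved %.1f sigma" % z))
        return alerts

def make_stream(counts, conf_levels=(0.85, 0.90, 0.95)):
    """Constructed prediction stream: the given label counts, confidences cycling over levels."""
    stream, i = [], 0
    for label, n in counts.items():
        for _ in range(n):
            stream.append((label, conf_levels[i % len(conf_levels)]))
            i += 1
    return stream

# Constructed baseline: 1000 validated predictions, mostly benign and confident.
BASELINE = make_stream({"benign": 850, "threat": 100, "unknown": 50})
# Constructed live windows: one consistent with the baseline, one in which threats
# have almost vanished and confidence has sagged, as after poisoning or manipulation.
NORMAL_WINDOW = make_stream({"benign": 170, "threat": 20, "unknown": 10})
SHIFTED_WINDOW = make_stream({"benign": 195, "threat": 2, "unknown": 3},
                             conf_levels=(0.55, 0.60, 0.65))

def run_monitor():
    """Checks both windows and returns the alert kinds raised for each."""
    monitor = PredictionMonitor(BASELINE)
    return {"normal": [a.kind for a in monitor.check(NORMAL_WINDOW)],
            "shifted": [a.kind for a in monitor.check(SHIFTED_WINDOW)]}

if __name__ == "__main__":
    for name, kinds in run_monitor().items():
        print(name, "->", kinds or "no alert")
```

In a deployment the alert list would feed the countermeasure step the text mentions (degraded mode, retraining request, analyst review); here it is only returned.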
Integrating AI into our weapons systems and acculturating the military to its use is today a strategic imperative for any country wishing to maintain an advantage over its adversaries. However, using this innovation cannot be done without posing new threats to our armies. AI is vulnerable to digital attacks, through infection, manipulation or exfiltration, which can have devastating consequences on the ground and endanger the lives of our armed forces or even civilians. In this context, the cybersecurity of AI models and data must obviously involve the application of traditional measures but it must also rely on innovative approaches to increase their robustness.
Valentin AUBERT
President of the INAS Dual Innovation Commission
- Braiek, H. B., & Khomh, F. (2024). Machine learning robustness: A primer. arXiv. http://arxiv.org/abs/2404.00897
- Billois, G., Bossuet, R., & Pierre-Louis, C. (2024, March 13). Securing AI: the new cybersecurity challenges. RiskInsight. https://www.riskinsight-wavestone.com/2024/03/securiser-lia-les-nouveaux-enjeux-de-cybersecurite/
- CNIL. (n.d.). Model evasion attack. CNIL. https://www.cnil.fr/fr/definition/attaque-par-exfiltration-de-modele-model-evasion-attack
- Commission responsible for drawing up the White Paper on defense and national security. (2013). White Paper: Defense and National Security. Presidency of the Republic, Directorate of Legal and Administrative Information. https://www.vie-publique.fr/rapport/34001-livre-blanc-2013
- Department of Defense (DoD). (2010). Joint publication 1-02: Department of Defense dictionary of military and associated terms. https://fas.org/irp/doddir/dod/jp1_02.pdf
- LCP. (2024, June 16). The Defense Journal – Artificial intelligence: the armies are accelerating. LCP. https://lcp.fr/programmes/le-journal-de-la-defense/intelligence-artificielle-les-armees-accelerent-285421
- Meunier, L. (2022). Adversarial attacks: A theoretical journey [Doctoral dissertation, Université Paris Sciences et Lettres]. HAL. https://theses.hal.science/tel-04056444
- National Institute of Standards and Technology (NIST). (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.CSWP.29
- Vallet, F. (2022). Small taxonomy of attacks on AI systems. CNIL Digital Innovation Laboratory.