| SecurityWeek’s Cyber Insights 2026 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we explore cyberwar – what it is, and whether it will worsen in 2026 |
Entering the cyber world is stepping into a warzone.
Cyber is considered a war zone, and what happens there is described as cyberwar. But it’s not that simple. War is conducted by nations (political), not undertaken by criminals (financial). Both are increasing in this war zone we call cyber, but the political threat is growing fast.
Cyberwar is a complex subject, and a formal definition is difficult. Opinions vary over whether there is any effective difference between common cybercriminal and nation state aggression – and, if there is, whether defenders need to understand or act upon that difference.
This complexity is aggravated by the common and understandable perception that to enter the cyber world is to step into a warzone, regardless of the adversary.
We’re going to try to understand cyberwar – what it is, whether it will worsen in 2026, and how we should respond to it.
To help us navigate the complexity, we’ll start with an arbitrary definition that has no provenance outside this article. We suggest that ‘cyberwar’ is the conflict between criminals and business, while ‘cyberwarfare’ is the conflict between nations. (Note that this is our distinction and not one in general use. The experts quoted in this discussion do not necessarily make such a distinction.)
But it is important. While both cyberwar and cyberwarfare will increase through 2026, cyberwarfare is likely to increase more dramatically.
The difference between the two should not be gauged by damage, but by primary intent. This difference is important because criminal activity can harm a business or industry, while nation state activity can damage whole countries. It is the primary intent or motivation that separates the two.
Cyberwar is primarily motivated by financial gain. Cyberwarfare is primarily motivated by political gain, which means it could be a nation or an ideologically motivated group. This definition jars with the usual national red line: a country will only consider a cyberattack to be an act of war if it causes loss of life. On its own, this is still problematic, since financial gain criminality can cause loss of life. Motivation remains the most reliable decider.
We will purposely exclude the ‘steal now, decrypt later’ issue from our discussion. Both criminals and nation states are involved under their different motivations, but since it can be classified as cyber espionage, which is not technically illegal under international law as classified in the Tallinn Manual, we won’t discuss it here. Instead, we refer you to the quantum-focused article in this series.
The difference between cyberwar and cyberwarfare
There is a strong body of opinion that suggests defenders needn’t worry about any distinction between criminal and nation state activity in cyber.
“A formal definition of cyberwar remains elusive and largely irrelevant for organizations managing private data exchanges under frameworks like CMMC (Cybersecurity Maturity Model Certification). The distinction between nation-state attacks and criminal activity collapses in practice,” says Dario Perfettibile, VP and GM of European operations at Kiteworks.
“Ransomware gangs operating with state approval can simultaneously pursue profit and geopolitical objectives, as seen with Russian groups targeting defense contractors,” he continues. “For CMMC-compliant organizations handling controlled unclassified information (CUI) in defense supply chains, the threat actor’s motivation matters far less than their capabilities and your defensive posture.”
Casey Ellis, the founder of Bugcrowd, describes the current situation. “There is a blurring of lines between state and cybercrime activity which creates a more unpredictable and complex threat landscape. When nation states leverage cybercrime tools, co-opt groups, or allow moonlighting, it introduces a hybrid threat model where motivations and tactics can shift rapidly.”
This, he says, makes it harder to predict attacker behavior and increases the risk of collateral damage. “For example, a ransomware attack might initially appear financially motivated but could later reveal geopolitical intent. CISOs must now account for a broader range of adversaries, each with varying levels of sophistication, resources, and objectives. On top of this, cybercriminal groups and government offense teams have very different equities around what they will or won’t do, which adds to the overall unpredictability.”
But we do have a definition of cyberwarfare. “The Tallinn Manual provides a great definition of aggression in cyberspace, explains what is permitted and what is not, and addresses both pre-emptive measures and response to the act of aggression in cyberspace by state actors,” explains Ilia Kolochenko, CEO at Immuniweb, and a cybersecurity partner at Platt Law LLP.
The problem, he suggests, is that international law has been eroded by the number of countries who prefer to ignore it. “While legal scholars and law professors can provide a well-defined and precise assessment of the legality of state offensive or counter-offensive activities and acts in cyberspace, the key question here is: What next?”
To answer this, we need to understand the perpetrator and purpose of the attack – cybercriminal or nation actor. So far, nation state actors have caused little damage. More harm has come from criminal ransomware attacks against critical industries. But the world is changing rapidly. Geopolitical tensions are increasing around the world, and the threat of kinetic warfare is growing.
The ultimate purpose of nation state cyberwarfare is to prepare the battlefield for kinetic war. We saw this with increased Russian activity against Ukraine immediately before the 2022 invasion. Other nations are not yet (at least we hope not) generally using cyber to prepare the battlefield. But they are increasingly pre-positioning themselves within critical industries to be able to do so.
This geopolitical incentive together with the cyberattack and cyber stealth capabilities afforded by advanced AI, suggests that nation state pre-positioning attacks will increase dramatically over the next few years. Pre-positioning is not new, but it will increase.
“By 2026, the world will see the consequences of a decade of pre-positioning: a cyber battlefield already built inside global infrastructure,” warns Steve Stone, SVP of threat discovery and response at SentinelOne. “Communications outages, semiconductor shocks, and AI-driven disinformation will define the first phase of any conflict. For governments and enterprises alike, resilience must be built before the storm, not after it starts.”
A discernible difference between cybercriminals and nation state actors is their respective need for ROI. Criminals want an immediate financial return on their efforts. Nation state actors can, and do, play a low and slow game, taking more time and effort to slip in quietly and stay hidden for years until and unless battlefield preparation becomes necessary.
We will need to increase our ability to detect stealth.
“In 2026, we’ll see more nation state cyberattacks against critical infrastructure, in which adversaries will have embedded themselves in systems for extended periods, possibly months or even years,” explains Stephen Gorham, chief strategy officer at OPSWAT. “Unlike criminal groups driven by the goal to collect ransom or cause disruption, nation states aim to stay hidden, gather intelligence, and position themselves for future operations.”
It follows that for national security, governments will need to improve their ability to detect and understand the motivation of a nation state attacker. This is complicated by the long-standing practice of all nations to use their own actors for cyber espionage, which is not technically illegal.
Attribution and assignment of intent
“In traditional warfare, the distinction between a soldier and a civilian is relatively clear, but in cyberspace, these boundaries are increasingly porous,” says Ashley Jess, senior intelligence analyst at Intel 471. “A cyberattack could be nation-state sponsored, or it could be carried out by financially motivated criminals; but more and more often, the two overlap. This raises the question: can we clearly separate cybercrime from cyberwarfare? The answer is nuanced.”
It is nuanced for several reasons, often focused on the concept of plausible deniability. Adversarial states continually muddy the water by intermingling the tools they use and often the perpetrators with the criminal fraternity.
“By 2026, cyber conflict will be a constant and hybrid domain. Nation-states will increasingly leverage criminal groups to carry out ransomware, data theft, and disruption, achieving strategic goals while retaining plausible deniability. Traditional definitions of ‘cyberwar’ will become obsolete,” says Andrew Lintell, GM EMEA at Claroty.
This can be seen in the Colonial Pipeline attack. If this had been undertaken by Russian state actors for the Russian government, it would have been an act of cyberwarfare that would require a government response. But it involved ransomware and was conducted by a known ransomware gang: Darkside. This enabled Putin to deny any state involvement, going so far as to suggest to NBC News that the attack may have been conducted by patriotic Russian citizens with no affiliation to the Russian state but motivated by their own political beliefs.
Plausible deniability in action, regardless of any Russian state knowledge or involvement. The US intelligence services may know the truth, but the general population does not. Darkside abruptly shut down shortly afterward, saying its infrastructure had been seized by an unknown third party and it was losing access to its funds. Again, nobody outside of Russian or American government agencies knows the truth of precisely what happened.
“Attribution is difficult and slow,” says Peter Connolly, CEO and founder at Toro Solutions. “Businesses may see the activity, but proving who is behind it often requires classified intelligence and corroboration from other sources that private firms simply do not have access to. That lack of visibility fuels much of the uncertainty around response and responsibility.”
Marie Wilcox, VP of market strategy at Binalyze, adds. “What clouds the picture is knowing who was attacking, and what they targeted. The attack on JLR that took billions out of the UK economy was apparently performed by private actors, but it fits the profile of cyberwarfare much more closely than North Korean hackers raising funds by holding businesses to ransom.”
Cyberwar and cyberwarfare are no longer a theoretical escalation, it’s a simmering, distributed, and asymmetric reality, suggests Ensar Seker, CISO at SOCRadar. “Nation-state proxies now mix with financially motivated APTs, blurring the line between espionage, sabotage, and profit. Attribution has become a diplomatic tool as much as a forensic one, and soft power, including disinformation and supply chain manipulation, often hits harder than kinetic strikes. In 2026, we’re not waiting for the ‘first’ cyberwar – we’re already navigating a world in perpetual cyber conflict.”
The average business will likely never know whether a cyberattack is pure criminality or state assisted criminality. In such circumstances the business might not need to know, and the cyber defense would be the company’s standard response to a cyberattack. But the average business may never recognize or respond to a pure state attack, and that is a big danger for the company, for the industry vertical, and for the country itself. National security must know and be able to detect cyberwarfare in order to gauge the correct response to the aggressor.
Gauging the correct response to cyberwarfare
There is little doubt that nation state cyberwarfare is happening now and will escalate in 2026 and beyond. “Geopolitics aside, we can expect acts of cyberwar to increase over the coming years in large part thanks to AI,” says Art Gilliand, CEO at Delinea. “In general, AI has made it significantly easier for anyone to execute sophisticated cyberattacks with fewer resources. For smaller nation-state players, who couldn’t compete with the big dogs until now, this effectively levels the playing field and enables them to become a force in the larger geopolitical cyber landscape.”
Nadir Izrael, CTO and co-founder at Armis, adds, “The industry will need to prepare for when hyper-scaled state and non-state actors deploy autonomous AI agents to conduct hybrid warfare, blending cyberattacks, misinformation, and kinetic effects. It is relatively easy, and does not require vast resources while at the same time inflicting maximum damage and disruption. For example, AI could remotely disable transport logistics, simultaneously trigger energy grid failures, and release coordinated disinformation campaigns to sow chaos among populations.”
Like Gilliand, he doesn’t believe the threat is limited to or from superpowers. “Civilian systems, government agencies, and military logistics would all face synchronized pressure from virtually any entity with a little technical knowledge and an internet connection.”
Remember Ukraine, suggests Megha Kumar, CPO and head of geopolitical risk at CyXcel. “Sophisticated cyber campaigns are directly supporting military objectives by preparing the battlefield and backing kinetic action, from destructive wiper malware attacks against Ukrainian government systems and website defacements creating confusion and distrust, to the Viasat breach attempt to disconnect the nation and delay decision-making.”
The much smaller Ukraine has achieved some considerable retaliatory cyberstrikes against Russia.
“The Russian invasion of Ukraine in 2022 started with a concerted wave of cyber operations intended to disrupt command and control systems and cut off Kyiv from outside assistance,” says Joe Saunders, founder and CEO at RunSafe Security. “Taiwan faces millions of cyberattacks every day that target its infrastructure and government.”
Russia has almost certainly been involved in dis-information campaigns around US elections, and is believed to be conducting multiple cyber campaigns throughout Europe to destabilize society, project an image of its own power and strength, and reduce any western support for Ukraine. This is cyberwarfare, but so far it is just short of warranting a publicly-supported kinetic response. What we don’t know is the extent of any separate pre-positioning within either the US or Europe.
Alex Mosher, president and chief revenue officer at Armis, warns. “A large-scale ‘black swan’ cyber event could see multiple critical systems attacked simultaneously. Imagine a coordinated strike targeting the power grid, telecommunications, and water infrastructure across a single nation or region. The result would be cascading failures that paralyze economies, disrupt emergency services, and endanger lives. Whether driven by a state actor or an ideologically motivated group, such an attack could merge digital and physical warfare, inflicting real-world harm on a massive scale.”
Yet there is little direct government attribution of clear cyberwarfare attacks. The reason is simple: acknowledgement would require a response. That response must be proportionate and based on 100% guaranteed attribution – which we have already seen is difficult to ascertain.
The wrong response could lead to retaliatory action, which could then begin to escalate, and lead to full-scale cyberwarfare. Since the purpose of the quiet cyberwarfare that has been ongoing for years is to prepare the battlefield, cyberwarfare could easily and rapidly escalate into a kinetic war – and it is difficult to see any end other than a nuclear conflict if it involves two nuclear-armed superpower protagonists.
That is why we must be completely accurate in attribution and proportionate in response.
A kinetic end game to cyberwarfare is not far-fetched. “The response is already clear which is why there has been an informally understood calculus deterring the extent of destructive operations. The US response will be the US military conducting kinetic operations,” explains Bryson Bort, CEO and founder at SCYTHE.
As long ago as 2018, the UK made it clear it believed a kinetic armed response to an act of cyberwarfare that caused loss of life would be legal. The inclusion of ‘loss of life’ as the final red line makes it seem that this was primarily an act of verbal deterrence against potential aggressors; but notably and more recently the UK Ministry of Defense (MoD) announced a reshaping of its Cyber and Specialist Operations Command (CSOC) on September 1, 2025.
“This change reflects the ambition of the 2025 Strategic Defense Review, which sets out a bold vision to make Britain safer, secure at home, and strong abroad. CSOC is at the heart of this vision, driving a landmark shift in deterrence and supporting the move of the Armed Forces towards warfighting readiness,” announced the MoD.
The MoD “has launched a new cyber warfare command in charge of defending UK military networks from rising cyber-attacks and coordinating offensive cyber operations,” says Sam Peters, Chief Product Officer at compliance platform, IO.
Both the US and the UK are ready and able to respond to cyberwarfare with their own cyber offensive capabilities – and / or military action.
This, incidentally, is why private industry hack-back is not and should never be allowed or attempted. One mistake from a private citizen could escalate out of control.
Final thoughts
True cyberwarfare is the reality we rarely discuss. We know it is already happening, but we hope it is contained. We liken it to the western / USSR Cold War from years ago. “I would term that we’re in a Cyber Cold War,” says SCYTHE’s Bort. “Adversaries walk up to the line of conflict without risking it boiling over into war.”
This offers some reassurance – the original Cold War never boiled over into a hot war.
Gary Barlet, public sector CTO at Illumio, adds, “A definition for cyberwar has now passed. It is more akin to The Cold War – ongoing, undeclared, and interpreted differently by all sides. Actions and responses happen quietly, often with nation-state involvement unclear – and without established rules or detente.”
He adds, “Cyberwarfare is a central element of today’s geopolitics. By 2026, as nations grow ever more dependent on digital systems, cyber conflict will become increasingly consequential. The opportunities digital infrastructure provides to nation-states also create major targets for those seeking to cause harm.”
As geopolitics worsen, so cyberwarfare will increase. We hope it will never boil over – but we should be aware of the possibility and its consequences. Enterprise cybersecurity defenders are not directly involved, but are nevertheless an important part of the equation. The more secure we keep our systems, the less likely it is that adversarial nation states can turn our own cyber dependence against us.
The battle against cyberwarfare is down to everyone: government agencies and private industry – and increased cooperation between the two.
Related: What is Cyberwar?
Related: The UK Brings Cyberwarfare Out of the Closet
Related: Countries Shore Up Digital Defenses as Tensions Raise the Threat of Cyberwarfare
Related: Merck Settles NotPetya Insurance Claim, Leaving Cyberwar Definition Unresolved
