Apr 2026

Cyberwar

The active digital battlespace nobody declares. State actors, ransomware crews, supply-chain attacks, and the question of whether deterrence works in cyberspace.
~$10T: estimated annual global cybercrime cost in 2025 (Cybersecurity Ventures; figures contested but in this order of magnitude across estimates)
~$10B: estimated total damage from the NotPetya attack alone (2017) (Russian-attributed wiper malware; a reference case for cyber spillover)
~5,000+: reported significant ransomware attacks globally in 2024 (skewed toward Western reporting; non-Western incidents are systematically under-counted)

A note on framing. "Cyberwar" is a contested term. Some serious analysts argue that what is happening is not war in any traditional sense, just a sustained campaign of espionage, sabotage, theft, and harassment short of armed conflict. Others argue that the cumulative effects on civilian infrastructure, critical services, and political processes have moved beyond espionage to something that warrants the label. This page tries to walk through what is actually happening, who is doing it, and where the structural patterns are stable enough to describe with confidence.


Who is operating in the cyber battlespace

The cast is now well-defined enough that a structural picture is possible. Several distinct actor types operate with different objectives and methods.

State signals-intelligence services. The most capable actors. The US National Security Agency, UK GCHQ, Russian GRU and FSB, Chinese Ministry of State Security and PLA cyber units, Israeli Unit 8200, North Korea's Reconnaissance General Bureau, Iran's IRGC cyber units. These services operate with substantial budgets, long time horizons, and willingness to invest in zero-day exploit development. Their primary mission is intelligence collection rather than disruption, but several have demonstrated significant offensive capability.

State-aligned offensive units. Specialised teams within state structures whose mission is offensive cyber operations: sabotage, deniable disruption, influence operations, and pre-positioning for potential conflict. The most studied include Russia's GRU Unit 26165 and Unit 74455 (the latter known publicly as Sandworm), several Chinese PLA and MSS units identified by Western indictments and reporting, North Korea's Lazarus Group, and Iranian APT groups. Western states operate equivalent units: US Cyber Command's offensive arm and the NSA's Tailored Access Operations group (renamed Computer Network Operations), the UK's National Cyber Force, and Israeli offensive units inside Unit 8200 and adjacent structures. The Western units are less frequently discussed in Western media because their operations are typically classified rather than indicted, but the capability and tempo are at the top of the global league. These are the units that conduct the actually-disruptive operations, sometimes through deniable proxies.

Ransomware gangs. Organised criminal groups, predominantly based in Russia and parts of the post-Soviet space, that operate ransomware-as-a-service platforms. Major recent operators include LockBit (substantially disrupted in 2024 but partly reconstituted), Conti (rebranded after internal documents leaked in 2022), BlackCat/ALPHV, Cl0p, RansomHub, and dozens of smaller operations. The economics depend on cryptocurrency payment, which has been substantially constrained by Western enforcement but continues to function. The relationship to Russian state services is intermittent and intentionally ambiguous.

Hacktivists. Politically motivated groups that conduct attacks for ideological reasons. The category overlaps with state-aligned activity (some "hacktivists" are deniable state instruments) and with criminal groups (some operate for both reasons). Groups like Anonymous, KillNet, and various Ukraine-aligned and Russia-aligned hacker collectives have been visible since 2022.

Cybercriminals beyond ransomware. The broader criminal economy includes business email compromise (the largest single category of reported financial loss), banking trojans, identity theft operations, romance and investment scam compounds (large operations in Cambodia, Myanmar, Laos), and cryptocurrency theft operations. The "pig-butchering" scam compounds run from Southeast Asia by transnational organised crime have stolen tens of billions from victims globally.

Insider threats and ordinary mistakes. A consistently underweighted category. A substantial share of incidents start with insiders (malicious or negligent) or with ordinary configuration errors that expose data. The defender's worst day is often Tuesday afternoon, not a state-actor operation.


The reference incidents

A handful of specific cases anchor the structural picture and recur in the analytical literature.

Stuxnet / Operation Olympic Games (discovered 2010). US-and-Israeli operation against Iranian uranium centrifuges at Natanz, part of the broader Operation Olympic Games campaign begun under the Bush administration and expanded under Obama. The first widely documented case of a nation-state using cyber capabilities to physically destroy industrial equipment. Set the precedent that critical infrastructure could be a target. Triggered substantial Iranian investment in offensive cyber capability in response.

Equation Group / Shadow Brokers (revealed 2015-2017). Kaspersky's 2015 reports documented a long-running, technically extraordinary cyber-espionage operation widely understood to be the NSA's Tailored Access Operations group, with toolsets active since at least 2001 targeting governments, telecommunications, energy, and finance globally. The 2016-17 Shadow Brokers leaks then released a substantial portion of the actual NSA exploit toolkit publicly, including EternalBlue (later weaponised into WannaCry). The reference case for the scale and sophistication of US offensive cyber capability, and for the harm that follows when state offensive tooling escapes state control.

Vault 7 (2017). WikiLeaks disclosure of CIA cyber-tooling, including malware, zero-day exploits, and techniques targeting iOS, Android, Windows, smart TVs, and vehicle systems. Documented CIA capabilities to impersonate other actors' cyber signatures (the "UMBRAGE" project), which complicates attribution claims more broadly. The reference case for the scope of Western intelligence-community cyber operations beyond what is publicly indicted.

Sony Pictures (2014). North Korean attack in retaliation for the film "The Interview." Combined data theft, public release, and substantial business disruption. The first widely reported example of state-sponsored cyber retaliation against a private company.

Ukraine power grid (2015 and 2016). Russian-attributed attacks that disconnected significant portions of the Ukrainian electricity grid. The first well-documented cases of cyber operations producing physical effects on civilian infrastructure at scale.

NotPetya (2017). Russian-attributed wiper malware initially targeted at Ukrainian organisations through a compromised tax software update. Spread globally, hitting Maersk, Merck, FedEx subsidiaries, and many others. Estimated total damage around $10 billion. The reference case for the spillover problem: targeted state operations that cause civilian damage far beyond their intended targets.

WannaCry (2017). North Korean ransomware that spread globally in days, hitting hospitals, businesses, and infrastructure. Used a leaked NSA exploit. The reference case for the leaked-exploit problem: how state offensive tooling becomes available to other actors when it leaks.

SolarWinds (disclosed 2020). Russian SVR operation that compromised the build process of widely used network-management software, providing access to thousands of enterprise networks including multiple US government agencies. The reference case for supply-chain attacks: compromise the software vendor and reach all of its customers.

Colonial Pipeline (2021). Russian-based DarkSide ransomware against the operator of a major US fuel pipeline. Triggered fuel shortages on the US East Coast. The reference case for ransomware disrupting critical civilian infrastructure.

Viasat KA-SAT (2022). Russian-attributed attack on a satellite communications system at the start of the Ukraine invasion. Disrupted Ukrainian military communications and also several thousand European wind turbines and other civilian customers.

MOVEit (2023). Cl0p's mass exploitation of a vulnerability in widely used file-transfer software. Hit hundreds of organisations, including government agencies, banks, and healthcare providers. The reference case for mass exploitation of a single vulnerability across many organisations.

Volt Typhoon (disclosed 2023-24). Chinese operation pre-positioning access in US critical infrastructure (water, energy, communications) for potential disruptive use during a conflict. The reference case for strategic pre-positioning in civilian infrastructure for wartime use. The pattern is not unique to China: Snowden's 2013 disclosures revealed long-standing US pre-positioning in foreign telecommunications and infrastructure systems under the same logic, and Chinese reports of US Cyber Command activity in Chinese networks make parallel claims.


The attribution and deterrence problem

One of the structural features of cyber operations is that attribution is technically difficult and politically contested. Forensic analysis can often identify the broad family of actor (state-aligned, criminal, ideologically motivated), and frequently the specific group, but attribution to a specific state with the certainty needed for political response is harder.

Defenders have improved at attribution over time. Combinations of malware analysis, infrastructure tracking, operational pattern analysis, and intelligence collection have allowed Western agencies to publicly attribute many recent operations with substantial confidence. The 2018 Mueller indictment of GRU officers for the 2016 DNC hack, the multiple Department of Justice indictments of named Chinese MSS officers, and the 2024 attributions of Volt Typhoon to specific Chinese units demonstrate the improvement. Attribution runs both directions: Kaspersky's reporting on the Equation Group (widely understood as NSA) starting in 2015, the Shadow Brokers leaks of NSA tooling in 2016-17, the Vault 7 CIA disclosures in 2017, and Chinese state-media attributions of US operations against Chinese infrastructure make clear that non-Western actors also publicly attribute Western operations when they choose to.

What attribution still does not solve is deterrence. A successful attribution can produce indictments, sanctions, or reciprocal cyber actions, but the costs imposed on state actors have not so far been sufficient to change behaviour at scale. Russian, Chinese, North Korean, and Iranian operations continue at high tempo despite years of attribution and consequences. So do Western operations, under doctrines such as US Cyber Command's "defend forward" and "persistent engagement" that explicitly authorise ongoing offensive operations against foreign networks. The reasons are several: the cost-benefit ratio of cyber operations remains favourable to all major operators; reciprocal cyber action risks escalation that defenders are reluctant to invite; sanctions and indictments do not affect adversaries who do not travel to the sanctioning country or hold its assets; and the "below-the-threshold" nature of most operations falls short of what would justify physical or major economic response.

Some analysts argue that this dynamic is stable: cyber is now a permanent feature of great-power competition at a level that does not produce either resolution or escalation. Others argue that the cumulative pressure on civilian infrastructure, the increasing involvement of AI in attack tooling, and the proliferation of capable non-state actors will eventually force a more structural response. The honest position is that this is an actively contested question.


The defensive picture

Cybersecurity as a discipline has improved substantially since 2010 but remains structurally disadvantaged. The defender has to be right every time; the attacker only needs to be right once. Most of the practical defensive work consists of making routine attacks expensive enough that attackers move on, while accepting that determined state-level adversaries will eventually succeed against most targets.

The fundamentals of effective defence are well-understood: multi-factor authentication, principle of least privilege, network segmentation, regular patching, incident-response planning, log retention, and practiced backup-and-recovery procedures. The challenge is consistent execution across every system, every user, every quarter, indefinitely. Most major incidents trace back to failures of execution on these fundamentals rather than to exotic attacks.

Specific defensive trends in 2025-26: zero-trust architectures (no implicit trust based on network location) becoming the default for new enterprise deployments; passkeys replacing passwords for ordinary user authentication; endpoint detection and response (EDR) tools maturing rapidly; AI-driven anomaly detection improving but not yet transformative; cyber insurance markets repricing dramatically as ransomware claims rose, then partially stabilising as carriers tightened underwriting; and government information-sharing improving (CISA in the US, NCSC in the UK, ENISA in the EU).

What has not improved much is the security of small and medium organisations. Hospitals, school districts, local governments, small manufacturers, and similar entities continue to be hit hard by ransomware because they cannot afford the security investment required to defend properly. The ransomware payments these organisations make (or refuse to make, with corresponding business disruption) are now a significant tax on the broader economy.


The paths from here

1. Continued steady-state

Cyber operations remain a permanent feature of great-power competition at roughly current intensity. Defensive technology improves slowly. Attacks rotate among targets. Major sectors learn to absorb the costs as ordinary operating overhead. No major escalation, no major de-escalation.

2. A high-impact incident triggers structural response

A specific event - mass civilian casualties from infrastructure attack, financial system disruption at scale, election manipulation that clearly altered an outcome - produces sustained political pressure for stronger international norms or harder retaliation. Whether such an event would actually produce structural change is uncertain (previous candidates have not), but the possibility is real.

3. AI shifts the balance toward attackers

AI-assisted vulnerability discovery, automated exploit development, and AI-generated phishing at scale make routine attacks easier and cheaper. Defenders adopt AI-driven detection in parallel; the competitive equilibrium shifts in ways that are hard to predict in advance. The next 3-5 years could be substantially worse for defenders before defensive AI catches up.

4. AI shifts the balance toward defenders

AI-driven anomaly detection, automated patching, automated incident response, and AI-assisted code-review reduce the cost and improve the consistency of defence. The long-standing structural advantage of attackers is partially eroded. This is the defensive optimist case; it is plausible on technical grounds and uncertain on execution.

5. Cryptocurrency restrictions hit ransomware economics

Continued tightening of cryptocurrency exchanges, KYC requirements, and anti-money-laundering rules reduces the share of ransomware payments that successfully convert to spendable funds. The economic model becomes less attractive. Specific ransomware operators move to alternative crime types or wind down. Aggregate cybercrime continues but with shifted composition.

6. Quantum-resistant cryptography rollout reshapes the security landscape

Standardisation of post-quantum cryptography (NIST process complete in 2024) drives a long migration that will run through the rest of the decade. The "harvest now, decrypt later" attack model creates pressure to migrate sensitive data faster. Some existing cryptographic protections weaken before replacements deploy at scale.


Where serious analysts disagree

1. Cyber is a permanent low-intensity conflict that doesn't escalate

The structural features of cyberspace - attribution difficulty, asymmetric capability, reversibility of effects - mean that operations stay below thresholds that would trigger major retaliation. The current equilibrium will persist for the foreseeable future. Catastrophic scenarios are overstated; ordinary operational tempo is the durable picture.

Held by: Thomas Rid (Johns Hopkins, "Active Measures"), Erik Gartzke (UCSD), and a strand of academic IR research that has been sceptical of cyber-doom predictions for over a decade. Their case is supported by the actual record: many predictions of cyber Pearl Harbours have not materialised.

2. The cumulative pressure on civilian infrastructure is more dangerous than acknowledged

Each individual incident may stay below dramatic thresholds, but the cumulative effect on hospitals, schools, water systems, power grids, and supply chains is producing a steady degradation of civilian resilience. The next major crisis - a war, a pandemic, an economic shock - will hit a society more dependent on systems that are now more compromised than the public realises.

Held by: Bruce Schneier (Harvard), parts of the CISA community, Anne Neuberger (former US Deputy National Security Adviser for Cyber and Emerging Tech), and a substantial part of the practitioner community. The case is supported by sectoral incident data.

3. AI will fundamentally reshape the attacker-defender balance

The next five years will see AI-assisted attacks scale faster than AI-assisted defence in most domains. Mass exploitation of specific vulnerabilities, automated reconnaissance at scale, and AI-generated social engineering will outpace what most organisations can respond to. The current defensive playbook becomes inadequate before its replacements are ready.

Held by: parts of the AI-safety community, several major security companies' published research, and a strand of operational practitioners. The case is partly contested - defensive AI is also improving - but the timing question is real.

4. Norms-building will eventually constrain state behaviour

UN-led efforts on cyber norms (the GGE process, the Open-Ended Working Group) and bilateral agreements have produced specific commitments that, while frequently violated, do constrain some state behaviour. Sustained diplomatic effort plus accumulated operational lessons will gradually narrow what states do in cyberspace.

Held by: parts of the US State Department cyber-policy community, the Microsoft Digital Peace effort, and academic IR researchers focused on norms. The case has produced specific results (some norms are observed) and limitations (many are not).

5. Insurance markets will discipline what governments cannot

The expansion of cyber insurance, post-2020 hardening of underwriting, and legal pressure on cyber-incident handling will create economic incentives for better security that public-policy efforts have not. Private market discipline does what state regulation cannot. The price of being insecure becomes high enough to drive widespread improvement.

Held by: parts of the cybersecurity insurance industry, Chris Wysopal (Veracode), and a strand of market-based cybersecurity advocacy. The case is partly supported by post-2020 underwriting changes; the limits are visible in the smaller-organisation segment.

None of these readings is fully right or wrong. What can be said from the available evidence: cyber operations are a permanent feature of great-power competition and ordinary criminal economy; the cumulative pressure on civilian systems is real and is poorly priced into either policy or markets; AI is shifting the balance in ways that will become clearer over the next five years; deterrence has not worked at the level needed to change state behaviour; and the most consequential vulnerabilities are increasingly in supply-chain infrastructure that small numbers of organisations can compromise to reach many others.


What this means for you

1. Personal cybersecurity

The fundamentals are well-known and consistently underused. Use a password manager. Enable multi-factor authentication on everything that matters. Keep your devices updated. Do not click on links you did not expect; verify through an independent channel. Back up the data you cannot afford to lose. These five practices block a large majority of ordinary attacks. Sophisticated state-actor targeting is hard to defend against; ordinary cybercrime is mostly defeated by the basics.

2. If you run an organisation

Cyber risk should be treated as an ordinary business risk with a budget, not a one-time project. The consistent execution of fundamentals (segmentation, patching, monitoring, response planning, backups tested by actual restoration) matters more than any specific technology purchase. Cyber insurance is now genuinely useful but has tightened underwriting that requires demonstrable controls. Tabletop exercises that simulate incidents are one of the highest-leverage things smaller organisations can do.

3. If you have public visibility

Journalists, activists, dissidents, and politically active people in or from authoritarian states face a different threat profile. Specific tools (Signal for messaging, hardware-key authentication, separate devices for sensitive work, professional consultation when at heightened risk) make a real difference. Resources like the Citizen Lab's Security Planner and Access Now's helpline are designed for this audience.

4. If you read cyber coverage

The discipline has matured enough that reasonable specialised journalism exists. Andy Greenberg at Wired, Kim Zetter's newsletter, the Krebs on Security blog, the Risky Business podcast, and Lawfare's cyber coverage are reliable sources. Mainstream coverage tends to oscillate between dismissiveness and panic. Specific incidents are usually better understood by reading specialised follow-up reporting after the initial wave.

5. If you vote on cyber-related policy

The most important policy questions are unglamorous: minimum security requirements for critical infrastructure operators, funding for civilian cyber defence agencies, software liability frameworks that align developer incentives with security outcomes, international cooperation on cybercrime extradition, and education investments in the cybersecurity workforce. These do not produce campaign-ad material but matter substantially for the actual security picture.

