INFO News SecurityWeek

Cyber Insights 2026: Cyberwar and Rising Nation State Threats

  • What: A report forecasts an increase in cyberwar and cyberwarfare through 2026, with cyberwarfare expected to rise more dramatically.
  • Impact: Highlights the potential consequences of escalating cyber conflicts and the need for awareness.

While both cyberwar and cyberwarfare will increase through 2026, cyberwarfare is likely to increase more dramatically. We hope it will never boil over – but we should be aware of the possibility and its consequences.

By Kevin Townsend
February 4, 2026 (8:00 AM ET)

SecurityWeek’s Cyber Insights 2026 examines expert opinions on the expected evolution of more than a dozen areas of cybersecurity interest over the next 12 months. We spoke to hundreds of individual experts to gain their expert opinions. Here we explore cyberwar – what it is, and whether it will worsen in 2026.

Entering the cyber world is stepping into a warzone. Cyber is considered a war zone, and what happens there is described as cyberwar. But it’s not that simple. War is conducted by nations (political), not undertaken by criminals (financial). Both are increasing in this war zone we call cyber, but the political threat is growing fast.

Cyberwar is a complex subject, and a formal definition is difficult. Opinions vary over whether there is any effective difference between common cybercriminal and nation state aggression – and, if there is, whether defenders need to understand or act upon that difference. This complexity is aggravated by the common and understandable perception that to enter the cyber world is to step into a warzone, regardless of the adversary.

We’re going to try to understand cyberwar – what it is, whether it will worsen in 2026, and how we should respond to it. To help us navigate the complexity, we’ll start with an arbitrary definition that has no provenance outside this article. We suggest that ‘cyberwar’ is the conflict between criminals and business, while ‘cyberwarfare’ is the conflict between nations. (Note that this is our distinction and not one in general use. The experts quoted in this discussion do not necessarily make such a distinction.)

But it is important. While both cyberwar and cyberwarfare will increase through 2026, cyberwarfare is likely to increase more dramatically. The difference between the two should not be gauged by damage, but by primary intent.

This difference is important because criminal activity can harm a business or industry, while nation state activity can damage whole countries. It is the primary intent or motivation that separates the two. Cyberwar is primarily motivated by financial gain. Cyberwarfare is primarily motivated by political gain, which means it could be a nation or an ideologically motivated group.

This definition jars with the usual national red line: a country will only consider a cyberattack to be an act of war if it causes loss of life. On its own, this is still problematic, since financial gain criminality can cause loss of life. Motivation remains the most reliable decider.

We will purposely exclude the ‘steal now, decrypt later’ issue from our discussion. Both criminals and nation states are involved under their different motivations, but since it can be classified as cyber espionage, which is not technically illegal under international law as classified in the Tallinn Manual, we won’t discuss it here. Instead, we refer you to the quantum-focused article in this series.

The difference between cyberwar and cyberwarfare

There is a strong body of opinion that suggests defenders needn’t worry about any distinction between criminal and nation state activity in cyber.

“A formal definition of cyberwar remains elusive and largely irrelevant for organizations managing private data exchanges under frameworks like CMMC (Cybersecurity Maturity Model Certification). The distinction between nation-state attacks and criminal activity collapses in practice,” says Dario Perfettibile, VP and GM of European operations at Kiteworks.
“Ransomware gangs operating with state approval can simultaneously pursue profit and geopolitical objectives, as seen with Russian groups targeting defense contractors,” he continues. “For CMMC-compliant organizations handling controlled unclassified information (CUI) in defense supply chains, the threat actor’s motivation matters far less than their capabilities and your defensive posture.”

Casey Ellis, the founder of Bugcrowd, describes the current situation. “There is a blurring of lines between state and cybercrime activity which creates a more unpredictable and complex threat landscape. When nation states leverage cybercrime tools, co-opt groups, or allow moonlighting, it introduces a hybrid threat model where motivations and tactics can shift rapidly.”

This, he says, makes it harder to predict attacker behavior and increases the risk of collateral damage. “For example, a ransomware attack might initially appear financially motivated but could later reveal geopolitical intent. CISOs must now account for a broader range of adversaries, each with varying levels of sophistication, resources, and objectives. On top of this, cybercriminal groups and government offense teams have very different equities around what they will or won’t do, which adds to the overall unpredictability.”

But we do have a definition of cyberwarfare. “The Tallinn Manual provides a great definition of aggression in cyberspace, explains what is permitted and what is not, and addresses both pre-emptive measures and response to the act of aggression in cyberspace by state actors,” explains Ilia Kolochenko, CEO at Immuniweb, and a cybersecurity partner at Platt Law LLP.

The problem, he suggests, is that international law has been eroded by the number of countries who prefer to ignore it.
“While legal scholars and law professors can provide a well-defined and precise assessment of the legality of state offensive or counter-offensive activities and acts in cyberspace, the key question here is: What next?”

To answer this, we need to understand the perpetrator and purpose of the attack – cybercriminal or nation actor. So far, nation state actors have caused little damage. More harm has come from criminal ransomware attacks against critical industries.

But the world is changing rapidly. Geopolitical tensions are increasing around the world, and the threat of kinetic warfare is growing. The ultimate purpose of nation state cyberwarfare is to prepare the battlefield for kinetic war. We saw this with increased Russian activity against Ukraine immediately before the 2022 invasion.

Other nations are not yet (at least we hope not) generally using cyber to prepare the battlefield. But they are increasingly pre-positioning themselves within critical industries to be able to do so. This geopolitical incentive, together with the cyberattack and cyber stealth capabilities afforded by advanced AI, suggests that nation state pre-positioning attacks will increase dramatically over the next few years.

Pre-positioning is not new, but it will increase. “By 2026, the world will see the consequences of a decade of pre-positioning: a cyber battlefield already built inside global infrastructure,” warns Steve Stone, SVP of threat discovery and response at SentinelOne. “Communications outages, semiconductor shocks, and AI-driven disinformation will define the first phase of any conflict. For governments and enterprises alike, resilience must be built before the storm, not after it starts.”

A discernible difference between cybercriminals and nation state actors is their respective need for ROI. Criminals want an immediate financial return on their efforts. Nation state actors can, and do, play a low and slow game, taking more time and effort to slip in quietly and stay hidden for years until and unless battlefield preparation becomes necessary. We will need to increase our ability to detect stealth.

“In 2026, we’ll see more nation state cyberattacks against critical infrastructure, in which adversaries will have embedded themselves in systems for extended periods, possibly months or even years,” explains Stephen Gorham, chief strategy officer at OPSWAT. “Unlike criminal groups driven by the goal to collect ransom or cause disruption, nation states aim to stay hidden, gather intelligence, and position themselves for future operations.”

It follows that for national security, governments will need to improve their ability to detect and understand the motivation of a nation state attacker. This is complicated by the long-standing practice of all nations to use their own actors for cyber espionage, which is not technically illegal.

Attribution and assignment of intent

“In traditional warfare, the distinction between a soldier and a civilian is relatively clear, but in cyberspace, these boundaries are increasingly porous,” says Ashley Jess, senior intelligence analyst at Intel 471. “A cyberattack could be nation-state sponsored, or it could be carried out by financially motivated criminals; but more and more often, the two overlap. This raises the question: can we clearly separate cybercrime from cyberwarfare? The answer is nuanced.”

It is nuanced for several reasons, often focused on the concept of plausible deniability. Adversarial states continually muddy the water by intermingling the tools they use and often the perpetrators with the criminal fraternity.

“By 2026, cyber conflict will be a constant and hybrid domain. Nation-states will increasingly leverage criminal groups to carry out ransomware, data theft, and disruption, achieving strategic goals while retaining plausible deniability. Traditional definitions of ‘cyberwar’ will become obsolete,” says Andrew Lintell, GM EMEA at Claroty.

This can be seen in the Colonial Pipeline attack. If this had been undertaken by Russian state actors for the Russian government, it would have been an act of cyberwarfare that would require a government response. But it involved ransomware and was conducted by a known ransomware gang: Darkside. This enabled Putin to deny any state involvement, going so far as
