An attack now travels at the speed of light and arrives unattributed. State-sponsored hackers have switched off a Ukrainian power grid (the 2015 BlackEnergy strike that darkened ~230,000 homes), wiped 30,000 of Saudi Aramco's computers (Shamoon, 2012), dumped Sony Pictures' internals (2014), interfered in the American election (2016), destroyed Iran's centrifuges through Stuxnet (~2010), ransomed Colonial Pipeline into shutting the U.S. East Coast's fuel artery (2021), and exfiltrated the security-clearance files of 22 million U.S. federal personnel (the OPM breach, 2014–15). The damage is strategically meaningful; the responses are muted. Cyberwarfare is the grey zone where most great-power competition is now actually being fought — below the threshold of war, above the threshold of peace.
The strategic peculiarity of cyberattacks is that they sit in a domain where deterrence is hard. Attribution is slow and contested; retaliation without clear attribution is destabilizing; and the legal threshold for what counts as "an attack" is ambiguous — is data theft an act of war? Is election interference? The result is a domain in which state-sponsored offensive operations are constant, mostly unattributed, and mostly calibrated to stay below the line that would trigger a conventional response. Russia, China, North Korea, Iran, the United States, the United Kingdom, Israel, and France all run significant offensive cyber programmes — North Korea's, uniquely, also functions as a revenue stream, with the Lazarus Group stealing billions in cryptocurrency to fund the regime. The defensive challenge is fundamentally asymmetric: the attacker needs to find one vulnerability, the defender must close all of them, and the attack surface has exploded with cloud computing, the Internet of Things, and software supply chains (the 2020 SolarWinds compromise reached ~18,000 organizations through a single trusted update). The economics tilt the same way — an exploit may cost months to develop but pennies to deploy a millionth time, and the same code, once used, can be captured, reverse-engineered, and turned back on its author, as happened when NSA tools leaked and resurfaced inside the 2017 WannaCry and NotPetya worms, the latter inflicting some $10 billion in global damage. Critical infrastructure — power grids, water systems, financial clearing, hospitals — is now the primary target category, with the Ukrainian theatre since 2014 serving as a live laboratory for what civilian-target cyber operations look like at scale.
AI-enabled offensive cyber — automated vulnerability discovery, large-scale spear-phishing, deepfake-based social engineering — is the next inflection, lowering the skill floor for sophisticated attacks even as it raises the ceiling. Every major intelligence service is investing heavily; every major target is racing to keep its defenses ahead of the tooling. Whether cyber norms — a Geneva Convention for cyberspace, a no-first-use commitment for power-grid attacks, a credible attribution regime — emerge before a major incident forces one, or whether the domain remains a Wild West indefinitely, is one of the more consequential governance questions of the next decade.