
The Silent Front: Why Cyber and Infrastructure Warfare Became the New Baseline of Great Power Competition

  • Writer: CES Intelligence
  • Apr 30
  • 7 min read

Updated: 2 days ago

How Volt Typhoon, Salt Typhoon, and a Year of European Hybrid Attacks Have Made the Border Between Cybersecurity and National Security Disappear



The Munich Security Index 2026, polling over 11,000 respondents across G7 and BICS countries for the Munich Security Conference in February, ranked cyberattacks as the single most serious perceived national security risk in the G7 aggregate—the second consecutive year cyber threats have topped the index. Eurelectric's February 2026 report Battle-Tested Power Systems documented 23 successful cyberattacks against European energy operators in twelve months. The FBI confirmed in February 2026 that Salt Typhoon remains active inside US networks despite eighteen months of remediation. The European Commission itself was breached on 24 March 2026 through a cloud infrastructure intrusion. This is not a cybersecurity conversation anymore. It is a national security conversation that happens to involve servers, routers, and edge devices. The theater runs around the clock. There are no rules of engagement. This is infrastructure warfare conducted continuously below the threshold of armed conflict.



[Image: Critical infrastructure monitoring dashboard, illustrating the convergence of cyber warfare and national security in great power competition.]
Caption: The infrastructure layer of great power competition has gone permanent. Boards still treating cyber as an IT discipline are operating on a 2015 mental model.


The Threshold Has Already Been Crossed


The doctrinal shift is now legible. The Office of the Director of National Intelligence's 2026 Annual Threat Assessment, published in late March, frames Chinese state-linked actors as deliberately positioning within IT networks to enable lateral movement to operational technology systems. CISA, NSA, and the FBI assess that this positioning is not espionage. This is cyber warfare in its mature form: not data theft, but pre-positioned disruption capability.


Four named Chinese campaigns now structure the threat landscape, each serving a distinct strategic objective.


Volt Typhoon, active since 2021, targets US critical infrastructure for pre-positioning. Communications, manufacturing, utilities, transportation, maritime, government. The IC has stated explicitly that this campaign carries limited espionage value. Its purpose is disruption capability in a Taiwan contingency. A Department of Homeland Security memo declassified in mid-2025 revealed that Salt Typhoon actors had compromised a US state's Army National Guard network for nine consecutive months in 2024, exfiltrating administrator credentials and detailed network diagrams. Those are not surveillance trophies. They are operational inputs for coordinated infrastructure disruption.


Salt Typhoon, attributed to China's Ministry of State Security, has compromised over 200 organizations in more than 80 countries. October 2024 was the inflection point. The compromise of Verizon, AT&T, and the broader US telecommunications backbone gave Chinese intelligence direct access to the systems courts use for law enforcement wiretaps. Three months later, on 17 January 2025, the Treasury sanctioned Sichuan Juxinhe Network Technology, the front company directly involved. Then February 2026 happened. Norway disclosed a breach. So did Singapore. Senator Maria Cantwell stated publicly that the group may still be inside US networks.


Flax Typhoon operates IoT botnets across hundreds of thousands of devices to enable surveillance and offensive capability against Taiwan and Western critical infrastructure. Brass Typhoon, the group long tracked under the APT41 banner, has done something more interesting. It has crossed over. Espionage to financial extortion. Gambling, gaming, critical sectors. Beijing is no longer pretending the line between state and criminal cyber activity matters. The fuzziness is now the point.


Moscow runs the same playbook with different tools. The Eurelectric February 2026 report is blunt about what it sees: physical sabotage, cyberattacks, aerial intrusions, subsea cable severances—all of it accelerating, all of it targeting European energy. The Estlink-2 cable cut by the Eagle S on Christmas Day 2024 cost up to €60 million to repair. APT28 ran Operation Neusploit in February 2026 against Ukraine, Slovakia, and Romania, weaponizing CVE-2026-21509. A month later, the Russian-speaking ransomware group Qilin hit Romanian pipeline operator Conpet and German political institutions and openly described the attacks as hybrid warfare. They were not lying about the framing.


Tehran has done the same conversion. The Iranian playbook used to be episodic—headline-grabbing, occasional, deniable. Not anymore. Check Point tracked sustained password-spraying campaigns against Microsoft 365 environments across Europe, the UK, the US, and Saudi Arabia through early 2026. Last August, Norway formally attributed an April 2025 cyberattack on the Bremanger dam to Russia, where hackers had taken brief control of the facility. The CRINK quadrant—China, Russia, Iran, North Korea—stopped being a theoretical alignment some time ago. What it actually is now is an operational ecosystem with shared targets and complementary tooling.



[Image: Industrial operational technology corridor, representing the OT–IT convergence at the heart of state-sponsored cyber warfare campaigns against European energy operators.]
Caption: Operational technology was air-gapped for forty years. The convergence with IT networks closed that gap in less than fifteen.


Why This Is Not Cyber Anymore — It Is Infrastructure Warfare


The framework that separates cyber warfare from national security has collapsed. The Munich Security Report 2026 captured this directly: the line between cyber and energy security has ceased to exist. Three operational realities make the distinction obsolete.


First, the OT attack surface is expanding faster than defense capacity. NERC estimates that the US grid is gaining roughly 60 new vulnerable points per day from increased digitalization, distributed energy resources, and third-party vendor integration. Smart grids, renewable assets, and connected industrial sensors are deployed for efficiency. Each connected device is a potential entry point. The math does not favor defenders.


Second, the attribution problem creates permanent strategic ambiguity. Living-off-the-land techniques. IoT botnets running through compromised consumer devices. Ransomware-as-a-service rented out to deniable proxies. And now, AI-assisted intrusions: in February 2026, an AWS environment went from initial credential theft to full administrative privileges in under ten minutes, with large language models automating the reconnaissance phase end to end. The threshold for plausible deniability has dropped. The technical sophistication of attacks has risen. Defenders are losing on both axes simultaneously.


Third, cascading effects of infrastructure compromise cross national boundaries instantly. European electricity grids are interconnected by design. A successful attack on a single transmission node creates regional consequences. The 2025 Iberian blackout is the clearest example. Initially written off as a technical malfunction, it ended up flagged by the World Economic Forum and multiple security analysts as a case where the line between system failure and coordinated cyber operation was simply too thin to draw with confidence after the fact. Industry threat reporting from early 2026 puts the trend on hard numbers. Cyber breaches with physical consequences are climbing fast. Oil and gas. Water systems. Power. Metals and mining. Pharmaceutical manufacturing. Jaguar Land Rover took the most costly production shutdown in a decade. Collins Aerospace was crippled to the point of weeks of flight cancellations. Polish distributed generation systems were hit in a near-miss attributed to Russian nation-state activity.



The Corporate Blindspot


Most European boards still operate on an outdated threat model — one that predates the era of infrastructure warfare. Three errors recur with damaging consistency.


Cyber budgets allocated against the wrong threat. Corporate cyber spending overwhelmingly targets ransomware and data exfiltration. Real risks. Not the strategic risk. State-sponsored pre-positioning requires different controls: network segmentation between IT and OT, identity behavior analytics, edge device monitoring, supply chain trust verification. Most boards have approved spending that protects them against 2020 threats while the 2026 threat operates inside their networks undetected.


Compliance treated as cybersecurity. NIS2, the Cyber Resilience Act, DORA, and the upcoming sector-specific network codes are necessary but insufficient. Compliance documents an organization's posture. It does not defend against an actor that has been inside the network for six months, blending into legitimate traffic via living-off-the-land techniques. Audit reports are not threat detection.


Third-party risk underestimated. 54% of large organizations cite third-party risk management as a major challenge. Most third-party assessments are annual questionnaires rather than continuous monitoring. Salt Typhoon's primary attack vectors are known CVEs in network edge devices: Ivanti Connect Secure, Sophos Firewall, Fortinet, Citrix. These are vendors, not victims. The supply chain is the front line.



Four Operational Disciplines Boards Must Adopt Now


Treat OT and IT as architecturally separate. The cost is real. The alternative is worse. NATO has earmarked 1.5 percentage points of the 5% GDP defense target specifically for critical infrastructure protection and cybersecurity—approximately €250 billion across allied countries. That capital will reward firms that can demonstrate genuine segregation, not nominal compliance.


Continuous adversary emulation, not annual audits. State-sponsored actors operate hands-on-keyboard for months. Defense must operate at the same tempo. Tabletop exercises run quarterly. Red team engagements run continuously. Detection capability is measured in hours, not weeks.


Edge device hygiene as a board-level metric. If your board does not see monthly reporting on patch status of internet-facing appliances, your board is not seeing the actual threat surface. The vulnerabilities that enable Volt Typhoon and Salt Typhoon are known, public, and patchable. Failure to patch is not a technical issue. It is a governance failure.
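As an added example (not from the original article and not CES Intelligence's own tooling), the Python below computes the kind of monthly edge-device patch-status metric this paragraph calls for: for each internet-facing appliance it checks the running version against every vendor fix that applies to that product, measures how many days the fix has been available, and rolls that up into a board-level summary (coverage percentage, devices past a remediation target, worst exposure). The product names follow vendors the article lists; every version string, advisory ID, date and the 14-day remediation target are constructed placeholders, not real advisories.

```python
"""Edge-device patch-status reporting over a constructed inventory.

All versions, advisory identifiers, dates and the remediation target below are
constructed placeholders for illustration; they are not real advisories.
"""
from dataclasses import dataclass
from datetime import date


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '22.7.1' into (22, 7, 1) so versions compare numerically."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder ID, not a real CVE or vendor advisory
    product: str
    fixed_version: str    # first version that contains the fix
    published: date       # date the fix became available


@dataclass(frozen=True)
class Appliance:
    hostname: str
    product: str
    version: str
    internet_facing: bool


# Constructed advisories (placeholder IDs, versions and dates).
ADVISORIES = [
    Advisory("ADV-PLACEHOLDER-001", "Ivanti Connect Secure", "22.7.2", date(2026, 1, 8)),
    Advisory("ADV-PLACEHOLDER-002", "FortiGate", "7.4.5", date(2026, 2, 20)),
    Advisory("ADV-PLACEHOLDER-003", "FortiGate", "7.4.3", date(2025, 11, 3)),
]

# Constructed appliance inventory; only internet-facing devices enter the metric.
INVENTORY = [
    Appliance("vpn-edge-01", "Ivanti Connect Secure", "22.7.1", True),
    Appliance("vpn-edge-02", "Ivanti Connect Secure", "22.7.2", True),
    Appliance("fw-dmz-01", "FortiGate", "7.4.2", True),
    Appliance("fw-lab-01", "FortiGate", "7.4.2", False),
]

SLA_DAYS = 14  # constructed remediation target for internet-facing appliances
REPORT_DATE = date(2026, 3, 1)  # constructed reporting date


def missing_fixes(appliance: Appliance, advisories: list[Advisory]) -> list[Advisory]:
    """Advisories for this product whose fixed version the appliance has not reached."""
    return [a for a in advisories
            if a.product == appliance.product
            and parse_version(appliance.version) < parse_version(a.fixed_version)]


def exposure_days(appliance: Appliance, advisories: list[Advisory], today: date) -> int:
    """Days since the oldest unapplied fix for this appliance became available."""
    fixes = missing_fixes(appliance, advisories)
    return max((today - a.published).days for a in fixes) if fixes else 0


def patch_status_report(inventory, advisories, today, sla_days=SLA_DAYS) -> dict:
    """Board-level summary plus a per-device row for each internet-facing appliance."""
    edge = [a for a in inventory if a.internet_facing]
    rows = []
    for app in edge:
        days = exposure_days(app, advisories, today)
        rows.append({
            "hostname": app.hostname,
            "product": app.product,
            "version": app.version,
            "missing": [a.advisory_id for a in missing_fixes(app, advisories)],
            "exposure_days": days,
            "over_sla": days > sla_days,
        })
    patched = sum(1 for r in rows if not r["missing"])
    return {
        "edge_devices": len(edge),
        "fully_patched": patched,
        "coverage_pct": round(100 * patched / len(edge), 1) if edge else 100.0,
        "over_sla": sorted(r["hostname"] for r in rows if r["over_sla"]),
        "worst_exposure_days": max((r["exposure_days"] for r in rows), default=0),
        "rows": rows,
    }


def example_report() -> dict:
    """The report for the constructed inventory at the constructed reporting date."""
    return patch_status_report(INVENTORY, ADVISORIES, REPORT_DATE)


if __name__ == "__main__":
    report = example_report()
    print(f"edge devices: {report['edge_devices']}, fully patched: {report['fully_patched']} "
          f"({report['coverage_pct']}%), worst exposure: {report['worst_exposure_days']} days")
    for row in report["rows"]:
        flag = "OVER SLA" if row["over_sla"] else "ok"
        print(f"  {row['hostname']:12} {row['product']:22} {row['version']:8} "
              f"{row['exposure_days']:4}d  {flag}  missing={row['missing']}")
```

The metric deliberately reports exposure in days since the fix was published rather than a count of open findings: a single appliance sitting unpatched for four months is the governance failure the paragraph describes, and a count of three findings hides that. Real use would replace the constructed advisory list with a feed from the vendors' own advisory pages and the inventory with an export from asset management.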


Crisis preparation assumes successful breach. The question is no longer whether an organization will be compromised. It is whether the organization can detect, contain, and recover within an operationally relevant timeframe. Recovery plans must address scenarios from ransomware encryption to physical destruction of control systems.



[Image: Corporate board meeting with cybersecurity shield visualization, depicting governance challenges of cyber warfare and the four operational disciplines boards must adopt.]
Caption: The compliance cost of adaptation is rising. The operational cost of non-adaptation is rising faster.


The Window for Voluntary Adaptation Is Closing


NIS2 enforcement is sharpening. The first obligations under the EU Cyber Resilience Act activate this year. National regulators are no longer issuing guidance—they are issuing penalties. And on 19 January 2026, the European Commission proposed yet another cybersecurity package on top of all of it, framed explicitly as a resilience reinforcement. The compliance cost of adaptation is rising. The operational cost of non-adaptation is rising faster.


Beyond regulation, the strategic environment has changed. The infrastructure that sustains corporate operations now sits in a contested theater. The actors targeting that infrastructure are not opportunistic. They are state-directed, long-duration, and operating with strategic patience that exceeds most corporate planning horizons.


The era of treating cyber as a discipline distinct from national security is over. It is now a competitive variable between corporate ecosystems and a deterrence variable between blocs.


The boards that recognize this first will price their resilience into their cost of capital. Those that delay will discover the cost of insufficient resilience the way it has always been discovered—in the middle of a crisis, with no time to remediate.


