Is the Cybersecurity Paradigm Broken?
Is the defensive model no longer holding?
As 2026 gets underway, a critical question is worth considering: is the cybersecurity paradigm broken, and in need of a radical change? This may seem like an audacious question, particularly coming from a cybersecurity company blog, but hear me out.
Although defensive measures continue to evolve and awareness of cyberthreats is improving, victim statistics continue to grow. Worse yet, state or state-sponsored activity that had previously been seen as a “line in the sand” – attacking critical infrastructure, and espionage for economic advantage – has long since crossed that line without meaningful repercussions.
From isolated incidents to a strategic pattern
What we are witnessing is not a series of unrelated intrusions or opportunistic campaigns, but the maturation of a strategic operating model. The following cases illustrate how this model functions in practice, and why traditional defensive assumptions are increasingly misaligned with reality.
- There are regular reports of state-backed actors attacking or persisting in telecom and critical infrastructure, with Chinese groups being particularly adroit. APTs such as Salt Typhoon have raised alarms for persisting in US telecom infrastructure, hacking phones in the UK “right into the heart of Downing Street”, and breaching Singapore’s four largest telcos.
- North Korea has been persistent and remarkably successful at stealing money and using fake IT workers to evade international sanctions and fund its nuclear and missile programs.
- Russia’s state-sponsored groups such as Sandworm have had fingers in many pies for years.
Nation states adversarial to western democracies have established and maintained relationships with criminal ransomware operators for some time. As outlined in the Recorded Future paper “Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals”, the coziness ranges (in the case of Russia) from direct association to tacit agreement. This gives them a greater talent pool to draw from in support of national cyber operations, as well as plausible deniability for those operations.
A turn toward the offensive
Making matters worse, the threat is growing as AI is used to improve phishing attacks and more. Perhaps western powers are at a disadvantage and need a new approach. Some countries are currently considering alternatives:
- Japan is changing its rules of engagement to allow threats to be addressed through offensive cyber activities.
- The UK government, in its recent action plan, states that the country “must transform how we approach cyber security”, with leaders urging that “There needs to be essentially an offensive element to deterrence, as well as simply a defensive element,” to help defend against cyber attacks.
- An even more unconventional approach is being considered by the US, which may see private companies taking an expanded role in cyber operations, including participating in offensive cyberattacks – an activity currently prohibited by law. Allowing private companies to go on the offensive seems like an obvious and satisfying approach. A few years ago the LockBit ransomware group was hit by a DDoS attack, apparently by a victim, although this was never confirmed. Turning the tables so that the attacker became a victim was quietly applauded in cybersecurity circles.
The risks we can’t ignore
The internet has relegated what used to be the accepted and expected behavior of the Cold War to the garbage heap, along with CRT monitors and floppy disks. And as much as we love the idea of instant karma, the prospect of vigilante justice opens some serious legal, moral and ethical questions. If we employ the tactics used by our economic and ideological adversaries, what risks may develop? What are the risks of offensive private sector operations? Can we anticipate the unintended consequences that may result?
- Legal & jurisdictional risk. Unauthorized access to a computer is illegal in most jurisdictions under domestic law (as in the US) and international law (as per the Council of Europe Convention on Cybercrime, signed by 81 nations). Using these tools, individuals engaged in criminal cyberactivity in uncooperative jurisdictions are still indicted. If (when) the individual travels, for work or pleasure, they risk being captured under an international arrest warrant. If western jurisdictions approve offensive cyber operations for private companies, will the cyber responders face a similar risk?
- Attribution risk. Accurately identifying exactly who’s behind a cyberattack isn’t easy, and threat actors usually go to great lengths to hide their identities. The potential for offensive responses makes the job of attribution more important than ever. If companies or countries do respond to an attack, what happens when the wrong target is attacked and harmed? Is compensation or prosecution in order?
- Risk of retaliation. Offensive cyberattacks may escalate the problem, prompting even more aggressive responses. Perhaps targets previously regarded as “off-limits” are attacked. Imagine if hospitals and critical infrastructure suffered more aggressive attacks that threaten massive disruption or even the loss of life. Legal systems are in place precisely to address the problems inherent in vigilante justice.
The real question isn’t “Can we?” – it’s “What breaks if we do?”
Are these heightened risks plausible, or just fear mongering? As documented in our recent year-end report, the number of reported victims is relentlessly rising. And although the thought of allowing and enabling more aggressive and visible responses to cyberattacks may seem satisfying, the potential unintended consequences should be given adequate consideration before proceeding with significant changes in posture. In other words, be careful what you wish for.