Cyber experts pinpoint what to look out for in 2026

Expect significant innovations in AI-driven cyber tools and a closer convergence between cybersecurity and geopolitics, they said.
With 2025 coming to a close, Nextgov/FCW asked cybersecurity experts — including former officials, research analysts and providers — to outline their predictions for cybersecurity activity in 2026.
Morgan Adamski, former executive director at U.S. Cyber Command and deputy leader for PwC’s Cyber, Data & Technology Risk Platform:
Looking ahead to 2026, I don’t expect a single “big bang” cyber event so much as a steady escalation in quiet, hard-to-spot campaigns. Instead of smashing through the front door, more attackers will simply walk in using valid credentials, abusing identity systems, single sign-on and trusted AI agents to blend into normal activity. These operations will be longer-running, more tightly linked to geopolitical and ideological tensions, and increasingly aimed at disrupting real-world services, not just stealing data.
At the same time, the foundational capabilities and infrastructure we use to build, innovate, and operate securely, like cloud, AI, [operational technology and information technology] convergence, satellite connectivity, and eventually quantum and 6G, are rapidly expanding the attack surface. The core challenge for 2026 is reconciling this pace of innovation with the need for true end-to-end security. That means assuming identities will be targeted, designing continuous monitoring and validation, and integrating threat intelligence, AI-driven detection, and next-gen [security operations center] capabilities as part of the business operating model, not optional add-ons.
Organizations that bake security into architectures, products, and AI models from day one — and that continuously monitor their cloud, supply chain, and critical operations — will be the ones that stay resilient. Those who keep bolting controls on at the end will find themselves outpaced by adversaries who are already learning, automating, and scaling faster than ever.
Jiwon Ma, senior policy analyst at the Foundation for Defense of Democracies’ Center on Cyber and Technology Innovation:
In 2026, the core question will be whether the United States can protect the homeland while translating inconsistent alignment with its international partners into operational resilience at scale.
Domestically, the United States will continue to face a widening gap between rising expectations for cyber resilience, reporting and coordination and the capacity of federal, state and local governments and critical infrastructure operators to deliver them. Economic pressure, political uncertainty, and persistent workforce shortages will continue to limit both the federal and private sectors’ ability to implement new requirements, even as the threats continue and become increasingly automated.
That misalignment will be most acute across critical infrastructure, where it systemically pushes cybersecurity investment toward maintenance and compliance rather than modernization and risk reduction — leaving familiar weaknesses to persist at scale.
Internationally, cybersecurity will become a test of collective credibility, shaped by lessons from Ukraine and the growing focus on a potential Taiwan contingency. In both contexts, Russia and China’s cyber operations are not designed to “win” outright, but rather to degrade coordination, strain logistics and test alliance cohesion over time. NATO’s integration of cyber into collective defense planning and the EU’s push to raise baseline security expectations for vendors and operators should, over time, help blunt disruptive activities that exploit coordination gaps while shaping global market behavior well beyond Europe’s borders.
In Asia, the same logic should drive U.S. partnerships with Japan, South Korea, Taiwan and others, with a growing emphasis on building institutional capacity for cyber resilience across shared supply chains, logistics, and communications networks. However, trade negotiations under the Trump administration risk complicating cooperation. Given recent political transitions and regional frictions, the priority will be establishing trusted mechanisms for information sharing and coordination ahead of a potential Taiwan contingency. Without State Department capacity to support this work, alignment is unlikely to translate into effective operational resilience.
John Laliberte, former NSA vulnerability researcher and CEO and founder of ClearVector:
In 2026, identity-driven attacks will cause material damage in the physical world. The proliferation of AI and non-human identities, combined with the adoption of deepfake technologies, will enable adversaries to assume any identity at any given moment.
With the midterm elections approaching in 2026, adversaries will exploit this convergence — where manufactured identities in the physical world collide with the explosion of identities in the cyber realm — and attempt to influence electoral outcomes. The fundamental question becomes: how do you prove who you are?
Madison Horn, national security and critical infrastructure chief advisor at World Wide Technology:
In 2026, the most dangerous cyber events will not look like cyberattacks at all. They will look like reasonable, automated decisions made at scale until systems begin to fail.
The defining risk will be AI cascading failures across critical infrastructure. A single compromised or poorly governed AI agent in energy, transportation or logistics will trigger automated responses across tightly coupled systems. One “bad” decision will propagate instantly, not because systems were breached, but because they were trusted.
At the same time, AI supply chain compromise will eclipse zero-day exploits as the highest-impact attack vector. Poisoned training data, manipulated model weights, compromised plugins, and agent action libraries will quietly undermine AI systems long before deployment. These failures won’t be detected by traditional security tooling, and most organizations won’t realize they are operating on corrupted intelligence until physical or economic consequences emerge.
Beneath the AI layer, virtualization and hypervisors will become the next systemic choke point.
Hypervisors sit below cloud workloads, [operational technology] edges, and enterprise environments, yet few organizations have visibility or security ownership at this layer. As dependence on virtualization deepens, these hidden control planes will represent a single point of failure capable of producing cross-sector disruption.
By the end of 2026, identity as we know it will break. Enterprises will manage exponentially more machine, AI agent, and workload identities than human ones, and current [identity and access management] models are fundamentally incapable of governing autonomous, non-human trust at scale.
Meanwhile, quantum transition shock will arrive abruptly. Organizations will realize overnight that they should have started post-quantum migration years ago, particularly for long-life systems such as operational technology, satellites, and military communications.
As these risks converge, AI governance will move beyond corporate compliance and become a national security imperative driving new liability frameworks, mandatory incident reporting, and sector-specific controls for AI systems with physical consequences.
Frank Cilluffo, former homeland security official under President George W. Bush and director of the McCrary Institute for Cyber and Critical Infrastructure Security:
I believe attention will continue to focus on the implications of emerging technologies for cybersecurity and national security. Artificial intelligence is reshaping both defensive capabilities and adversary tradecraft — enabling faster detection and response on the one hand, while lowering barriers to entry, accelerating reconnaissance, and increasing the scale, speed, and sophistication of malicious campaigns on the other. Experience has shown that the status quo — largely reactive and incident driven — has been insufficient to meaningfully change adversary behavior or impose sustained costs.
At the same time, advances in quantum computing raise longer-term concerns about the durability of existing cryptographic standards and the protection of sensitive government, commercial, and personal data. Taken together, these developments are likely to intensify policy debates over offensive cyber operations, including questions of deterrence, escalation management, and the appropriate role of the private sector in defending U.S. lifeline systems that remain largely outside direct federal control. I expect that this policy conversation will rightly intensify following the release of the imminent National Cyber Strategy.
The role of state and local governments will remain central. They face growing exposure to cyber threats while often lacking the resources, authorities, and technical capacity available at the federal level. They are vital to public safety, service delivery, and national resilience. This administration has called on the private sector and state governments to take a larger role in our collective cybersecurity. Lawmakers need to make sure they have the ammunition they need to win in the fight.
I also expect increased federal attention on strengthening the resilience of U.S. critical infrastructure against state-backed threats, most notably from the People’s Republic of China. As Beijing continues to pre-position and embed access across U.S. critical infrastructure, questions of preparedness, deterrence, and response will increasingly shape how cyber policy is integrated into broader national security planning.




