Global Cyber Warfare: The first war no one declared
The undeclared cyber war is sixteen years old and has lost the peacetime cover the West relied on.
PowerFlow Labs · Conflict Assessment · May 2026
Sixteen years · no declaration
The first shot came in 2010. United States and Israeli intelligence services jointly built Stuxnet, a piece of code that physically destroyed roughly a thousand Iranian nuclear centrifuges and proved that malware could break machines. Adversary states answered. North Korea hit Sony in 2014. Russian military intelligence hacked the Democratic National Committee in 2016 and ran a parallel social media campaign that reached every American voter. The Russian malware NotPetya cost the global economy roughly ten billion dollars in 2017. Russian operators sat undetected inside nine US federal agencies for nine months through SolarWinds in 2020. Each one got treated as a peacetime incident. No one ever declared the war they added up to.
Chinese state hackers sit inside US power grids and telecom networks. Russian intelligence runs continuous malware operations against Western targets. North Korea steals billions in cryptocurrency to fund its weapons program. The West used to claim it could outhit any of them. In May 2026, Trump took that claim back at the Beijing summit when he told the room the US and China are evenly matched at cyber. The summit produced no movement on dislodging the hackers or shutting down the operations. The peacetime story the West relied on has expired with nothing in its place.
Trump's quiet part out loud
The peacetime claim wasn't "we don't do offensive cyber." It was "we do it legitimately, and they don't." For sixteen years, allied posture rested on that gap. The US ran Stuxnet against Iran's nuclear program and called it defensive arms control. Russia ran NotPetya and got called destabilizing. Chinese intelligence stole intellectual property from Western tech firms and got called criminal. The capabilities looked the same. Only the legitimacy framing differed.
In May 2026 at the Beijing summit, Trump told the room that the US and China are evenly matched at cyber. "What they do, we do too." The phrase ended the legitimacy framing on the public record. The summit produced no other movement. Chinese state hackers remained inside US power grids and telecom networks. Chip export controls held but did not advance. The bilateral AI dialogue announced as the deliverable was process, not concession.
Allied cyber doctrine, deterrence signaling, and treaty conversations all rested on the legitimacy gap. Removing it in public did not produce a successor frame. NATO's cyber posture has not been re-explained. The Five Eyes have not collectively responded. What was a peacetime claim became, in one sentence, a wartime acknowledgment without a wartime doctrine attached.
AI broke the floor
Building exploit chains by hand is expert work. A skilled analyst can spend months chaining vulnerabilities to compromise a target. That cost is what kept offensive cyber a great-power monopoly. Only states could afford the salaries and the patience.
Anthropic's Claude Mythos, announced in April 2026, posted a 72.4% success rate at autonomous exploit development. It chains zero-day vulnerabilities the way a junior analyst would, except in minutes. Other frontier models are converging on similar capabilities. Open-source variants are catching up. Within eighteen months, exploit-chain construction will be a commodity service, available to anyone with a credit card or a borrowed model.
The implication is not that nation-states will lose their cyber edge. They will retain advantages in targeting, persistence, and operational tradecraft. The implication is that the floor underneath them just dropped. Iranian-aligned criminal groups, Chinese contractor firms, Russian-tolerated ransomware crews, and pure-criminal exploit brokers will all access capabilities that required nation-state budgets five years ago.
The deterrence math breaks at this level. Deterrence depended on attribution. Attribution depended on the small number of capable actors. The small number depended on the cost barrier. The cost barrier is gone. A Volt-Typhoon-style intrusion two years from now might be Chinese, or might be a third-party exploit kit run by a buyer the West cannot name.
China built walls
While Western cyber posture eroded operation by operation, China built infrastructure. Not network infrastructure. Political infrastructure. The kind that makes information control a permanent feature of the state rather than an ongoing effort.
The pieces are now operational. VPN access from inside China has been throttled and intermittently severed across major commercial providers. Exit bans have expanded from Chinese dissidents to foreign nationals, including US federal employees and the families of US officials. The CCP succession question has been locked down through institutional rule changes. Elite networks that previously crossed factional lines have been granulated, with anti-corruption campaigns isolating each cell from the others.
This is not the cyber operation the West tracks. The West tracks Volt Typhoon and Salt Typhoon, the Chinese state hackers sitting inside US power grids and telecom networks. Those operations exist, and they are continuing. But they are the outward-facing complement of an inward-facing architecture that does not depend on adversary forbearance. No US cyber operation can dismantle a Chinese exit ban. No allied response can re-open a Chinese VPN.
Russia has started copying. In February 2026, the FSB gained expanded authority over domestic internet control. The model is exportable. Other authoritarian states with the technical capacity will follow. The West used to claim asymmetry between open and closed information environments. That asymmetry is becoming a permanent feature of the international system rather than a contested edge.
The other front no one declared
The 2016 GRU social-media operation against the US election took a nation-state to run. It required dedicated intelligence officers, content farms, attribution-laundering infrastructure, and the patience of state planners. In 2026, an Iranian campaign reached one billion views across major platforms using AI-generated content at a fraction of that cost. Mid-tier states now run information operations at scales that used to require great-power resources.
China's contribution to the same shift is doctrinal. In March 2026, the CCP reframed national closure (the system of VPN cuts, exit bans, and succession controls) as a sovereign strategy rather than a defensive necessity. It positions the closure model as a positive script for other authoritarian states to adopt without apology.
The West has been losing the credibility it needs to counter all of this. In April 2026, an 85-country survey found China viewed more favorably than the US for the first time across a global sample. The shift is not new. It has built since the Iraq War, accelerated through the financial crisis, and compounded through allied tensions over the past decade.
Information warfare used to be a contest the West expected to win on credibility. It is now a contest where Western credibility is the disputed asset.
The Leverage Map
One side is patron-organized: China at the center, Russia as architectural peer, Iran and North Korea as dependent clients. The other is not aligned the same way. The US contests China bilaterally while allies run parallel fronts (Russian pressure on UK aviation, Chinese closure projecting into the UK diaspora), and the asymmetry shows up on every edge.
Outlook
Most likely
No successor frame for the legitimacy gap emerges. The bilateral AI dialogue from the May 2026 Beijing summit produces process meetings and modest transparency commitments, none of which constrain offensive cyber operations on either side. Chinese pre-positioning inside US infrastructure remains in place. AI-enabled exploit kits diffuse to mid-tier and non-state actors. Iranian and Russian information operations scale further. Western credibility continues to erode in global surveys.
Plausible alternative
A coordinated allied re-norming attempt. NATO, the Five Eyes, or the G7 publishes a joint cyber doctrine statement defining offensive cyber legitimacy, naming an armed-attack threshold, or both. The statement reasserts some red lines and rebuilds partial deterrence around civilian critical infrastructure. It does not replace the legitimacy gap with a frame as comprehensive as the original. The information warfare side remains unaddressed. The re-norming attempt slows the trajectory but does not reverse it.
Tail risk
A Volt-Typhoon-style pre-positioned malware activation, or an AI-enabled mass exploit run by a non-state actor, disrupts a US power grid, water system, or major financial network. State attribution arrives within weeks. The strike forces the first serious invocation of an armed-attack threshold in a cyber context. No allied doctrine has an answer ready. The crisis becomes the doctrine, written under pressure.
Bottom Line
The wall came down sixteen years late. The other side never stopped building.