
What “cyber war” actually means in 2026.

The phrase gets used loosely. In the publicly documented record, “cyber war” refers to a set of specific things: nation-state-attributable operations targeting another nation's critical infrastructure, government networks, military systems, or private companies operating as proxies for national power.

This page describes that framework using only public information: declassified documents, US government attribution statements, federal indictments, CISA advisories, FBI press releases, Five Eyes joint advisories, and reputable journalism (NYT, WaPo, WSJ, Reuters, AP, Wired, Kim Zetter's reporting). Nothing classified. No operational tradecraft.

The reason this matters for someone considering an ethical-hacking career is simple: the demand for technical defenders in 2026 is structural, well-funded by public budgets, and tied to incidents that the public can see. Working on the defensive side of these incidents is a real job done by real people in real agencies whose hiring is public.

Nine incidents that defined the field.

Stuxnet

Discovered 2010

Computer worm that targeted industrial control systems at Iran's Natanz uranium-enrichment facility. Designed to physically degrade gas centrifuges by manipulating PLC code while reporting normal operation to monitoring systems. The first publicly documented case of a cyber weapon causing physical destruction of industrial equipment. Widely attributed in declassified reporting (Sanger NYT 2012, Kim Zetter's book Countdown to Zero Day) to US + Israeli cooperation under the Olympic Games program. Has not been officially claimed.

Sony Pictures hack

2014

Sony Pictures Entertainment compromised by attackers who released ~100 TB of internal data, including unreleased films, executive emails, and employee personal information. Tied by US government attribution to North Korea / DPRK in response to The Interview film. Treasury Department sanctions followed. One of the first major public examples of state-actor reprisal against a US private company over content.

NotPetya

June 2017

Destructive malware initially disguised as ransomware. Spread via compromised Ukrainian tax-accounting software (M.E.Doc). Caused estimated $10B+ in global damages across Maersk, Merck, FedEx TNT, Mondelez, Reckitt, others. Attributed by US, UK, and other governments to Russia / GRU. The largest documented cyber-attack economic impact to date in public reporting.

SolarWinds Orion compromise

Discovered Dec 2020

Software supply-chain attack inserting malicious code into the Orion network-monitoring product. Backdoored updates pushed to ~18K SolarWinds customers including US federal agencies (Treasury, Commerce, State, DHS, Energy, parts of DoD). Attributed to Russia / SVR. Triggered the Biden administration's 2021 Executive Order 14028 on Improving the Nation's Cybersecurity.

Microsoft Exchange ProxyLogon

March 2021

Four zero-day vulnerabilities in on-premises Microsoft Exchange Server exploited at scale by Chinese state-sponsored actors (Microsoft attribution to HAFNIUM). Estimated tens of thousands of organizations compromised before patches were available. The FBI subsequently used a court order to remove malicious web shells from victim systems, in an unprecedented active cyber operation on US private infrastructure.

Colonial Pipeline

May 2021

Ransomware attack on the operator of the largest US fuel pipeline. Pipeline shut down for 6 days, causing fuel shortages across the southeastern US. Attributed to DarkSide ransomware group (Russia-based). Colonial paid ~$4.4M ransom; FBI later recovered ~$2.3M of the cryptocurrency. The incident pushed pipeline cybersecurity into federal Transportation Security Administration mandatory directives.

Volt Typhoon

Public disclosure May 2023

Joint CISA / NSA / FBI / Five Eyes advisory disclosing a China-state-sponsored campaign of pre-positioning in US critical infrastructure (telecommunications, transportation, water, energy) for potential disruptive operations in a future crisis. Subsequent disclosures through 2024-2025 expanded the scope. Different from typical espionage — the publicly stated assessment is that Volt Typhoon is positioning for sabotage, not collection.

Salt Typhoon

Public disclosure 2024

China-state-sponsored compromise of US telecommunications carriers (AT&T, Verizon, Lumen confirmed publicly) gaining access to lawful-intercept systems · the same systems used by US law enforcement for court-authorized wiretaps. Considered one of the most consequential US telecommunications intrusions in public reporting. Disclosed by FBI / CISA late 2024.

Change Healthcare ransomware

February 2024

ALPHV/BlackCat ransomware attack on Change Healthcare, a subsidiary of UnitedHealth Group processing roughly one-third of US healthcare claims. Disrupted billing across thousands of providers. UnitedHealth confirmed payment of $22M ransom. Notification of affected individuals continued through 2024-2025 with estimates exceeding 100M people. The largest US healthcare data breach by individuals affected to date.

How America is publicly organized to defend.

Department of Defense

United States Cyber Command (USCYBERCOM) is the unified combatant command for cyber operations. Co-located with NSA at Fort Meade. Operates the Cyber Mission Force (~133 teams across offensive, defensive, and combat-support missions). The Cyber National Mission Force is the offensive arm.

Cybersecurity and Infrastructure Security Agency

DHS sub-agency. Lead civilian cybersecurity agency. Operates .gov network protection, critical-infrastructure coordination, and the Joint Cyber Defense Collaborative (JCDC). Publishes the most-cited public threat advisories (cisa.gov/alerts).

National Security Agency

Signals intelligence + cybersecurity. Co-located with USCYBERCOM. Defends National Security Systems · advises industry through the NSA Cybersecurity Collaboration Center. Issues joint advisories with CISA, FBI, and Five Eyes partners.

Federal Bureau of Investigation Cyber Division

Federal law enforcement lead on cyber threats targeting US interests. Investigates, attributes, indicts. Recent indictments of named state-actor units (PLA Unit 61398, GRU 26165, MSS APT actors, DPRK Lazarus Group) are the public record of attribution work.

Five Eyes partnership

United States, United Kingdom, Canada, Australia, New Zealand intelligence-sharing partnership. Issues joint cyber advisories (most CISA advisories now have Five Eyes co-signatories). Most consequential public attribution work happens in this multilateral context.

The 2023 National Cybersecurity Strategy

The Biden administration published the 2023 National Cybersecurity Strategy in March 2023. Five pillars: defend critical infrastructure, disrupt threat actors, shape market forces, invest in resilience, forge international partnerships. The implementation plan published later in 2023 details specific federal actions across agencies.

The strategy explicitly shifts cybersecurity responsibility from end users toward the largest, most-capable actors (software vendors, critical infrastructure operators, federal agencies) through both regulation and liability. The legal + policy environment around cyber is changing meaningfully through 2024-2026.

Subsequent strategy documents from the second Trump administration (publicly announced 2025) maintain the offensive-cyber posture and the focus on China as the pacing threat, with reshaping of the federal cyber workforce structure and adjustments to the regulatory framework. Read the published documents directly if you want to follow this; the policy environment moves faster than any third-party summary.

What this means for an ethical career

Defense is hiring at scale. CISA, NSA Cybersecurity Directorate, FBI Cyber, US Cyber Command, every service branch, every National Lab, every major civilian agency cyber team — all are recruiting continuously. Salary is below private sector, mission value is high, training value is six-figure equivalent.

Private sector defense is funded. Mandiant (Google Cloud), CrowdStrike, Palo Alto, Microsoft Defender, SentinelOne, ReliaQuest, the major MSSPs · all are growing teams and paying premium. The demand signal from Volt Typhoon, Salt Typhoon, and the Change Healthcare incident is reflected in headcount growth across these firms in 2024-2026.

Critical infrastructure operators need defenders too. Energy utilities, water utilities, hospital systems, ports, telecommunications carriers, payment processors. Less glamorous than the IC and less paid than the frontier-tech defense firms, but more important to everyday American life than either, and often closer to where you actually live.

The legal posture for “offensive” work is narrow and tightly bounded. Authority to conduct offensive cyber operations against foreign targets is held by USCYBERCOM under specific authorities (Title 10 / Title 50 / the 2018 NDAA Section 1642 authorities). No private US person or company has legal authority to conduct offensive cyber operations against foreign actors. “Hack back” remains illegal under the CFAA. The ethical path involves either becoming a federal cyber operator (military or civilian) or working in defensive private-sector roles. Anything else is freelancing into a Federal Computer Fraud and Abuse Act prosecution.
