
Cyber attacks, not missiles, are the weapons to fear, says Morgan Wright

With AI, IoT and state-backed hackers expanding the attack surface, Morgan Wright says cyber attacks on critical infrastructure now rival traditional weapons in global conflicts.


Cyber attacks are evolving at a pace that outstrips traditional defences. From state-backed hackers targeting critical infrastructure to ransomware gangs collaborating like organised businesses, the attack surface is expanding as AI, and legacy systems converge. For governments and enterprises alike, the challenge is no longer if they will be targeted but how prepared they are to withstand and recover.

Amid this, nations are increasingly confronting the reality that cyber attacks are part of modern hybrid warfare. From disabling power grids to infiltrating water systems, the battlefield now stretches into critical infrastructure that underpins daily life.

“Countries like Russia, China and the United States may have hypersonic missiles, but I am more concerned about cyber attacks on critical infrastructure. A single code update gone wrong can cause widespread disruption and adversaries are trying day in and day out to exploit such fragility,” said Morgan Wright, former senior adviser to the US State Department Antiterrorism Assistance Programme, in an interview with Tech Observer Magazine’s Mohd Ujaley.


Edited Excerpts:

Cyber threats are evolving faster than ever. From ransomware gangs to state-sponsored attacks, what trends are you seeing and how should organisations stay ahead?

We need to move out of a reactive mode. Right now attackers, whether state actors or transnational criminal groups like ransomware gangs, are driving our behaviour. We need to take the initiative and push back.

For example, during the Russia-Ukraine war, new cyber weapons were developed. Tools like AcidRain did not proliferate as widely as expected, but they did breach containment and affected 5,800 German wind turbines, disabling their satellite modems. This shows how cyber tools are now part of hybrid warfare, mixing kinetic attacks like bombs and missiles with digital attacks.


We are also seeing China’s growing aggressiveness, not just physically in areas like the South China Sea but in cyberspace. Groups like Volt Typhoon have infiltrated critical infrastructure, including Guam, a key strategic location for the US in any potential conflict.

Meanwhile, ransomware continues to evolve and get worse, despite increasing security spending. Threat actors are finding new ways to gain access. Access brokers, specialised groups like Rhysida identified in 2023, find vulnerabilities and sell access to other criminal groups, showing how collaboration among attackers is increasing.

The proliferation of devices is another challenge. We moved from IPv4 to IPv6 because billions of phones, tablets and IoT devices now exist. While cybersecurity is improving, the attack surface is growing exponentially, making it harder to keep up.


State actors such as Russia’s Fancy Bear and Cozy Bear, China’s Ministry of State Security, ‘s General Reconnaissance Bureau and Iran’s IRGC and Quds Force are serious players. They focus on espionage, disruption and strategic objectives while transnational criminal groups are driven by money.

Overall I see increased collaboration both between state and non-state actors and among criminal groups, making the threat landscape more complex and challenging than ever.

With AI and IoT transforming how data is collected and analysed, how do you see these technologies affecting cybersecurity and how can organisations stay ahead of criminals?

This goes back to a theory I have always had about transforming our approach. How do we stop reacting and start making the attacker react to us? That is exactly what you are getting at. AI helps us by building a wall between us and the attacker. Every brick in that wall raises the cost of an attack. If the wall is low, attacks are cheap and attackers keep coming. The more we layer in technologies and AI, and get faster and better at responding, the more we shift the advantage.

It is like building houses. I have been in New Delhi, Hyderabad and Mumbai. A house with basic doors and unprotected windows is easy to break into. Compare that to a house with a gate, a wall, an armed guard, a security door and secure windows. It is much harder to breach. A burglar will go for the easier target because the longer they dwell, the higher the risk of being detected.

Hackers are human. If it is very hard to break in, they will move to an easier target. Time is their most valuable resource. You can get money back but not time. The more we drain their time, the harder it becomes for them to succeed.

That is why I advocate building enough bricks in our wall like the Pink Floyd album. Build enough to eliminate the majority of attackers. This allows us to focus on the remaining threats, understand their tactics, techniques and procedures, and strengthen our defences rather than defending a thousand doors at once.

Think of the Red Fort. Defending it with one guard at each corner would be impossible. Networks and devices need the same layered protection. AI combined with IoT can help, but the rapid growth of sensors creates vulnerabilities. One major issue is default passwords. Devices are often used straight out of the box without changing credentials.

The Mirai botnet, the largest IoT-based attack in history in 2016, exploited 63 default passwords worldwide and was created by kids experimenting with gaming. Volt Typhoon, an Iranian threat actor, infiltrated Israeli programmable logic controllers and internet-facing devices controlling water supply and treatment plants using default passwords publicly available.

The responsibility is ours. We must stop being poor stewards of technology. The moment we get a device, change the username and password. AI can simplify complexity and highlight what truly needs attention. Instead of a spreadsheet with five million log rows, AI can pinpoint the three things that need action.

IoT devices are proliferating rapidly, yet many industries rely on legacy OT systems that are air-gapped. What advice would you give CIOs and CISOs for creating a secure bridge between OT and IT for large organisations?

That is a good question. It does depend on the environment, but one thing is clear: OT systems are not inherently safe just because they are air-gapped. Take Iran’s centrifuge programme. Stuxnet infiltrated it through a USB, targeting Siemens controllers and almost entirely destroying the system. OT systems are vulnerable to direct attacks, whether intentional or accidental. Many were designed years ago and never intended to be connected to the internet.

A similar vulnerability was seen in the BlackEnergy attack against Ukraine on 23 December 2015. A spoofed email with a Word document containing malicious code led users to enable macros. Over six months, attackers moved through the network, identified accounts with access to industrial control systems and even gained control of the Windows domain controller, giving them time to develop new tools.

When connecting IT and OT, the first step is discovery. You need to know exactly what you have to protect. Networks often contain unexpected devices, extra routers, wireless access points and shadow IT systems. You cannot protect what you do not know exists.

The second step is investment. You must decide to modernise and secure your technology. Critical infrastructure like rail, transport and water requires significant budgets. Failing to invest early is far more expensive in the long run. As the saying goes, we never find time and money to do it right, but when something fails, we find time and money to fix it at ten times the cost.

Modern solutions, including AI, work best when infrastructure is up to date. There is no single answer because every network is different, but knowing what you have, measuring it and protecting it is the foundation. Without that, gaps will remain, and attackers, including nation states, will find them.

Cyber attacks are now part of geopolitical struggles. What should organisations prioritise to recover quickly from attacks such as ransomware?

That is a tough question but an important one. The best strategy is to prevent the attack in the first place. That means modernising systems and applying effective solutions. But if an attack does occur, one thing I emphasised at the State Department is that you need more than a plan—you need to practise it.

You cannot perform at the Olympics in the 100-metre dash, 400-metre freestyle or shot put without practice. Most elite performers have a minimum of 10,000 hours of practice. Bruce Lee said: “I don’t fear the man who knows 10,000 kicks and has done them once. I fear the man who knows one kick and has done it 10,000 times.”

If you have a plan, you must train on it. People need to know exactly what to do. You can deflect a lot of damage and reduce recovery time if everyone knows the procedures, where to report issues and has a clear action plan—Plan A, Plan B, Plan C—because nothing ever goes exactly to plan.

As the Prussian general Helmuth von Moltke said: “No battle plan survives first contact with the enemy.” You can have all the plans you want, but do you understand your capabilities?

Rather than scenario-based training alone, we focused on understanding capabilities. If you know what you can do, it does not matter what scenario occurs—you can analyse it and deploy the right response.

For example, in World War II, engineers analysing returning planes first looked at bullet holes to reinforce them. They realised the correct approach was to study the areas with no bullet holes—the planes that did not return. Reinforcing those areas increased survivability significantly.

The same thinking applies today: identify potential failures, test systems to the point of failure during training, and fix the weaknesses. You can have the latest technology, but if you do not know how to use it effectively, it is of little value.

How do you see AI shaping the future of cyber warfare, particularly as it converges with space and other emerging domains?

Back in 2013, I was war-gaming with colleagues at the National Defense University in the United States. I proposed we war-game how Russia might invade Ukraine. From that came a presentation I called Cyber Strike Warfare in the Fifth Domain, because there are technically five domains of war: sea, air, land, space and cyberspace. Some people are now talking about a sixth domain: subsurface, including submarines and underwater drones.

One thing we examined was the combination of hybrid and kinetic warfare. When the war happened, we found that about 85 per cent of what we predicted actually occurred, including operation-specific malware and disruption of certain services.

I see the future of warfare as linked to Maslow’s hierarchy of needs. People require essentials such as fire, warmth, food, water and shelter to feel safe. If you want to bring a nation to its knees, you target two essentials: power and water.

India recently surpassed China as the most populous nation on Earth. Imagine what would happen in New Delhi, Hyderabad or Mumbai if all power was cut off or all water contaminated. It would create panic that would worsen over time.

A real-world example is the DarkSide ransomware attack on the Colonial Pipeline in the United States, the largest distributor of oil on the eastern seaboard. I live in northern Virginia near Washington, D.C. We did not lose any oil, but the perception of a shortage caused panic and people hoarded fuel. Now imagine a real shortage lasting days.

Warfare today, especially cyber warfare, targets Maslow’s hierarchy. It disrupts critical infrastructure such as power, water and communications. If these systems fail, people turn to phones, tablets and social media for information. Disrupting those channels amplifies fear, and that is where I see the real danger.

Countries like Russia, China and the United States possess hypersonic missiles, which are alarming. However, I am more concerned about cyber attacks on critical infrastructure. Take the CrowdStrike and Microsoft outages as an example. A single code update gone slightly wrong caused widespread disruption. While unintentional, it demonstrates how fragile these systems are. Threat actors are trying day in, day out to exploit such fragility.

AI currently lacks a global framework covering ethics, usage and cybersecurity implications. How do you see AI shaping cyber defence strategy today?

A quick note for those unfamiliar: in the United States, when a president issues an executive order, the next president can undo it. I don’t think the next president will necessarily undo it, but it is not law. In some areas it carries the force of law, but only for the executive branch and certain parts of government. So yes, you have to start somewhere. The EU has already passed regulations around AI.

Here is the challenge: one of the countries with the largest AI development centres is China. Do you think China will voluntarily comply with global AI regulations? Probably not. No matter what we pass, there will be actors who ignore it—like putting a sign in your front yard saying “Burglars not allowed.” Will that stop a burglar? No. That is the reality we face.

We have seen it with China, Russia, arms treaties and alliances like NATO. The threat of deterrence does not prevent action, it only discourages it. You can never fully stop a bad actor from operating in a country without extradition treaties.

Regulation alone will not stop bad actors. What we need is to defend ourselves effectively. Regulations can provide guardrails and prevent a doomsday scenario, which I do not think will happen. AI is not going to become Skynet and take over the world. Properly used, AI can make a huge difference.

For example, consider lethal autonomous weapon systems (LAWS). We have made an ethical decision that a human must make the final decision before a bomb is dropped or a trigger is pulled. AI enhances speed and precision in decision-making loops, but humans remain in the loop. Context matters, including cultural, political and operational factors.

Adversaries will also use AI. The advantage we have is that threat actors, including criminal groups, cannot operate at the scale that countries like India or the United States can. We still have the advantage, but they use AI to overwhelm smaller companies or critical infrastructure. AI can automate discovery, adapt tools in real time and target weak points in systems.

I do not see a ransomware group shutting down the United States, but they can exploit weaker infrastructure elsewhere, such as water plants in India with poor cyber defence. They can use AI for automated discovery, tool adaptation and targeted attacks.

At the same time, AI is a force for good. It reduces cognitive load and improves efficiency. Analysing millions of log lines manually is infeasible. With AI, critical insights can be distilled into actionable items in a fraction of the time.

Mohd Ujaley
Mohd Ujaley is a journalist specialising in the intersection of technology with government, public sector, defence and large enterprises. As Editorial Director at Tech Observer Magazine, he leads editorial strategy, moderates industry discussions and engages with key stakeholders to shape conversations around technology, policy and digital transformation. With over 15 years of experience, Ujaley has held editorial roles at prestigious publications including The Economic Times, ETGovernment, Indian Express Group, Financial Express, Express Computer and CRN India. He holds a Bachelor’s degree in Business Economics, a Master’s in Mass Communication from Guru Gobind Singh Indraprastha University (GGSIPU), a Parliamentary Fellowship from The Institute of Constitutional and Parliamentary Studies and a Certificate in Public Policy from St. Stephen’s College, Delhi.