COMMENTARY: The cyber threat environment in 2025 has been characterized by the convergence of geopolitical ambition and advanced offensive tradecraft, with direct implications for global markets. Adversary behavior has moved from opportunistic espionage to the strategic pre-positioning of disruptive capabilities inside critical infrastructure. It’s no longer a theoretical possibility because it’s the future economic battlefield.China, Russia, Iran, and North Korea have progressed from parallel operations to pragmatic alignment. They aim to to displace U.S. economic and military influence while building alternative governance and trade models.[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]While cooperation has not been formalized, operational synergies are evident in shared intelligence, technology exchange, and coordinated influence campaigns. Russia’s war in Ukraine has accelerated this realignment, while China’s Volt Typhoon campaign demonstrates the long-term infiltration model now favored by advanced actors.Now, we have an environment in which an action by one adversary can be amplified by another. Cybersecurity has become inseparable from geopolitical risk management. Majority of large enterprises report that geopolitical tensions now influence security strategy, and one in three CEOs ranks cyber espionage as a top board-level concern.Threat actors are using legitimate system tools to evade detection. Nearly 80% of observed attacks are now malware-free. Volt Typhoon, for example, relies on native Windows utilities for recon, credential dumping, and persistence, synthesizing into legitimate administrative activity.Stolen credentials account for more than one-third of cloud intrusions. The traditional intrusion-persistence-lateral movement sequence has collapsed into a single step. Once valid credentials are obtained, an adversary operates as a trusted user. This has reduced the average breakout time to under one hour, giving defenders minutes to act.Nation-states are deploying synthetic voice, video, and persona generation at scale. Russian deepfake operations and Chinese planning for automated influence campaigns exemplify the speed and sophistication of this capability expansion. State actors are aligning resources and campaigns to alter the balance of power. Their tactics are stealth-driven, objectives are strategic, and impacts are financial at a systemic scale.In the months and years ahead, defensive maturity will be contingent on our leadership’s ability to anticipate, withstand, and adapt to hybrid actors designed to operate below the threshold of conventional warfare. Cybersecurity has become a macro-critical market risk, and its management warrants a place in the boardroom alongside credit, liquidity, and geopolitical exposure.Nic Adams, co-founder and CEO, 0rcusSC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
From espionage to pre-positioned disruption
Our adversaries are no longer just interested in theft. China has entrenched itself in the control systems of lifeline sectors such as communications, energy, and transportation. These accesses are maintained for potential use in a crisis. Russia aspires to undermine confidence in democratic institutions, plus disrupt allied support for Ukraine. Iran projects regional power through proxy operations against U.S. and allied infrastructure. North Korea funds its weapons programs through large-scale cryptocurrency theft and by implanting operatives as IT workers inside technology companies.These activities focus on persistent, deniable capabilities which our adversaries can activate for strategic coercion, furthering economic damage. Here are three important trends governing today’s activities by threat actors:- The move from custom malware to living-of-the land techniques.
- Identity compromise has become the primary access vector.
- Deception has being industrialized through advanced automation.
The economic impact
Cyber disruption has become a macroeconomic factor. Global losses are projected to reach $10.5 trillion annually, placing cybercrime behind only the United States and China in GDP terms. Campaigns targeting the software supply chain and network edge magnify these costs, yielding simultaneous compromise of many downstream victims.The systemic nature of the risk is evident in recent incidents. Disruptions at Change Healthcare and CDK Global demonstrated how a single intrusion can cascade across industries and supply chains, halting transactions, impairing services, and diminishing market confidence. Concentration of critical infrastructure in a small number of providers creates single points of failure. A large-scale attack on one of these could impede financial transactions, disrupt supply chains, and trigger a loss of confidence in digital markets.Here's how boards and executives can respond to all these trends:- Assume-compromised identity: Deploy phishing-resistant authentication, enforce just-in-time access for privileged accounts, and implement behavioral analytics to detect misuse of valid credentials.
- Mandate supply chain transparency: Require a software bill of materials from all vendors, conduct continuous third-party risk monitoring, and apply zero trust controls to all external connections.
- Engineer resilience for degraded operations: Prepare for sustained outages in critical systems. Maintain offline, immutable backups and conduct regular war-gaming for cyber-enabled infrastructure disruption.
- Invest in proactive defense: Establish continuous threat hunting, segment networks to limit lateral movement, and deploy network-level monitoring to detect anomalies in encrypted traffic and operational technology environments.
