Weekly Security Brief

Week of Sunday, March 1, 2026

1. Iran's Cyber Restraint Toward the US Just Ended

While nuclear talks were live, Iran pointed its cyber arsenal at dissidents and neighbors, not the United States. The US and Israel just bombed Tehran.

Three rounds of US-Iran nuclear talks produced no deal. On February 28, the US and Israel launched joint strikes across Tehran, Isfahan, Qom, Karaj, and Kermanshah. Iran fired back at Israeli cities and US military bases in Qatar and Bahrain. Within hours, Iranian internet connectivity dropped to 4% of normal levels. That wasn't collateral damage. Iran activated its "Barracks Internet," a two-tiered system built on Huawei infrastructure that gives global access only to security-cleared users and locks 85 million citizens onto a regime-controlled intranet. Foreign telecom partners had already been escorted out of the country weeks earlier.

During the diplomatic window, Iranian cyber groups stayed active but avoided US targets. RedKitten targeted Iranian protest supporters using AI-built malware disguised as lists of killed demonstrators. MuddyWater launched Operation Olalampo across the Middle East with four new malware families, including a Rust backdoor with AI-generated code. CrescentHarvest ran espionage against regime critics. All of it pointed inward or regional. None of it pointed at the United States.

The question is what happens now. Iran's track record may answer it. After Stuxnet destroyed centrifuges in 2010, Iran built an offensive cyber program from scratch. After the US killed Soleimani in 2020, Iranian actors probed US critical infrastructure within days. After the US and Israeli strikes on Iranian nuclear facilities last June, the response was immediate and coordinated. Over 250,000 Telegram messages showed hacktivist proxies mobilizing for DDoS, defacement, and data theft alongside military operations. MuddyWater used compromised CCTV cameras in Jerusalem to help target missiles and assess strike damage. CyberAv3ngers reactivated malware built specifically for industrial control systems. During those same June strikes, the US used offensive cyber operations to disable Iranian air defenses. U.S. Cyber Command took public credit. Iran watched, and learned.

CISA is currently operating at 38% staffing during the government shutdown that began February 14. NSA and U.S. Cyber Command are awaiting Senate confirmation of a new leader. The last time Iran escalated, the response required NSA, CISA, FBI, and DC3 issuing a joint advisory within nine days. Whether that coordination can move at the same speed with reduced staffing is an open question.

The Takeaway
Iran has spent months building new cyber capabilities while keeping them aimed away from the US. That changed on Saturday. If you operate in energy, healthcare, water, or defense contracting, treat this as an elevated threat window. Review your OT network segmentation, enforce MFA on every external access point, and confirm your incident response contacts are current. Do not assume federal support will arrive on the same timeline it did last June.

2. China's Kill Chain Is 15 Years Long

A Chinese businessman stole F-35 blueprints in 2008. A former F-35 instructor was just arrested for training the pilots who will fly against them.

Gerald "Runner" Brown spent more than 24 years in the US Air Force, retiring as a Major in 1996. He flew F-16s, commanded units responsible for nuclear weapons delivery, and later worked as a contract simulator instructor for US defense contractors, training American military pilots on the A-10 and the F-35. On February 25, the FBI arrested him in Jeffersonville, Indiana for providing unauthorized defense services to the Chinese military. Brown had traveled to China in December 2023, met with Chinese military officials, and spent over two years training People's Liberation Army Air Force pilots on tactics developed for the aircraft whose plans had already been stolen.

The man who stole those plans is Su Bin, a Chinese national who ran an aviation business in Canada. Between 2008 and 2014, Su Bin directed People's Liberation Army hackers to steal 630,000 files from Boeing, roughly 65 gigabytes of technical data on the F-35, F-22, and C-17. He identified the targets, translated the stolen material into Chinese, and assessed its value for his handlers. He pled guilty in 2016 and served 46 months. China's J-20 and J-31 fighters entered service during the years that followed. Their structural resemblance to the F-22 and F-35 is not debated in the defense community.

This is not two isolated incidents. This is one program. China's state plan known as Made in China 2025 called explicitly for "acquisition, absorption, and adaptation of foreign technology." The 2035 follow-on adds comprehensive military modernization. The Hundred-Year Marathon, as the broader strategy is known, treats technology transfer, cyber espionage, academic recruitment, and human intelligence as parallel tracks toward the same objective. Steal the blueprints. Recruit the expertise. Build the capability. China added 78 warships between 2015 and 2023. The United States added 20. The stolen data is in production, and now so are the pilots trained to use it.

This is the threat model that drove the Department of Defense to create CMMC, the Cybersecurity Maturity Model Certification, requiring every contractor in the defense industrial base to prove they can protect controlled unclassified information. It is why insider threat programs exist. The Su Bin case was a cyber intrusion. The Brown case was a human recruitment. Both fed the same pipeline. Any organization holding defense-adjacent intellectual property, cleared personnel, or export-controlled technical data sits somewhere on this chain whether it recognizes it or not.

The Takeaway
China operates cyber espionage and human recruitment as a single acquisition program on timelines measured in decades. If your organization touches defense IP or employs cleared personnel, your insider threat program and your cybersecurity program need to be treated as one problem. The Brown arrest is what it looks like when the second half of the kill chain activates.

3. Ransomware Groups Are Losing Revenue and Getting More Dangerous

Ransomware payments dropped to their lowest rate ever in 2025. The groups responded by changing the math.

Chainalysis published its annual crypto crime report on Thursday. Total ransomware payments fell to $820 million in 2025, down 8% from the year before. The share of victims who paid dropped to 28%, the lowest rate ever recorded.

The groups are adapting. Attacks surged 50% year over year. The number of active ransomware groups grew 49%, according to IBM's X-Force Threat Intelligence Index released the same week. Median ransom demands jumped from $12,738 to $59,556. The price of initial access on criminal marketplaces fell from $1,427 to $439 per victim. Fewer victims are paying, so the groups are compensating with volume, higher demands, and cheaper operations. The math still works for them.

The tactics are shifting too. Encryption is noisy. It triggers endpoint detection, disrupts operations in ways that draw immediate attention, and gives defenders a clear signal to respond. More groups are skipping encryption entirely and moving straight to data exfiltration. Steal the data quietly, leave the systems running, and make the threat about exposure rather than recovery. For organizations in healthcare, legal, and financial services, that threat carries regulatory and reputational weight that can exceed the cost of downtime. For manufacturers and logistics operators, the calculus is different. The Jaguar Land Rover attack in August 2025 halted production across multiple countries and caused an estimated £1.9 billion in damage, the costliest cyber incident in UK history. Operational disruption was the leverage, not leaked files.
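
The shift from encryption to quiet exfiltration changes what defenders should be watching for: not a sudden wave of file modifications, but a host that starts sending far more data outbound than it ever has, often to an address it has never talked to. The following is an added example, not code from the brief or from Chainalysis or IBM, of a baseline-relative egress check over constructed flow records. The record schema (day, host, dst, bytes_out) and the thresholds are assumptions for the illustration, not any vendor's format or tuning.

```python
"""Flag exfiltration-style outbound spikes in per-host egress volume.

Added example, not code from the brief. The flow records below are
constructed, and the field names (day, host, dst, bytes_out) are an
assumed schema, not any vendor's log format.
"""
from collections import defaultdict
from statistics import median
from typing import Dict, List, NamedTuple, Set


class Flow(NamedTuple):
    day: str        # ISO date used as the aggregation bucket
    host: str       # internal source host
    dst: str        # external destination address
    bytes_out: int  # bytes sent from host to dst that day


class Alert(NamedTuple):
    host: str
    day: str
    bytes_out: int               # total outbound bytes on the flagged day
    baseline: int                # median daily outbound bytes on prior days
    new_destinations: List[str]  # destinations never seen in the baseline window


MB = 1_000_000

# Constructed egress records. fin-db-01 runs a ~50 MB/day SaaS sync, then
# pushes 3.2 GB to a never-before-seen address; build-01 legitimately ships
# 2 GB/day to an artifact registry; hr-fs-02 is quiet throughout.
SAMPLE_FLOWS = [
    Flow("2026-03-01", "fin-db-01", "203.0.113.10", 40 * MB),
    Flow("2026-03-02", "fin-db-01", "203.0.113.10", 55 * MB),
    Flow("2026-03-03", "fin-db-01", "203.0.113.10", 48 * MB),
    Flow("2026-03-04", "fin-db-01", "203.0.113.10", 52 * MB),
    Flow("2026-03-05", "fin-db-01", "203.0.113.10", 40 * MB),
    Flow("2026-03-05", "fin-db-01", "198.51.100.77", 3200 * MB),
] + [
    Flow(f"2026-03-0{d}", "build-01", "203.0.113.20", 2000 * MB) for d in range(1, 6)
] + [
    Flow(f"2026-03-0{d}", "hr-fs-02", "203.0.113.10", 60 * MB) for d in range(1, 6)
]


def daily_totals(flows: List[Flow]) -> Dict[str, Dict[str, int]]:
    """Sum outbound bytes per host per day."""
    totals: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for f in flows:
        totals[f.host][f.day] += f.bytes_out
    return totals


def detect_exfiltration(flows, min_baseline_days=3, multiplier=5.0, min_bytes=1000 * MB):
    """Alert when a host's daily egress is both large in absolute terms and a
    multiple of its own median over earlier days, so a host that always moves
    a lot of data (build-01) is not flagged while a quiet host that suddenly
    does (fin-db-01) is."""
    totals = daily_totals(flows)
    dsts: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for f in flows:
        dsts[f.host][f.day].add(f.dst)

    alerts: List[Alert] = []
    for host, by_day in totals.items():
        days = sorted(by_day)
        for i, day in enumerate(days):
            prior = days[:i]
            if len(prior) < min_baseline_days:
                continue  # not enough history to call anything abnormal
            baseline = int(median(by_day[d] for d in prior))
            today = by_day[day]
            if today < min_bytes or today < multiplier * max(baseline, 1):
                continue
            known = set().union(*(dsts[host][d] for d in prior))
            new_dsts = sorted(dsts[host][day] - known)
            alerts.append(Alert(host, day, today, baseline, new_dsts))
    return alerts


if __name__ == "__main__":
    for a in detect_exfiltration(SAMPLE_FLOWS):
        print(f"{a.day} {a.host}: {a.bytes_out / MB:.0f} MB out "
              f"(baseline {a.baseline / MB:.0f} MB/day), new destinations {a.new_destinations}")
```

Run as a script, it reports only fin-db-01 on 2026-03-05. The two conditions are deliberately combined: the absolute floor keeps small hosts from tripping on noise, and the per-host multiplier keeps a build server that always ships gigabytes from generating daily alerts. The list of new destinations is the detail an analyst needs first, since a transfer to an address the host has never contacted is the one to investigate before anything else.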

Supply chain compromises have nearly quadrupled since 2020. North America became the most-attacked region for the first time in six years. Leaked toolkits, established playbooks, and AI-assisted automation continue to lower the barrier to entry for new groups.

The Takeaway
The declining payment rate is not making ransomware less dangerous. It is forcing the groups to evolve. Healthcare and financial services leaders should assume exfiltration-first attacks targeting regulated data. Manufacturing and logistics leaders should pressure-test recovery times against sustained operational disruption. Both should verify that their incident response plans reflect the attack model their industry actually faces, not last year's assumptions.

4. Surveillance of Executives Is Now a Product You Can Buy

A Greek court just proved what the industry has known for years. Governments are buying commercial spyware and pointing it at the people making decisions they want to influence.

On February 26, a Greek court sentenced Tal Dilian, the founder of Intellexa, and three associates to eight years in prison for wiretapping 87 individuals using Predator, a commercial spyware tool designed for mobile devices. The targets were not criminals or terrorists. They were the leader of Greece's main opposition party, investigative journalists covering banking corruption, and the editor of the country's largest newspaper. People whose decisions, reporting, and influence someone with government access wanted to monitor. The defendants remain free pending appeal.

The court records confirm what security researchers and watchdog organizations have been documenting for years. Predator was found on devices in at least 25 countries. The United States sanctioned Intellexa in 2024 after confirming it was used to target American government officials and journalists. This is the first criminal conviction of a commercial spyware executive anywhere in the world.

It will not slow the market down. NSO Group continues to license Pegasus. Paragon Solutions recently sold interception tools to the US Drug Enforcement Administration. Dozens of smaller firms across Israel, Italy, Spain, and India sell similar capabilities to government buyers with limited oversight. The barrier to purchasing targeted surveillance of a specific individual is a government contract and a phone number. No network intrusion required. No perimeter to defend. Zero-click exploits delivered over iMessage or WhatsApp compromise the device without the target ever opening a file or clicking a link.

The legal environment is tightening. EU Parliament investigations, US executive orders restricting spyware procurement, and now a criminal conviction in an EU member state are building pressure on both sellers and buyers. But for security leaders, the legal landscape matters less than the operational reality. If your CEO is involved in a politically sensitive acquisition, if your board members sit across regulated industries, if your general counsel is navigating cross-border disputes, their personal devices are potential targets. This is not theoretical. The Greek court just unsealed 87 examples.

The Takeaway
Commercial spyware targets people, not networks. Endpoint protection and mobile device management do not stop zero-click exploits. If your organization's leadership holds influence over decisions with financial or political weight, their personal devices belong in your threat model. Ask whether your executive protection program accounts for surveillance that never touches your corporate infrastructure.

5. More Than Half of Cyber Insurance Claims Were Denied Last Year

Most boards hear "we have cyber insurance" and consider the risk transferred. The claims data says otherwise.

Over the past year, 56% of CISOs reported that their cyber insurance claims were denied. According to the National Association of Insurance Commissioners, nearly three times as many claims were closed without payment as those that were paid in 2024. For excess cyber policies, the kind that cover catastrophic losses, unpaid claims outnumbered paid ones by more than 20 to 1.

The denials are not arbitrary. When an organization files a cyber insurance claim, the carrier sends a forensics firm. Most policyholders assume that firm is there to help them recover. It is not. The forensics firm is hired by the insurer, reports to the insurer, and is paid by the insurer. Its job is to determine whether the policyholder was actually doing what the application said they were doing. In Travelers v. International Control Services, the insured stated on its application that multi-factor authentication was deployed across all systems. After a ransomware attack, the insurer's investigators found MFA was enabled only at the firewall. The court did not reduce the payout. It rescinded the entire $1 million policy as if it had never existed. The legal term is material misrepresentation. The practical reality is that the forensics team walking through your door after a breach is not your incident response partner. It is the insurance company's auditor, and the gap between what your application says and what your environment actually does is the first thing it looks for.

This is happening while the market tightens. Premiums are forecast to rise 15 to 20% in 2026. Underwriting requirements are getting stricter. Exclusions are getting broader. Insurers increasingly require documented proof of specific controls, not just attestation: employee training programs, incident response plan testing, endpoint detection coverage, privileged access management. If those controls exist on paper but not in practice, the policy becomes a false floor.

Most boards hear "we have cyber insurance" and consider the risk transferred. The policy exists. The premium was paid. The conversation moves to the next agenda item. But a policy that gets rescinded after a breach transfers nothing. It is a financial backstop that disappears the moment it is tested. Organizations that treat cyber insurance as a buy-and-forget line item are the ones discovering during an incident that the payout they budgeted for is not coming. Knowing what your policy requires, what your environment actually looks like, and what invalidates your coverage is not a renewal exercise. It is an operational responsibility that belongs next to your incident response plan.

The Takeaway
Pull your cyber insurance application and compare it line by line to your actual environment. If MFA, endpoint detection, or access controls are described differently on paper than they are deployed in practice, fix the gap or disclose it to your carrier before an incident forces the comparison. A rescinded policy is worse than no policy. Your board should know whether the coverage they approved will survive a claim.
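
The line-by-line comparison the takeaway asks for is easiest to make repeatable when the application's claims and the asset inventory are both structured data. What follows is an added example, not code from the brief and not any carrier's form, that reconciles each claimed control and its claimed scope against a constructed inventory and lists every in-scope asset where the control is absent. The Asset fields, the scope names, and the inventory are assumptions for the illustration; the inventory is modelled on the pattern in the Travelers case, where MFA existed only at the firewall.

```python
"""Reconcile a cyber insurance application's control claims against the
environment that is actually deployed.

Added example, not from the brief. The inventory and the claims are
constructed; the Asset fields and scope names are assumptions chosen for
this illustration, not any carrier's application form.
"""
from typing import Callable, Dict, List, NamedTuple


class Asset(NamedTuple):
    name: str
    kind: str        # firewall, vpn, email, rdp_gateway, server, workstation
    external: bool   # reachable from the internet, i.e. an external access point
    mfa: bool        # MFA enforced for logins to this asset
    edr: bool        # endpoint detection agent installed and reporting
    pam: bool        # privileged access brokered through the PAM tool


# Constructed inventory modelled on the pattern in the Travelers case:
# MFA exists, but only on the firewall's admin login.
INVENTORY = [
    Asset("fw-01", "firewall", True, mfa=True, edr=False, pam=False),
    Asset("vpn-01", "vpn", True, mfa=False, edr=False, pam=False),
    Asset("webmail-01", "email", True, mfa=False, edr=False, pam=False),
    Asset("rdg-01", "rdp_gateway", True, mfa=False, edr=False, pam=False),
    Asset("srv-app-01", "server", False, mfa=False, edr=True, pam=True),
    Asset("srv-legacy-01", "server", False, mfa=False, edr=False, pam=True),
    Asset("ws-001", "workstation", False, mfa=False, edr=True, pam=False),
    Asset("ws-002", "workstation", False, mfa=False, edr=True, pam=False),
    Asset("ws-003", "workstation", False, mfa=False, edr=True, pam=False),
]

# What the (constructed) application says: control -> scope it was claimed for.
CLAIMS = {
    "mfa": "all_external_access",
    "edr": "all_endpoints",
    "pam": "all_servers",
}

# How each claimed scope translates into a predicate over the inventory.
SCOPES: Dict[str, Callable[[Asset], bool]] = {
    "all_external_access": lambda a: a.external,
    "all_endpoints": lambda a: a.kind in ("server", "workstation"),
    "all_servers": lambda a: a.kind == "server",
    "all_assets": lambda a: True,
}


class Finding(NamedTuple):
    control: str
    claimed_scope: str
    in_scope: int
    covered: int
    uncovered: List[str]   # assets inside the claimed scope lacking the control

    @property
    def coverage(self) -> float:
        return self.covered / self.in_scope if self.in_scope else 1.0


def reconcile(claims: Dict[str, str], inventory: List[Asset]) -> List[Finding]:
    """For every claim, count the assets the claim covers and list those
    where the control is absent. An unknown scope is an error rather than a
    silent pass: a claim the inventory cannot evaluate is itself a gap."""
    findings = []
    for control, scope in claims.items():
        if scope not in SCOPES:
            raise ValueError(f"claim '{control}' uses scope '{scope}' not mapped to the inventory")
        if control not in Asset._fields:
            raise ValueError(f"control '{control}' is not tracked in the inventory")
        members = [a for a in inventory if SCOPES[scope](a)]
        missing = sorted(a.name for a in members if not getattr(a, control))
        findings.append(Finding(control, scope, len(members), len(members) - len(missing), missing))
    return findings


def material_gaps(findings: List[Finding]) -> List[Finding]:
    """Claims stated as 'all ...' that are not true of every asset in scope."""
    return [f for f in findings if f.uncovered]


if __name__ == "__main__":
    for f in reconcile(CLAIMS, INVENTORY):
        status = "OK" if not f.uncovered else "GAP"
        print(f"[{status}] {f.control} claimed for {f.claimed_scope}: "
              f"{f.covered}/{f.in_scope} covered ({f.coverage:.0%}); missing on {f.uncovered}")
```

Run as a script, the MFA claim shows one of four external access points covered and the EDR claim shows one server without an agent, while the PAM claim reconciles cleanly. The point of raising an error on an unmapped scope rather than skipping it is that an application question you cannot evaluate against your inventory is exactly the kind of gap the insurer's forensics firm will evaluate for you after a breach. The output is what to bring to the carrier before renewal, not after a claim.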
