Peace-time Cyber vs War-time Cyber

A long read on how cybersecurity doctrine built during 15 years of geopolitical peacetime is failing as nation-state actors abandon restraint and discretion.

We built an entire cybersecurity doctrine during peacetime. Most people don't even realize there was a peacetime. That's how good it was.

From roughly 2005 to 2020, the internet operated under a set of informal geopolitical norms that functioned a lot like mutually assured destruction. Nation-states ran cyber operations the way they ran espionage: covert, targeted, deniable. The NSA wasn't cyber carpet-bombing infrastructure. Chinese APTs were pretty surgical. Even the Russians, who pushed boundaries more than most, kept most things in the shadows. Nobody wanted to be the first to cross the line that turned cyber conflict into actual conflict. So everybody kept their operations quiet, and the rest of us got to build an industry on top of that relative calm.

The honest answer is that most of what we call "cybersecurity best practice" is a peacetime artifact. We just don't talk about it that way.

The Norms Nobody Wrote Down

There was no treaty. No Geneva Convention for cyberspace. What existed was a set of unspoken agreements maintained through strategic ambiguity and rational self-interest. You don't brick our power grid, we don't brick yours. You steal our intellectual property quietly, we pretend we don't notice until it's politically convenient. The norms were ugly and imperfect, but they held. For fifteen years, they held.

This created something remarkable: a stable enough environment for the private sector to develop cybersecurity frameworks, compliance regimes, incident response playbooks, and defense architectures that all assumed a particular threat model. That model looked like skilled, well-resourced adversaries conducting targeted operations against high-value targets with strategic patience. The MITRE ATT&CK framework. Defense in depth. The kill chain. Zero trust, eventually. All of it developed under conditions of relative geopolitical restraint.

We stress-tested our doctrine against peacetime adversaries and declared it sound. That's like testing your levees during a drought.

Then COVID Changed Everything

COVID did something to the cyber threat landscape that I don't think we've fully reckoned with. When the world went remote overnight, the attack surface didn't just expand — it exploded. But the more significant shift was behavioral, not technical. Nation-state actors who had spent years running careful, targeted operations looked at the chaos and made a rational decision: why be surgical when you can be opportunistic?

The shift was measurable and stark. Mass scanning. Broad exploitation of VPN vulnerabilities. Indiscriminate targeting. Operations that would have been considered reckless in 2019 became standard operating procedure in 2020. The norms didn't collapse in a single dramatic event. They eroded. Month by month, operation by operation, the implicit rules that kept things contained just stopped applying.

And nobody really called it out, because everyone was too busy dealing with the immediate crisis. We were patching Citrix and Pulse Secure and fighting ransomware and trying to secure a workforce that was suddenly operating from kitchen tables over consumer-grade Wi-Fi. The strategic shift happened under the cover of tactical chaos.

The Post-Peacetime World

Here's where it gets uncomfortable. We're now several years into what I'd describe as a post-peacetime cyber environment, and the industry is still largely operating on peacetime assumptions. Compliance frameworks haven't fundamentally changed. Defense architectures are iterating, not transforming. We're bolting new tools onto old doctrine and hoping the math still works.

It doesn't.

The threat model that underpinned fifteen years of cybersecurity strategy assumed adversaries who were constrained by norms, resources, and the desire for deniability. Those constraints are gone or going. Nation-states are operating more openly. The line between state actors and criminal groups has blurred to the point of meaninglessness in several theaters. And the geopolitical incentives that maintained restraint — the ones that said "keep it covert because escalation serves nobody" — are being overridden by a new calculus in which cyber capability is a sovereign necessity.

Look at the China 2027 thesis. The PLA centenary isn't just a date on a calendar. It represents a strategic deadline that's driving massive investment in offensive cyber capability. Every major power is making similar calculations at different scales. Nations that can't build or buy sovereign cyber capabilities are strategically naked. This isn't future speculation. The procurement cycles are already running.

Now Throw AI Into the Stew

Take everything I've just described — eroded norms, opportunistic state actors, blurred lines between who's who — and throw AI on top of it. Then throw in the fact that AI is now accessible to a far broader array of threat actors. You've got yourself a stew.

AI doesn't just amplify existing capabilities. It democratizes them. Techniques that required a nation-state budget three years ago are available to mid-tier criminal groups today. The "must be this tall to ride" bar for sophisticated offensive operations has dropped through the floor. And it keeps dropping.

But the more dangerous effect of AI on the post-peacetime landscape is how it blurs attribution. When AI tools can generate attack infrastructure, craft socially engineered campaigns in any language, and automate exploitation chains without distinctive tradecraft signatures, the already-difficult problem of figuring out who's behind an attack becomes nearly impossible. And attribution was the mechanism that kept the old norms in place. You can't maintain mutually assured destruction if you can't tell who launched the missile.

What Do We Throw Out?

The question I keep coming back to is simple, and the industry really doesn't want to answer it: if we developed our defense doctrine through ten to fifteen years of peace and prosperity, and we're now definitively out of that period, what do we need to throw out?

I'll start. Perimeter-centric thinking that assumes you can define an inside and an outside — throw it out. Compliance-driven security that optimizes for audit checkboxes over actual resilience — throw it out. Response timelines measured in days or weeks — throw them out. The assumption that your adversary is rational, targeted, and restrained — especially throw that out.

What do we double down on? Resilience over prevention. Assume breach isn't just a framework anymore — it's the operating reality. Continuous engagement models that treat security as a living process. Human creativity in the loop, because when I look at the internet and ask myself how this thing is still functioning, the honest answer is: it's the nerds. It's always been the nerds. The humans who care enough to keep the lights on through ingenuity and stubbornness and the kind of creative problem-solving you can't automate.

The Uncomfortable Reframe

The internet is far more vulnerable than most people realize. We've been coasting on the stability of a geopolitical moment that no longer exists, defended by a doctrine built for conditions that no longer apply, and hoping that incremental improvements will be enough against a threat landscape that changed structurally, not incrementally.

Peacetime is over. The defenders who recognize that and rebuild from first principles will define the next era. The ones who keep running the peacetime playbook are going to learn the hard way what wartime actually looks like.

And if that sounds alarmist — good. We could use a little more alarm and a lot less complacency. The stew is already cooking. The only question is whether we're the ones holding the spoon or sitting in the pot.