The Cybersecurity Tech Accord launched the first edition of the “State of International Cybersecurity Thermometer” in 2023, as an annual assessment of the global state of cyber conflict. In 2026, although several positive developments create opportunities for improvement, the state of peace and security in cyberspace has grown worse, inching the Cybersecurity Thermometer to 95 degrees Celsius. As demonstrated by the conflicts in Ukraine, Iran, and elsewhere, cyber operations are now a regular dimension of modern warfare to an extent that was not the case when we launched the thermometer. We have reassessed the scale of the Cybersecurity Thermometer to account for this, which is why the 2026 Thermometer reads 95 degrees Celsius, a lower number than in 2025.
This shift reflects the growing deployment and complexity of cyber capabilities in conflicts and military operations around the world, and alongside a broader rise in malicious cyber behavior. Developments in Ukraine, Iran, and Venezuela underscore that cyber activity is increasingly a critical component of warfare. Recent assessments from cybersecurity and intelligence agencies, such as an advisory notice issued in April 2026 by cybersecurity agencies in 10 countries, including the UK, Germany, and the U.S, have shown an increase in the volume and sophistication of cyber espionage operations by nation state actors, targeting critical infrastructure and causing disruption. Beyond cyberespionage, financially motivated attacks such as ransomware, extortion, and large-scale fraud continue to expand in frequency and impact, targeting both public and private sector organizations. At the same time, the growing industrialization of cybercrime and the use of AI to scale phishing, social engineering, and other malicious activity are making disruptive attacks faster, cheaper, and harder to defend against.
Major advances in AI are reshaping the cybersecurity landscape: boosting defenders’ capability to detect and respond, while also amplifying concerns about AI-enabled cyber risk. The capabilities that major foundation models globally are expected to reach within six to nine months is a watershed moment that requires a step change in international cybersecurity cooperation. Industry is stepping up to this challenge (Project Glasswing being a notable example) and demonstrating practical action to defend the world’s cyber infrastructure. Governments and international institutions also showed a commitment to cooperation on responsible behavior in cyberspace with the launch of the UN Global Mechanism on ICTs in the Context of International Security. Although much work remains to be done, we hope that efforts like this can be built over the next year.
The State of International Cybersecurity Thermometer aims to provide a clear and objective assessment of the current cyber risk landscape. It seeks to identify key trends and developments over the past year and measures necessary to enhance digital stability and security. This year’s developments fall into three categories: i) diplomatic and institutional developments, ii) the scale and nature of conflict online, and iii) technological developments. The sections below describe each development and note whether its overall impact on the security landscape was positive, negative, or neutral.
READING THE CYBERSECURITY THERMOMETER
100° CELSIUS AND ABOVE – Extensive CYBER WARFARE
Exceeding the boiling point signifies a chaotic, dangerous, and volatile situation, including cyber operations in the context of armed conflict that has harmed and/or targeted civilians.
Evidenced by:
• Use of cyber operations in war in ways regularly in violation of international norms and/or law
• Ineffective or insufficient deterrence
0° – 99° CELSIUS – CYBER CONFLICT
This “liquid” state represents cyber conflict short of warfare. It is characterized by a lack of clarity around international expectations online and/or an inability to uphold such expectations.
Evidenced by:
• Reckless cyber activity by nation states
• Frequent, normalized abuses by nonstate actors
• Limited progress in diplomatic forums
LESS THAN 0° CELSIUS – CYBER STABILITY
This “solid” state reflects stability in international cybersecurity. It requires the existence of a clear rules-based order online with a robust international system to uphold it.
Evidenced by:
• Scarcity of state sponsored cyber operations that violate international norms
• Limited threats posed by other actors
• Increasing capacity for international cooperation by incident responders
DIPLOMATIC AND INSTITUTIONAL DEVELOPMENTS
NEUTRAL
United Nations creates a permanent body for international cybersecurity policy
Following the conclusion of the second Open-ended Working Group (OEWG) on ICTs in 2025, the UN created a permanent body to address the role of states in international cybersecurity. The “Global Mechanism on ICTs in the Context of International Security” (or “GMech”) is set to hold its first official meeting in July 2026.
A permanent body is a welcome development as it shows that the international community recognizes that this policy domain requires ongoing action, especially addressing the behavior of member-states. Regrettably, the GMech will operate on a consensus basis, in which member-states must all agree on any decisions. This will encourage lowest-common-denominator agreements and make policies that meaningfully reduce global cyber risk extremely difficult to adopt. The ongoing debate around the GMech’s modalities, priorities, and agenda provides an early example of the challenges posed by strictly consensus decision-making. The organizational session of GMech in March 2026 demonstrated that the new forum will inherit the issues with the second OEWG on ICTs, including that it will be difficult to ensure meaningful non-governmental stakeholder participation.
POSITIVE
International Criminal Court releases groundbreaking policy to address cyber-enabled war crimes
In December 2025, the ICC Office of the Prosecutor launched a Policy on Cyber-Enabled Crimes under the Rome Statute, aiming to respond effectively to the evolving ways in which Rome Statute crimes may be committed. The Policy sets out the ICC’s understanding of how its legal framework applies to conduct in cyberspace which may constitute crimes under its jurisdiction, such as genocide, crimes against humanity, and war crimes. These international crimes may be facilitated through cyberspace, and digital evidence may be key to establishing them. This welcome reinforcement that international law applies to cyberspace also reflects an understanding of the need to effectively address the cyber dimensions of modern conflict.
NEGATIVE
Limited progress made in curbing the cyber mercenary market
According to several reports, including a study by the Economic Security Council of Ukraine and the Parliament of Ukraine, the global cyber mercenary market is expected to triple in size by 2033 despite international efforts to counter such activities. The study found little evidence that any of the countries that signed up to the Pall Mall Code of Practice have changed their behavior in handling cyber intrusion capabilities. In seven of the signatories (the United States, France, Germany, Italy, Hungary, Greece, and Ireland) spyware companies are still present or have technical infrastructure that allows the deployment of cyber intrusion capabilities.
The Cybersecurity Tech Accord will continue to draw attention to the danger posed by cyber mercenaries to the entire online ecosystem by enabling irresponsible use and allowing state and non-state actors to carry out offensive cyber operations. In anticipation of the upcoming Code of Practice for industry, whose role is equally significant, we call for a swift implementation of the Pall Mall Code of Practice by endorsing states to meaningfully restrict the cyber mercenary market.
NEGATIVE
National Cybersecurity Strategies increasingly shift towards offensive postures
In recent months, many states have updated their national cybersecurity strategies to encompass more offensive postures. Several governments are building on their defensive cyber capabilities by adding offensive cyber capabilities, designed to disrupt or destroy adversary systems.
While governments have a legitimate responsibility to ensure their national security increasing reliance on offensive cyber operations risks contributing to a cycle of escalation that undermines global stability, trust, and security. Increased offensive cyber activity may offer states some short-term strategic advantages but may damage the entire cybersecurity ecosystem over time. This shift requires international cooperation on common thresholds, and careful legal and diplomatic balancing to ensure transparency and respect for international norms.
Since its launch the Cybersecurity Tech Accord has been grounded in a clear commitment: signatories will not knowingly undermine the security of the online environment, and will oppose cyberattacks on innocent citizens and enterprises. We remain committed to the principle of “no offense” and call on states to recognize the importance of restraint, transparency, and adherence to the norms for responsible state behavior, prioritizing defensive over offensive actions.
NEUTRAL
Flawed UN Cybercrime Treaty moves towards implementation despite widespread criticism
The recently adopted UN Cybercrime Treaty, which aims to establish a global framework for preventing, investigating and prosecuting cybercrime by promoting international cooperation was signed in Vietnam in October 2025 by more than 70 states. Despite criticism from human rights groups and industry, including the Cybersecurity Tech Accord, regarding the broad scope and criminalization provisions and potential for weaponization of the treaty by authoritarian states, some countries are moving forward with the treaty’s ratification and implementation.
During the adoption of the treaty it was agreed that the Ad Hoc Committee (AHC) that negotiated it would resume work one year after the Treaty was adopted to negotiate further provisions, including additional offenses, in a Protocol. That process has now begun and negotiations are scheduled for January 2027. During this phase it will be essential for democratic states to ensure that the Protocol can strengthen human rights safeguards in the treaty, advance transparency, and reduce the capacity for the Convention to be used contrary to the values of the UN Charter.
SCALE AND NATURE OF CONFLICT ONLINE
NEGATIVE
Cyber espionage operations by state actors intensify
According to an advisory notice issued in April 2026 by cybersecurity agencies in 10 countries, including the UK, Germany, and the U.S., China-nexus cyber actors are using large scale networks of compromised devices (covert networks) to carry out cyber attacks. While China-nexus actors’ use of covert networks is well-documented, the notice warns that the actors are now using the tool strategically and at scale. A China-backed actor, flagged by cybersecurity agencies as a user of covert networks, has infiltrated critical infrastructure in the U.S. such as aviation and water systems. In addition, an assessment released by Finland’s intelligence service in March 2026 stated that Russia and China continue to conduct extensive cyber espionage and influence operations targeting the country’s technology sector, including cyber intrusions, traditional espionage and political influence campaigns. In Singapore, authorities announced in February 2026 that a China-linked group carried out a targeted campaign against all of the country’s major telecommunications operators using advanced tools to infiltrate telecom networks and maintain long-term covert access. Recent Microsoft threat intelligence also shows how state-backed espionage operations are becoming more covert and resilient. In May 2026, Microsoft documented how the Russian-linked Kazuar malware has evolved into a modular peer-to-peer botnet designed to maintain persistent, low-visibility access to target environments for long-term intelligence collection. Through our work, the Cybersecurity Tech Accord has encouraged businesses and users to play their part and help limit opportunities for cyber espionage by threat actors through improved cyber hygiene, such as better securing internet-connected network devices.
NEGATIVE
Deployment of cyber capabilities in military operations intensifies
The use of cyber capabilities in sustaining military operations has increased globally in intensity, complexity, and scope. According to a recent report by RUSI, cyber is now a critical capability in supporting reconnaissance and broader intelligence-gathering efforts in the time preceding a military operation: “mapping adversary networks; pre-positioning access within critical systems; and informing the planning of subsequent phases”. The same report notes that in the case of U.S.-Israeli cyber operations in Iran the U.S. distilled two different roles for its Cyber Command: “as ‘first-movers’ in using ‘non-kinetic effects’ to shape the environment for the subsequent phases of the operation; and secondly, in maintaining a ‘continuous layering’ throughout the first 57 hours of the operation”. Cyber capabilities were also deployed by the U.S., alongside kinetic force, to capture Venezuelan President Nicolás Maduro in Operation Absolute Resolve, although their precise role remains unclear.
In parallel, data from our signatory Resecurity identified that the Iran war has fast evolved into a multidomain confrontation where traditional strikes are tightly interwoven with cyber operations, electronic interference, and psychological warfare. Resecurity showed that hacktivist groups aligned with both sides have been involved in the conflict, executing DDoS attacks, website defacements, and reconnaissance missions targeting critical infrastructure and government resources across the Middle East. These digital campaigns are synchronized with physical operations to intensify operational impact and strategic pressure. Resecurity identified several key groups involved in the escalation, including Iranian-aligned hacktivist collectives such as Cyber Islamic Resistance and Cyber Fattah. The operations extend beyond disruption, as the parties to the conflict are also using cyber reconnaissance to support military targeting and assess damage, reflecting a coordinated approach to warfare where cyber operations are integrated with kinetic ones.
TECHNOLOGICAL DEVELOPMENTS
POSITIVE
Emergence of new capabilities in advanced AI systems increase AI-driven cyber risk while also greatly increasing the capacity of defenders to protect systems
The unveiling of Claude Mythos Preview in April 2026, a frontier AI model by Anthropic, which was followed shortly by OpenAI’s GPT 5.5, have created an inflection point in the application of AI to cybersecurity. As part of the response Anthropic launched Project Glasswing, an initiative that brings together more than 40 major companies including Cybersecurity Tech Accord signatories Cisco and Microsoft, in an effort to ensure systemically critical systems and platforms are patched before equivalent capabilities are available to malicious actors. As part of Project Glasswing industry partners are using Mythos Preview as part of their cyber defense work and sharing insights with the wider industry to strengthen cyber defenses.
These systems can identify unknown vulnerabilities autonomously and carry out complex cyber operations with minimal human input. It achieved a 83.1% success rate on the CyberGym benchmark, an industry test of vulnerability detection, and autonomously identified thousands of zero-day vulnerabilities across every major operating system. Additionally, Mythos can analyze compiled binary code without access to source code. While the full implications are still unfolding, it is clear that this marks a structural shift for cybersecurity. AI cyber capabilities are now so powerful that AI is fundamentally necessary to defend against attacks which leverage AI. It is likely that Mythos-class capabilities will be in wide circulation within six to nine months, so the race is on to secure critical systems globally before these tools are in wide circulation.
Under this new reality, organizations and governments must improve their cyber posture to both leverage and prepare for frontier AI. The imperative to deepen international cooperation to address cyber risks is more crucial than ever, before similar capabilities are developed by state actors known to sponsor cyberattacks (such as China and Russia). The Cybersecurity Tech Accord’s is currently working on proposals to deliver positive action in reducing global cyberattacks and increase accountability for those that engage in them, through defining practical steps to pursue through international public-private partnerships.