The West Is Not Losing a Cyberwar. It's Losing an Economic War Conducted Through Cyber Means.

Last Wednesday, the director of GCHQ stood at Bletchley Park — the same grounds where Britain cracked Nazi Germany's Enigma codes — and told the world that Russia is hitting UK infrastructure every day, that China has been inside US critical systems for five years, and that the West has a "narrowing window" before it is no longer in a position to stop what comes next. The speech lasted forty minutes. The intelligence it described has been true for years. That gap — between what the signals say and what the boards have done about it — is the story.
Bletchley Park Was Not an Accident
She could have given the speech anywhere. Whitehall has conference rooms. The UK has no shortage of secure facilities suitable for the director of GCHQ to address an audience.
She gave it at Bletchley Park.
That is the code inside the speech. Bletchley Park is where a wartime team — three-quarters of them women, working in huts without heat — cracked Nazi Germany's Enigma ciphers and, by the sober accounting of military historians, shortened the Second World War by two years. Not by fighting. By understanding the enemy's communications faster than the enemy could change them.
Anne Keast-Butler's message on May 27, 2026 was straightforward. Russia is conducting "daily hybrid activity" against the UK and Europe — "from the seabed to cyberspace." GCHQ is defending subsea cables in British waters, disrupting Russian networks smuggling sanctioned Western technology, countering what she called "reckless sabotage and assassination attempts." Britain is now handling four major cybersecurity incidents per week. The UK's new MI6 chief has separately described the country as caught in "a space between peace and war."
China, she said, is "a science and tech superpower with sophisticated capabilities across their intelligence, cyber and military agencies." The West has a "narrowing window" to maintain its edge. She called on businesses to treat cybersecurity "ten times more urgently."
Ten times more urgently. Not "more urgently." Not "with greater seriousness." Ten times. That is the language of someone who has read the signals and concluded that the current posture is not a minor underinvestment. It is a civilizational-scale gap.
The symbolism of Bletchley Park is the argument. The last time the West faced this kind of structural technological threat to its security, the answer was not better procurement processes or improved security frameworks. It was institutional commitment at a scale that looked, at the time, almost irrational. And it worked.
The question this speech is really asking — the question beneath the operational briefing — is: do the people running institutions today understand what moment they are in?
What Salt Typhoon and Volt Typhoon Actually Mean
There are two operations. They are distinct. The coverage treats them as variations on the same theme. They are not.
Salt Typhoon penetrated US telecommunications networks — AT&T, Verizon, T-Mobile, and others. The group accessed call records, subscriber data, and the lawful intercept interfaces that US federal, state, and local law enforcement uses for court-authorized wiretaps. In December 2025, the Senate Commerce Committee concluded that major US carriers have still not convincingly demonstrated they have evicted the intruders. A Senate committee — not a cybersecurity vendor with a product cycle — saying Chinese state hackers are still inside the wiring of American communications infrastructure, over a year after the initial disclosure.
Still.
Volt Typhoon is different in kind, not just degree. The FBI director has stated it plainly: "China's hackers are targeting American civilian critical infrastructure, pre-positioning to cause real-world harm to American citizens and communities in the event of conflict." The NSA director told Congress this represents "pre-positioning for disruption or destruction" — not espionage. Energy grids. Water systems. Transportation networks. Communications backbone. Five years of confirmed dwell time inside all of it.
That word — pre-positioning — is doing enormous work. Salt Typhoon is an intelligence operation. Damaging, historic in scope, but within the historic frame of nation-state espionage. What adversaries have always done to each other. Volt Typhoon is categorically different.
Volt Typhoon is the digital equivalent of pre-placing charges in a building you do not own, with no intent to detonate today, and every intent to preserve the option for the moment conditions change.
Russia already proved this playbook works. Sandworm spent years inside Ukrainian power grid infrastructure before the 2022 invasion. The operation was patient. No disruption. No signatures. No announcement. Then, on the first day of the invasion, the lights went out. US defense planners are not theorizing. They are watching a confirmed, successfully executed version of this playbook being prepared against American soil, by a country that has studied the Ukrainian execution and has substantially more resources.
CISA Advisory AA24-038A — issued jointly by the FBI, NSA, CISA, and Five Eyes partners — confirmed Volt Typhoon had maintained persistent access inside US critical infrastructure for at least five years before that advisory was published. That advisory is now more than two years old.
The access, in other words, has been in place for at least seven years.
The adversaries are not waiting for a war. They are waiting for a moment — and the moment is not going to announce itself in advance.
This Is Not a Cyberwar. Call It What It Is.
When intelligence chiefs say cyberwar and boardrooms hear it, they picture a kinetic event. Systems going dark. A news cycle. Something visible and discrete that the organization either weathers or doesn't.
That is the wrong picture. And the wrong picture has been producing the wrong response for years.
What China, Russia, Iran, and North Korea are actually running is economic coercion through digital infrastructure. The objective is not to win a battlefield. The objective is to make Western governments and companies too fragile, too disrupted, too domestically consumed to project power or make consequential decisions abroad. They do not need to fire a kinetic round to achieve this. They need to maintain access and wait for the right moment.
Ray Dalio spent years mapping how great powers decline. The pattern is never a single catastrophic defeat. It is accumulated second-order pressure — debt, internal division, manufacturing hollowing, institutional erosion — that makes the empire too heavy to sustain. The cyber operations being run against the West are a contemporary version of that playbook, adapted for digital infrastructure, conducted at a cost asymmetry that the boardroom has not confronted honestly.
Here is the asymmetry. A state actor can maintain persistent access inside a US power grid for five years using living-off-the-land techniques — abusing the legitimate administrative tools already present on the network — for a fraction of what it costs the defender to detect and remove them. The offense is patient and inexpensive. The defense is reactive and expensive. The dwell time is measured in years. The cost ratio is not close.
Adam Smith's insight about specialization is that it creates wealth. The corollary — which Smith had no occasion to contemplate — is that attacking the nodes of specialization creates fragility at scale. The global semiconductor supply runs through roughly three nanometers of silicon process technology controlled by one company on one island in the Taiwan Strait. The US telecom backbone runs through a handful of carriers whose lawful-intercept interfaces were accessible to a foreign government for years. Poland's energy grid went down in January 2026. The European Commission's cloud infrastructure was hit in March 2026. Singapore's four major telecom providers were all breached by a single Chinese-linked group in February. Germany is handling what its security services are calling a sustained geopolitical campaign.
These are not random. They are the nodes. The adversaries have read the architecture of the global economy and identified which elements, if degraded, make everything downstream harder to sustain.
Thomas Friedman wrote The World Is Flat as an optimistic case for globalization. The adversaries have been reading it as a targeting document.
The Exposure Nobody in the Boardroom Is Discussing
The companies most exposed to this environment are not the ones with the largest security programs.
They are the companies with no security program.
A PE portfolio with fifteen companies across manufacturing, logistics, healthcare, and professional services has fifteen potential Volt Typhoon entry nodes, fifteen sets of unpatched edge devices, and fifteen credential environments that were never fully remediated after the last acquisition. The acquirer who ran cyber due diligence before close and found nothing alarming should note that nothing alarming is precisely what living-off-the-land techniques are designed to produce. No malware signature. No anomalous traffic patterns. Activity that looks like authorized administrators — because it uses their tools.
Volt Typhoon has a documented preference for small-office routers, VPN concentrators, and firewalls used as botnet infrastructure. The entry point into a national security-relevant supply chain can be a 200-person manufacturer in Ohio with an IT budget measured in tens of thousands of dollars and a network administrator who also handles the help desk.
The ODNI's 2026 Annual Threat Assessment puts it plainly: these operations are "deliberate and sustained, aimed at embedding access within key systems to enable disruption during periods of conflict or crisis." The key phrase is periods of conflict or crisis. That is not a distant hypothetical. That is the condition under which every portfolio company will be most operationally dependent on its infrastructure — and least equipped to absorb a simultaneous disruption from within it.
Six questions every board must answer this quarter — not this year, this quarter:
1. Can you detect living-off-the-land? Volt Typhoon does not deploy malware. Traditional endpoint detection is not built for it. Detecting this requires behavioral monitoring of legitimate administrative tool usage — which most mid-market programs do not have.
2. When did you last audit your edge infrastructure? Routers, firewalls, VPN concentrators. Default credentials. Legacy firmware. This is the documented entry vector. This is the front door.
3. Does your incident response plan account for simultaneous activation? Sandworm activated against Ukraine during a kinetic war when communications infrastructure was also degraded. Incident response plans built for "breach and recover" do not map to "breach, wait seven years, activate at the worst possible moment."
4. Do you know your vendor attack surface? The supply chain is the attack surface. The portfolio company's 200-person manufacturer has Volt Typhoon exposure whether the portfolio knows it or not.
5. Who has the incentive to tell you the truth? Vendors find manageable problems. Nation-state pre-positioning is engineered to be invisible to the sensors vendors sell. This requires a different kind of auditor — one whose business model is not selling you the next product after the one that missed it.
6. Have you read your war exclusion? Most cyber policies have one. Most boards have not read it carefully. A Volt Typhoon activation during a Taiwan conflict may be exactly the event an insurer calls an act of war — and denies coverage for.
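Question 1 calls for behavioral monitoring of legitimate administrative tool usage. As an added example that is not part of the original article, the Python below learns which user, host and parent process normally launch built-in Windows admin tools and flags process-creation events that depart from that baseline on two or more counts. The tool list, field names, working hours, threshold and sample events are assumptions constructed for illustration.

```python
from datetime import datetime

# Admin tools to baseline: an assumed list for this example, tune to your estate.
ADMIN_TOOLS = {"powershell.exe", "wmic.exe", "netsh.exe", "ntdsutil.exe"}

def tool(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()

def build_baseline(events):
    """Learn which user, host and parent process normally go with each tool."""
    seen = set()
    for e in events:
        t = tool(e["image"])
        if t in ADMIN_TOOLS:
            seen |= {("user", e["user"], t), ("host", e["host"], t),
                     ("parent", tool(e["parent"]), t)}
    return seen

def deviations(e, seen, work_hours=(7, 19)):
    """List the ways one process-creation event departs from the baseline."""
    t = tool(e["image"])
    if t not in ADMIN_TOOLS:
        return []
    keys = {"user": e["user"], "host": e["host"], "parent": tool(e["parent"])}
    out = [f"new {k} for {t}" for k, v in keys.items() if (k, v, t) not in seen]
    hour = datetime.fromisoformat(e["time"]).hour
    if not work_hours[0] <= hour < work_hours[1]:
        out.append("outside working hours")
    return out

def detect(events, seen, threshold=2):
    """Return (event, reasons) pairs with at least `threshold` deviations."""
    scored = [(e, deviations(e, seen)) for e in events]
    return [(e, why) for e, why in scored if len(why) >= threshold]

def ev(time, host, user, parent, image):
    return dict(time=time, host=host, user=user, parent=parent, image=image)
# Constructed sample events: a learning window, then a detection window.
W, S = "C:\\Windows\\", "C:\\Windows\\System32\\"
BASELINE = [
    ev("2026-05-04T10:02:00", "WS-IT01", "it.admin", W + "explorer.exe", S + "WindowsPowerShell\\v1.0\\powershell.exe"),
    ev("2026-05-05T14:30:00", "WS-IT01", "it.admin", W + "explorer.exe", S + "netsh.exe"),
]
WINDOW = [
    ev("2026-05-20T10:15:00", "WS-IT01", "it.admin", W + "explorer.exe", S + "WindowsPowerShell\\v1.0\\powershell.exe"),
    ev("2026-05-20T21:40:00", "WS-IT01", "it.admin", W + "explorer.exe", S + "netsh.exe"),
    ev("2026-05-21T02:14:00", "DC01", "svc_backup", S + "cmd.exe", S + "ntdsutil.exe"),
]
```

In practice the events would come from process-creation telemetry such as Sysmon Event ID 1 or Windows Security Event ID 4688, with a learning window long enough to capture routine administration.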
"Narrowing Window" Is Intelligence Community Language for "The Door Is Closing"
In intelligence community usage, narrowing window does not mean act with moderate urgency. It means: the conditions under which effective action is possible are deteriorating faster than the capacity to act through them. It is the clinical way of saying that some windows close — and do not reopen.
China operates 210 tracked state-backed hacking organizations. In 2025 alone, they targeted networks in 178 countries. Taiwan's government networks absorbed 2.63 million cyberattack attempts per day last year. The Hormuz crisis in early 2026 produced a measurable, documented surge in Chinese cyber activity against US-aligned targets — confirming the model analysts had described: cyber operations as coercion in the space between trade and shooting war.
Russia is simultaneously losing a ground war in Ukraine — approaching 500,000 combat deaths by GCHQ's own count — and maintaining the operational tempo to conduct daily hybrid attacks against European infrastructure. A state that is losing on the battlefield and has fewer conventional options is not a state that is becoming less dangerous in the gray zone. It is a state with more desperation, a demonstrated willingness to use the instruments it still controls, and a specific historical model — the Sandworm playbook — that it knows works.
Iran is exploiting unpatched Fortinet and Microsoft Exchange infrastructure in US government and enterprise networks, and using large language models to accelerate reconnaissance, vulnerability research, and phishing at scale. North Korea is funding the regime through crypto theft and ransomware while conducting defense sector espionage targeting drone and autonomous vehicle programs.
Four adversaries. All active. All operating in the space between the threat levels that trigger kinetic responses and the baseline that organizations treat as acceptable background noise.
That space is not sustainable.
The regulatory direction is clear: EU NIS2, SEC cyber disclosure rules, UK PSTI Act, the successor to CIRCIA. All of them require mandatory disclosure, mandatory minimum standards, mandatory board accountability. The companies reacting to regulation will be building programs under time pressure against adversaries who have had years of access and are watching the remediation unfold. The companies that got ahead of it will treat an incident as a recoverable business event rather than a governance failure.
There is a reason the Bletchley Park speech was delivered at Bletchley Park and not in a Whitehall conference room. The message encoded in the venue is: the last time we faced a structural threat at this scale, the response that worked was not incremental. It was a commitment that looked, at the time, almost disproportionate. Until it became obviously exactly right.
"Ten times more urgency."
That is not the language of a budget conversation. It is the language of someone who has seen the signals and concluded that the current posture is not a minor miscalibration.
It is the language of someone who knows the window is closing.
The adversaries have been patient. Seven years inside the wiring, in some cases. They are not waiting for a war to be declared. They have studied the Ukrainian playbook. They know exactly how pre-positioned access gets activated — and they know it works. The question every board must answer is what their organization has done, since 2021, to make that moment harder to execute. Not someday. This quarter.
Cloudskope advises PE deal teams, operating partners, and portfolio company boards on exactly this exposure — pre-close cyber due diligence that catches living-off-the-land pre-positioning, hold-period vCISO programs built for the threat environment that actually exists, and exit-readiness assessments that don't leave the acquirer holding seven years of undetected access.