Are We Ready for 2026? Top Cyber Predictions on Policy, Tech, and Threats

Show Notes

Cyber Focus kicks off 2026 (and its 100th new episode) with rapid-fire predictions from McCrary Institute senior fellows. They flag big policy inflection points—especially whether Congress can reauthorize “CISA 2015,” sustain information-sharing protections, and keep state and local cybersecurity funding on track. Tech-wise, the group focuses on AI’s accelerating integration, the “speed” divide between defenders and adversaries, and emerging pressures across connectivity and infrastructure. On threats, they warn about deepfake-driven social engineering, ransomware that’s getting faster and more accessible, “typhoon” intrusions, and the compounding risk of encryption and security tech debt.

Main Topics Covered

• CISA 2015 reauthorization, information sharing, and state/local cyber funding priorities.
• Cyber offense and deterrence: shaping adversary behavior by imposing real costs.
• AI everywhere: faster attacks, faster defense, and higher infrastructure stakes.
• Convergence and connectivity: data centers, wireless, subsea cables, satellite, and scale.
• Deepfake social engineering and shrinking ransomware dwell times in 2026.
• “Typhoon” intrusions, critical infrastructure exposure, and major-event targeting pressure.

Key Quotes

“What I believe is going to overtake identity just in general is deep fake social engineering. And that means the calls that look like your CEO that tell you to get on an urgent call right now… I think I’d click on that if I didn’t know better. And a lot of us in the security realm would.” — Cynthia Kaiser

“We’re actually getting the broader dividing line between haves and have nots… If you can’t move fast, you’re going to need to find someone who can… If you’re someone that can’t receive new information and immediately improve your defensive posture, you’re probably a have not.” — Matt Hayden

“We’re seeing and hearing that the US government is interested in taking the fight to the adversaries… shaping the adversary’s behavior is important because it slows them down, it imposes costs on them, and perhaps it could lead to deterrence.” — Christopher Roberti

“I started with China and I’m going to end with China… making sure again, we don’t take our eye off the ball that wow, there may be reasons to make deals economically with China. We have to treat them as a potential adversary.” — Bob Kolasky

“At the end of the day, I look at as the typhoon epidemic—Salt, Vault… What is the next typhoon we’re going to uncover in 2026 that’s going to be driving our cybersecurity defense measures?” — Bill Evanina

Relevant Links and Resources

https://mccraryinstitute.com/directory/senior-fellows/

Transcript

1
00:00:00,000 –> 00:00:01,000
Frank Cilluffo [00:00:02]: Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. And welcome to a new year and a new season and our 100th new episode of Cyber Focus. This week we did something a little different. At a recent holiday gathering, we pulled aside some of our senior fellows to answer three simple questions. What policy, what technology, and what threat matters most in 2026? You’ll be hearing from Cheri Caddy, Mike D’Ambrosio, Bill Evanina, Laura Galante, Lauren Goldman, Matt Hayden, Cynthia Kaiser, Ali King, Bob Kolasky, Christopher Roberti and Anna Sarneck. I hope you enjoy their insights and I’m glad you’re with us.

2
00:00:01,000 –> 00:00:02,000
Bob Kolasky [00:01:00]: I think the policy issue that’s going to matter the most is whether the administration can continue the commitment to build up our cyber defenses and other defenses against the potential conflicts with China. So what I am particularly focused on is as we work through trade negotiations between the US And China, that we don’t see degradation of the actual security and supply chain risk management practices in place for addressing some of the risks that Chinese government and Chinese influenced technology impacts.

3
00:00:02,000 –> 00:00:03,000
Matt Hayden [00:01:33]: My biggest struggle with policy issues is actually getting policy passed. We’ve hit an odd period in time in which Congress hasn’t really had the stomach for a lot of necessary cyber adjustments or candidly cyber bills. So when we look at things like information sharing and liability protection under CISA 2015, when we look at things like what if CIRCIA needs a tweak or two to make it modernized and effective after the rule-making process goes its way, those are the types of things that we don’t have a lot of faith that the current lawmakers are willing to take this up and address, let alone get a CISA director in place. So my biggest concern with policy issues is actually non policy. So to the extent that we don’t get these necessary changes, legislative actions, we’re actually looking down the barrel of an America that’s less safe.

4
00:00:03,000 –> 00:00:04,000
Lauren Goldman [00:02:23]: I would say that the policy issue, at least that I’m focused on and the one that I’m watching, you know, with bated breath, is the reauthorization of CISA 2015. And I’m probably one of many people who are focused on that. But I think that and you know, the funding for state and local is, you know, the things that we should really be looking out for and hopefully reauthorizing. I know we have a continuing resolution right now and so we got it all the way through January, but my hope is that there will be some kind of reauthorization of that, hopefully maybe even a rename, because it’s very confusing, CISA 2015, because everyone thinks you’re thinking, talking about the agency. So I think CISA 2015, because I, you know, during the shutdown, I was really worried about how much was happening behind the scenes, and companies didn’t feel safe reporting on that because they didn’t have the protections that CISA 2015 provided them. And I think the only way we’re going to win against ransomware and other cybercrime is by sharing information and sharing intelligence.

5
00:00:04,000 –> 00:00:05,000
Mike D’Ambrosio [00:03:24]: To me, the Cyber Information Security Act, getting that sort of resolved permanently, right, is important, continuing to not lose the traction that we’ve had with the collaboration between the private and public sector. So I think that there’s a lot of fear within the private sector on how that’s going to shake out and whether it will shake out and what that means. So I think getting that resolved this year is going to be important. But there’s a lot of cyber policies that I think are going to be important. I think some of the workforce issues, I think some of the grants, the state and locals, if the administration wants to focus on sort of pushing things down and cybersecurity down to the state level, then I think it even makes the grants to state and locals that much more important.

6
00:00:05,000 –> 00:00:06,000
Christopher Roberti [00:04:05]: One of the most dramatic shifts we might see is more aggressive posture that the US government has telegraphed that it may pursue against cyber threat actors. So, in essence, we’re seeing and hearing that the US government is interested in taking the fight to the adversaries and really looking at cyber offense as an important toolkit in its ability to deter and defeat cyber adversaries. What we need to understand is that shaping the adversary’s behavior is important because it slows them down, it imposes costs on them, and perhaps it could lead to deterrence, which is the ultimate goal.

7
00:00:06,000 –> 00:00:07,000
Cheri Caddy [00:04:43]: So I’ve been working in control systems and operational technology for about a decade now, and so I’m super enthusiastic about this area as a place where we can really make a lot of progress. And I say this every year that the time for operational technology has come, but I really feel like it has this year. We’re starting to see more policymakers understand and talk about operational technology, realize that it’s something different than information technology. We’re starting to see more coherent mentions in legislation. The WIMWIG mentions operational technology and edge devices and IoT, understanding that that’s a different category of activity. So there’s just so many concerning and unique threats with operational technology and control systems. The ability for adversaries to have effects, cyber effects in the United States has been talked about in the US Intelligence community’s annual threat assessment for five years now. And I think that we really, really need to marshal both policy, technology, emerging technology like applied machine learning and AI to get after operational technology and control systems.

8
00:00:07,000 –> 00:00:08,000
Cheri Caddy [00:05:50]: It is literally the thing that underpins everything in our lives. So I really feel like the time has come and 2026 is going to be the year that we see some major policy moves in this area and we start to really tackle what is going to be a multi year problem.

9
00:00:08,000 –> 00:00:09,000
Bill Evanina [00:06:04]: I think policy issues in 2026 are going to be robust and really important for three areas. Number one will be data privacy and governance. How are we going to match any type of data policy with the speed and viciousness of which AI is being promulgated? Number two is going to be Internet of Things. Is there going to be an opportunity in Congress or the administration to drive some type of basic fundamental security for Internet of Things as our nation state threat actors and criminals continue to try and break in and cause mass havoc in our civil society.

10
00:00:09,000 –> 00:00:10,000
Laura Galante [00:06:41]: In 2026 we’re going to see a lot of discussions around convergence. From data centers to fixed telephony, wireless, subsea cables, satellite, all of the interconnectivity that is increasingly changing the speed and scale of how companies can implement AI, how different interconnections can work globally. All of this activity is going to really focus on how do you build out technology systems, partnerships, security apertures that really focus on faster and more effective and more efficient connectivity across the globe.

11
00:00:10,000 –> 00:00:11,000
Matt Hayden [00:07:16]: When we look at technology shifts, we’re actually looking at the measure of speed. And so we’re actually getting the broader dividing line between haves and have nots. Whether that’s offense or defense, if you can’t move fast, you’re going to need to find someone who can. And so when it comes to defensive practice, if you’re someone that can’t receive new information and immediately improve your defensive posture, you’re probably a have not. And that is going to be a 2026 challenge where people are starting to look at themselves and figure out what do I need to hand off to someone who can practice at speed these real time interpretations of threat, real time actions, and AI is going to play a big part in this. But we’re also talking about making sure we have all of our practices up to speed at a policy and an industry level. And so that’s going to take a lot of work.

12
00:00:11,000 –> 00:00:12,000
Matt Hayden [00:08:04]: And so matching speed for speed is going to be our largest technology hurdle coming up.

13
00:00:12,000 –> 00:00:13,000
Lauren Goldman [00:08:08]: So in 2026, the technology shift I think that’s going to be interesting is all of the different ways that people are going to use AI and other tools. I know AI is always the easy answer, but I think just using other tools that will help them become more capable, faster, kind of scale of attacks, those are the things that I think we’re going to see more of. I mean, I think only in the last few months have we seen actual AI used for an attack. And I think we’re just going to see more and more of that. So my hope is, is that we will find ways to counteract that. But I think it’s one of those things that we’re going to have to look at from a technology perspective.

14
00:00:13,000 –> 00:00:14,000
Mike D’Ambrosio [00:08:44]: Listen, at least from my perspective and looking at different companies, obviously artificial intelligence is the buzzword, but it’s not just artificial intelligence. It’s really going to be how it’s utilized. We’re seeing it transform business processes. We’re seeing businesses utilize it, the cybersecurity tools. Its ability to sort of aggregate the volumes of data and provide insights is going to be increasingly important over the next two to three years.

15
00:00:14,000 –> 00:00:15,000
Bob Kolasky [00:09:12]: We are talking about AI, AI, AI, right, so it continues to be how quickly artificial intelligence gets integrated into critical functions. We’re at the McCrary Center, how does artificial intelligence get integrated into cybersecurity, into the use of actually cyber defense? To what extent does artificial intelligence present an offensive cyber risk? At the same time, the general enablement of artificial intelligence means a reliance on critical infrastructure, data centers, energy. You know, I want to be thinking about a smart build out in critical infrastructure to support taking advantage of artificial intelligence and not introducing too much risk associated with artificial intelligence.

16
00:00:15,000 –> 00:00:16,000
Bill Evanina [00:09:52]: I see it in like four buckets. Number one, 5G to 6G. Where are we strategically as a nation from Congress, the administration, and where are we going to be implementing new changes from get 5G to 6G to continue to be competitive with China, not only domestically but around the world? I also look at that policy from an AI perspective, ML. Are we going to start to include security and the human aspect of teaching humans how to use AI and emerging technologies? And the last will be quantum. Where are we in the movie on quantum and are we ready for 2026 quantum being really important. And lastly, energy. Do we have the opportunity to understand the technology rise from energy domestically and globally to support AI Development.

17
00:00:16,000 –> 00:00:17,000
Ali King [00:10:46]: So in 2026, I predict the cyber threat that will matter most is going to be around our tech debt as it relates to encryption. And so we really struggle with having a comprehensive understanding of what assets matter the most to us and then being able to determine in real time by endpoint, the level of encryption that we have running on those assets, if any at all for OT. And so moving forward, there needs to be a national crypto modernization plan rollout to include clear objectives and milestones. We need to have ability to prioritize high value assets and then mandatory inventory. And all of that has to come with resources because policy by itself does not solve anything.

18
00:00:17,000 –> 00:00:18,000
Anna Sarnek [00:11:32]: So I think when we think about threat, it’s really easy to focus on the new innovative technology that’s coming. For the past couple of years it’s been AI, recently agentic AI. Now more and more focus is being shifted to what about space, what about quantum? But really a lot of this security comes down to do you have the fundamentals in place as it comes to asset management, identity, access, control, your data, which is now very critical with AI. So I like to think about it in the context of do you have your protect surface defined rather than what the industry tends to focus on from the attack surface perspective. Where my challenge comes is we still aren’t there yet in the conversation where when a board sits down at the private sector level, you’re starting by defining what are my critical assets that are generating revenue? For a majority of the private sector today, that’s data. Because for the most part it’s really fundamental. And what’s accelerating that threat is, is the fact that through AI and quantum, the compute power is increasing. So the tech debt, the security debt that you’ve had now is just so much faster exploited at much larger scale.

19
00:00:18,000 –> 00:00:19,000
Cynthia Kaiser [00:12:43]: We’ve seen and talked a lot about identity being a way in which actors are compromising systems, right? It’s the initial way they get in, they compromise logins, passwords, your single sign on, something along those lines. I think as we see some of these AI advancements occurring, what I believe is going to overtake identity just in general is deep fake social engineering. And that means the calls that look like your CEO that tell you to get on an urgent call right now and here’s the link coming at employees across the US where I think I’d click on that if I didn’t know better and a lot of us in the security realm would. And they think about that times millions and millions of people, I have a lot of concerns that that’s really the shift and like threat, right, that we’re going to be facing as we go throughout 2026.

20
00:00:19,000 –> 00:00:20,000
Cynthia Kaiser [00:13:35]: AI is making ransomware operations more accessible to a wider swath of actors who maybe couldn’t do it in the past. It doesn’t mean they’re better operations, it means there’s more actors. So I think ransomware is going to increase in the amount of attacks. And we’re already seeing the speed of these attacks go from weeks and weeks to 24 hours or just hours, which means the dwell time, the like identification time that all of our security people thought they had, they don’t have anymore.

21
00:00:20,000 –> 00:00:21,000
Matt Hayden [00:14:07]: So cyber threat is going to be in a myriad of ways. The adversary is going to come wherever we think we’re the least targeted, but they’re also going to hit us really hard in identity. So we have this challenge where edge devices get compromised, they collect credentials, they look to establish persistence. That’s not going to go away anytime soon because as we’ve seen edge devices are still very, very vulnerable. So as long as that is a practice of the adversary, we’re going to start to see that still compelled. I think a lot of the traditional malware strains are going to get more advanced as they start to learn how to move laterally and do interesting things in a smaller package with more AI based compiled and lessons learned. That’s going to be something we’re going to have to keep an eye on. But leveraging machine based authentication, like those machine accounts that currently do a lot of the work on the back end, are probably going to need dedicated agents to really take that threat down.

22
00:00:21,000 –> 00:00:22,000
Matt Hayden [00:15:01]: And then we always have the operational technology or OT land.

23
00:00:22,000 –> 00:00:23,000
Mike D’Ambrosio [00:15:04]: Listen, from my perspective and my background from the Secret Service, I still think what I call complex cyber enabled fraud is a huge vector and a problem for the United States. Listen, we have problems with espionage and pre positioning with nation state actors, but at the end of the day, what’s probably at least the most prevalent is complex cyber enabled fraud. And again going back to my last comment on artificial intelligence, that’s only going to sort of enable that to occur at scale with more complexity and more challenges.

24
00:00:23,000 –> 00:00:24,000
Lauren Goldman [00:15:35]: In terms of threats, I continue to look at critical infrastructure and see what kind of attacks are having on critical infrastructure, water, power. We have a lot of major events coming up in the United States. I think there’s a big target for cybercrime and cyber actors on say the World Cup. Ransomware continues to be something that we’re all struggling with and something that companies are having to figure out a way to combat and a lot of them do not have the tools for that. So same thing with municipalities. There’s, you know, small to medium sized businesses, municipalities, they’re all under threat from both nation state actors and you know, cybercrime. So that’s kind of the, the biggest threat I think is how do we empower all of these smaller companies, these smaller municipalities who are protecting our critical infrastructure on a daily basis, enabling the American way of life, if you will.

25
00:00:24,000 –> 00:00:25,000
Lauren Goldman [00:16:27]: How do we help them so that they can protect against these threats?

26
00:00:25,000 –> 00:00:26,000
Bob Kolasky [00:16:31]: You know, I started with China and I’m gonna end with China in terms of, I tend to worry about things that are big risks and big threats and the potential geopolitical conflict with a near peer nation state adversary has to be on the top of the mind from a strategic degree. And so making sure, again, we don’t take our eye off the ball that, wow, there may be reasons to make deals economically with China. We have to treat them as a potential adversary from a national security perspective. We have to be ready to deal with that.

27
00:00:26,000 –> 00:00:27,000
Bill Evanina [00:17:00]: From a CyberSecurity perspective in 2026, I look at it as in three different buckets. Number one, Internet of Things, we are still weak and vulnerable in that space. Ransomware will continue to be a viable vulnerability for businesses and people, especially with the promulgation of AI driven business email compromises are continue to grow from a nation state perspective. But at the end of the day, I look at as the typhoon epidemic Salt, Volt type. What is the next typhoon we’re going to uncover in 2026? That’s going to be driving our cybersecurity defense measures in 2026.

28
00:00:27,000 –> 00:00:28,000
Frank Cilluffo [00:17:33]: Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners. Drop us a line if you have any ideas in terms of topics, themes or individuals you’d like for us to host. Until next time, stay safe, stay informed and stay curious.