The Question
An "act of war" is a formal, weighty designation: it is the legal and political judgment that another state has attacked you, opening the door to a military response. In the physical world the line is usually obvious — a missile, an invasion. In cyberspace it has been kept deliberately vague. For years, attacks that would be unmistakable acts of aggression if delivered by bombs have instead been treated as espionage, crime, or "incidents," and answered with sanctions and indictments rather than force.
The question this forecast weighs is whether that ambiguity holds through the next several years, or whether an attack finally forces a government or alliance to name a cyber operation for what it is: an act of war. We assess it is more likely than not that the threshold is formally crossed by 2032 — not because attacks are new, but because they are growing bolder and creeping closer to the kind of physical harm that makes ambiguity politically impossible to sustain.
What the Evidence Shows
The history of serious state-linked attacks is long and escalating. Stuxnet, revealed in 2010, physically damaged Iranian nuclear centrifuges — malicious code causing real-world destruction. Ukraine's power grid was hacked in 2015 and again in 2016, cutting electricity to civilians. Russia's NotPetya in 2017 spread worldwide and caused an estimated $10 billion in damage. The SolarWinds espionage campaign (2020) burrowed into US government networks, and the 2021 Colonial Pipeline ransomware attack shut a major American fuel line, triggering shortages along the East Coast.
More recently, the pattern has shifted from theft toward positioning. "Volt Typhoon," a China-linked group exposed in 2023 and 2024, was found to have quietly embedded itself inside US critical infrastructure — not to steal data, but apparently to be ready to disrupt it in a future crisis. That is a qualitatively different posture: pre-placing the means of sabotage inside the systems that run power, water, and communications. Yet even this has not been called an act of war.
"A cyberattack could reach the level of an armed attack and trigger Article 5 — but the alliance deliberately keeps the threshold undefined."
— Summarizing NATO's stated cyber-defense posture (cyberspace recognized as an operational domain, 2016)The legal scaffolding exists but stops short of a clear line. NATO recognized cyberspace as an operational domain in 2016 and has said a sufficiently serious cyberattack could invoke Article 5, its collective-defense clause — while pointedly never defining what would qualify. The Tallinn Manual, an influential expert study, maps how existing laws of war might apply online, but it is guidance, not binding law. The ambiguity is not an oversight; it is a choice, meant to preserve flexibility and keep attackers guessing.
"The vagueness is the strategy. Attacks stay 'below threshold' precisely so no one has to call them war."
Why This Is Happening
The "gray zone" rewards staying just below the line. States have learned they can inflict real costs — disruption, theft, fear — without provoking a military response, so long as they never quite tip into unambiguous destruction. That gray zone is deliberately exploited: an attack calibrated to fall short of "war" gets sanctions, not soldiers. The incentive is to keep operations ambiguous, which is exactly why the threshold has never been crossed on paper.
Attribution is hard, and doubt buys deniability. Proving who launched an attack, to a courtroom standard, can take months, and attackers route through other countries and deny everything. A government cannot easily declare war over an act it cannot publicly and confidently pin on a specific state. This forensic fog is a major reason even severe attacks get treated as crimes or espionage rather than casus belli.
But the trend points toward physical harm. The trajectory — from data theft, to grid disruption, to pre-positioning inside critical infrastructure — moves steadily closer to attacks that kill or cause large-scale physical damage. If an operation ever causes deaths or cripples essential services during a crisis, the pressure to name it an act of war may become irresistible. That rising ceiling of harm is what makes formal recognition, over a multi-year window, more likely than not.
What Could Happen
An attack causing deaths or major physical damage — a crippled grid in winter, a deadly infrastructure failure — is publicly attributed to a state and officially declared an act of war by a government or alliance, breaking the long-standing ambiguity for the first time.
Attacks continue and even intensify, but states keep choosing to answer them with sanctions, indictments, and quiet retaliation rather than the loaded language of war, preserving the strategic vagueness that has held for over a decade.
A cyberattack is declared an act of war not on its own but as one component of a broader armed conflict already underway, folding the cyber dimension into a conventional war rather than standing alone as the trigger.
What Can We Do
Cyber conflict feels abstract until the lights go out or the fuel stops flowing. Because so much of the vulnerable infrastructure is ordinary — power, water, hospitals, pipelines — public understanding and basic resilience genuinely matter here.
Understand the "below threshold" game. Grasping that states deliberately keep attacks ambiguous — and why — is the key to reading cyber news clearly. It explains why a $10 billion attack can be met with an indictment rather than a war, and helps separate genuine escalation from routine friction.
Follow authoritative trackers. The US Cybersecurity and Infrastructure Security Agency (CISA) issues plain-language advisories, and CSIS's "Significant Cyber Incidents" list and the Council on Foreign Relations' Cyber Operations Tracker catalog state-linked attacks. These beat rumor and hype when a scary headline breaks.
Take basic digital hygiene seriously. Strong, unique passwords, multi-factor authentication, and prompt updates are unglamorous but collectively harden the systems attackers probe. Individual resilience aggregates into national resilience, and the softest targets often invite the boldest operations.
Support clearer international norms. Efforts to define what counts as an act of cyber-war — and to protect civilian infrastructure — are contested but worthwhile. Backing transparency and agreed red lines is a concrete, non-partisan way to make the gray zone a little less dangerous for everyone.
- NATO Cooperative Cyber Defence Centre of Excellence — Tallinn Manual 2.0
- US Cybersecurity and Infrastructure Security Agency (CISA) — Advisories, 2023–2024
- Microsoft — Digital Defense Report, 2024
- Council on Foreign Relations — Cyber Operations Tracker
- CSIS — Significant Cyber Incidents, 2024
- Forecast The World Research Desk — 800+ data sources