On January 1, 2026, the World Economic Forum published its Global Cybersecurity Outlook identifying three forces that would define the year: AI acceleration, geopolitical fragmentation, and widening cyber inequity. Six months later, each of these forces has manifested in specific, documented, consequential events that have altered the cyber order in ways the January report could describe but not yet name. This is a midyear accounting.
By Vladimir Tsakanyan, PhD · Center for Cyber Diplomacy and International Security · cybercenter.space
The first half of 2026 has been the most consequential six-month period in the history of AI and cybersecurity governance — not because any single event was unprecedented in isolation, but because the volume, velocity, and interconnection of consequential developments exceeded what any prior period has produced. A US president cancelled and then signed an AI executive order within eleven days. The same administration suspended and then partially restored access to a frontier AI model through export control authority, within fifteen days of the suspension. A Five Eyes joint advisory warned, in public and in the plainest language such advisories use, that cyber risk assumptions could become outdated in months. Two quantum executive orders set binding timelines that placed the offensive capability target in 2028 and the defensive migration deadline in 2030-2031, with the margin between them narrower than any prior government assessment had acknowledged.
Beyond the United States: the European Commission was breached twice in ninety days. Singapore mounted its largest-ever cyber counteroperation to evict a China-linked actor from all four of its major telecommunications providers. Russia’s FortiBleed campaign exposed 86,644 working credentials across 194 countries from a vulnerability patched in 2022. Norway signed the Pax Silica initiative the day before the United States flew its most critical technology executives to Beijing for a summit with President Xi. And the UN Global Mechanism — the first permanent multilateral forum for cyber security — held its organisational session and scheduled its first substantive plenary for this month.
What follows is an assessment of where the six principal dynamics of the first half of 2026 leave the cyber order as the year enters its second half.
One: The AI Governance Inversion
The dominant story of the first half of 2026 in AI governance is not the legislation that was proposed or the executive orders that were signed. It is the inversion of the expected governance sequence — the emergence of enforcement before framework, precedent before rule, and bilateral negotiation before multilateral norm.
The voluntary AI executive order of June 2 established a pre-release review expectation without legal obligation. The export control directive of June 12 — issued three days after a frontier model’s public launch, suspending it globally, based on an undisclosed intelligence assessment, without published criteria or advance notice — was operationally more consequential than the voluntary framework and less predictable than any published regulatory standard. The partial restoration of June 27, creating a “trusted tier” of access with undisclosed eligibility criteria, established the operational precedent that has now been adopted by OpenAI in its GPT-5.6 staggered rollout.
<cite index=”8-1″>The White House’s stated policy is to promote AI innovation and security by working collaboratively with the private sector to modernise government and private sector information systems, protect American ingenuity from adversary exploitation, and cultivate America’s advanced AI-enabled capabilities.</cite> The mechanism through which this policy has been operationally implemented in the first half of 2026 is not the collaborative framework that language implies. It is export control authority, applied case by case, with trusted-tier access as the operational currency.
The Great American Artificial Intelligence Act discussion draft, introduced June 4, proposes a structured alternative: mandatory risk frameworks, IVO audits, and a formal pre-release review process. Its status as a discussion draft without an enactment timeline means the voluntary-then-enforcement architecture will govern frontier AI deployment for the remainder of 2026 regardless of the legislative debate’s outcome. The second half of the year will be shaped by whether the trusted-tier precedent is formalised into a coherent published standard, or whether it continues to function as an undisclosed access control mechanism exercised through bilateral negotiation.
Analyst note
The AI governance inversion has a specific geopolitical consequence that the domestic policy debate has not fully absorbed. <cite index=”9-1″>Geopolitics remains the top factor influencing overall cyber risk mitigation strategies, with 64% of organisations accounting for geopolitically motivated cyberattacks.</cite> Allied governments whose defensive cybersecurity operations depend on access to US frontier AI capability have experienced, in the first half of 2026, a live demonstration that such access is revocable without consultation and restorable on conditions they do not set. The alliance management implications of this demonstration will shape how allied governments approach their own AI infrastructure investment decisions in the second half — specifically, how much dependency on American AI capability they are willing to accept given the conditionality the Mythos 5 episode has made visible.
Two: The Rules-Based Order in Retreat
The Trump administration’s March 2026 Cyber Strategy — seven pages, no named adversaries, no international engagement commitments, and an explicit preference for offensive capability over normative governance — marked the most significant withdrawal of the United States from the multilateral cyber governance framework since that framework’s construction began with the first GGE reports in 2010.
The consequences of this withdrawal are not primarily domestic. They are structural in the international governance architecture. The UN Global Mechanism — which held its organisational session in March and will convene its first substantive plenary this month — is meeting without the active multilateral leadership of the state that created the normative framework the mechanism has inherited. Russia and China, whose consistent objective has been to redirect the UN cyber governance process toward state sovereignty over digital infrastructure and away from norms constraining state offensive behaviour, find the US posture in 2026 significantly less resistant to that redirection than it was under the Biden administration’s active multilateral engagement.
The seven-page Trump Cyber Strategy is not, in isolation, the abandonment of the rules-based cyber order. It is the most visible indicator of a broader shift in US posture whose cumulative effect — reduced CISA institutional capacity, reduced multilateral engagement, reduced consistency in allied cyber coordination — is to create a governance vacuum that the states most invested in its exploitation are best positioned to fill. <cite index=”2-1″>The convergence of geopolitical instability and AI has become the primary driver of systemic risk, necessitating a shift toward verifiable digital sovereignty and architectural resilience.</cite> The shift toward digital sovereignty is, in part, a response to the reduced reliability of the American security guarantee in the cyber domain — allies investing in their own capacity because the US framework’s dependability has declined.
Three: The Institutional Erosion and Its Consequences
CISA — the agency whose operational effectiveness is the foundation of US critical infrastructure cybersecurity — entered 2026 having lost more than a third of its workforce, with most of its senior leadership replaced and its budget reduced by approximately $500 million. The first half of 2026 produced multiple documented consequences of this institutional condition.
The Private-CISA repository, discovered in May 2026, sat publicly accessible for six months on a commercial code hosting platform — containing administrative credentials for three AWS GovCloud environments, cryptographic keys, and documentation of CISA’s internal software development architecture — and was identified not by CISA’s own monitoring systems but by a private sector firm’s automated scanning. The agency’s acting director was reassigned in February after uploading sensitive files to ChatGPT, the week before the AI cybersecurity strategy it nominally guided was published. Both incidents reflect an institution managing its national security responsibilities with institutional capacity below what those responsibilities require.
The FortiBleed campaign, which exposed 86,644 working credentials from a vulnerability patched in 2022 through a sustained campaign of 1.16 billion credential attempts, was addressed through a CISA emergency advisory whose compliance requirement — comprehensive credential rotation across affected environments — exceeds the operational capacity of many of the organisations that received it. <cite index=”5-1″>Confidence in national cyber preparedness is slipping, with 31% of survey respondents reporting low confidence in their nation’s ability to respond to major cyber incidents, up from 26% last year.</cite> In the United States, the institutional basis for that confidence has been materially reduced by deliberate policy decisions whose reversal is not currently under active consideration.
The June 2 AI executive order directed CISA to issue Binding Operational Directives within 30 days to expedite cyber defence of federal government systems and facilitate access to AI-enabled defensive tools and frontier models for agencies, state and local authorities, and critical infrastructure operators. Whether an institution at reduced capacity can implement directives of this scope within the specified timelines, while simultaneously managing the credential rotation requirements of the FortiBleed emergency advisory and the post-quantum cryptography migration planning the June 22 executive order has mandated, is a question whose answer will become visible in the second half.
Four: The Commercial Infrastructure Vulnerability
The first half of 2026 has provided the clearest evidence yet that the primary attack surface of contemporary state-sponsored operations is not government networks — which are, by design, more hardened than most commercial alternatives — but the commercial infrastructure on which government operations depend.
The March 2026 Iranian drone strikes on AWS data centers in the UAE — the first confirmed kinetic attack on hyperscale cloud infrastructure — demonstrated that the dual-use reality of commercial cloud (banking applications and military intelligence workloads coexisting on the same physical infrastructure) has become a targeting rationale. The Singapore CYBER GUARDIAN operation revealed that China-linked actors had achieved persistent access to all four major Singaporean telecommunications providers simultaneously, using an eleven-month counteroperation to achieve complete eviction. The April vendor compromise that simultaneously exposed 3.4 million customer records from Citizens Financial and 250,000 from Frost Bank through a single shared document processing supplier demonstrated the supply chain entry point that requires no penetration of either target’s own infrastructure. <cite index=”3-1″>The growing dependency on a small number of critical digital providers remains a concern for cyber leaders, as it amplifies concentration risk across the ecosystem.</cite>
The governance response to commercial infrastructure vulnerability is the dimension of 2026’s cybersecurity policy that has received the largest number of distinct regulatory instruments: the EU Cloud and AI Development Act (June 3), the post-quantum cryptography executive order’s critical infrastructure provisions (June 22), the AI cybersecurity clearinghouse established by the June 2 AI executive order, and the Great American Artificial Intelligence Act’s open-source security grant provisions. The institutional capacity to implement these instruments simultaneously — across the regulatory bodies, the companies, and the infrastructure operators that each instrument addresses — is the constraint that will determine whether the regulatory ambition of the first half translates into operational resilience in the second.
Five: The Quantum Timeline Compression
The most consequential strategic development of the first half of 2026 is one that produced no breach, no advisory, and no visible incident: the compression of the quantum computing capability timeline relative to the post-quantum cryptography migration timeline.
The Trump administration’s June 22 quantum innovation executive order set a 2028 target for a commercially relevant quantum computer. The same day’s post-quantum cryptography executive order set 2030 and 2031 deadlines for federal agency migration to quantum-resistant standards. Google’s internal planning estimate places cryptographically relevant quantum computing in 2029. The Cloud Security Alliance estimates Q-Day — the moment at which a quantum computer can break current public-key encryption at operational scale — in April 2030.
These numbers, read together, describe a margin between the offensive capability’s potential arrival and the defensive migration’s required completion that is measured in months rather than years — and that assumes both the offensive capability develops on schedule and the defensive migration completes on schedule, with no delays in either direction. <cite index=”10-1″>AI vulnerabilities are accelerating at an unprecedented pace, with 87% of respondents identifying AI-related vulnerabilities as the fastest-growing cyber risk.</cite> The same acceleration dynamic applies to quantum capability development: the 2028 government target is more aggressive than most independent assessments, and the migration timeline faces implementation challenges — cryptographic inventory complexity, skills gaps, vendor dependency — that the executive orders acknowledge without resolving.
The harvest-now-decrypt-later archives assembled by sophisticated state actors are growing with every day that sensitive communications traverse quantum-vulnerable encryption. The first half of 2026 established the policy framework for addressing this dynamic. The second half must produce the operational implementation — the pilot completion, the agency migration leads’ appointment, the cryptographic inventories — before the policy framework’s binding deadlines make the implementation gap visible in regulatory consequences.
Six: The Fragmentation of the International Digital Order
The most structurally significant development across the entire first half of 2026 is one that appears not in any single incident but in the aggregate of the developments this series has documented: the progressive fragmentation of the international digital order into discrete, governed-differently, interoperating-less-well ecosystems whose trajectory is toward further separation rather than convergence.
Pax Silica has grown to fifteen members, building a minerals-to-models supply chain architecture among trusted allies that explicitly excludes China. The EU Cloud and AI Development Act has established a four-tier sovereignty framework that places US hyperscalers outside the highest assurance tiers for European public sector work. The Trump administration’s Cyber Strategy has withdrawn US active engagement from the multilateral normative framework that the UN Global Mechanism is now attempting to sustain without its primary architect. China’s influence operations have targeted US domestic debates about AI infrastructure as a competitive instrument. The Armenia-Azerbaijan telecom agreement — two companies routing internet traffic across a border that politics has not formally reopened — represents the exception that illuminates the rule: infrastructure normally follows the politics, and the politics of 2026 is toward fragmentation.
<cite index=”4-1″>Geopolitical realignment, the weaponisation of critical supply chains, and the rapid diffusion of generative AI are redefining what it means to manage exposure. Those that integrate geopolitical, operational, and digital intelligence into a unified resilience strategy will be best positioned to navigate the uncertainty of 2026.</cite> The organisations and governments best positioned for the second half are those that have understood the first half not as a series of discrete incidents but as the expression of a structural condition: a digital order fragmenting under the combined pressure of great power competition, AI capability acceleration, and the progressive failure of multilateral governance frameworks to operate at the speed the environment requires.
What the Second Half Requires
The six dynamics assessed above produce a set of specific requirements for the second half of 2026 — not predictions, but the logical continuation of the trajectories the first half has established.
The AI governance trajectory requires the trusted-tier access framework to be formalised into published criteria or to generate a legislative alternative through the GAAIA process — the current opacity is sustainable for a single episode but not for the industry-wide standard it is becoming. The multilateral governance trajectory requires the UN Global Mechanism’s July substantive plenary to produce something more operationally useful than the declaratory commitments the OEWG process generated — a test the mechanism’s early sessions have not yet been subjected to. The institutional capacity trajectory requires CISA to demonstrate, through the implementation of its June 2 directive responsibilities and the FortiBleed advisory’s remediation framework, that an institution at reduced staffing can perform the oversight functions its national security responsibilities require.
The quantum timeline trajectory requires the Commerce Department pilot completion by December 31, 2027 — eighteen months from now — to proceed with the urgency that the proximity of the capability and migration timelines demands. The commercial infrastructure trajectory requires the third-party risk governance frameworks that multiple regulatory instruments have mandated to be implemented with the operational specificity and continuous monitoring discipline that the 2026 vendor compromise record has demonstrated is the only adequate response. And the fragmentation trajectory requires allied governments to develop, in the second half, their own clear-eyed assessment of the access conditionality that American frontier AI capability now carries — and to make their digital sovereignty and resilience investments accordingly.
Bottom Line Assessment
The first half of 2026 has produced a cyber order that is simultaneously more capable and more fragile than the order that existed at the start of the year. More capable because AI-enabled defensive tools have demonstrated genuine value in vulnerability identification and threat detection; because the quantum policy architecture has been formalised at a level of specificity without precedent; and because the governance failures of the first half have produced regulatory responses whose ambition, if implemented, would address real structural vulnerabilities. More fragile because the institutional capacity to implement those responses has been reduced precisely when the threat environment’s demands on that capacity are highest; because the multilateral framework that previously constrained adversary behaviour in cyberspace has been weakened by its primary architect’s withdrawal; and because the fragmentation of the international digital order is proceeding faster than any governance mechanism is moving to address it.
<cite index=”9-1″>Cybersecurity has become a defining frontier where technology, geopolitics, economics, and societal trust intersect. While the threat landscape is accelerating, one message stands out clearly: collaboration remains not only possible, but powerful. Disruptions now move across borders at unprecedented speed, while innovation promises resilience — if governance, skills, and cooperation can keep pace.</cite>
The first half of 2026 has established what the cyber order is. The second half will establish whether the governance architecture being constructed is adequate to sustain it.
Midyear Assessment · AI Governance · Quantum Computing · CISA · Geopolitics · Pax Silica · UN Global Mechanism · Frontier AI · Cyber Order · Digital Fragmentation · Vladimir Tsakanyan


Leave a comment