
Recovery Speed Wins the Next Cyber Conflict in 2026

In 2026, I believe federal cybersecurity will be defined by an increase in destructive attacks engineered to bypass modern defenses and disrupt national operations. Adversaries will exploit insider access, software supply chains, and legacy dependencies to compromise trusted systems at scale. As prevention alone cannot stop attacks, resilience and recovery by design will emerge as core measures of national security, deterrence, and government trust. 

I also believe adversaries will exploit commercial and open‑source software supply chains by embedding malicious logic and leveraging insider access. Adversaries, often state-linked, systems-focused engineers, will accelerate long-term infiltration efforts through weaknesses across a target’s people, processes, legal frameworks, and technology stacks. We will then see them compromising trusted systems and exposing entire networks through a single weak link.

Surveys indicate that 75% of organizations reported at least one software supply chain attack in 2025, and third‑party breaches now account for about 30% of all data breaches. At the same time, attackers are exploiting new vulnerabilities faster, with more than 32% of known exploited vulnerabilities in early 2025 being attacked on or before public disclosure, underscoring how quickly tainted code or exposed flaws can be weaponized across open‑source ecosystems.

Recovery by Design

Governments will also deploy isolated, tamper-proof recovery systems that preserve clean, verified copies of critical data. Immutable systems allow responders to restore operations even if attackers attempt to corrupt backups. Rather than focusing only on bringing systems back online, security teams will measure success by how quickly essential services can be rebuilt from trusted data. The shift is captured in metrics like cyber Recovery Time Objective (RTO).

A core prediction this year is that RTO will be viewed as a mark of national maturity. Federal leaders will also approach resilience as an integral part of their architecture, not a mere afterthought, by stress-testing infrastructure, preparing leaders for worst-case scenarios, and designing operations to withstand attacks.

Systems built to recover accept that disruption will happen and prioritize system resilience; weak systems pretend it won’t or can’t happen. Sadly, 2025 showed far too many federal systems are in the latter category. By planning for recovery, governments will signal to citizens, allies, and adversaries that they can experience a disruption without spiraling into chaos or institutional failure.

Resilience therefore becomes a strategic advantage. It limits damage, maintains public trust, and discourages attacks that depend on fear and system collapse. 

Lastly, rapid recovery will be the defining measure of national security and military dominance on the global stage. Addressing a major gap in our cyber deterrence strategy will also start to become a priority: denying the adversary the benefit of a disruptive attack is the missing piece of that strategy.

In practice, this reflects a reality where ransomware and destructive attacks regularly disrupt critical infrastructure and government networks, driving costly outages and public disruption. This invites adversaries to disrupt our critical infrastructure and national security systems until we take action.

The 2026 National Cybersecurity Strategy

The FBI has reported that the Play ransomware group has breached approximately 900 organizations worldwide, including governments and critical infrastructure. As hackers like Play evolve toward more destructive, operationally disruptive attacks, policymakers will reframe cyber defense around resilience, prioritizing rapid recovery and continuity of operations. I believe we’ll see this shift in the forthcoming 2026 national cybersecurity strategy, which is projected to emphasize deterrence by force (a shift I hope we will see in the final strategy), infrastructure resilience, and the ability to withstand and recover from sustained cyber campaigns.


The views expressed in these comments are those of the author and do not necessarily reflect the official policy or position of Rubrik. These comments are for informational purposes only and do not constitute business or legal advice. Organizations should consult with legal and compliance professionals to ensure their cybersecurity strategies meet all applicable federal, state, and international requirements.

Travis Rosiek currently serves as public sector chief technology officer (CTO) at Rubrik, helping government agencies become more cyber and data resilient. Rosiek is an accomplished cybersecurity executive with more than 20 years in the industry. His experience spans driving innovation as a cybersecurity leader for global organizations and CISOs to corporate executives building products and services. He has built and grown cybersecurity companies and led large cybersecurity programs within the Department of Defense (DoD). As a cyber leader at the DoD, he was awarded the Annual Individual Award for Defending the DoD’s Networks.

Prior to Rubrik, Travis held several leadership roles, including chief technology and strategy officer at BluVector, CTO at Tychon, federal CTO at FireEye, a principal at Intel Security/McAfee, and leader at the Defense Information Systems Agency (DISA). He has served on the National Security Telecommunications Advisory Committee (NSTAC) as an ICIT fellow and on multiple advisory boards.
