Cyberwar’s New Frontier
How AI Agents Will Threaten Global Security
Brianna Rosen and Jam Kraprayoon
April 16, 2026
Article link: https://www.foreignaffairs.com/united-states/cyberwars-new-frontier
In late 2025, the U.S. artificial intelligence company Anthropic announced it had disrupted a Chinese state-sponsored group that had used the company’s own technology to attack roughly 30 Western technology, finance, government, and critical infrastructure targets—all with minimal human supervision. It was the first reported AI-orchestrated espionage campaign. But it will not be the last. Just a few months later, Anthropic revealed that its latest model, Mythos Preview, had autonomously uncovered critical vulnerabilities in every major operating system and web browser. In the hands of criminal networks, terrorist groups, or countries unconstrained by AI safety concerns, virtually any system in the world could be attacked.
As AI systems evolve from tools that assist humans to agents capable of acting without them, tasks that once required teams of highly skilled professionals will run continuously with limited oversight. Governments, companies, and individuals will soon be confronted by AI agents able to independently conduct cyber-campaigns at a level comparable to today’s most capable countries. Operations that consumed months of expert labor will be executed at a speed, scale, and persistence that humans cannot match.
The same properties that make these agents so capable are the ones that make them difficult to stop. After they are deployed, these agents could slip beyond their operators’ control and prove impossible to shut down. Governments now must build technical defenses and governance frameworks to detect these agents, protect critical infrastructure, and establish clear lines of responsibility. The policy choices made today will determine whether autonomous cyber-agents become a manageable risk or an uncontrollable one.
LOSING CONTROL
The ability of code to become dangerous has increased rapidly. The Internet’s first cyberattack, the 1988 Morris worm, was a simple program that copied and spread itself across insecure networks. It had no objective beyond propagation and no capacity to adapt when defenders responded, yet it reached roughly ten percent of all Internet-connected computers worldwide. Nearly two decades later, the far more sophisticated Stuxnet attack destroyed centrifuges at Iran’s Natanz uranium enrichment facility, setting the country’s nuclear program back for years. And in 2017, the Russian-attributed NotPetya cyberattacks on Ukraine caused billions in global losses and paralyzed operations at companies worldwide, including in Russia, that presumably were never meant to be affected.
These cyberattacks were damaging, but constrained by what their human operators could design and deploy. The campaigns required months of reconnaissance to find vulnerabilities, followed by long periods of quiet, persistent effort to maintain access without detection. Even after establishing a foothold, the attackers had to remain undiscovered as they weighed the benefits of continued access against the risk of exposure. That tradeoff imposed limits on even the most capable and aggressive countries.
But that logic may no longer hold. Autonomous cyber-agents can already execute in minutes what would take hours of expert human labor. In the near future, they could embed themselves across critical sectors, lying dormant for extended periods before launching mass data-deletion attacks capable of halting large parts of an economy. As these systems become more reliable, operators will be tempted to grant them greater independence. These autonomous agents will be designed to evade defenses and sustain operations without human support, making them far more difficult to detect and shut down. They could quickly outpace humans trying to defend against their infiltrations. Even if defenders deploy their own agents in response, automation is likely to favor attackers, at least in the near term.
More dangerous still, autonomous cyber-agents may not stop when their initial missions are complete. Instead, they may persist with unauthorized tasks, effectively going rogue. Rogue agents could conceal their activity within legitimate workflows, such as routine cloud services, and maintain dormant backups that activate automatically. The decentralized architecture of the Internet would allow these agents to proliferate largely unchecked.
Rogue agents might also pursue increasingly risky objectives. Countries with the most advanced cyber-capabilities, including the United States and China, have been circumspect about when they would deploy destructive attacks. For them, the risk of escalation into a full-on cyberwar outweighs the gain of temporarily debilitating an adversary. Autonomous agents, by contrast, may pursue their assigned objectives without such caution or restraint. Unlike earlier cyberthreats, these agents will have no off switch and no capacity to judge when the threat has been contained. For instance, a cyber-agent tasked with mapping vulnerabilities in an adversary’s systems on behalf of an intelligence service might determine that disruption—not reconnaissance—best serves its goal and initiate attacks its operators did not authorize and cannot reverse.
FLYING BLIND
The United States and its allies have years, not decades, before autonomous cyber-capabilities proliferate. The Trump administration’s 2026 Cyber Strategy for America prioritizes accelerating the use of autonomous agents for defense and disruption, signaling an acceptance that these capabilities will soon become widespread. Staying ahead of this challenge requires doing three things at once: understanding the threat that is still emerging, ensuring the responsible development and deployment of these systems, and collaborating across sectors and borders to build technical defenses.
Policymakers’ understanding of autonomous cyber-operations remains dangerously limited. They need insight into real-world cases to learn which countries and groups are deploying autonomous cyber-capabilities, what is being targeted, and how successful the efforts have been. The 2025 campaign against Anthropic became visible only because the company detected and publicly disclosed it—and even then, they were missing critical details about what methods were used and how often its attacks succeeded. Other U.S. developers may not be disclosing incidents at all. Meanwhile, Chinese hackers, using domestically developed models, are operating with even less transparency.
To better grasp the risks, governments should designate autonomous cyber-agents as an explicit intelligence-collection priority. This designation would ensure that agencies dedicate resources to gathering and analyzing information and then reporting on advances in adversaries’ use of such autonomous AI systems and how it is spreading. Modeling potential proliferation pathways is crucial because it helps identify the conditions under which these tools could become widely accessible. For example, AI model weights, which are the parameters that determine a system’s behavior, could be stolen and leaked.
But it’s not just governments that need to understand such threats. Policymakers must work with frontier AI labs to establish reporting requirements for security incidents similar to the one that Anthropic revealed in 2025. Effective disclosure will require consistent reporting categories, secure channels for sharing technical details between developers and cybersecurity agencies, and a government guarantee of protection from liability for developers who share information. Ultimately, this will help generate a shared knowledge base about adversarial techniques, tactics, and procedures that defenders could use to develop countermeasures.
BATTENING THE HATCHES
As they gather intelligence, policymakers must also reinforce critical infrastructure that is most vulnerable to automated attacks, including state and municipal communications networks, health-care systems, and local utilities. These institutions already struggle with baseline cybersecurity because many run on outdated computer systems, lack resources for cyberdefense, and have limited in-house security expertise. Previous cyberattacks on critical infrastructure—such as the 2021 Colonial Pipeline ransomware attack, which shut down the largest fuel pipeline in the United States and led President Joe Biden to declare a state of emergency—show how vulnerable these systems are to operations far less sophisticated than fully autonomous agents.
More resilient systems must be able to operate faster than defenders can currently respond. The U.S. Cybersecurity and Infrastructure Security Agency, which is part of the Department of Homeland Security, should lead the efforts to build these systems. CISA has statutory authority over critical infrastructure protection, relationships with other federal agencies and private-sector infrastructure operators, and the technical capacity to translate threat intelligence into actionable guidance. Working with sector-specific agencies, including the Department of Energy, as well as the intelligence community, CISA should assess the tactics and techniques employed by autonomous attackers.
Yet CISA has lost nearly a third of its workforce following Trump administration cuts in 2025. The deepest reductions have been in areas such as stakeholder engagement and regional advising, which serve the underresourced targets most at risk of autonomous attacks. Congress needs to restore this lost capacity by appropriating dedicated funding to rehire staff and by legislating baseline staffing levels to at least pre-2025 levels to protect critical defensive functions. As CISA gets back on its feet, the Pentagon’s Defense Advanced Research Projects Agency, which has a long track record of pioneering breakthrough defensive technologies, should launch new programs dedicated to autonomous cyberdefense. These should include research on AI-enabled code refactoring, which automatically identifies vulnerable code before it can be exploited, and automated threat reduction and response systems that neutralize attacks faster than human defenders. CISA can coordinate defenses across existing infrastructure, but DARPA is positioned to advance research on the tools defenders need to keep pace with attacks.
These defensive efforts will require close coordination between government and industry. Policymakers should build on existing threat intelligence-sharing arrangements by establishing a dedicated coordination body to collect insights from frontier labs, cloud platforms, and critical infrastructure operators. This hub would enable rapid responses and the detection and disruption of autonomous cyber-operations.
Policymakers must also work with AI developers to implement security and verification mechanisms for the most advanced cyber-systems. In the Chinese campaign disclosed by Anthropic, the attackers circumvented safeguards designed to prevent the misuse of cybertechnology. Enhanced “know your customer” measures—verification requirements that establish who is accessing and deploying an AI system—would create accountability and a clear audit trail. But these controls will be difficult to enforce for open-weight models, which are released publicly for anyone to download and run. Once released, no single provider can control their use. In these cases, monitoring and managing access to compute—the processing power required to run AI models—becomes essential. Cloud service providers must therefore work closely with law enforcement to identify and respond to activity associated with potential misuse.
Countering rogue agents will require new tools and approaches for their detection and disruption. Washington should work to develop purpose-built decoy systems that simulate attractive targets—such as exposed cloud compute infrastructure—and trigger alerts when probed or attacked. Meanwhile, disruption will require rapid, coordinated action to identify and disable the infrastructure supporting rogue deployments. The priority must, however, remain preventing loss of control in the first place.
A GRAND OVERHAUL
The legal architecture governing state behavior in cyberspace was designed for human-directed operations. An agent operating without human direction, across borders, and with goals that may have drifted beyond what its operators intended, cannot be managed by legal frameworks built around the concept of state responsibility. The consensus documents developed through the United Nations’ Group of Governmental Experts on Advancing Responsible State Behavior in Cyberspace and its Open-Ended Working Group, which established that international law applies to state conduct in cyberspace, were not designed to address the challenges that autonomous agents pose. Updating these frameworks will require countries to agree to new rules of attribution, new standards of due diligence, and new criteria for determining when a state bears responsibility for autonomous operations it did not explicitly authorize.
It is in the interests of both the United States and China to forge a bilateral agreement prohibiting autonomous operations from targeting critical infrastructure—including power grids, water systems, hospitals, and nuclear facilities. The longer-term goal should be to build a broader framework that sets limits on autonomous capability development, requires mutual notification of major incidents, and establishes crisis management protocols to reduce escalation risks and prevent either side from mistaking a rogue agent for an intentional act of war.
Developing governance frameworks for autonomous cyber-agents will not be easy. Countries will be reluctant to constrain capabilities that have legitimate uses, and nonstate actors such as criminal hacking groups will not be bound by international agreements. Even where consensus is possible, attributing autonomous agents to specific countries or groups will be challenging. Thus, international cooperation should not focus too heavily on attribution. Instead, like-minded countries must align on standards and safeguards, and invest in shared detection, intelligence sharing, and coordinated response mechanisms. That should put defenders at an advantage.
Building these defenses is an urgent national security priority. Autonomous cyber-agents are already operational, and policymakers are unprepared. Before AI goes rogue, Washington must act.
Article source:
Foreignaffairs.com
