ODNI 2026 Threat Report: Four Nations Are Inside Your Network

The US intelligence community released its 2026 Annual Threat Assessment on March 18, and the coverage has been predictably focused on the Iran war, nuclear escalation scenarios, and what Tulsi Gabbard thinks about Venezuelan organised crime. Fair enough. All of that matters. But buried in the congressional testimony from DNI Gabbard and the four-letter-agency directors who accompanied her is a line that every CISO, every infrastructure operator, and frankly every executive responsible for a network-connected business should be reading right now: China, Russia, Iran, and North Korea have been pre-positioning inside US critical infrastructure specifically to create options for disruption during future conflict. Not “trying to breach.” Pre-positioned. Already there. Waiting. And while everyone is looking at Operation Epic Fury and the kinetic war against Iran, the cyber pre-positioning story is continuing largely unexamined.

What’s Actually Happening

On March 18, 2026, DNI Gabbard presented the 2026 Annual Threat Assessment of the US Intelligence Community to both the Senate and House intelligence committees. The assessment represents the collective findings of the CIA, DIA, FBI, NSA, and the broader sixteen-agency IC apparatus. It is, in other words, the most authoritative public statement available about what the US government actually knows is happening inside critical infrastructure right now.

The cyber section is blunt. Per the ODNI’s direct language: China and Russia “present the most persistent and active threats” in the cyber domain, with ongoing R&D efforts. North Korea’s cyber program “is sophisticated and agile” — and in 2025 alone, North Korea’s cryptocurrency heists stole an assessed two billion dollars that is “helping to fund the regime, including further development of its strategic weapons programs.” Let that settle for a moment. Two billion dollars in stolen cryptocurrency. Directly funding ballistic missile development. Ransomware payments and exchange hacks aren’t just organised crime. The IC is telling you they’re weapons procurement financing.

But the most operationally significant language in the assessment concerns pre-positioning. The IC assesses that adversaries can “pre-position or execute disruptive and destructive attacks against US critical infrastructure and other targets.” The WaterISAC’s analysis of the report specifically notes the threat to water and wastewater utilities — a sector the 2025 assessment had already flagged and this year’s assessment continues to elevate. Recorded Future’s Insikt Group, which has been tracking this in near-real-time since Operation Epic Fury launched on February 28, adds the operational layer the ODNI assessment summarises: when Iran’s internet connectivity dropped to one to four percent in the immediate aftermath of US-Israeli strikes, the cyber operations tempo dropped with it. When that connectivity comes back — and it will — expect scanning, brute-forcing, password spraying, and probing against previously untargeted networks as early indicators of Iranian cyber forces re-operationalising.

The regional context is accelerating everything. Per Unit 42’s March threat brief, since February 28 they’ve tracked approximately 60 individual hacktivist groups activating, including pro-Russian groups that are “effectively expanding the Middle East’s attack surface” against NATO and European interests. The cybercrime rate, as The Register reported last week citing Akamai data, is up 245 percent since the start of the Iran war. Geopolitically motivated hacktivists are routing operations through proxy services in Russia and China. What started as a Middle East conflict has already spilled into a distributed cyber operation that has no obvious geographic constraint.

As I wrote in my analysis of the full-scale cyber-kinetic operation that emerged from Operation Epic Fury, this is not background noise. This is the environment your infrastructure is operating in right now.

The Cyber Layer Nobody’s Writing About

Most coverage of the ODNI assessment is focused on the kinetic dimensions: Iran’s remaining missile capability, the succession crisis following Khamenei’s death, Russia’s ongoing pressure on Ukraine, China’s AI development trajectory. All legitimate concerns. But the cyber pre-positioning assessment deserves specific attention because it describes a threat model that most enterprise security programs are architecturally unequipped to address.

Pre-positioning is fundamentally different from active exploitation. An attacker who exploits CVE-2026-21992 in your Oracle Identity Manager today has an immediate, detectable impact — logs spike, credentials get provisioned, things break. An adversary who pre-positions in your OT network two years before a conflict does nothing. They sit quietly inside legitimate-looking persistence mechanisms, updating beacons on a low-frequency schedule, waiting for a decision from a command structure thousands of miles away. Your SIEM doesn’t alert. Your EDR doesn’t flag it. The traffic looks like maintenance noise. This is the threat model that Volt Typhoon — the Chinese state-sponsored actor documented by Microsoft MSTIC and CISA as specifically targeting US critical infrastructure for pre-positioning — established as the template. The ODNI assessment is confirming that template is now the norm, not the exception.

The China AI dimension adds a new wrinkle. The IC assesses that China is “the most capable competitor in the field of artificial intelligence.” That doesn’t just mean chatbots. It means AI-enabled offensive operations: automated reconnaissance, AI-generated spear-phishing at scale, pattern recognition across exfiltrated data to identify the most valuable credential chains. My research on the quantum and AI threat to national security examines exactly this axis: the convergence of AI offensive capability with pre-positioned infrastructure creates a threat posture where the decision to activate is separated from the years-long effort to establish the access.

The Fourth Turning context — the generational crisis pattern I’ve explored in my piece on why this period might be historically unique in its danger potential — makes the pre-positioning assessment more alarming, not less. Adversaries don’t pre-position unless they anticipate needing those positions. The IC’s assessment that they already have them is, in the plainest possible terms, a statement that multiple nation-states have concluded that conflict significant enough to require critical infrastructure disruption is a realistic near-term scenario.

In my coverage of the Handala attack on Stryker and the INC Ransom campaign against Australian healthcare, I noted that the healthcare sector is bearing a disproportionate share of the attack load. The ODNI assessment signals this isn’t coincidence — healthcare, water, energy, and communications are the named sectors for both pre-positioning and active disruption operations.

Why It Matters Beyond the Conflict Zone

Here’s the enterprise translation, stated explicitly because the mainstream coverage isn’t doing it.

Your organisation almost certainly depends on critical infrastructure that the IC has just assessed is pre-compromised by nation-state adversaries. Power grids. Water systems. Financial sector networks. Telecommunications. If your business continuity plan assumes those systems will be available during a geopolitical crisis, your business continuity plan has a gap.

The North Korea cryptocurrency theft number — two billion dollars in 2025 — has direct implications for every organisation involved in cryptocurrency, DeFi, and digital asset management. Those aren’t abstract heists. They are targeted campaigns by a state-sponsored group with strategic objectives, and the IC has assessed that the proceeds fund weapons development. There is no “just financial crime” category when the beneficiary is a nuclear weapons program.

Russia’s tactics have shifted, per the Recorded Future State of Security 2026 report, away from malware-heavy campaigns toward credential-based intrusions abusing identity and SSO platforms. That shift matters for how you defend. Malware has signatures. Compromised credentials look like legitimate users. The SIEM rules that catch malware-based intrusion don’t catch a threat actor using a valid service account token stolen from a phishing campaign three months ago.

And the Iran situation specifically: when Iranian internet connectivity recovers and state-aligned cyber actors re-operationalise, they will look for the same attack surfaces they always have. VPN appliances with unpatched CVEs. Default credentials on industrial control systems. Publicly accessible OT management interfaces. Water treatment systems running Windows XP. These are not hypothetical attack scenarios. They are the documented Handala and IRGC operational patterns.

What Went Wrong

The structural failure the ODNI assessment implicitly describes is the same one it has implicitly described for the past decade: critical infrastructure operators built IT security programs for IT threat models and then connected operational technology to the internet without applying the same rigour. The result is a class of pre-positioned adversary access in OT networks that is structurally invisible to IT-centric security tooling.

The enterprise parallel is equally familiar. Organisations built access control systems that assume the threat is outside the perimeter. Pre-positioning means the threat is already inside, and has been for months or years, behaving like a legitimate system. “Pre-positioned” is another way of saying “persistent access that your current tooling doesn’t see.”

The Fix — Fixer’s Advice

The ODNI assessment is not a threat you patch. It’s a threat model you have to architect against. Here’s what that actually means in practical terms.

OT/ICS network security — if you operate critical infrastructure or depend on organisations that do:

Conduct a full asset inventory of your operational technology environment. Every device on every OT network segment needs to be identified, catalogued, and assessed for network connectivity. “We think it’s air-gapped” is not an answer. Verify the segmentation. Dragos, Claroty, Nozomi, and other OT security platforms exist precisely to give you this visibility. If you don’t have it, get it.

Assume Volt Typhoon-style pre-positioning is a possibility in your environment if you operate in any of the sectors the IC has flagged: energy, water, telecommunications, healthcare, financial services, transportation. The question is not whether pre-positioned access could exist — the IC has assessed that it does in critical infrastructure broadly. The question is whether you have the detection capability to find it.

Deploy OT-specific detection tooling. Standard IT EDR does not cover ICS protocols. You need visibility into Modbus, DNP3, OPC-UA, and whatever other industrial protocols your environment uses. Anomalies in these protocol patterns are how you find lateral movement in OT environments, where it generates no Windows Event Log entries at all.
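As an added example (not from this post or any vendor product), here is the kind of baseline-deviation check an OT monitoring rule reduces to: Modbus/TCP session records are compared against a learned per-PLC baseline of approved writing hosts and observed function codes, and anything outside it is surfaced. The baseline, the PLC addresses and the flow records are constructed for illustration.

```python
"""Baseline-deviation detection over Modbus/TCP session records (added
example; constructed data, not from any real OT environment)."""
from collections import defaultdict

# Modbus function codes that change process state (coils/registers).
WRITE_FUNCTIONS = {5, 6, 15, 16, 23}

# Constructed baseline: per PLC, which hosts are allowed to write and
# which function codes were observed during a clean learning period.
BASELINE = {
    "10.20.1.10": {"writers": {"10.20.0.5"}, "functions": {3, 4, 6, 16}},
    "10.20.1.11": {"writers": {"10.20.0.5"}, "functions": {3, 4}},
}

# Constructed flow records: (timestamp, src, dst, unit_id, function_code)
RECORDS = [
    ("2026-03-19T02:00:01", "10.20.0.5", "10.20.1.10", 1, 3),
    ("2026-03-19T02:00:02", "10.20.0.5", "10.20.1.10", 1, 16),
    ("2026-03-19T02:14:30", "10.20.0.77", "10.20.1.11", 1, 43),
    ("2026-03-19T02:14:31", "10.20.0.77", "10.20.1.11", 1, 3),
    ("2026-03-19T02:15:02", "10.20.0.77", "10.20.1.11", 1, 6),
    ("2026-03-19T02:15:03", "10.20.0.5", "10.20.1.99", 1, 3),
]

def classify(record):
    """Return a list of alert reasons for one record (empty = within baseline)."""
    _, src, dst, _, fc = record
    plc = BASELINE.get(dst)
    if plc is None:
        return ["unknown_plc"]  # inventory gap: a device nobody catalogued
    reasons = []
    if fc not in plc["functions"]:
        reasons.append("new_function_code")
    if fc in WRITE_FUNCTIONS and src not in plc["writers"]:
        reasons.append("write_from_unapproved_host")
    return reasons

def detect(records):
    """Group alerts by source host so a single noisy host stands out."""
    alerts = defaultdict(list)
    for rec in records:
        for reason in classify(rec):
            alerts[rec[1]].append((rec[0], rec[2], rec[4], reason))
    return dict(alerts)

if __name__ == "__main__":
    for host, hits in detect(RECORDS).items():
        print(host)
        for ts, dst, fc, reason in hits:
            print(f"  {ts} -> {dst} fc={fc:<3} {reason}")
```

The "unknown_plc" reason is deliberate: a device that answers Modbus but is absent from the inventory is itself a finding, which is why the asset inventory step comes before the detection step.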

Identity and credential security — with the shift to credential-based intrusion:

If Russia has shifted to credential-based intrusion via compromised SSO and identity platforms, your detection priority needs to shift too. Implement behavioural analytics on identity provider logs. You are looking for: login patterns that don’t match the user’s historical baseline, SSO token usage from unusual IP ranges or user agents, authentication events outside normal business hours, sequential access to multiple sensitive resources from a new device, and privilege escalation through legitimate provisioning workflows.
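The criteria listed above, turned into a scoring rule over identity-provider sign-in events, as an added example that is not part of the original post. It covers off-hours logins, unfamiliar IP ranges and user agents, and a new device touching several sensitive resources in sequence; the per-user baseline, the sensitive-resource list and the events are all constructed, and the threshold of three deviations is an assumption to tune against your own false-positive rate.

```python
"""Baseline-deviation scoring over identity-provider sign-in events
(added example; constructed baseline and events, not real IdP logs)."""
from datetime import datetime
from ipaddress import ip_network, ip_address

# Constructed list of resources whose access should raise the score.
SENSITIVE = {"payroll", "vault", "admin-console", "hr-db"}

# Constructed per-user baseline learned from a clean history window.
BASELINE = {
    "alice": {"hours": range(7, 20), "nets": [ip_network("203.0.113.0/24")],
              "agents": {"Outlook/16"}, "devices": {"LAPTOP-A1"}},
}

# Constructed events: (user, iso timestamp, ip, user agent, device, resource)
EVENTS = [
    ("alice", "2026-03-19T09:15:00", "203.0.113.20", "Outlook/16", "LAPTOP-A1", "mail"),
    ("alice", "2026-03-19T23:41:00", "198.51.100.7", "python-requests/2", "UNK-7", "vault"),
    ("alice", "2026-03-19T23:42:10", "198.51.100.7", "python-requests/2", "UNK-7", "payroll"),
    ("alice", "2026-03-19T23:43:05", "198.51.100.7", "python-requests/2", "UNK-7", "hr-db"),
]

def score_event(event, recent):
    """Return (score, reasons) for one event; `recent` holds the same
    user's earlier events so sequential access can be recognised."""
    user, ts, ip, ua, dev, res = event
    b = BASELINE[user]
    reasons = []
    if datetime.fromisoformat(ts).hour not in b["hours"]:
        reasons.append("off_hours")
    if not any(ip_address(ip) in n for n in b["nets"]):
        reasons.append("new_ip_range")
    if ua not in b["agents"]:
        reasons.append("new_user_agent")
    if dev not in b["devices"]:
        reasons.append("new_device")
        # Sensitive resources already touched from this unknown device.
        hit = {e[5] for e in recent if e[4] == dev and e[5] in SENSITIVE}
        if res in SENSITIVE and len(hit) >= 2:  # this is the third one
            reasons.append("sequential_sensitive_access_new_device")
    return len(reasons), reasons

def analyse(events, threshold=3):
    """Return events whose deviation score meets the threshold."""
    flagged, seen = [], {}
    for ev in events:
        prior = seen.setdefault(ev[0], [])
        score, reasons = score_event(ev, prior)
        prior.append(ev)
        if score >= threshold:
            flagged.append((ev[1], ev[0], ev[5], score, reasons))
    return flagged
```

Note that nothing here looks at a file hash or a signature: every signal is a deviation from how this account normally behaves, which is the only kind of signal a valid stolen token leaves behind.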

The credential rotation discipline described in the Trivy post above applies here at enterprise scale: any credential that could have been touched by a supply chain compromise, a phishing campaign, or an infostealer infection in the past six months should be treated as a candidate for rotation. That’s a big undertaking. Prioritise privileged accounts and service accounts first.

Business continuity planning — with the pre-positioning reality:

Update your business continuity and disaster recovery plans explicitly for scenarios where critical infrastructure is unavailable. Specifically: can your operations continue if your cloud provider’s data centre in a specific geography goes dark? Can you communicate with your supply chain partners if telecommunications infrastructure is degraded? Do you have out-of-band communication capabilities that don’t depend on internet connectivity? These are not exotic scenarios. They are explicitly assessed scenarios by the US intelligence community.

Threat intelligence integration:

Subscribe to CISA’s Iran threat overview and advisories page. Subscribe to Recorded Future’s Insikt Group updates on the Iran conflict situation. Subscribe to Unit 42’s threat intelligence feeds. The intelligence community is publishing more threat context in the current period than at almost any time in recent memory. Use it. Threat intelligence that sits in a PDF nobody reads is not threat intelligence. Build a process to convert IC assessments into specific detection queries and architecture decisions within your environment.

Tabletop exercises:

Run a tabletop exercise explicitly modelling a pre-positioned adversary activation scenario. Not “ransomware hits our IT network” — that scenario is well-rehearsed. Model: “an adversary with persistent access in our OT environment has received activation orders and is beginning to degrade operational capability while appearing to behave normally.” What do you see? What’s your decision tree? Who has authority to take systems offline?

If you can’t answer that in a controlled exercise, you cannot answer it under operational pressure.

Final Call-Out

The intelligence community has just officially confirmed in unclassified testimony that multiple nation-states are pre-positioned inside US critical infrastructure and have assessed that disruption operations are a realistic tool they would use in conflict. If your security strategy is built around keeping attackers out, you need to add a layer built around assuming they’re already in and catching them before they activate. That’s not paranoia. At this point, it’s the job.