Quick Answer
Cyber warfare blends espionage, disruption, and psychological operations across networks and devices to achieve political or military goals without crossing the line to open kinetic conflict. NATO treats cyberspace as a domain of operations, meaning severe cyber attacks could trigger collective defense, and leading legal scholars map how existing international law applies through guides like the Tallinn Manual.
Why cyber warfare matters in 2025
Adversary activity is rising in scope and sophistication. Microsoft’s 2025 analysis reports a surge in state and state-aligned operations, with Russia, China, Iran, and North Korea increasingly using AI to scale espionage and influence. Separate coverage in October 2025 notes that Russian targeting of NATO members increased by about 25 percent year over year. These trends confirm that cyber is a permanent front in modern competition, not a sideshow.
What this guide covers
- A clear definition of cyber warfare and how it differs from cybercrime
- Landmark incidents that shaped doctrine and defenses
- The evolving rules of the game, from NATO policy to the Tallinn Manual and UN talks
- A practical defense playbook for boards, CISOs, and public leaders
- Recommended resources and partners for independent validation
What is cyber warfare, really
Cyber warfare refers to the use of computer network operations by or on behalf of a state to achieve strategic effects. Actions range from stealthy espionage to disruptive operations and pre-positioning inside critical networks. NATO has recognized cyberspace as an operational domain since 2016 and has stated that a severe cyber attack could trigger Article 5 collective defense. This does not make every intrusion an act of war. It sets a high threshold tied to scale and impact.
How it differs from cybercrime: criminal groups chase profit. States pursue political leverage, deterrence, or battlefield advantage. Reality is messy, since states can enable or task criminal affiliates. Recent reporting describes this blend, including campaigns that pair espionage with ransomware for pressure and cover.
Landmark events that defined the invisible battlefield
Stuxnet and the birth of cyber-physical operations
In 2010, Stuxnet targeted Iranian industrial controllers and demonstrated that software could manipulate physical systems. Stuxnet popularized the idea of malware that crosses the digital and physical boundary and remains a reference point for industrial defense.
Ukraine’s power grid attacks
In December 2015, coordinated intrusions cut power to hundreds of thousands in Ukraine, with investigators documenting hands-on control and wiper malware. This was the first known blackout caused by a cyber attack against a public utility, a watershed moment for critical infrastructure risk.
NotPetya’s economic shock
In 2017, NotPetya spread rapidly via Ukrainian software supply chains and caused billions in global losses. Estimates vary by methodology, but it remains a benchmark for how a state-linked operation can cascade far beyond its initial theater and create macroeconomic effects.
From hybrid war to daily reality
Open reporting through 2025 shows constant targeting of governments, embassies, and civil society, often tied to broader geopolitical crises. Microsoft details FSB-linked espionage at the ISP level in Moscow, a sign of how deeply some services can operate inside national infrastructure.
The rules, who sets them, and why they matter
NATO policy
NATO recognizes cyberspace as a domain of operations and has clarified that a cyber attack could meet the threshold for Article 5. Policy language remains intentionally flexible, which preserves deterrence while avoiding red lines that adversaries could game.
Tallinn Manual 2.0
The Tallinn Manual, produced by an independent group of experts, interprets how existing international law applies to cyber operations. It discusses sovereignty, due diligence, and use of force in detail, and is widely cited by practitioners and scholars. It is not binding law, but it shapes debate and state practice.
UN process
At the UN, the Open-Ended Working Group has continued discussions on norms and confidence building, with limited progress noted in late 2024. Despite slow movement, these forums provide a venue for clarifying expectations and documenting state views, which matters for attribution narratives and coalition responses.
Regional regulation that raises the floor
The EU’s NIS2 directive expands obligations across 18 sectors and pushes coordinated enforcement timelines through 2024 and into 2025. National transposition trackers show countries entering enforcement and setting registration and self-assessment milestones for entities in scope. These measures are not war policy, but they do reduce the soft underbelly adversaries often exploit.
Tactics on this battlefield
- Pre-positioning and access operations. Long dwell times inside government and utility networks enable a fast pivot when tensions rise.
- Supply chain and MSP targeting. One compromise yields many victims.
- Information operations. AI accelerates narrative warfare and spearphishing.
- Cyber-physical effects. ICS focus, from grid operations to water and transport.
- “Defend forward” and persistent engagement. The U.S. states it will disrupt malicious activity at its source, even below the threshold of armed conflict. That doctrine aims to impose friction before adversaries hit domestic networks.
What leaders can do now, a practical defense playbook
1) Start with identity and access
Credential theft remains the most common initial access path. Enforce phishing-resistant MFA, least privilege, and conditional access on identity providers and cloud control planes. Shorten token lifetimes for sensitive apps. These steps blunt intrusions whether adversaries are criminal or state-linked. Pair them with red team validation. Consider expert cyber security testing to pressure-test account recovery, federation, and admin workflows against modern phishing and token replay.
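As an added illustration of the short-token-lifetime and token-replay points above (example code, not from the original article), a small Python gateway check that caps token lifetime, rejects expired tokens, and flags a token ID later presented by a different client. The signing key, the 300-second cap, and the client identifiers are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key; a real gateway would pull this from a KMS or HSM.
SECRET = b"constructed-demo-signing-key"
# Hard cap on token lifetime for sensitive apps, in seconds (constructed policy).
MAX_LIFETIME = 300


def mint(subject: str, jti: str, now: int, lifetime: int = MAX_LIFETIME) -> str:
    """Issue a token 'body.sig': base64url JSON claims, HMAC-SHA256 over the body."""
    claims = {"sub": subject, "jti": jti, "iat": now, "exp": now + lifetime}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


class Gateway:
    """Verifies tokens and remembers which client first presented each jti."""

    def __init__(self) -> None:
        self.first_seen: dict[str, tuple[str, int]] = {}  # jti -> (client_id, exp)

    def verify(self, token: str, client_id: str, now: int) -> str:
        body, _, sig = token.rpartition(".")
        expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return "bad_signature"
        claims = json.loads(base64.urlsafe_b64decode(body))
        # Reject tokens minted with a lifetime longer than policy allows,
        # even when the signature is valid (catches a misconfigured issuer).
        if claims["exp"] - claims["iat"] > MAX_LIFETIME:
            return "lifetime_exceeds_policy"
        if now >= claims["exp"]:
            return "expired"
        # Forget bookkeeping for tokens that can no longer be presented.
        self.first_seen = {j: v for j, v in self.first_seen.items() if v[1] > now}
        jti = claims["jti"]
        owner, _ = self.first_seen.setdefault(jti, (client_id, claims["exp"]))
        # The same jti arriving from a second client within its lifetime is
        # the replay signal a detection team would alert on.
        if owner != client_id:
            return "replay_from_other_client"
        return "ok"
```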
2) Threat-informed detection and rehearsals
Use current threat intelligence and knowledge bases to focus on the techniques that matter. Test detections and response through purple team exercises that simulate grid, water, or transport scenarios if you operate critical infrastructure. The Ukraine power grid case shows why operator playbooks and communications procedures are as important as malware signatures.
3) Segment, monitor, and harden critical systems
Separate business IT from operational technology networks. Enforce allow lists and unidirectional flows where possible. Maintain offline, immutable backups and practice restoration. Stuxnet made clear that PLCs and engineering workstations require exceptional hygiene and change control.
4) Build coalition response paths before you need them
Know how to share indicators with national CSIRTs, sector ISACs, and allied agencies. The UN and regional efforts are slow, but coordination works best when trust and formats are set in peacetime.
5) Raise the regulatory floor
If you operate in the EU, map your program to NIS2 and plan for audit checkpoints that begin in 2025. Even outside the EU, NIS2-style obligations signal how buyers and insurers will shape expectations. Build a single control baseline and reuse evidence across frameworks.
6) Validate with independent operators
Run annual enterprise pentests that include identity, cloud, and SaaS. Add scenario-based testing that mirrors state tradecraft, such as supply chain pivots or long-dwell access operations. If you need market context to select a partner, compare providers in this roundup of top-rated penetration testing companies in the US for 2025.
By the numbers, to brief your board
- Microsoft reports a sharp uptick in AI-enabled operations from Russia, China, Iran, and North Korea, including influence content, phishing, and automation.
- Open reporting in October 2025 notes Russian targeting of NATO states up about 25 percent year over year. Government, research, and NGOs are primary targets.
- NIS2 transposition and enforcement milestones entered force across several member states in late 2024 and early 2025, with registration and self-assessment deadlines during 2025.
Conclusion
Cyber warfare is the use of cyber operations by states or their proxies to achieve strategic effects such as espionage, disruption, or coercion, often below the threshold of open armed conflict. It is governed by existing international law as interpreted in resources like the Tallinn Manual, and NATO recognizes cyberspace as a domain of operations.