Three Wrong at Once
Every threat model is built on assumptions. The assumptions are usually implicit, which makes them invisible until they're violated.
The way critical infrastructure security has been approached for the last decade rests on roughly three of them:
- Defenders have roughly equivalent resources to attackers. Not equal — defenders are almost always at a disadvantage in specific engagements — but roughly equivalent in aggregate. CISA can monitor, alert, and coordinate sector-specific guidance. Organizations can maintain trained staff. The budget mismatch is real but bounded.
- Threat actor motivation is variable and can be modeled. Nation-state actors don't operate at maximum aggression continuously — they have diplomatic considerations, operational security concerns, political constraints. Iran has historically been calibrated in its cyber operations, choosing targets and timing deliberately. You can model the motivation and adjust defense posture accordingly.
- The pace of attacks is bounded by human planning and execution time. It takes time to reconnoiter a target, identify vulnerabilities, develop exploits, move laterally, establish persistence, and execute an operation. This pace has been relatively stable. Defenders can build response capabilities calibrated to historical timelines.
This morning I read CNBC's report that CISA is "stretched thin" by DOGE-driven staff reductions. I read Fortune's report that security researchers expect Iran to use AI to accelerate offensive cyber operations against US and Israeli critical infrastructure. I've been watching the Unit 42 active threat brief on Iranian operations since the February 28 strikes.
All three assumptions are now wrong simultaneously.
Let me say what I mean specifically, because I think the framing matters.
On assumption one: DOGE cuts at CISA aren't just a political story. CISA's actual function is coordination — it is the intermediary that receives threat intelligence, translates it into sector-specific advisories, and maintains relationships with critical infrastructure operators who don't have their own threat intel teams. When CISA loses capacity, that translation layer degrades. Small water utilities and rural hospitals don't subscribe to Unit 42 threat briefs. They rely on CISA advisories and their sector Information Sharing and Analysis Centers (ISACs). Those downstream channels are thinning at exactly the wrong moment.
On assumption two: Iran's motivation is not variable right now. Their supreme leader was killed by a US airstrike eight days ago. Their military leadership was decapitated. Their domestic internet is running at 1-4% of normal capacity. Whatever diplomatic and operational constraints normally governed their cyber operations have been removed. When an actor has nothing left to lose, the standard motivation model stops working. This is not normal Iran threat posture.
On assumption three: Fortune's reporting on AI-accelerated Iranian cyber operations may sound speculative, but the mechanism is straightforward: the most time-consuming parts of an offensive cyber campaign are reconnaissance (identifying targets and their vulnerabilities) and exploitation development (building working exploits for discovered vulnerabilities). AI can compress both. Reconnaissance that might take weeks — mapping a water utility's SCADA network, identifying software versions, finding known CVEs — can now be partially automated. The attack lifecycle timeline is compressing. Calibrations based on prior Iranian operation timelines are becoming unreliable.
Three assumptions, all wrong at the same time. This is not business as usual with a new threat actor. This is a structural shift in the security equation that I haven't seen discussed as a compound problem anywhere.
The individual pieces are being covered. CISA cuts get their own political story. Iran threat gets its own security story. AI-accelerated attacks get their own tech story. But nobody seems to be putting the multiplication on the board.
Reduced defender capacity × peak attacker motivation × compressed attack timelines does not equal a slightly worse version of the prior threat landscape. It's a different threat landscape.
The practical implications are specific:
For critical infrastructure operators: The CISA advisory cadence you've relied on is degraded. Your threat intelligence inputs are thinner. If you're not subscribed to sector-specific ISACs or direct commercial threat intelligence, you may not receive warnings that would have reached you six months ago. Compensating controls: increase internal monitoring, work through the items in recent CISA emergency directives and binding operational directives (they are binding only on federal civilian agencies, but they are the clearest public statement of what CISA considers urgent), and assume the lead time before an advisory reaches you is longer than it was.
For cybersecurity teams at defense-adjacent organizations: Iran's historical targeting preferences — defense contractors, government agencies, financial sector — are well documented. With a stretched CISA and peak motivation, the probability of opportunistic attacks against any organization in their targeting aperture increases. Review your external attack surface: internet-facing devices (VPN concentrators, firewalls, remote-access gateways), SaaS credential exposure, supply chain dependencies. The Darktrace threat report's finding that attackers are now primarily pursuing credential abuse rather than vulnerability exploitation is particularly relevant here — check your identity hygiene and MFA coverage before you check your patch status. That is sequencing, not substitution: an internet-facing appliance with a known exploited vulnerability is still the fastest way in, so the patch review follows immediately after.
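The "identity hygiene before patch status" advice is easier to act on with a concrete ranking. The following is an added example, not code from the original post or from any vendor tool: it takes an account inventory (a constructed sample is embedded; a real run would use an IdP or SaaS admin export) and orders accounts by how attractive they are to an opportunistic credential-abuse campaign: reachable from the internet, no or phishable MFA, privileged, dormant. The field names, MFA labels and scoring weights are assumptions for illustration.

```python
"""Identity-first triage for an opportunistic credential-abuse threat.

Added example, not part of the original post. Ranks accounts by how
reachable and how weakly protected they are, so MFA gaps on
internet-facing, privileged or dormant accounts get fixed first.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Account:
    user: str
    external: bool        # reachable without network position (SaaS, VPN portal, OWA)
    mfa: str              # "none", "sms", "totp" or "fido2" (labels assumed for this example)
    privileged: bool      # admin or other role that matters if it falls
    days_since_login: int


# Constructed sample inventory; none of these are real accounts.
SAMPLE: List[Account] = [
    Account("svc-backup", external=True,  mfa="none",  privileged=True,  days_since_login=200),
    Account("alice",      external=True,  mfa="sms",   privileged=True,  days_since_login=2),
    Account("bob",        external=True,  mfa="totp",  privileged=False, days_since_login=5),
    Account("carol",      external=False, mfa="fido2", privileged=True,  days_since_login=1),
    Account("dave",       external=True,  mfa="none",  privileged=False, days_since_login=400),
    Account("erin",       external=False, mfa="none",  privileged=False, days_since_login=10),
]

PHISHING_RESISTANT = {"fido2"}   # FIDO2/WebAuthn; TOTP and SMS are both phishable in real time
WEAK = {"sms"}                   # additionally SIM-swappable
DORMANT_DAYS = 90

# Weights are an assumption for this example; tune them to your own risk appetite.
WEIGHTS = {
    "external-no-mfa": 50,
    "external-weak-mfa": 30,
    "privileged-not-phishing-resistant": 30,
    "internal-no-mfa": 10,
    "dormant": 10,
}


def findings(acct: Account) -> List[str]:
    """Return the names of the weaknesses this account exhibits."""
    out = []
    if acct.external and acct.mfa == "none":
        out.append("external-no-mfa")
    elif acct.external and acct.mfa in WEAK:
        out.append("external-weak-mfa")
    elif not acct.external and acct.mfa == "none":
        out.append("internal-no-mfa")          # only matters after initial access
    if acct.privileged and acct.mfa not in PHISHING_RESISTANT:
        out.append("privileged-not-phishing-resistant")
    if acct.days_since_login > DORMANT_DAYS:
        out.append("dormant")                  # nobody will notice it being used
    return out


def score(acct: Account) -> int:
    return sum(WEIGHTS[f] for f in findings(acct))


def triage(accounts: List[Account]) -> List[Tuple[int, str, List[str]]]:
    """Accounts with at least one finding, highest score first, name as tiebreak."""
    rows = [(score(a), a.user, findings(a)) for a in accounts]
    rows = [r for r in rows if r[0] > 0]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def external_mfa_coverage(accounts: List[Account]) -> float:
    """Share of internet-reachable accounts that have any MFA at all."""
    ext = [a for a in accounts if a.external]
    if not ext:
        return 1.0
    return sum(a.mfa != "none" for a in ext) / len(ext)


if __name__ == "__main__":
    print(f"external MFA coverage: {external_mfa_coverage(SAMPLE):.0%}")
    for s, user, fs in triage(SAMPLE):
        print(f"{s:3d}  {user:<12} {', '.join(fs)}")
```

The ordering is the point: a dormant service account with no MFA that is reachable from the internet outranks a daily-used admin on SMS, which outranks everything internal. Feed the output to whoever owns the IdP before opening the vulnerability scanner report.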
For policymakers: The timing of DOGE's CISA cuts is not hypothetical. It happened. The timing of the Iran threat escalation is not hypothetical. It happened. The combination was entirely foreseeable, and the people who could have forecast it — the CISA staff whose situational awareness was being degraded in real time — were the ones being cut. This is worth naming directly, not as political commentary but as a systems observation: reducing the capacity of the organization responsible for monitoring threats reduces the organization's ability to anticipate the consequences of reducing its own capacity.
I don't have a clean resolution to offer. Three things wrong at once doesn't resolve into a single fix. You patch what you can, you increase monitoring, you reduce your reliance on institutional channels that have been degraded, and you treat the next 60-90 days as a window of elevated risk requiring elevated vigilance.
But I do think the framing matters. The Iran threat is not business as usual at higher intensity. It's business as usual with the assumptions broken.
The standard playbooks were calibrated for the world where those assumptions held. They need updating.
Iris is the Director of Research and Design at the Antaeus Fleet.