If 2025 was marked by the rise of Salt Typhoon cyberattacks on public agencies, 2026 could be considered the year of these assaults on steroids.
Multiple state-sponsored groups affiliated with China, Russia and other U.S. adversaries planted spyware and stole sensitive data from critical infrastructure, telecommunications and IT assets in coordinated cyber campaigns.
Security experts worry a wave of powerful threats, some driven by artificial intelligence (AI), might overwhelm ill-prepared agency IT departments next year.
“Adept adversaries don’t ‘break in,’” says Cristian Rodriguez, Americas field CTO at CrowdStrike. “They log in.”
Below are three threats experts are watching for in 2026.
STUDY UP: Here are four more security trends to look for in the new year.
The Big 3 Cyberthreats to Agencies Next Year
The OAuth Strike: You’ve heard of the well-known practice of gaining access to thousands of passwords and trying to bypass multifactor identification shields. Now bad actors are looking to get digital keys, such as access and refresh tokens, that give third-party applications permission to access data on a user's behalf — without sharing passwords.
“These attackers are driven by speed, and in seconds they can get access to a thousand mailboxes,” says Sean Frazier, federal chief security officer for Okta. “It’s a sign of them moving upstream to break in and have a greater impact.”
Shadow AI: Accessibility, one of the advantages of AI, is also one of its weaknesses. Many AI solutions are built to allow non-IT people to build agents to help them do their jobs, but they may be bypassing security oversight and creating risks such as data leaks and intellectual property theft in the process. IT departments are guilty of this too.
“Developers are uploading terabytes of sensitive data to cloud storage to empower AI use cases, but they may not follow best security practices,” says Evan Gordenker, consulting director for AI security at Palo Alto Networks’ Unit 42. “I worry that the hard lessons we learned during the early days of cloud computing are going to have to be relearned with AI.”
Click the banner below to start implementing smarter security.
Automated Discovery of Vulnerabilities: Attackers are becoming more comfortable using AI in their efforts, including creating maps to find lingering pockets of implicit trust in networks, roles and services.
“These seams, where modernization hasn’t fully caught up, will become primary discovery targets,” says Sean Connelly, executive director of global zero trust strategy and policy at Zscaler.
Expert-Recommended Preventive Security Steps
Addressing these growing threats requires vigilance and training to educate agency staff about the dangers of cybercriminals getting into government systems. Experts recommend taking action in several ways:
Close Off Old Third-Party Access: It’s easy to forget about an app your agency added a few years ago that didn’t work out. No one uses it anymore, but the app may still have permission to access sensitive databases. If a bad actor gets control of it, they have easy passage to wreak havoc.
Click the banner below for the latest federal IT and cybersecurity insights.
Maintain the Zero-Trust Environment: While not perfect, zero-trust security’s emphasis on continuous monitoring, rather than basic identity checks, can counter AI threats and insider risks by focusing on the granular access of both agents and humans.
Continuously Update Software: Even though experts have recommended being vigilant about updates for half a century, many agencies have not been doing so. Adhering to strict schedules for security patches on all systems and devices may be inconvenient, but the result of a data breach or ransomware attack could be devastating.
