The 2026 forecast: Deepfakes overtake identity, and speed becomes the new security currency
By 2026, the biggest threat to your organization may not be a stolen password, but a call from a CEO who isn’t actually there. As the U.S. government shifts toward a more aggressive, offensive cyber posture, the private sector faces a stark new reality: move fast or become a “have-not.”
That is a recurring theme from the McCrary Institute’s senior fellows, who gathered for the 100th episode of Cyber Focus to predict the policy, technology and threat landscapes of 2026. While artificial intelligence and China remain perennial concerns, the experts warn that the nature of these threats is fundamentally changing the rules of engagement – from Washington’s policy decisions to the day-to-day realities of how employees get deceived.
On the policy front, the fellows pointed to a near-term Washington test that could shape how quickly defenders can share threat information in 2026: the reauthorization of CISA 2015, the law that underpins key protections for voluntary cyber threat indicator sharing between the private sector and government. As one fellow put it, “The policy issue [of 2026] … is the reauthorization of CISA 2015.” They also cautioned that even when the technical case is clear, the harder problem is getting legislation across the finish line – at a moment when state and local systems, critical infrastructure operators and smaller organizations are already struggling to keep pace with faster-moving threats.
On the threat side, the shift may be most visible in how intrusions begin. For years, identity – logins, passwords, and single sign-on – has been the primary vector for compromise. But Cynthia Kaiser, formerly of the FBI’s Cyber Division and now the head of Halcyon’s Ransomware Research Center, predicts a pivot. “What I believe is going to overtake identity just in general is deepfake social engineering,” Kaiser said.
The threat goes beyond phishing emails; it involves real-time impersonation. Kaiser describes scenarios in which employees receive urgent calls that appear to be from their executives. “I think I’d click on that if I didn’t know better,” Kaiser admitted, noting that if security professionals can be fooled, the risk to the general workforce is even greater.
As threats accelerate, what separates secure organizations from vulnerable ones will no longer be budget, but velocity. Matt Hayden, VP at GDIT, warns of a broader dividing line between haves and have-nots, defined entirely by speed.
“If you’re someone that can’t receive new information and immediately improve your defensive posture, you’re probably a have-not,” Hayden stated. By 2026, organizations burdened by tech debt or slow decision loops won’t just be inefficient – they may be undefendable against AI-driven attacks.
Beyond legislation, some fellows also expect a sharper U.S. posture – one that puts more emphasis on imposing costs on adversaries. Christopher Roberti of the U.S. Chamber of Commerce noted that the government has “telegraphed” a more aggressive posture, showing an interest in “taking the fight to the adversaries.”
While the ultimate goal is deterrence – imposing costs on adversaries to slow them down – this shift requires the private sector to brace for potential retaliation in the midst of a conflict.
Looming over these predictions is the threat of nation-state pre-positioning. Former National Counterintelligence and Security Center Director Bill Evanina, referencing the “Salt Typhoon” and “Volt Typhoon” campaigns, posed the question that will define the defensive roadmap for 2026: “What is the next Typhoon we’re going to uncover?”
According to Bob Kolasky, Senior VP at Exiger, the answer likely lies in the same direction it does today. “I started with China and I’m gonna end with China,” Kolasky said, urging the industry not to let economic deals obscure the reality of a “potential geopolitical conflict with a near-peer nation-state adversary.”