A manufacturer whose devices touch millions of patients a year gets hit by a cyberattack. Ordering, manufacturing, and shipping are disrupted. Some patient-specific procedures are rescheduled. Suddenly, a surgery schedule is no longer just tied to hospital capacity or clinical need; it is tied to the recovery timeline of a hacked supplier. This is the nation-state cyber threat reality.
In broad strokes, that’s the March 2026 attack on Stryker. An Iran-linked hacking group penetrated the medical device manufacturer’s Microsoft environment and wiped tens of thousands of corporate devices. The disruption hit ordering, manufacturing, and shipping, which was enough to ripple into hospital surgery schedules.
This was not a smash-and-grab. According to Michael Crean, SVP at SonicWall, speaking on the Cyber Insurance News Podcast, attackers like these “knew what they were looking for.” They picked a target with global reach and direct lines to human consequence, then executed.
That is the uncomfortable starting point for understanding the nation-state cyber threat: it is patient, deliberate, and increasingly indifferent to the line between military objective and civilian inconvenience.
Get Our Nation-State Cyber Threat Podcast Here:
- YouTube
- Spotify
- Apple
- Amazon
War Without Borders, or Front Lines
Crean’s framing borrows from an older military logic. Kinetic warfare used to stay contained to where bombs fell and bullets flew. Digital warfare does not have that limitation. “To reach 10,000 miles away and take that kinetic action that used to be contained… it no longer stays,” he said.
Iran is one current example, not the only one. Crean pointed to Iranian-backed activity against critical sectors, but the broader pattern, hitting infrastructure that “makes their people hurt” without firing a shot, applies across multiple state actors. Nations without large militaries can still project power through a keyboard. The objective is the same one militaries have pursued for decades: degrade an adversary’s ability to function. The tools have changed.
Already Inside, Waiting
Perhaps the most underappreciated detail in nation-state cyber operations is timing. Forensic teams investigating major breaches routinely find that attackers had access for months, sometimes years, before doing anything visible.
We drew a direct comparison to invasions like D-Day. Allied forces did not simply land on the beaches; they had spies and commandos embedded behind enemy lines well before the invasion began. Digital intrusions increasingly follow the same model. Sleeper access sits dormant inside networks tied to power, water, and transportation, waiting for a moment to matter.
That dwell time is also why “we have no evidence of compromise” is a weaker reassurance than it sounds. Absence of detected activity is not the same as absence of access.
The Same Crack in the Wall
Here is where the nation-state cyber threat reality stops being remote. The vulnerabilities that let state actors sit inside critical infrastructure for months are not exotic. They are the same gaps that compromise small businesses every day, just exploited with more patience and a different objective.
Crean’s own example was personal, not geopolitical: his family’s Disney account was taken over years ago. The cause, in his words, was “100% attributed to strong password, no MFA.” No nation-state involvement required. Just an open door.
Cyber Insurance News has previously reported that 48 percent of SMB breaches trace back to compromised VPN credentials, and that ransomware was present in 88 percent of small business breaches last year, compared to 39 percent at large enterprises. Small businesses are not typically the nation-state’s intended target. But they sit inside supply chains, vendor networks, and shared infrastructure that nation-states do target, and they are exposed to identical failures: missing MFA, unpatched systems, and accounts nobody is watching.
A carrier underwriting either scenario asks the same questions. The attacker’s flag does not change the control gap.
Colonial Pipeline, Writ Small
Crean returned repeatedly to Colonial Pipeline as the cautionary tale that should have changed behavior industry-wide. East Coast fuel lines shut down. Panic buying followed. The root cause was unglamorous: an old account, still active, without multi-factor authentication.
“Good hygiene, MFA, patch management,” Crean said, framing these not as best practices but as table stakes. He cited a statistic worth repeating to any CFO who thinks cybersecurity spending is discretionary: organizations that enforce MFA and stay current on patches see a 70-some percent reduction in the likelihood of compromise. Crean was careful to caveat that no control eliminates risk entirely. But a 70 percent reduction from two unglamorous actions is not a marginal improvement; it is the difference between a contained incident and a headline.
From Questionnaire to Audit
The insurance implication is direct, and Crean did not soften it. Cyber insurers spent years relying on self-attested questionnaires: confirm you have MFA, confirm you have backups, collect the premium. “They found out that people were lying,” Crean said.
His prescription is blunt. Insurers need, in his words, not skin in the game but “teeth in the game.” If a policyholder attests to controls that justify their premium, insurers should be able to verify those controls, not simply accept the checkbox. That shift, from periodic attestation to continuous verification, is already changing how policies get written and renewed, and it applies whether the threat behind a future claim turns out to be a criminal syndicate or a nation-state proxy.
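The two gaps this article keeps returning to, an old account left active without MFA (the Colonial Pipeline pattern above) and insurers accepting a checkbox instead of verifying it, are both things a defender can check mechanically. The following is an added example, not code from the article, the podcast, or SonicWall: a small Python audit that reads a directory export, flags enabled accounts that lack MFA or have gone dormant, and then compares the observed MFA coverage against what was attested to a carrier. The account records, the field names (`mfa_enrolled`, `remote_access`, `last_login`) and the 90-day dormancy threshold are all constructed assumptions; map them to whatever your identity provider actually exports.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed sample export (not real data). Each row is what a directory or
# identity-provider export might look like after light parsing. Field names
# are assumptions for this example, not any vendor's schema.
SAMPLE_ACCOUNTS = [
    {"username": "alice",       "enabled": True,  "mfa_enrolled": True,  "remote_access": True,  "last_login": "2026-03-20"},
    {"username": "bob",         "enabled": True,  "mfa_enrolled": False, "remote_access": False, "last_login": "2026-03-18"},
    {"username": "contractor7", "enabled": True,  "mfa_enrolled": False, "remote_access": True,  "last_login": "2025-06-02"},
    {"username": "svc-backup",  "enabled": True,  "mfa_enrolled": False, "remote_access": True,  "last_login": None},
    {"username": "carol",       "enabled": False, "mfa_enrolled": False, "remote_access": True,  "last_login": "2024-11-30"},
]


@dataclass(frozen=True)
class Finding:
    username: str
    issue: str    # NO_MFA_REMOTE, NO_MFA, or DORMANT_ENABLED
    detail: str


def _is_dormant(last_login, today, dormant_days):
    """An account that has never logged in, or not within dormant_days, is dormant."""
    if last_login is None:
        return True
    return today - date.fromisoformat(last_login) > timedelta(days=dormant_days)


def audit_accounts(accounts, today, dormant_days=90):
    """Return findings for every enabled account that matches a known control gap.

    Disabled accounts produce no findings: the gap the article describes is an
    account that is still active, not one that was properly retired.
    """
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue
        name = acct["username"]
        if not acct["mfa_enrolled"]:
            if acct["remote_access"]:
                # The highest-risk shape: reachable from outside, single factor.
                findings.append(Finding(name, "NO_MFA_REMOTE",
                                        "enabled account with remote access and no MFA"))
            else:
                findings.append(Finding(name, "NO_MFA", "enabled account without MFA"))
        if _is_dormant(acct["last_login"], today, dormant_days):
            findings.append(Finding(name, "DORMANT_ENABLED",
                                    f"enabled but no login in {dormant_days} days"))
    return findings


def verify_attestation(accounts, attested, today, dormant_days=90):
    """Compare an attested control claim against what the export actually shows.

    `attested` is a constructed dict such as {"mfa_all_users": True}, standing in
    for the checkbox answer on a questionnaire. Coverage is computed over enabled
    accounts only, since disabled accounts cannot authenticate at all.
    """
    enabled = [a for a in accounts if a["enabled"]]
    with_mfa = [a for a in enabled if a["mfa_enrolled"]]
    coverage = len(with_mfa) / len(enabled) if enabled else 1.0
    findings = audit_accounts(accounts, today, dormant_days)
    claims_full_mfa = bool(attested.get("mfa_all_users", False))
    return {
        "enabled_accounts": len(enabled),
        "mfa_coverage": coverage,
        "attested_mfa_all_users": claims_full_mfa,
        # The claim holds only if every enabled account is actually enrolled.
        "attestation_holds": (not claims_full_mfa) or coverage == 1.0,
        "open_findings": len(findings),
    }


if __name__ == "__main__":
    today = date(2026, 3, 25)   # constructed "as of" date for the sample
    for f in audit_accounts(SAMPLE_ACCOUNTS, today):
        print(f"{f.issue:16} {f.username:12} {f.detail}")
    print(verify_attestation(SAMPLE_ACCOUNTS, {"mfa_all_users": True}, today))
```

Run against the constructed sample, the audit flags `bob` (no MFA), and flags `contractor7` and `svc-backup` twice each (remote access without MFA, and dormant while still enabled); `carol` is ignored because the account is disabled. The attestation check then reports 25 percent MFA coverage against a claim of full enforcement, which is exactly the kind of gap the questionnaire-to-audit shift is meant to surface before a claim, not after one.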
What Carriers, Brokers, and GCs Should Take From This
The nation-state threat is real, and it is patient in ways that should worry anyone responsible for critical infrastructure exposure. But the actionable takeaway is not “prepare for war.” It is narrower and more useful: the controls that matter against a nation-state are the same controls that matter against a criminal ransomware crew. MFA, patch discipline, and account hygiene are not glamorous, and they were never going to be. They are also, per Crean’s numbers, the highest-leverage spend available.
As Crean put it, closing the conversation: “This is a team effort. This is not an individual sport.”
FAQ – Nation-State Cyber Threat
Q: Are small businesses a nation-state target?
A: Not typically, based on this conversation. Crean’s examples involve critical infrastructure and large enterprises. Small businesses face the same vulnerabilities, but usually from criminal rather than state actors, or as exposure points within larger supply chains.
Q: What is dwell time, and why does it matter?
A: Dwell time is how long an attacker has network access before taking visible action. Long dwell times mean a clean security audit today does not guarantee an organization is uncompromised.
Q: Which controls did Crean single out?
A: Multi-factor authentication and consistent patch management, which he cited as reducing compromise likelihood by roughly 70 percent.
Q: Why are insurers moving from questionnaires to verification?
A: Carriers found that self-attested control claims were frequently inaccurate. Continuous monitoring and audit rights are replacing point-in-time attestation.
Q: Does the Colonial Pipeline lesson apply outside the energy sector?
A: The root cause, an orphaned account without MFA, is sector-agnostic. The same gap exists in any organization that does not actively manage the account lifecycle and authentication.
The transcript has been checked for accuracy, but verify elements against the recording.