Why I Thought a War Would be Helpful and how I was Disappointed

 Posted on January 5, 2026  |  brian

Working in Security, one of my core tasks is defending threats and attack vectors. Next to everybody tries to do downplay Security risks as improbable or irrelevant or simply wrong. Having a real world threat on the other side of the table should help, or at least I thought so…

This is one of these blog posts that has been on my mind for quite a while and that nearly got a title like „Why we’re all F…ed“ or „We’re all F…ed“. Both of them probably being better than the current one, but hey…

Why I Thought a War Would Make my Life Easier

Security, just as insurances, is a preventive measure which must be calculated against an often unproven risk and it usually costs a lot of money. As such arguments like „that has never happened before“ and „nobody would ever do that“ are hard to counter when there is no „general enemy“ or adversary available to which one can point. And even though there are a of criminals, their resources are limited and the amount of potential targets is large, thus the threat level for an individual company might just feel low enough to skip certain measures.
My imagination of war times was, an epiphany of „damn, there’s somebody out there trying to get us, so we need to be careful“. And even though nation states aren’t necessary targeting individual companies, I thought, that everybody feeling like playing a system relevant role would decided to increase their defense to be able to provide their services no matte what comes.
Seems this was a slightly too romantic view of the system.

So, are we all F…ed?

Sure! Let’s just look back at last year. And please note, the important aspect here are neither the companies, nation states nor potential adversaries. All I want to highlight here are the rections.

  • Microsoft announces that data stored in US clouds is not legally protected from access by the US government even when hosted / physically located in Europe and protected by contractural agreements. For most people working in Security not a surprise, for everybody else, well, who cares. Germany is carrying on to base sovereign systems on Azure, the city of Hannover is moving their schools from iServ to MS365 . Yay. Read Here and Here
  • The US government has the Microsoft 365 mailbox of the chief investigator of the United Nations International Criminal Court blocked, because of a feud. And well, more European companies switch over to MS, i.e. the European Union implements it’s sovereign CVE database on Azure . Read Here
  • A US president announces they’d take Greenland by military force, if necessary, because they need it to ensure world peace! And? Well, Greenland isn’t happy, Denmark officially rates the US a foreign threat . The US carefully start operations. Aaaaand the rest of Europe, naaa the US are our friends, they wouldn’t. Read Here and Here and Here
  • Russia attacks Ukraine, or did they? I’m still not sure whether there is sufficient proof to concvince everybody that it actually happened and is still going on.

On a personal note, I recently had multiple discussions with various friends on Desaster preparation, i.e. following the state issued guide to store water and food for 2..3..10 days. The opinions on the topic were partially devestating. Why? Either because there is no convincing threat, or one is sure „the system“ will compensate and protect from disasters. Ironically they rely on the system which itself is recommending just these measures. Additionally, from that fact that there is a right wing prepper scene , some seem to believe, that preparing is a right wing trait and thus they’re staying away from it…

Working in Security

So, I had to do a only psych test-thing a while back, for an assessment center, and was encountered with the statement „I always see things positively“, which I always gave the lowest priority. Thus, the system rated me as being pessimistic. Nicely my boss was able to confirm that this is part of my job. Preventing bad things from happening requires the acceptance of the existence of bad things. (I still want to write a blogpost on problem agnostic problem solving.) That said, paranoia does not help anybody, but certain actions and events need to be taken into account when drawing a threat landscape and threat related metrics.

As a reference, I had a discussion on the probability of somebody reverse engineering and publishing on a specific RF remote control system for a specific device quite a while back. The product has been on the market for over 30 years and comes from a global market leader. Being in a safety context, the involved people were used to doing proper maths based on reference values…
We fought through the following questions, which are open for you to answer:

  • Are all students in IT and electronic engineering part of the group of potential attackers?
  • Are students working on a bachelor or master thesis „highly motivated“?
  • When talking about previous events:
    • Do only attacks against industrial remote controls count?
    • Do attacks against model cars count?
    • Do attacks against mobile traffic lights count?
    • Does reverse engineering satellite communication count?
  • How close does a YouTube video have to be to count as hard proof?
  • What are the necessary skills for reversing a 30 year old protocol? Is it easier or harder than for a modern one?

For me as somebody who has worked on similar topics, I often treat them as trivial. I know, that while I might not have done the same thing, I always have a reference somewhere in one of my hundreds of boxes at home. (Admittingly, a constant dialog is vital to stop myself from overestimating things.) Many non-Security-people take a perspective limited by the exact use case and if there aren’t any one-to-one references, well, irrelevant.
Coming from here, the more you’ve seen in Security, the more you’ve done, the more trivial many similar attacks become. At the same time, the frustration about others not accepting threats as being significant simply grows. This has become so bad over the past few years that various people have given up on the blue side and defence. It simply takes a significant amount of energy and does not feel rewarding.
Or, looking back at a conversation with a Brian with a y instead of an i from probably 10 years ago: Wouldn’t it be better if things went wrong in peace times, rather than during war times? And who would be prepared to take the risk to create the necessary attention. Maybe by sorting all Ubers in city by color for an awesome drone photo, or maybe broadcasting warnings on a Zombie Apocalypse via Snapchat?

Peace and Threats

Ironically it seems the people enjoying their peace and freedom the most, are the ones talking down the threats against their most precious. Additionally they seem to forget that it takes up a significantly larger amount of energy / resources to keep order than to fall back into chaos.
Sadly enough, while writing this post (03.01.2026), I’m reading on what’s currently happening in Venezuela… so I guess I can skip the rest of this paragraph.

As always: And now?

The big question is whether „Are we F…ed?“ is the relevant question. Even if we are, the more important question is: Do you want to roll over and die or keep on going?
If it’s the latter, it might just be time to take on emerging threats and invest a little bit more energy and time into Resilience and Security. And honestly, it feels wrong to still have to preach baseline Security in 2026…
That said, hope you’ll have an awesome and safe new year!