Cyber Effects in Irregular Warfare: Lessons from Caracas

In early January 2026, news reports described a U.S. operation (dubbed “Operation Absolute Resolve”) in Caracas that captured Nicolás Maduro. Reuters reported a power outage in parts of Caracas during the operation (https://www.reuters.com/world/americas/loud-noises-heard-venezuela-capital-southern-area-without-electricity-2026-01-03/). This could be an example of cyber effects in Irregular Warfare (IW), or at least it has relevant lessons for cyberspace.

Early coverage and commentary hinted at cyber involvement, but subsequent reporting and reconstructions increasingly emphasize suppression of air defenses through conventional strike and Electronic Warfare (EW), with cyber details remaining unconfirmed in public.

Personally, my family risked everything to escape the oppression of a communist regime, so the operational headlines matter to me. Professionally, the lesson for CISOs is bigger than attribution: modern crises blend kinetic, EW, information operations, and digital disruption to compress decision time and degrade trust.

What reporting supports (and what it does not)

Verified reporting supports the following points:

Bottom Line

Public reporting supports that U.S. leaders referenced “effects” and participation by Cyber Command, but public evidence does not confirm a discrete, cyber-caused blackout. In fact, available reporting increasingly points to a blended Suppression of Enemy Air Defenses (SEAD)/EW plus kinetic picture, with cyber remaining unspecified.

IW or just conventional strikes

The Department of Defense (DoD) defines IW as campaigns that use indirect, non-attributable, or asymmetric activities. Sometimes these stand alone and sometimes they run alongside conventional combat forces. The Congressional Research Service echoes the same concept and stresses that IW spans domains and the information environment (https://www.congress.gov/crs-product/IF12565).

The Caracas operation looked conventional on the surface. However, the disclosed non-kinetic effects framing points to something else: a gray-zone playbook that prioritizes advantage through ambiguity.

IW often aims to:

  • Create dilemmas
  • Create uncertainty
  • Compress response time
  • Degrade legitimacy and confidence

Cyber does those things extremely well. Whether the lights went out because of cyber, EW, physical sabotage, or kinetic strikes, the IW lesson is the same: operators win by creating short windows where defenders see less, trust less, and coordinate worse.

This is why “effects-first” thinking matters. If your team argues about whether an outage is cyber or physical while your business stalls, the adversary already achieved the goal: decision delay.

“Suppression of defenses” – a cyber context

People hear “suppression” and picture a citywide blackout.

Modern suppression usually looks smaller, sharper, and more temporary. It focuses on windows: short time slots where defenders see less, trust less, and coordinate worse.

When leaders describe “non-kinetic effects,” the cyber contribution often targets outcomes like these:

  • Reduce sensor confidence – attackers only need to inject doubt into enough sensors that commanders hesitate. Not every radar needs to be tampered with.
  • Slow decision loops – if a decision loop takes too much time, the window to act closes.
  • Break coordination between sensors and weapons – integrated air defense relies on connectivity, signals, and timing. The individual parts of a fractured or flooded network can still function, but the network becomes ineffective and stops working as a system.
  • Degrade communications at the worst moment – a short disruption in command communications can matter more than a long outage at some other stage in a campaign.

This is why cyber plays so well within the IW realm. Cyber creates these outcomes without turning a whole country off.

Noteworthy IW patterns

Long cycle preparing, short execution

Modern IW is often months of planning and coordination (shaping) for minutes of decisive action. Cyber shaping often includes reconnaissance, analysis, sometimes custom development, and long-lived pre-positioning that looks like quiet intrusion (the attacker deliberately keeps activity low-noise and low-impact so defenders don’t notice it) until activation.

Weaponized ambiguity

Eyewitness accounts reported outages and loud blasts during this campaign, and public commentary debated the causes. When multiple domains (e.g., kinetic, electronic, cyber, space) collide, defenders often struggle to identify the failure mode (what component failed, how it failed, etc.). That uncertainty delays response.

The narrative battlefield moves at machine speed

Information operations begin immediately after high-visibility events. Analysts and security reporters quickly framed the Caracas blackout question as an open cyber possibility. In IW, perception controls the political and public temperature.

Infrastructure dependence creates coercion

BankInfoSecurity highlighted a claimed cyber incident affecting Venezuela’s oil and gas ecosystem (Petróleos de Venezuela’s own statement characterized it as a cyberattack) (https://www.bankinfosecurity.com/us-action-in-venezuela-provokes-cyberattack-speculation-a-30439). Even without definitive attribution, the lesson stands: critical infrastructure fragility turns into strategic leverage.

Why CISOs should care

Resilience beats attribution. Most CISOs don’t run an air defense network, nor are they nation-state targets. But they don’t need to run a nation-state air defense network to learn from this. CISOs should treat this as a case study in resilience under ambiguity. The question you need to answer is not “was it cyber?” Consider these instead:

  • Degraded-mode continuity – can you run operations safely when core systems are unstable and/or unreliable?
  • Decision advantage – can you separate signal from noise when dashboards lie and rumors spread fast?
  • Time-to-control – how quickly can you re-establish trusted communications, trusted identity, and trusted telemetry?

Degraded-mode operations (not just incident response)

Write, and rehearse, how the business runs when you lose one or more of the following: cloud control plane access, identity provider availability, network visibility, corporate communications, or power at a critical location. The key is to rehearse under chaos conditions to closely simulate reality. Incident Response (IR) focuses on finding, containing, eradicating, and recovering from an adversary; degraded-mode operations focus on continuing the business safely when critical systems are untrusted or unavailable, even while IR is still running.

  • Document manual fallbacks for critical workflows (financial transactions, customer support, OT safety, payroll).
  • Pre-authorize “safe shutdown” criteria for OT/ICS and safety-critical operations.
  • Keep offline copies of runbooks, contact trees, and key network diagrams. These need to be available in the face of communication failures.

Treat identity as a first-strike dependency

  • Protect privileged access paths (e.g., PAM, break-glass accounts, administrative tokens, API keys).
  • Hunt for quiet intrusion signals in identity telemetry (e.g., leaked session objects, new OAuth app consents, unusual token grants, anomalous administrative role assignments).
  • Design for IdP failure (e.g., local admin recovery, limited-function authentication, and documented manual approvals).
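The hunt for quiet intrusion signals described above can be expressed as a small set of rules over identity audit events. This is an added example, not code from the original article; the event schema, account and application names, baseline sets and the grant ceiling are all constructed assumptions rather than any vendor's log format.

```python
from datetime import datetime, timedelta

# Assumed baseline, captured before the hunt window (constructed values).
KNOWN_OAUTH_APPS = {"corp-sso-portal", "hr-suite"}
APPROVED_ROLE_GRANTERS = {"pam-workflow"}   # only the PAM workflow may assign admin roles
MAX_TOKEN_GRANTS_PER_HOUR = 20              # per principal

# Constructed sample events in a generic schema.
EVENTS = [
    {"ts": "2026-02-10T02:01:00", "type": "oauth_consent", "actor": "j.doe", "target": "hr-suite"},
    {"ts": "2026-02-10T02:04:00", "type": "oauth_consent", "actor": "j.doe", "target": "mail-sync-helper"},
    {"ts": "2026-02-10T02:10:00", "type": "role_assignment", "actor": "pam-workflow", "target": "a.ops:GlobalAdmin"},
    {"ts": "2026-02-10T02:12:00", "type": "role_assignment", "actor": "svc-backup", "target": "svc-backup:GlobalAdmin"},
] + [
    # 25 token grants in 25 minutes from one service principal.
    {"ts": f"2026-02-10T02:{m:02d}:30", "type": "token_grant", "actor": "svc-report", "target": "reporting-api"}
    for m in range(15, 40)
]

def hunt(events):
    """Return (signal, actor, target) tuples for events that break the baseline."""
    findings = []
    grants = {}  # actor -> grant timestamps inside the trailing hour
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "oauth_consent" and e["target"] not in KNOWN_OAUTH_APPS:
            findings.append(("new_oauth_app", e["actor"], e["target"]))
        elif e["type"] == "role_assignment" and e["actor"] not in APPROVED_ROLE_GRANTERS:
            findings.append(("unapproved_role_grant", e["actor"], e["target"]))
        elif e["type"] == "token_grant":
            window = grants.setdefault(e["actor"], [])
            window.append(ts)
            # Drop grants older than one hour so the count is a sliding window.
            window[:] = [t for t in window if ts - t <= timedelta(hours=1)]
            # Fire once, at the moment the ceiling is first exceeded.
            if len(window) == MAX_TOKEN_GRANTS_PER_HOUR + 1:
                findings.append(("token_grant_burst", e["actor"], e["target"]))
    return findings

if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(finding)
```
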

Validate telemetry integrity, not just intrusion

In blended operations, you can lose trust in dashboards before you lose systems. Disinformation is a very real issue and its impacts can be traced far back in time. Add controls and drills that detect a seemingly “false normal.”

  • Cross-check critical sensors (EDR vs. network telemetry vs. cloud logs) and alert on anomalies intelligently. This assumes solid baselines and visibility where it matters.
  • Protect logging pipelines and time synchronization; treat them as Tier-0 or critical infrastructure.
  • Practice operating with partial visibility, chaos, and pre-defined decision thresholds.
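One way to turn the three points above into a check, as an added example that is not part of the original article: compare per-host activity across sensors, flag a sensor that reports quiet or goes missing while the others show activity, flag timestamps that drift from collector receive time, and apply a pre-defined threshold for declaring telemetry degraded. The record layout, host names, skew tolerance and threshold are constructed assumptions, and the baseline is simplified to "any activity at all."

```python
from collections import defaultdict

SENSORS = ("edr", "netflow", "cloud_audit")
MAX_SKEW_S = 120          # assumed tolerance between event time and collector receive time
DEGRADED_THRESHOLD = 0.5  # assumed decision threshold: share of hosts with telemetry in doubt

# Constructed sample, one 5-minute bucket:
# (sensor, host, event_epoch, received_epoch, event_count)
SAMPLE = [
    ("edr", "app01", 1000, 1005, 40), ("netflow", "app01", 1000, 1003, 900),
    ("cloud_audit", "app01", 1000, 1010, 12),
    # db01: EDR reports "quiet" while network and cloud logs show heavy activity.
    ("edr", "db01", 1000, 1004, 0), ("netflow", "db01", 1000, 1002, 5200),
    ("cloud_audit", "db01", 1000, 1008, 75),
    # ws07: no EDR record at all, and netflow timestamps are 15 minutes off.
    ("netflow", "ws07", 1000, 1900, 300), ("cloud_audit", "ws07", 1000, 1006, 4),
]

def cross_check(records):
    """Return {host: [findings]} for hosts whose sensors disagree."""
    by_host = defaultdict(dict)
    findings = defaultdict(list)
    for sensor, host, event_ts, recv_ts, count in records:
        by_host[host][sensor] = count
        if abs(recv_ts - event_ts) > MAX_SKEW_S:
            findings[host].append(f"clock_skew:{sensor}")
    for host, seen in by_host.items():
        active = [s for s in SENSORS if seen.get(s, 0) > 0]
        for s in SENSORS:
            if s not in seen and active:
                findings[host].append(f"missing:{s}")       # pipeline gap
            elif seen.get(s) == 0 and active:
                findings[host].append(f"false_normal:{s}")  # quiet, but peers are not
    return dict(findings)

def telemetry_mode(records):
    """Apply the pre-defined threshold: 'degraded' means stop trusting the dashboards."""
    hosts = {r[1] for r in records}
    share = len(cross_check(records)) / len(hosts)
    return "degraded" if share >= DEGRADED_THRESHOLD else "trusted"

if __name__ == "__main__":
    print(cross_check(SAMPLE), telemetry_mode(SAMPLE))
```
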

Prepare for communication disruption and narrative pressure

  • Stand up out-of-band comms (phone directories, secure messaging, satellite options for critical leaders).
  • Pre-stage “first 30/60 minutes” messaging for employees, customers, and regulators.
  • Run communications war-games that include synthetic content, deepfake audio/video, and forged internal memos.

The transferable IW lesson is: in a modern crisis, cyber won’t arrive as a separate incident; it will arrive as one layer in a blended campaign. Attackers will not separate cyber incidents from business disruption.

Key executive takeaways

  • Treat disruption as “effects” – rehearse crisis leadership decisions regularly, including business decisions, in order to reduce downtime exposure.
  • Build degraded-mode operations – drill quarterly with operational leaders in order to protect revenue continuity.
  • Harden identity pathways – review privileges monthly so as to cut breach-driven operational disruption.
  • Validate telemetry integrity – test sensors regularly to prevent false-normal blind spots.
  • Govern narrative risk – run communications war-games at regular intervals so as to limit reputational and market fallout.