Watching · Cyber / Infrastructure
These are algorithmically-created hypotheses — not forecasts.
The central question is whether a state-linked cyber operation against US or EU critical infrastructure stays a localised, days-long disruption or cascades into a multi-week sectoral failure with kinetic-retaliation risk. The branches imply that a contained disruption is the most plausible outcome given mature incident-response playbooks, with a multi-week outage representing the principal downside path. A kinetic-retaliation cycle is the lowest-probability path but the highest tail risk for cross-asset volatility. Resolution may hinge on attribution speed, the affected sector, and whether the operation reads as signalling or as deliberate degradation.
Authored 2026-05-21 · OpenWatch editorial
Set at 35% grounded in CISA Annual Threat Assessment 2025 identifying Russia GRU, China Volt Typhoon, and Iranian IRGC as active OT-network pre-positioning actors. Dragos ICS/OT threat report documents a 50% year-on-year increase in OT-targeting ransomware variants 2023→2024. Held at 35% — not higher — because the scenario requires a multi-day public outage with verified attribution, a higher bar than observed incidents to date; most pre-positioning activity has not triggered publicly confirmed service disruption.
Twelve consecutive months without a CISA-attributed cyber operation against a US-EU critical-infrastructure sector that triggers a publicly reported multi-day service outage — would refute the "rising attack frequency" framing for that observation window.
Each branch below shows the most likely ways this plays out — with its own winners, losers, and supporting signals.
View possible paths ↓Not investment advice. Always verify independently with a qualified financial advisor.
Public prediction markets matched by AI to this scenario — agree or disagree, the bet is yours. OpenWatch does not recommend any position.
NATO Article 5 invocation is the direct institutional trigger for kinetic retaliation cycle; cascade initiates when member state formally triggers collective defense mechanism in response to cyber act of war or state-spo
Sabotage-triggered 250k+ power outage in U.S. megacity directly matches critical infrastructure cyber attack scenario with multi-week recovery implications and measurable outage duration.
Identical resolution condition as primary market; NATO Article 5 invocation before end of 2026 represents threshold event for kinetic retaliation cycle onset following critical infrastructure cyber attribution.
Ransomware campaign causing material harm to 100k people directly aligns with critical infrastructure cyber disruption scenarios. Ransomware is a primary attack vector against pipelines, grids, and essential services.
Deepfake/agent-driven cyber attack triggering NATO/UN emergency debate represents state-sponsored or sophisticated cyber operations against critical systems. Aligns with contained-disruption branch for coordinated cyber
Pipeline ransomware incidents like Colonial shut down fuel supply, causing acute price spikes. Gasoline exceeding $5/gallon in the US reflects supply disruption from critical infrastructure compromise.
Market prices are raw values. Political contracts may exhibit favourite-longshot bias.
If this scenario occurs — possible paths
Signal counts measure media attention over the last 7 days — not the likelihood of an outcome.
Branch % = conditional on this scenario occurring · Path % = joint probability of this exact path from today
Trade lens —Cyber primes (CRWD, PANW) capture incident-response and refresh demand; regulated utilities (NEE) carry a cyber-risk premium; Israeli cyber-export ecosystem bid. · meaningful · fast
Policy lens —CISA issues an Emergency Directive under FISMA mandating detection-and-response measures across federal civilian agencies and critical-infrastructure operators; the FBI opens a joint investigation with allied signals-intelligence partners; the White House Cyber Policy office convenes sector-specific tabletop exercises and accelerates CIRCIA implementation.
Trade lens —CRWD and platform consolidators (PANW) re-rate on multi-quarter capex pull-forward; cyber-insurance and utility multiples (NEE) carry sustained overhang. · meaningful · slow
Policy lens —The President invokes the National Emergencies Act and activates DHS Emergency Powers for critical-infrastructure restoration; Congress opens emergency hearings under NERC CIP authority; the White House convenes a Five Eyes intelligence-sharing emergency session on attribution.
Trade lens —Defense primes (LMT) and federal-cyber names (CRWD) bid; gold (GLD) and Treasuries take safe-haven flow; consumer-cyclicals and cyber insurers compress. · structural · slow
Policy lens —The White House invokes international law of self-defence under UN Charter Article 51 and authorises a proportional cyber-kinetic response; NATO convenes a North Atlantic Council session under Article 4 as allies assess Article 5 applicability; the UN Security Council holds an emergency session with the US citing attribution evidence.
Editorial framing — events outside our X→Y→Z partition. Authored as paired 'what if positive' / 'what if negative' to capture asymmetric tail outcomes. No probability is assigned; the lean indicator is directional only.
A US-led coalition publishes a binding attribution framework with technical-evidence standards and reciprocal-restraint norms; state-sponsored ICS targeting drops materially as deterrence credibility rises.
A self-propagating malware variant targeting common grid-SCADA stacks causes simultaneous regional outages across two or three G7 economies within 48 hours; recovery measured in weeks for the affected service territories.
Low-probability outcomes that do not belong to the conditional partition above. Surfaced alongside, never ranked, never given a probability. See the card for the trigger mechanism and the names that move if it materializes.
Mechanism: Article 5 deliberation reframes the event as state-actor warfare, not crime; reinsurance treaties trigger war-exclusion arguments that take years to resolve; cyber-insurance market function impairs.
A coordinated cyber-physical operation hits transmission control systems on both sides of the Atlantic within hours of each other — multi-state regional blackouts in PJM and continental Europe at once. The partition models a single high-impact event with a contained blast radius and a clear domestic response. A synchronized US+EU strike forces simultaneous attribution, NATO Article 5 deliberation, and a sustained dual-currency safe-haven move all at once — a regime the partition cannot describe.
Contingency note — Watch CISA / NSA / GCHQ joint advisories naming the same threat-actor cluster, and a sudden burst of utility-sector ICS vulnerability disclosures inside a 14-day window. Coordinated attribution within 72h of the incident is the tell.
Fewer than 5 historical episodes — tilts are indicative only. Use with extra caution.
Based on 3 modern pandemic/epidemic shocks with significant market impact (SARS 2003, H1N1 2009, COVID-19 2020); limited analog set — treat with caution. COVID-19 dominates weighting given its global market reach.
Countries and companies most at risk or with most upside across this scenario overall
Information cutoff: 2026-05-21 · Authored: AI-generated, council-reviewed · Live signal counts updated hourly