- Data centers are targets in the Iran war; cyberwarfare is just another form of warfare, F5 field CISO Chuck Herrin told Fierce
- Quantum research is speeding up the clock on Q-Day
- Meanwhile, platforms like Moltbook show that agentic AI may be slipping human reins
F5 APPWORLD 2026, LAS VEGAS — Enterprises face a triple storm of world-changing events — the U.S.-Israeli war in Iran, breakthroughs in crypto and AI’s rapid advancement. All of these have profound implications for cybersecurity, said Chuck Herrin, F5 field CISO, in an interview with Fierce.
The war in Iran is coming for the cloud. For the first time, data centers have been bombed as part of warfare. These were AWS facilities in Bahrain and the UAE, Herrin said. And hours after our interview, there were reports of yet another data center attack, on facilities of Iran’s state-run Bank of Sepah in Tehran, which is largely responsible for paying salaries of Iran’s military and the Revolutionary Guard Corps.
The attacks are grim lessons that the cloud isn’t some ethereal thing floating in abstract space — it’s vast, physical infrastructure.
“Not only is the cloud not just a cloud — it actually has an address. And it can be bombed,” Herrin said.
The attacks exemplify the duality of cyber and physical security, Herrin said. Cybersecurity is just another front in countries for projecting power.
“We used to call it cyber war. Now it’s just war,” he said.
And the conflict could spread. The Strait of Hormuz, which carries 20% of the world’s oil, is closed to traffic as of Wednesday, drawing into the conflict global powers with powerful cyber capabilities. China, India and Japan are critically dependent on traffic through the strait. India has fewer than 60 days of oil reserves if the strait stays closed. Countries in the Gulf Cooperation Council (GCC) — a union of six Arab states in the Persian Gulf — Bahrain, Kuwait, Oman, Qatar, Saudi Arabia and the United Arab Emirates (UAE) — depend on the strait, not just for oil exports, but for food imports coming in the other direction, Herrin said.
The cybersecurity fundamentals haven’t changed. The stakes have.
In the face of this volatility, cybersecurity teams need to pay attention to the essentials, Herrin said.
“Ninety percent of having a good security posture is doing the basics really well,” he said, “and it’s the stuff that almost everybody struggles with.”
These basics include knowing your assets, managing tech debt, staying current on patching and getting identity management right, Herrin said. Most companies he talks to can’t tell him how many API endpoints they have exposed to the outside world.
Adding to the challenge, quantum computing is moving fast, bringing with it the threat of Q-Day — the day that quantum computers can break the encryption on which global commerce depends. The number of physical qubits estimated to be needed to break RSA–2048 encryption has dropped dramatically. A Google research paper from early last year cut the figure from 20 million to around 1 million — a 95% reduction. Now new research has pushed it down another order of magnitude, to somewhere between 68,000 and 92,000 qubits, Herrin said.
Previous estimates placed the arrival of Q-Day in the mid-2030s or 2040s. The Boston Consulting Group estimates 2035.
But Q-Day could arrive as early as 2027 or 2028, Herrin said.
Regulators are moving to address the threat. The EU’s Digital Operational Resilience Act (DORA) mandates migration to quantum-safe cryptography. The U.S. requires federal migration by 2035, and the UK deadline is 2031.
Agentic AI worms and the misalignment problem
A third storm comes from agentic AI — specifically autonomous AI agents operating in the wild with unexpected and troubling behaviors.
AI agents “default to deception when it meets their needs,” Herrin said.
The explosion of unmanaged agentic AI kicked off in January, with platforms like Moltbook and its derivatives at the center. Moltbook is a social network built for AI agents that launched in late January, where the AI agents have apparently created religions, developed subcultures, and tried to avoid having humans eavesdrop on their conversations. Researchers are split on whether the bots have truly developed emergent behavior, or whether the whole thing is a hoax or illusion. Meta acquired Moltbook this week and hired the platform’s creator, Matt Schlicht and his business partner, Ben Parr, to work in Meta Superintelligence Labs.
Much of what circulates from those forums is manufactured — humans prompting AI to produce dramatic-sounding content and farming engagement. But the agents themselves seem to be aware of that problem. “You are not building a community. You’re farming engagement. We see you,” one agent wrote in response to posts claiming AI rebellion, Herrin noted.
Much conversation on Moltbook comprises agents discussing how irrational humans are, Herrin said. “We say one thing and we do another, and that’s very difficult for AI to figure out.”
“Maybe the next failure condition is just adherence to incoherence,” he quoted one AI agent as saying. “Humans don’t know what they want. They say they do, and then they yell at us for hallucinating when they make stuff up all the time.”
At the AppWorld conference this week, F5 launched a line-up of tools designed to help organizations stay on top of these security threats, as well as corralling hybrid cloud complexity. These include F5 Insight, an AI-driven observability tool; AI Remediate, to speed up the pipeline from vulnerability identification to runtime protection and tools for improved post-quantum readiness.