China Is Winning the Cyberwar: America Needs a New Strategy of Deterrence

American companies are world leaders in technology—be it innovative software, cloud services, artificial intelligence, or cybersecurity products. Yet beginning as many as three years ago, hackers believed to be backed by the Chinese government did something the United States, the tech powerhouse, could not adequately defend against: they gained and maintained access to major U.S. telecommunications networks, copying conversations and building the ability to track the movements of U.S. intelligence officers and law enforcement agents across the country. The attack, dubbed “Salt Typhoon,” constituted a large part of a global campaign against telecoms, and it penetrated systems at many U.S. carriers so thoroughly that officials will almost certainly never know the full scope of the capabilities China achieved to spy on Americans’ communications.

Salt Typhoon was more than a one-off intelligence success for China. It reflected a deeper, troubling reality. Mere decades after the widespread adoption of the Internet opened a new realm of geopolitical contestation, China is positioning itself to dominate the digital battle space. The United States has fallen behind, failing to secure a vast digital home front—and the physical assets that depend on it. Because cyberspace has no borders, the U.S. homeland is always in the fight. Every hospital, power grid, pipeline, water treatment plant, and telecommunications system is on the frontlines, and most of the United States’ critical infrastructure is unready for battle.

China’s cyber dominance extends well beyond telecommunications espionage. Chinese malware has been discovered embedded in U.S. energy, water, pipeline, and transportation systems. These intrusions show little evidence of traditional intelligence gathering. Instead, they appear to be designed for sabotage, preparing China to disrupt both Americans’ daily lives and U.S. military operations. During a future crisis, China could use these pre-positioned capacities to delay military mobilizations, impede air traffic control systems, or cause cascading power outages. Even barring an outright attack, their existence could deter the United States by raising the specter of disruption at home.

The Salt Typhoon attack was able to secure such wide-ranging access in part because of the fundamental asymmetry between the authoritarian approach Beijing takes to its cyberdefense and Washington’s more democratic perspective. American values forbid the kind of comprehensive monitoring that undergirds China’s cyberdefense and frees Beijing to pursue offensive operations with less fear of retaliation. And myriad private actors manage the United States’ critical infrastructure, with minimal government oversight or hands-on assistance. Their levels of investment in cybersecurity are variable, driven by commercial bottom lines. Because visibility into those networks is so limited, when intruders are found it is hard to prove that they have been fully removed from networks or systems, and even when their removal appears certain, they are likely to return.

Chinese operations now pose the largest challenge to the United States’ cyberdefense, but it isn’t the only one. Vulnerabilities in U.S. infrastructure networks have made them attractive targets to other adversarial countries as well as to criminals. In the past several years, Russia and Iran have disrupted the operations of U.S. water systems in multiple states, and hackers mostly based in Russia have played havoc with the workings of hundreds of American hospitals. Washington can—and must—do much more to protect the United States’ critical infrastructure and deter Chinese attacks. The artificial intelligence revolution will only exacerbate the United States’ disadvantages unless policymakers urgently develop a new approach.

Washington must establish a new cyber-deterrence policy built on the principle that robust cyberdefense enables credible cyberoffense. Artificial intelligence offers the key to making this new deterrence policy feasible. The United States should leverage its AI expertise by mounting a national effort to use AI to model its sprawling network of critical infrastructure, identify the most important vulnerabilities, and fix them. Washington must also ensure that it has the offensive cyber-capabilities to deter China. And it must make its messaging about cyberattacks more coherent, clarifying that pre-positioning in specific kinds of infrastructure constitutes a redline and carefully signaling its capacity to retaliate.

By developing AI-powered defenses and investing more tactically in offensive capabilities, the United States can transform an inadequate cyber strategy into proactive deterrence. The U.S. government must convey the message to China that it remains committed to defending American lives. It can do so only by finding and securing the most sensitive vulnerabilities in the digital infrastructure on which Americans rely.

SECRET WEAPON

Salt Typhoon was a sophisticated, multistage operation. To gain administrator access to telecommunications networks, the attackers exploited flaws in U.S. telecom companies’ own security products—such as firewalls and other network-edge devices—and used passwords stolen in unrelated hacks. Once inside, the hackers installed malware and abused legitimate administrative tools and processes (a technique known as living off the land) to maintain control while blending in with normal activity. The attackers then used computers, servers, routers, and other devices they had compromised as pivot points to move across different companies’ networks and find the most rewarding spying positions.

The roots of China’s cyber advantages lie in structural differences between authoritarian and democratic forms of governance. When cyberattacks emerged with the advent of the Internet, both China and the United States faced similar vulnerabilities. But China has systematically built up its cyberdefenses while the United States has struggled to balance securing its cyberspace with its attention to civil liberties.

The Internet’s explosive growth in the 1990s worried Beijing. The Chinese government feared the Internet’s potential to enable free expression and, as is natural for an authoritarian regime, opted to restrict it. Beginning in the late 1990s, Beijing deployed an array of technologies and laws to censor online speech and block websites and applications developed in the West.

Outside observers still often describe this so-called Great Firewall as a domestic censorship project. But having accomplished that task, the Chinese government discovered that its creation had another powerful function. As well as screening for subversive speech, the Great Firewall’s technologies can identify malicious code before it reaches critical systems, providing Beijing with tools to defend against cyberattacks. As a consequence, Chinese water treatment plants, power grids, telecommunications networks, and other critical systems operate with layers of protection that most U.S. systems lack. If foreign hackers attempt to penetrate Chinese infrastructure, they may encounter not only their target’s specific defenses but the Chinese government’s integrated monitoring capabilities.

The United States, meanwhile, faced the opposite dynamic. Unlike in China, where critical infrastructure operates under direct state control, American systems are owned by thousands of private companies with varying cybersecurity capabilities and threat awareness. A small-town water treatment plant in Ohio, for example, operates with the cyber-protections it can afford—which often means vulnerable software, default passwords, and outdated systems that are easily hacked.

And the U.S. government is legally prohibited from monitoring many of these companies’ networks for threats without their explicit consent, to avoid transgressing the Fourth Amendment’s prohibition on unreasonable governmental “search and seizure” of private communications. So the United States came to rely on a patchwork approach to digitally securing its most crucial infrastructure: the companies that own and operate America’s most sensitive systems, such as power grids, are responsible for securing them, with limited government oversight.

LITTLE GREEN BOTS

This gap in defense enabled China to develop offensive capabilities with less fear of retaliation. Beijing invested heavily in offensive cyber-capabilities, establishing programs that now rival Washington’s in both sophistication and scale. China has integrated these capabilities into its broader military doctrine of “active defense,” or the principle that the best defense involves striking first to prevent enemy action.

China and the United States first engaged diplomatically on cyber-espionage in 2015, when U.S. President Barack Obama and Chinese President Xi Jinping brokered an agreement proscribing the theft of intellectual property by hackers for commercial gain, but China soon breached the agreement. The first Trump administration, which took over in 2017, favored taking enforcement actions over engaging diplomatically: for instance, in March 2018, it released indictments and sanctions against hackers linked to Beijing who had stolen proprietary data from U.S. companies and government agencies.

After President Joe Biden took office in 2021, his administration initiated regular high-level diplomatic engagement with China to manage the strategic competition between the two great powers, including in cyberspace. For instance, Biden extracted a promise from Xi that China would not interfere in the 2024 U.S. elections. But the Biden administration also realized that China’s offensive cyber-campaigns were intensifying.

In 2023, for example, Chinese state-sponsored hackers exploited a flaw in Microsoft’s cloud services to breach high-level officials’ email accounts. The Biden administration regularly declassified intelligence and gave escalating public warnings that China’s cyber-­activities were expanding from espionage to potential sabotage: in January 2024, FBI Director Christopher Wray testified to a House committee that hackers linked to the Chinese government were targeting critical U.S. infrastructure and preparing to cause “real-world harm” to Americans.

China’s cyber-operations have become a clear threat to U.S. national security. Consider the scope of China’s pre-positioning. Intrusions have been discovered in water infrastructure, power grids, and other critical systems across the American mainland. These attacks follow a consistent pattern: the intruders gain administrative access to supervisory control systems, establish the capacity to maintain that access over time, and then remain dormant while keeping the ability to activate malicious code on command.

The targets reveal strategic thinking. Water treatment plants serve essential civilian needs while also supporting military installations. Power grids enable everything from hospital operations to ammunition production. Telecommunications networks support both civilian communications and military command systems. By pre-positioning cyber­attack tools in these dual-use systems, China is readying itself to impose significant civilian costs while degrading the U.S. military’s effectiveness.

During a crisis over Taiwan, for instance, these capabilities could prove decisive. Imagine the dilemma facing American leaders if China could credibly threaten to delay military mobilization by disrupting U.S. rail networks or to trigger power failures across the Eastern Seaboard. Beijing need not actually execute such attacks. The mere possibility could alter U.S. decision-making by raising the domestic political costs of an overseas intervention.

China’s pre-positioning also serves tactical military objectives. U.S. military bases depend on surrounding civilian infrastructure for power, water, and communications. By threatening these systems, China could impede U.S. military mobilization without directly attacking military targets—avoiding the clear escalation that bombing American bases would represent. Similarly, disrupting seaports and airports could delay reinforcement deployments to the Pacific while appearing to target civilian infrastructure with nonlethal tactics.

Chinese military theorists explicitly embrace this logic, describing offensive cyber-operations as a form of “strategic deterrence.” More than most conventional forms of deterrence, cyber-­operations offer plausible deniability. China can threaten civilian infrastructure while maintaining that any disruptions might result from the targeted country’s own system failures rather than a deliberate attack. Indeed, the Chinese government has consistently denied that it was behind Salt Typhoon or the malware discovered in U.S. infrastructure.

DOUBLE VISION

That deniability has made traditional diplomacy a weak tool to manage cyberwarfare. The United States cannot rely on direct negotiations. It must turn urgently to bolstering its defenses. The Biden administration used emergency authorities to impose new minimum cybersecurity requirements on pipelines, rail systems, airports, and water utilities, overcoming decades of bipartisan resistance to mandating private-sector security standards. These requirements did drive improvements in basic protections. And they allowed government regulators such as the Transportation Security Administration, which regulates pipelines, to periodically inspect infrastructure owners’ cyberdefenses and offer guidance.

Although this represented an important step, even these enhanced requirements cannot match Beijing’s direct monitoring of equivalent networks in China. Biden mandated that U.S. pipelines, water systems, rail networks, and health-care industry firms report cyber-incidents to the government, but only after they occur; Chinese authorities can monitor their systems in real time to prevent incidents from occurring in the first place. New cybersecurity mandates on U.S. water utilities, meanwhile, were paused after several states challenged their legality, leaving this sector exposed.

Cyber-operations do resemble conventional warfare—airstrikes, naval battles, or ground combat—in that they involve both offense and defense. The United States deters conventional threats through superior military power, but it completely lacks that dominance in cyberspace, where defense and offense are inextricably linked. Currently, U.S. presidents face an impossible problem: they cannot make persuasive deterrent threats because they lack enough confidence that U.S. defenses could withstand a potentially escalatory tit-for-tat battle in cyberspace. The United States needs a policy that acknowledges the reality of cyberconflict while aggressively leveraging American technological advantages to restore strategic balance.

First and foremost, Washington must understand the vulnerabilities in its cyberdefenses. In conventional warfare, force-on-force comparisons guide strategy: for instance, the U.S. military runs regular tests and simulations to see whether its defenses can protect against Russian missile capabilities. But the government cannot assess how well the United States’ critical infrastructure would withstand Chinese cyberattacks, because it cannot even see what defenses secure its thousands of privately owned systems.

Artificial intelligence, with its rapidly growing abilities to synthesize a vast amount of data, offers a new opportunity to take on this sprawling problem. Indeed, it can be the key to a new U.S. cyber-deterrence policy—specifically, so-called AI-generated digital twins. A digital twin is a virtual replica of a physical object (such as a wind turbine) or a system (such as a power grid) that uses real-time data and sensors to mirror its real-world counterpart’s behavior and performance. These dynamic digital models allow organizations to monitor, analyze, and optimize their physical assets remotely.

Recent advances in AI have turbocharged digital twins’ usefulness by dramatically improving their ability to model ever-larger and more complex entities. Industry is rapidly adopting digital twins to advance product safety—Rolls-Royce, for instance, now operates digital twins of its jet engines to monitor safety and performance. Ford and BMW have created digital twins of manufacturing processes to improve efficiency. And governments are exploring their potential: Singapore, for instance, has created a digital twin as well as test beds for its water and power plants. NATO has used these systems in its annual, large-scale cyberdefense exercise, during which security teams simulated attacking and defending Singaporean infrastructure.

In the United States, a national effort to create digital twins for several hundred of the most sensitive critical infrastructure systems—done with private-sector owners’ cooperation and consent—would allow these systems’ security teams to safely test dangerous attack scenarios without risking the actual provision of core services. The teams could simulate cyberattacks against various system components within the digital twin to understand which vulnerabilities, if exploited, would cause major disruptions. This information would allow companies to focus their limited resources on fixing the vulnerabilities that pose the greatest threat rather than attempting to address every security flaw equally.
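The prioritization described above, as an added illustration that is not part of the article and not any utility’s model: a toy grid twin in Python that scores each node by the megawatts of demand that would lose every path to a generator if that node were compromised, and finds the pair of nodes whose joint loss costs the most. The topology, the node roles and the demand figures are all constructed for the example.

```python
"""Ranking assets of a toy grid twin by the demand lost if each is taken out.

Added example, not from the article and not any operator's model. The
network topology, node roles and demand figures below are constructed.
Compromise of a node is modelled as its removal; a load is served only if
it still has a path to at least one surviving generator.
"""
from collections import deque
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Constructed toy network: undirected lines between named nodes.
EDGES: List[Tuple[str, str]] = [
    ("gen_A", "sub_1"), ("gen_B", "sub_2"),
    ("sub_1", "sub_2"), ("sub_1", "sub_3"), ("sub_2", "sub_4"),
    ("sub_3", "load_hospital"), ("sub_3", "load_town"),
    ("sub_4", "load_base"), ("sub_4", "load_plant"),
]
GENERATORS: FrozenSet[str] = frozenset({"gen_A", "gen_B"})
DEMAND_MW: Dict[str, int] = {  # assumed loads, constructed
    "load_hospital": 20, "load_town": 50, "load_base": 40, "load_plant": 90,
}


def build_adjacency(removed: Iterable[str] = ()) -> Dict[str, Set[str]]:
    """Adjacency of the network with the given nodes (and their lines) removed."""
    gone = set(removed)
    adj: Dict[str, Set[str]] = {}
    for a, b in EDGES:
        if a in gone or b in gone:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def energized(adj: Dict[str, Set[str]]) -> Set[str]:
    """Nodes still reachable from any surviving generator (breadth-first search)."""
    seen: Set[str] = {g for g in GENERATORS if g in adj}
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def lost_demand(removed: Iterable[str]) -> int:
    """Megawatts of load left without a path to a generator after the removal."""
    live = energized(build_adjacency(removed))
    return sum(mw for load, mw in DEMAND_MW.items() if load not in live)


def all_nodes() -> List[str]:
    return sorted({n for edge in EDGES for n in edge})


def rank_single_outages() -> List[Tuple[str, int]]:
    """Every node scored by the demand lost if it alone is taken out, worst first."""
    scored = [(node, lost_demand({node})) for node in all_nodes()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def worst_pair() -> Tuple[Tuple[str, str], int]:
    """The pair of nodes whose joint loss costs the most demand (ties broken by name)."""
    scored = [(pair, lost_demand(pair)) for pair in combinations(all_nodes(), 2)]
    return min(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for node, mw in rank_single_outages():
        print(f"{node:<14} {mw:>4} MW lost")
    pair, mw = worst_pair()
    print(f"worst pair: {pair[0]} + {pair[1]} -> {mw} MW lost")
```

On this toy network the two generators rank at the bottom, because either can carry the whole system, while the substations that are the sole path to a branch rank at the top. That is the kind of result a twin makes visible: the asset worth hardening first is not always the one that looks most important on an inventory list. A real twin would replace the reachability check with a power-flow model and a far larger topology, but the workflow of removing candidates and measuring consequence is the same.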

Digital twins could also establish baseline behavioral patterns that help detect anomalies that could indicate cyberattacks. When a water system’s digital twin, for instance, suddenly shows unusual valve operations or pressure fluctuations, its security team could quickly identify potential intrusions before they cause physical damage. The potential impact goes beyond individual companies. Virtual replicas of regional power grids could be used to simulate cascading failure scenarios, identifying nodes whose protection would prevent widespread outages. Digital twins of urban water systems could model contamination attacks, suggesting potential technical countermeasures and emergency response procedures. And over time, digital twins would enable the kind of force-on-force comparisons that the national security community routinely conducts in conventional domains. A digital twin of the Hoover Dam’s control systems, for example, could simulate attack scenarios, helping its operators develop more precise and sophisticated defenses, as well as ways to recover more quickly if an attack does occur.
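The baseline-and-anomaly check described above, as an added illustration that is not from the article or any real operator: a toy twin of a water tank predicts the next level from the commanded valve state, and readings that disagree with the prediction beyond a tolerance are flagged. The telemetry, the flow constants and the tolerance are all constructed for the example.

```python
"""Twin-based anomaly detection over constructed water-tank telemetry.

Added example, not from the article. A toy digital twin predicts the next
tank level from the commanded valve state; readings that diverge from the
prediction beyond a tolerance are flagged. Every constant and sample below
is an assumption made up for illustration.
"""
from dataclasses import dataclass
from typing import List

# Assumed twin parameters (metres of level change per sampling step).
INFLOW_PER_STEP = 0.10   # added while the fill valve is open
OUTFLOW_PER_STEP = 0.04  # constant draw by downstream demand
TOLERANCE_M = 0.05       # allowed model/sensor mismatch before alarming


@dataclass(frozen=True)
class Sample:
    t: int            # step index
    valve_open: bool  # valve state as reported by the control system
    level_m: float    # tank level as reported by the level sensor


@dataclass(frozen=True)
class Anomaly:
    t: int
    predicted_m: float
    measured_m: float
    note: str


def twin_step(level_m: float, valve_open: bool) -> float:
    """Advance the toy twin one step: inflow if the valve is open, minus outflow."""
    nxt = level_m + (INFLOW_PER_STEP if valve_open else 0.0) - OUTFLOW_PER_STEP
    return max(0.0, nxt)


def detect_anomalies(samples: List[Sample], tolerance: float = TOLERANCE_M) -> List[Anomaly]:
    """Run the twin alongside the telemetry and flag readings that disagree with it.

    After a sample that agrees with the twin, the twin re-syncs to the measured
    level so small modelling errors do not accumulate. After an anomalous
    sample it keeps its own prediction instead, so a spoofed or stale reading
    cannot quietly drag the baseline along with it.
    """
    anomalies: List[Anomaly] = []
    state = samples[0].level_m
    for prev, cur in zip(samples, samples[1:]):
        predicted = twin_step(state, prev.valve_open)
        residual = cur.level_m - predicted
        if abs(residual) > tolerance:
            if residual > 0 and not prev.valve_open:
                note = "level rising while valve reported closed (unreported actuation?)"
            elif residual < 0 and cur.level_m == prev.level_m:
                note = "reading unchanged despite expected change (stale or replayed sensor?)"
            else:
                note = "level diverges from twin prediction"
            anomalies.append(Anomaly(cur.t, round(predicted, 3), cur.level_m, note))
            state = predicted
        else:
            state = cur.level_m
    return anomalies


# Constructed telemetry: a normal fill, one frozen sensor reading at t=3, and
# from t=8 a level that keeps rising although the valve is reported closed.
TELEMETRY: List[Sample] = [
    Sample(0, True, 1.00), Sample(1, True, 1.06), Sample(2, True, 1.12),
    Sample(3, True, 1.12),   # frozen reading
    Sample(4, True, 1.24), Sample(5, False, 1.30),
    Sample(6, False, 1.26), Sample(7, False, 1.22),
    Sample(8, False, 1.28),  # rising with the valve "closed"
    Sample(9, False, 1.34),
]

if __name__ == "__main__":
    for a in detect_anomalies(TELEMETRY):
        print(f"t={a.t}: predicted {a.predicted_m:.2f} m, measured {a.measured_m:.2f} m: {a.note}")
```

The point of the design is that the twin is an independent witness: it is driven by the commands the control system claims to have issued, so a sensor that has been frozen or a valve that is being operated outside the reported state shows up as a residual even though each individual reading looks plausible on its own. A production twin would use a calibrated hydraulic model and learned tolerances rather than fixed constants, but the comparison loop is the same.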

A national effort to create digital twins of critical national infrastructure could be piloted quickly for the U.S. energy grid by the Department of Energy. The department already possesses models of the grid and could draw on classified insights regarding China’s cyberwarfare capabilities, on the AI expertise at institutions such as Lawrence Livermore National Laboratory and Sandia National Laboratories, and on its close partnerships with U.S. energy firms. The lessons learned while establishing that pilot could then be used to build digital twins for other critical sectors.

Creating comprehensive digital twins will involve substantial technical challenges. It requires a detailed knowledge of infrastructure systems and network data that owners may consider proprietary. It will take time for government AI and intelligence experts to forge new kinds of partnerships with private owners and operators. But the United States needs a bridge between its physical and digital worlds. It cannot and should not simply mimic China’s cyber-barriers, which rely on an intrusive surveillance state. Digital twins, however, would give U.S. national security officials a continuous picture of American cyberdefenses and provide decision-makers with real-time assessments of the country’s readiness to foil cyberattacks. A future president contemplating a response to Chinese aggression could almost immediately access complex modeling of how U.S. infrastructure would perform under sustained attack—the kind of tactical intelligence that is sorely lacking today.

SEND A DM

Even AI-enhanced defenses cannot entirely overcome the cyberdefense gap that gives China its structural advantage. Current U.S. law gives infrastructure operators full authority to monitor their own networks, and federal legislation adopted in 2015 (the Cybersecurity Information Sharing Act) ensures that these operators are able to share threat information with their peers and with the federal government to facilitate collaborative defense. Still lacking in some key sectors, however, is any requirement that owners and operators actually monitor their networks. In sectors that do have such requirements, regulators need to conduct more consistent oversight to ensure that operators are maintaining their cyberdefenses and collaborating with peers and the federal government.

And defense alone, however sophisticated, cannot fully address China’s advantages. True deterrence requires the capacity to continuously undermine an adversary’s capabilities and prepare to impose unacceptable costs. The United States must ensure that it builds and maintains offensive cyber-­capabilities that can hold at risk targets that Beijing values—and clearly communicate that it can and will strike if China crosses American redlines. Instead of attempting tit-for-tat intrusions into Chinese civilian infrastructure, the United States could focus on targeting military assets that China depends on during crises, which would conform with international law and may have a greater effect on the Chinese government’s strategy.

Finally, the United States must strengthen its messaging. It must clarify that targeting specific critical civilian infrastructure whose disruption would cause major societal impact, even in the form of pre-positioning, is unacceptable. This would build on the Biden administration’s message to China that cyberattacks with physical impacts would be treated as an act of war. The United States should communicate three core principles: We will attribute attacks to their perpetrators. We are resilient. We will retaliate. Specificity matters for credibility—vague threats invite probing and miscalculation.

The message must be credible and persistent, including enough detail to prove that the United States’ offensive capabilities are real but not enough to let an adversary fix its vulnerabilities. Russia’s use of cyberattacks to induce blackouts in Ukraine in 2015 and 2016, years before its 2022 full-scale invasion, illustrates the danger in signaling cyber-capabilities too explicitly: the demonstration convinced Ukraine to significantly improve its power grid defenses.

There are reasons the United States has lagged in bolstering its cyberdefenses—political obstacles as well as technological ones. Congress has shown little appetite for extending the legal authority and sustained investment that comprehensive cyberdefense requires. Private companies resist mandated security requirements that increase costs.

Yet a wait-and-see approach has become unacceptable. If Washington does not move fast, artificial intelligence will only accelerate China’s advantages. The United States possesses the technical capabilities, economic resources, and innovative capacity to reclaim the advantage in the digital battle space. What the United States needs now is the vision and political will to take comprehensive action. Countries all around the world are watching. If the United States succeeds, it can serve as an example of how to achieve the benefits of digitization and a free Internet without compromising its national security. If it fails, the world will also take away a lesson: that democracies are less capable of defending against cyberthreats. And China’s strategy of “active deterrence” will only gain more global power.