China Is Winning The Cyberwar – Independent Newspaper Nigeria


… America Needs a New Strategy of Deterrence

American companies are world leaders in technology—be it innovative software, cloud services, artificial intelligence, or cybersecurity products. Yet beginning as many as three years ago, hackers believed to be backed by the Chinese government did something the United States, the tech powerhouse, could not adequately defend against: they gained and maintained access to major U.S. telecommunications networks, copying conversations and building the ability to track the movements of U.S. intelligence officers and law enforcement agents across the country. The attack, dubbed “Salt Typhoon,” constituted a large part of a global campaign against telecoms, and it penetrated systems at many U.S. carriers so thoroughly that officials will almost certainly never know the full scope of the capabilities China achieved to spy on Americans’ communications.

Salt Typhoon was more than a one-off intelligence success for China. It reflected a deeper, troubling reality. Mere decades after the widespread adoption of the Internet opened a new realm of geopolitical contestation, China is positioning itself to dominate the digital battle space. The United States has fallen behind, failing to secure a vast digital home front—and the physical assets that depend on it. Because cyberspace has no borders, the U.S. homeland is always in the fight. Every hospital, power grid, pipeline, water treatment plant, and telecommunications system is on the frontlines, and most of the United States’ critical infrastructure is unready for battle.

China’s cyber dominance extends well beyond telecommunications espionage. Chinese malware has been discovered embedded in U.S. energy, water, pipeline, and transportation systems. These intrusions show little evidence of traditional intelligence gathering. Instead, they appear to be designed for sabotage, preparing China to disrupt both Americans’ daily lives and U.S. military operations. During a future crisis, China could use these pre-positioned capacities to delay military mobilizations, impede air traffic control systems, or cause cascading power outages. Even barring an outright attack, their existence could deter the United States by raising the specter of disruption at home.

The Salt Typhoon attack was able to secure such wide-ranging access in part because of the fundamental asymmetry between the authoritarian approach Beijing takes to its cyberdefense and Washington’s more democratic perspective. American values forbid the kind of comprehensive monitoring that undergirds China’s cyberdefense and frees Beijing to pursue offensive operations with less fear of retaliation. And myriad private actors manage the United States’ critical infrastructure, with minimal government oversight or hands-on assistance. Their levels of investment in cybersecurity are variable, driven by commercial bottom lines. That means that when cyberattackers are found, it is hard to prove that they have been removed from networks or systems. Even when their removal appears certain, it is likely they will return.

Chinese operations now pose the largest challenge to the United States’ cyberdefense, but it isn’t the only one. Vulnerabilities in U.S. infrastructure networks have made them attractive targets to other adversarial countries as well as to criminals. In the past several years, Russia and Iran have disrupted the operations of U.S. water systems in multiple states, and hackers mostly based in Russia have played havoc with the workings of hundreds of American hospitals. Washington can—and must—do much more to protect the United States’ critical infrastructure and deter Chinese attacks. The artificial intelligence revolution will only exacerbate the United States’ disadvantages unless policymakers urgently develop a new approach.

Washington must establish a new cyber-deterrence policy built on the principle that robust cyberdefense enables credible cyberoffense. Artificial intelligence offers the key to making this new deterrence policy feasible. The United States should leverage its AI expertise by mounting a national effort to use AI to model its sprawling network of critical infrastructure, identify the most important vulnerabilities, and fix them. Washington must also ensure that it has the offensive cyber-capabilities to deter China. And it must make its messaging about cyberattacks more coherent, clarifying that pre-positioning in specific kinds of infrastructure constitutes a redline and carefully signaling its capacity to retaliate.

By developing AI-powered defenses and investing more tactically in offensive capabilities, the United States can transform an inadequate cyber strategy into proactive deterrence. The U.S. government must convey the message to China that it remains committed to defending American lives. It can do so only by finding and securing the most sensitive vulnerabilities in the digital infrastructure on which Americans rely.

SECRET WEAPON

Salt Typhoon was a sophisticated, multistage operation. To gain administrator access to telecommunications networks, the attackers exploited flaws in U.S. telecom companies’ cybersecurity products—such as firewalls—and used passwords stolen in unrelated hacks. Once inside, the hackers installed malware and hijacked legitimate processes and programs to maintain control. The attackers then used computers, servers, routers, and other devices they had compromised to move across different companies’ networks and find the most rewarding spying positions.

The roots of China’s cyber advantages lie in structural differences between authoritarian and democratic forms of governance. When cyberattacks emerged with the advent of the Internet, both China and the United States faced similar vulnerabilities. But China has systematically built up its cyberdefenses while the United States has struggled to balance securing its cyberspace with its attention to civil liberties.

The Internet’s explosive growth in the 1990s worried Beijing. The Chinese government feared the Internet’s potential to enable free expression and, as is natural for an authoritarian regime, opted to restrict it. Beginning in the late 1990s, Beijing deployed an array of technologies and laws to censor online speech and block websites and applications developed in the West.

Outside observers still often describe this so-called Great Firewall as a domestic censorship project. But having accomplished that task, the Chinese government discovered that its creation had another powerful function. As well as screening for subversive speech, the Great Firewall’s technologies can identify malicious code before it reaches critical systems, providing Beijing with tools to defend against cyberattacks. As a consequence, Chinese water treatment plants, power grids, telecommunications networks, and other critical systems operate with layers of protection that most U.S. systems lack. If foreign hackers attempt to penetrate Chinese infrastructure, they may encounter not only their target’s specific defenses but the Chinese government’s integrated monitoring capabilities.

The United States, meanwhile, faced the opposite dynamic. Unlike in China, where critical infrastructure operates under direct state control, American systems are owned by thousands of private companies with varying cybersecurity capabilities and threat awareness. A small-town water treatment plant in Ohio, for example, operates with the cyber-protections it can afford—which often means vulnerable software, default passwords, and outdated systems that are easily hacked.

And the U.S. government is legally prohibited from monitoring many of these companies’ networks for threats without their explicit consent, to avoid transgressing the constitutional ban on governmental “search and seizure” of private communications. So the United States came to rely on a patchwork approach to digitally securing its most crucial infrastructure: companies that own and operate America’s most sensitive systems, such as power grids, are responsible for securing them with limited government oversight.

LITTLE GREEN BOTS

This gap in defense enabled China to develop offensive capabilities with less fear of retaliation. Beijing invested heavily in offensive cyber-capabilities, establishing programs that now rival Washington’s in both sophistication and scale. China has integrated these capabilities into its broader military doctrine of “active defense,” or the principle that the best defense involves striking first to prevent enemy action.

China and the United States first engaged diplomatically on cyber-espionage in 2015, when U.S. President Barack Obama and Chinese President Xi Jinping brokered an agreement proscribing the theft of intellectual property by hackers for commercial gain, but China soon breached the agreement. The first Trump administration, which took over in 2017, favored taking enforcement actions over engaging diplomatically: for instance, in March 2018, it released indictments and sanctions against hackers linked to Beijing who had stolen proprietary data from U.S. companies and government agencies.

After President Joe Biden took office in 2021, his administration initiated regular high-level diplomatic engagement with China to manage the strategic competition between the two great powers, including in cyberspace. For instance, Biden extracted a promise from Xi that China would not interfere in the 2024 U.S. elections. But the Biden administration also realized that China’s offensive cyber-campaigns were intensifying.

In 2023, for example, Chinese state-sponsored hackers exploited a flaw in Microsoft’s cloud services to breach high-level officials’ email accounts. The Biden administration regularly declassified intelligence and gave escalating public warnings that China’s cyber-activities were expanding from espionage to potential sabotage: in January 2024, FBI Director Christopher Wray testified to a House committee that hackers linked to the Chinese government were targeting critical U.S. infrastructure and preparing to cause “real-world harm” to Americans.

China’s cyber-operations have become a clear threat to U.S. national security. Consider the scope of China’s pre-positioning. Intrusions have been discovered in water infrastructure, power grids, and other critical systems across the American mainland. These attacks follow a consistent pattern: the intruders gain administrative access to supervisory control systems, establish the capacity to maintain that access over time, and then remain dormant while keeping the ability to activate malicious code on command.

The targets reveal strategic thinking. Water treatment plants serve essential civilian needs while also supporting military installations. Power grids enable everything from hospital operations to ammunition production. Telecommunications networks support both civilian communications and military command systems. By pre-positioning cyberattack tools in these dual-use systems, China is readying itself to impose significant civilian costs while degrading the U.S. military’s effectiveness.

During a crisis over Taiwan, for instance, these capabilities could prove decisive. Imagine the dilemma facing American leaders if China could credibly threaten to delay military mobilization by disrupting U.S. rail networks or to trigger power failures across the Eastern Seaboard. Beijing need not actually execute such attacks. The mere possibility could alter U.S. decision-making by raising the domestic political costs of an overseas intervention.

China’s pre-positioning also serves tactical military objectives. U.S. military bases depend on surrounding civilian infrastructure for power, water, and communications. By threatening these systems, China could impede U.S. military mobilization without directly attacking military targets—avoiding the clear escalation that bombing American bases would represent. Similarly, disrupting seaports and airports could delay reinforcement deployments to the Pacific while appearing to target civilian infrastructure with nonlethal tactics.

Chinese military theorists explicitly embrace this logic, describing offensive cyber-operations as a form of “strategic deterrence.” More than most conventional forms of deterrence, cyber-operations offer plausible deniability. China can threaten civilian infrastructure while maintaining that any disruptions might result from the targeted country’s own system failures rather than a deliberate attack. Indeed, the Chinese government has consistently denied that it was behind Salt Typhoon or the malware discovered in U.S. infrastructure.

ANNE NEUBERGER is Frank E. and Arthur W. Payne Distinguished Lecturer at Stanford University and a Distinguished Visiting Fellow at the Hoover Institution. Before serving as Deputy National Security Adviser for Cyber and Emerging Technology on the U.S. National Security Council in the Biden administration, she spent over a decade in various leadership roles at the U.S. National Security Agency.

Continues in FOREIGN AFFAIRS (www.foreignaffairs.com), August 13, 2025.

Source: Independent
