The reports may seem fragmentary and anecdotal, but they add up to a devastating pattern. Chinese state-affiliated hackers cracked Microsoft’s cloud email service and read mail inside the US Departments of Commerce, Treasury and State. Other Chinese hackers penetrated US military communications in Guam, a key command-and-control center for the Navy’s Seventh Fleet.
The US government has announced that Salt Typhoon, a group affiliated with the Chinese government, exploited vulnerabilities in Cisco routers to penetrate the networks of at least nine US telecommunications companies, including AT&T and Verizon, in what is being called one of the worst intelligence compromises in American history.
According to the New York Times, “No one at the Cybersecurity and Infrastructure Security Agency (CISA) seems able to say what has happened to the investigation into one of the most successful penetrations of American networks, or who is now responsible for figuring out why American telecommunications firms were caught unawares, for more than a year, by China’s Ministry of State Security.”
The ministry is China’s rough equivalent of the US Central Intelligence Agency. Chinese spies also targeted the phones of candidates in the 2024 US election. And the government has announced that the Chinese have pre-positioned malware in America’s critical infrastructure that presumably could be activated at a time of Beijing’s choosing.
Overall, China’s cyber espionage activities surged by 150 percent in 2024, according to CrowdStrike’s 2025 Global Threat Report.
The Russians also have penetrated deeply. A thriving ransomware attack system is now hitting not just corporate targets but also schools, churches, hospitals and even blood banks.
Microsoft’s threat intelligence team recently revealed that a Russian campaign it tracks as BadPilot, run by a subgroup of the Seashell Blizzard (Sandworm) group, has breached systems in numerous English-speaking countries around the world. The campaign’s targets have included “energy, oil and gas, telecommunications, shipping, arms manufacturing” and “international governments.”
In short, the Chinese and the Russians have staged a devastating Pearl Harbor-scale attack on America’s critical infrastructure and Information Technology systems. Much the same pattern is playing out for America’s traditional allies because US tech companies built large parts of their systems. Targeted data capture by adversaries is now a persistent threat.
At least some planning in the West’s military, diplomatic and trade realms could be monitored and anticipated. Aided by artificial intelligence, these penetrations also help to sow misinformation and disinformation throughout the social media universe in what has come to be called cognitive warfare. That represents an assault on all democracies.
If all this had happened at once, Americans might have been galvanized to respond, as they did in reaction to the original Pearl Harbor attack, the launching of Sputnik, and the terror attacks of September 11, 2001. But America’s adversaries have studied US history and have studiously avoided a single action that crosses the line of a declared war.
“The supreme art of war is to win without fighting,” the Chinese military strategist Sun Tzu wrote in The Art of War.
Far from responding forcefully as President Franklin D. Roosevelt did in 1941, the current Trump Administration seems to be enabling foreign adversaries by making a disastrous series of mistakes:
- slashing the ranks of CISA,
- appointing a politically connected lawyer with no cyber experience to be the White House’s cyber czar,
- exposing entire databases of sensitive data on the website of the Department of Government Efficiency and (most spectacularly)
- conducting a classified conversation about military action against Houthi rebels in Yemen on the messaging application Signal.
In short, the US response to Chinese and Russian penetration has been a dramatic failure, both from the private and public sectors. The burning question is: Why have leaders in both sectors declined to respond to an obvious crisis?
One answer is that, as pluralistic societies, the United States and other democracies have not yet been able to find ways to bring private and public sectors together to create solutions. There is also a wall of denial, a fear of acting out of fear.
Private sector boards of directors and CEOs have not truly addressed the fundamental risk posture and vulnerability of their systems. Instead, they have created elaborate layers of defense – against litigation.
When a company suffers a breach, it mobilizes attorneys, cybersecurity firms and insurance companies. The goal is to prove that the company followed “best practices” and was “commercially reasonable in compliance” with generally accepted practices, sometimes by reshuffling the responsibilities of the Chief Information Security Officer.
This checklist approach to cybersecurity just doesn’t work. Paying a big-name company to report on risk is a public relations strategy, not real cybersecurity. Boards and their managements issue bland press releases after a hack, reciting such homilies as “We detect no activity” or “No material loss of personal identifying data has been recognized.”
That type of statement is not the same as saying they have eliminated the intrusion and have reconfigured and protected their systems. It appears to be a kind of Faustian bargain – companies operate their networks, despite knowing the Chinese or Russians may be hiding inside, so that they can avoid costs and achieve their quarterly earnings targets. It is a systemic failure.
Major technology companies that have provided IT and telecommunications goods and services to their clients around the world also would be humbled if these uncomfortable truths were to be acknowledged. After all, America’s Big Tech promised to protect customers’ data in their highly vaunted, and often convoluted, security systems including cloud computing and data center storage systems.
But the Chinese have become masters of exploiting “cross-vendor” open source and legacy software vulnerabilities in cloud systems. Because many companies run the same flawed components, a foothold in one client company’s environment becomes a beachhead from which to find and exploit the same defects in other companies’ defenses.
The US government, like others, cannot address the problems of critical infrastructure because water, electricity, finance, telecommunications, food distribution, airlines and railroads, health care and other essential services are managed by a decentralized, profit-driven private sector.
Western governments are simply not organized to manage threats in the digital era because responsibility is too fragmented and the playing field too vast.
Successfully attacking these problems would require coalition-building, but today’s America operates in silos and sometimes places more trust in adversaries such as Russia than in competing US institutions. Take the Intelligence Community (IC), which consists of 18 different agencies.
The failure of the IC to share information was a key explanation for why the 9/11 terrorist attacks happened. The same patterns are playing out today. Too often, information about threats is withheld, not shared.
Moreover, the smorgasbord of federal, state and local law enforcement agencies does not always share threat information or understand the meaning of the information that is shared.
To compound this dysfunctionality, regulations from different federal agencies for different industries regarding what must be reported and what must be done after a breach are a complete jumble.
Even the Pentagon, which has market power because it contracts to procure goods and services from 300,000 companies in the Defense Industrial Base, has not been able to impose auditing of these companies’ IT systems, even by third parties.
The implementation of the Cybersecurity Maturity Model Certification program is a positive step, but the Chinese already have stolen massive amounts of technology, including the designs for American aircraft carriers, and seem certain to continue doing so.
Americans themselves also bear some of the responsibility. China’s TikTok, one of the most clever and powerful weapons in the history of undeclared warfare, has been embraced by half the American population – some 170 million users.
Other data-collecting Chinese applications such as DeepSeek were enthusiastically received, with few if any regulatory hurdles, before it was revealed that DeepSeek collects American users’ data that can be seen by TikTok’s parent company, ByteDance, in China.
Shein and Temu, Chinese shopping applications aimed at bargain hunters, also collect detailed information about their users.
When this information is layered upon the major hacks that have taken place in credit rating (Equifax), hotels (Marriott’s Starwood division), health care (Anthem) and detailed information about federal employees (the Office of Personnel Management), the Chinese and Russians are able to assemble detailed personal portraits of targeted individuals.
There may be ways out of this morass. Many suggestions are worthy of evaluation such as creating a federal Department of Digital Services or a high-level task force including representatives from both major companies and government agencies to pool resources and expertise. But time is limited. The place to begin is to acknowledge the depths of what has gone wrong – and to find the will to respond.
William J. Holstein, co-author of Battlefield Cyber: How China and Russia Are Undermining Our Democracy and National Security, has been following US-China relations ever since serving as an award-winning correspondent for United Press International in Hong Kong and Beijing from 1979 to 1982.
Stephen M. Soble is chairman and chief executive officer of Assured Enterprises, Inc., a Greater Washington, DC cybersecurity company. He has had extensive experience in China as a commercial attorney, international affairs advisor and businessman.