US and its allies are undergoing a digital Pearl Harbor attack – Asia Times

Although the reports may look sporadic and empirical, they add up to a disturbing pattern. Foreign state-affiliated thieves cracked Microsoft’s cloud infrastructure and penetrated the message systems of the US departments of Commerce, Treasury and State. In Guam, a crucial command and control center for the Navy’s Seventh Fleet, other thieves hacked into the US government’s communications system.

In what is being referred to as one of the worst intelligence compromises in American history, the US government announced that Salt Typhoon, an affiliate of the Chinese government, used vulnerabilities in Cisco devices to penetrate the systems of nine US communications firms, including AT&T and Verizon.

According to the New York Times, “No one at the Cybersecurity and Infrastructure Security Agency (CISA) seems able to say what has happened to the investigation into one of the most successful penetrations of American networks, or who is now responsible for figuring out why American telecommunications firms were caught unawares, for more than a year, by China’s Ministry of State Security.”

The ministry is the equivalent of the US Central Intelligence Agency in China. Candidates’ devices in the US election of 2024 were likewise targeted by Chinese spies. And the government has announced that the Chinese have placed ransomware in America’s essential equipment that apparently had been activated at the time of Beijing’s finding.

According to CrowdStrike’s 2025 Global Threat Report, China’s cyber-espionage activity increased by 150 percent overall in 2024.

Russians have deeply penetrated as well. A thriving ransomware attack system is now hitting not just corporate targets but also schools, churches, hospitals and even blood banks.

Microsoft’s threat intelligence team recently discovered that a Russian attack group known as BadPilot has breached systems in numerous English-speaking nations around the world. The group’s objectives included “energy, oil and gas, telecommunications, shipping, arms manufacturing” and “international governments.”

In short, the Chinese and the Russians have staged a devastating Pearl Harbor-scale attack on America’s critical infrastructure and information technology systems. Because US tech companies built a lot of their systems, the same pattern is occurring for America’s traditional allies. Data capture by adversaries is now a constant threat.

At least some planning in the West’s military, diplomatic and trade realms could be monitored and anticipated. These penetrations, which are supported by artificial intelligence, also aid in the spread of misinformation and disinformation throughout the social media world in what is now known as cognitive warfare. That offends all democracies, in my opinion.

If all this had happened at once, Americans might have been galvanized to respond, as they did in reaction to the original Pearl Harbor attack, the launching of Sputnik, and the terror attacks of September 11, 2001. However, America’s adversaries have carefully avoided any action that crosses the line of a declared war because they have studied US history.

In The Art of War, Chinese military strategist Sun Tzu wrote, “Winning without fighting is the supreme art of war.”

Far from responding forcefully as President Franklin D. Roosevelt did in 1941, the current Trump Administration seems to be enabling foreign adversaries by making a disastrous series of mistakes:

  • cutting CISA’s ranks,
  • appointing a politically connected attorney with no prior experience to serve as the White House’s cyber czar,
  • exposing entire databases of sensitive data on the website of the Department of Government Efficiency, and
  • (most spectacularly) using the messaging app Signal to engage in a secret conversation about military action against Yemeni rebels.

In summary, the US response to the penetration by China and Russia has been a dramatic failure in both the private and public sectors. The burning question is: Why have leaders in both sectors declined to respond to an obvious crisis?

One answer is that the United States and other democracies, as pluralistic societies, have not yet found ways to unite the public and private sectors to find solutions. A fear of acting out of fear is also present.

Private sector boards of directors and CEOs have not truly addressed the fundamental risk posture and vulnerability of their systems. Instead, they have developed elaborate layers of legal defense.

When a business experiences a breach, it mobilizes attorneys, cyber security experts, and insurance firms. The goal is to prove that the company followed “best practices” and was “commercially reasonable in compliance” with generally accepted practices, perhaps including changes in the responsibilities of the Chief Information Security Officer.

This cybersecurity checklist approach simply isn’t effective. Paying a well-known company to report on risk is a PR stunt, not real cybersecurity. Boards and their managements issue bland press releases after a hack, reciting such homilies as “We detect no activity” or “No material loss of personal identifying data has been recognized.”

That kind of claim is not equivalent to saying they have patched up and protected their systems after the intrusion. It appears to be a kind of Faustian bargain: to avoid costs and meet their quarterly earnings goals, businesses run their networks despite knowing that Russians or Chinese may be hiding there. It is a systemic failure.

If these uncomfortable realities were to be acknowledged, major technology companies that have provided IT and telecommunications goods and services to their customers around the world would also be humbled. After all, Big Tech in America promised to safeguard customers’ data in their wildly convoluted security systems, including data centers and cloud computing.

But the Chinese have become masters of exploiting “cross-vendor” open source and legacy software vulnerabilities in cloud systems. That means that if they can infer the weaknesses in the defenses of one client company, they could create a beachhead from which to discover the same weaknesses in the defenses of other businesses.

Because of a decentralized, profit-driven private sector, the US government, like other countries, cannot address the issues involving critical infrastructure.

Western governments are simply not organized to manage threats in the digital era because responsibility is too fragmented and the playing field too vast.

To successfully address these issues, coalition-building would be necessary, but today’s America operates in silos and occasionally places more of its weight on Russian allies as opposed to US institutions. Take the Intelligence Community (IC), which consists of 18 distinct entities.

The failure of the IC to share information was a key explanation for why the 9/11 terrorist attacks happened. The same patterns are in play today. Too frequently, threats are concealed and not shared.

Moreover, the smorgasbord of federal, state and local law enforcement agencies does not always share threat information or understand the meaning of the information that is shared.

Regulations from various federal agencies for various industries regarding what must be reported and what must be done following a breach are a complete jumble, adding to this dysfunctionality.

Even the Pentagon, which has market power because it contracts to buy goods and services from 300,000 businesses in the Defense Industrial Base, has been unable to impose auditing of these companies’ IT systems, even by third parties.

The implementation of the Cybersecurity Maturity Model Certification program is a positive step, but the Chinese already have stolen massive amounts of technology, including the designs for American aircraft carriers, and seem certain to continue doing so.

Americans themselves bear some of the brunt of the blame. One of the most creative and potent weapons in the history of undeclared war, TikTok, is used by 170 million people in America.

Before it was revealed that its website collects American data that TikTok’s parent company, ByteDance, can view, it was widely known, with few if any regulatory hurdles. Other data-collecting Chinese algorithms like DeepSeek were enthusiastically embraced by the public.

Chinese bargain-hunting apps Shein and Temu are algorithms that gather data about their users.

When this information is layered upon the major hacks that have taken place in credit rating (Equifax), hotels (Marriott’s Starwood division), health care (Anthem) and detailed information about federal employees (the Office of Personnel Management), the Chinese and Russians are able to assemble detailed personal portraits of targeted individuals.

There might be other ways to get out of this mess. There are many ideas that merit evaluation, including the creation of a federal department of digital services or a high-level task force made up of representatives from both major corporations and government organizations to collaborate on resources and expertise. But time is limited. The best place to start is to acknowledge the magnitude of what has gone wrong and to find the courage to act.

William J. Holstein, co-author of Battlefield Cyber: How China and Russia Are Undermining Our Democracy and National Security, has been following US-China relations ever since being an award-winning correspondent for United Press International in Hong Kong and Beijing from 1979 to 1982.

Assured Enterprises, Inc., a cybersecurity company in Greater Washington, DC, is led by Stephen M. Soble as chairman and CEO. He has a wealth of business and commercial experience in China as well as experience as an international affairs advisor.