If a conflict between the U.S. and China were to emerge, potentially over Taiwan, Americans would have a far more serious threat to their everyday lives than TikTok propaganda. In a worst-case scenario, they may not be able to put gas in their cars or turn on their lights.

Chinese hackers are burrowing into the networks of major critical U.S. infrastructure, including energy grids, water treatment plants and transportation networks. These cyber intrusions are part of a plan for Beijing, if it wants, to “land low blows against civilian infrastructure to try to induce panic and break America’s will to resist,” FBI Director Christopher Wray said at a cybersecurity summit last April. In other words, these keyboard warriors are gearing up their ability to bring crucial aspects of American life to a screeching halt.

As the government was still investigating the extent of this cyber-espionage campaign by a group dubbed Volt Typhoon, the White House confirmed in December that another outfit called Salt Typhoon was able to breach major U.S. telecom giants. One lawmaker called it the “worst telecom hack in our nation’s history – by far.” Americans were recently caught off-guard again, when the Treasury Department disclosed that a separate state-sponsored hacker had breached its network. It was reported that even Treasury Secretary Janet Yellen’s computer was infiltrated.

The recent barrage of cyber-espionage, which Beijing has officially denied any involvement in, represents a massive and embarrassing U.S. failure. America will never come out on top of a tech war with China if it can’t protect even basic civilian infrastructure or government devices from such hacks.

Despite the high risks of potentially dramatic consequences, the vaguer aspects of cybersecurity have never been a particularly sexy rallying point in Washington. Tangible targets like TikTok, and even the 2023 Chinese spy balloon, easily suck much more oxygen and attention from the public. But protecting and countering Beijing’s sophisticated — and invisible — cyber-espionage campaigns will ultimately emerge as incoming President Donald Trump’s biggest China test.

The investigations into the recent attacks remain ongoing, and we’ll probably learn a lot more in the months to come (as well as witness a fair amount of finger-pointing as authorities locate the soft spots). But some initial reporting suggests that the Salt Typhoon attacks on telecom networks resulted from vulnerabilities wrought by aging equipment. Lawmakers should work with the private sector to ensure that identified weaknesses are immediately patched.

The government’s Cybersecurity and Infrastructure Security Agency last month urged “highly targeted individuals” — such as those in senior positions in government or politics, or likely to possess information of interest to Beijing — to start using only end-to-end encrypted communications, among other best practices.

The guidelines warn that they “should assume that all communications between mobile devices — including government and personal devices — and internet services are at risk of interception or manipulation.” It’s imperative that organizations and government agencies require potential targets to abide by the recommendations; breaches often occur in the weakest links, which are frequently individuals who ignore such theoretically required protocols.

The U.S. is starkly outnumbered in this battle. Beijing-backed hackers exceed the FBI’s cyber agents by “at least 50 to one,” Wray has repeatedly warned lawmakers, adding that China has a “bigger hacking program than every other major nation combined.” Countering such threats will take significantly more investments in manpower and building out teams exclusively focused on this risk.

It will also require significant collaboration with the private sector. Technology manufacturers and software providers must recognize cybersecurity as a leading business priority. Washington should also deepen partnerships with critical infrastructure providers to make sure these often under-resourced sectors are taking the best precautions. Lawmakers should work on targeted regulation requiring at-risk companies to ensure robust defense measures, rather than just voluntary compliance.

The U.S. announced sanctions last week on a Chinese company, as well as an individual allegedly affiliated with China’s Ministry of State Security, linked to the recent cyberattacks. The measures against Sichuan Juxinhe Network Technology Co., a cybersecurity firm, and Yin Kecheng, who was accused of involvement in the Treasury hack, block them from U.S. transactions and put up impediments to U.S. ownership, but are unlikely to have a material impact on their operations or goals. It’s a clear message, yet doesn’t go nearly far enough to counter the risk.

Trump campaigned on tough-on-China rhetoric, threatening to wage another trade war with major tariffs. But his track record on cybersecurity has been uneven. During his first term, he axed the job of the nation’s cybersecurity czar, and has suggested massive cuts to federal agencies via a “government-efficiency” push involving Elon Musk. Cybersecurity needs to be at the top of Trump’s tech policy agenda, even if it’s less politically popular than moves like saving TikTok or appointing a crypto and AI czar.

The threat of Chinese cyber assaults is nothing new, but it’s now apparent that they’re no longer just targeting intellectual property from companies or data related to political campaigns. Hackers previously revealed their motives when they fell for a so-called “honeypot” trap set up by the FBI, quickly stealing information related to controlling infrastructure systems while ignoring financial and business-related data.

It’s become clear that Beijing’s hackers are gearing up for conflict and cyberwarfare. The U.S. cannot afford to be caught flat-footed.

_____

This column does not necessarily reflect the opinion of the editorial board or Bloomberg LP and its owners.

Catherine Thorbecke is a Bloomberg Opinion columnist covering Asia tech. Previously she was a tech reporter at CNN and ABC News.

______

©2025 Bloomberg L.P. Visit bloomberg.com/opinion. Distributed by Tribune Content Agency, LLC.