American companies are world leaders in technology—be it innovative software, cloud services, artificial intelligence, or cybersecurity products. Yet beginning as many as three years ago, hackers believed to be backed by the Chinese government did something the United States, the tech powerhouse, could not adequately defend against: they gained and maintained access to major U.S. telecommunications networks, copying conversations and building the ability to track the movements of U.S. intelligence officers and law enforcement agents across the country. The attack, dubbed “Salt Typhoon,” constituted a large part of a global campaign against telecoms, and it penetrated systems at many U.S. carriers so thoroughly that officials will almost certainly never know the full scope of the capabilities China achieved to spy on Americans’ communications.

Salt Typhoon was more than a one-off intelligence success for China. It reflected a deeper, troubling reality. Mere decades after the widespread adoption of the Internet opened a new realm of geopolitical contestation, China is positioning itself to dominate the digital battle space. The United States has fallen behind, failing to secure a vast digital home front—and the physical assets that depend on it. Because cyberspace has no borders, the U.S. homeland is always in the fight. Every hospital, power grid, pipeline, water treatment plant, and telecommunications system is on the frontlines, and most of the United States’ critical infrastructure is unready for battle.

China’s cyber dominance extends well beyond telecommunications espionage. Chinese malware has been discovered embedded in U.S. energy, water, pipeline, and transportation systems. These intrusions show little evidence of traditional intelligence gathering. Instead, they appear to be designed for sabotage, preparing China to disrupt both Americans’ daily lives and U.S. military operations. During a future crisis, China could use these pre-positioned capacities to delay military mobilizations, impede air traffic control systems, or cause cascading power outages. Even barring an outright attack, their existence could deter the United States by raising the specter of disruption at home.

The Salt Typhoon attack was able to secure such wide-ranging access in part because of the fundamental asymmetry between the authoritarian approach Beijing takes to its cyberdefense and Washington’s more democratic perspective. American values forbid the kind of comprehensive monitoring that undergirds China’s cyberdefense and frees Beijing to pursue offensive operations with less fear of retaliation. And myriad private actors manage the United States’ critical infrastructure, with minimal government oversight or hands-on assistance. Their levels of investment in cybersecurity are variable, driven by commercial bottom lines. That means that when cyberattackers are found, it is hard to prove that they have been removed from networks or systems. Even when their removal appears certain, it is likely they will return.

Chinese operations now pose the largest challenge to the United States’ cyberdefense, but it isn’t the only one. Vulnerabilities in U.S. infrastructure networks have made them attractive targets to other adversarial countries as well as to criminals. In the past several years, Russia and Iran have disrupted the operations of U.S. water systems in multiple states, and hackers mostly based in Russia have played havoc with the workings of hundreds of American hospitals. Washington can—and must—do much more to protect the United States’ critical infrastructure and deter Chinese attacks. The artificial intelligence revolution will only exacerbate the United States’ disadvantages unless policymakers urgently develop a new approach.

Washington must establish a new cyber-deterrence policy built on the principle that robust cyberdefense enables credible cyberoffense. Artificial intelligence offers the key to making this new deterrence policy feasible. The United States should leverage its AI expertise by mounting a national effort to use AI to model its sprawling network of critical infrastructure, identify the most important vulnerabilities, and fix them. Washington must also ensure that it has the offensive cyber-capabilities to deter China. And it must make its messaging about cyberattacks more coherent, clarifying that pre-positioning in specific kinds of infrastructure constitutes a redline and carefully signaling its capacity to retaliate.

By developing AI-powered defenses and investing more tactically in offensive capabilities, the United States can transform an inadequate cyber strategy into proactive deterrence. The U.S. government must convey the message to China that it remains committed to defending American lives. It can do so only by finding and securing the most sensitive vulnerabilities in the digital infrastructure on which Americans rely.

Salt Typhoon was a sophisticated, multistage operation. To gain administrator access to telecommunications networks, the attackers exploited flaws in U.S. telecom companies’ cybersecurity products—such as firewalls—and used passwords stolen in unrelated hacks. Once inside, the hackers installed malware and hijacked legitimate processes and programs to maintain control. The attackers then used computers, servers, routers, and other devices they had compromised to move across different companies’ networks and find the most rewarding spying positions.

The roots of China’s cyber advantages lie in structural differences between authoritarian and democratic forms of governance. When cyberattacks emerged with the advent of the Internet, both China and the United States faced similar vulnerabilities. But China has systematically built up its cyberdefenses while the United States has struggled to balance securing its........

© Foreign Affairs