When federal agents walked into the municipal utility building in Littleton, Massachusetts, in late 2023, they carried a warning that should have wounded Americans’ sense of security. Chinese state-backed operators had penetrated the town’s water system, quietly compromising its control network for years. Their goal was not espionage or theft but leverage—the ability to sow chaos in the United States and deter U.S. action abroad in the event of a future conflict.
Littleton was not an isolated event. In February 2024, U.S. federal agencies disclosed new details about Volt Typhoon, a Chinese state-sponsored hacking group first identified in 2023, revealing that it had compromised critical infrastructure networks in the communications, energy, transportation, water, and government sectors. Using “living off the land” techniques that mimic legitimate network activity, the hackers set up their positions and remained undetected for years; Microsoft, which first documented the campaign in 2023, reported that it had been active since at least 2021. Other infrastructure hubs, including the Port of Houston and New York’s Metropolitan Transportation Authority, have also been targeted in separate but related campaigns that used similar intrusion methods. Although not all of these operations were directly linked to Volt Typhoon, they shared its hallmarks: stealthy network access, the exploitation of legitimate administrative tools such as PowerShell, Windows Management Instrumentation, remote desktop services, and network management utilities, and pre-positioning for potential future attacks. The U.S. government still lacks a full picture of how far such operations extend.
The pre-positioning approach of Littleton and Volt Typhoon is indicative of Beijing’s emerging interest in waging war against entire systems, attacking the connective tissue that allows an adversary to communicate, move, decide, and recover. Whereas Iran and Russia emphasize more traditional espionage tools, including ransomware, wipers, and coordinated disinformation, China hopes that by degrading the networks that bind military power to civilian life it can paralyze an adversary before combat begins.
This blurring of the line between peace and war also reflects a broader shift in the nature of global conflict, to what former Assistant Secretary of Defense Mara Karlin has called “the return of total war,” whereby countries mobilize entire societies and economies around war efforts. In this new reality, domestic crisis management has become the first theater of conflict. The civilian backbone of national defense, once defined by industrial production lines and civil defense drills, now runs through code and logistics, in data centers, pipelines, hospitals, telecom exchanges, and water plants.
While U.S. adversaries are systematically preparing the battlefield well before a potential conflict erupts, Washington has yet to catch up. The United States needs a strategy of total defense fit for total war. It must close the seam between national security and daily life and link federal, state, local, and private efforts to both prevent hostile incursions into critical systems and mitigate the fallout of a potential attack. If it fails to do so, the next war could begin on American soil before the first shot is fired.
STUDY ABROAD
The United States has recognized the threat posed by pre-positioned attacks and the need to protect the country’s networks against them. The Biden administration’s 2022 National Defense Strategy, for example, introduced the concept of deterrence by resilience, the idea that by strengthening its ability to absorb, adapt to, and recover from attacks, the United States can deny adversaries the strategic benefits of disruption and, as a result, deter aggression. Since then, Washington has directed the Cybersecurity and Infrastructure Security Agency, the Federal Emergency Management Agency, the Transportation Security Administration, and the Federal Energy Regulatory Commission to establish new cybersecurity performance goals, mandatory reporting rules, and incident-response systems. These efforts, which began in 2023, aim to harden critical infrastructure against pre-positioned threats and to reduce recovery times after major disruptions.
But U.S. efforts have been fragmented and uneven. Many key defenses, such as the electric grid’s industrial control systems, still rely on decades-old hardware and unencrypted communications, and have yet to be comprehensively and uniformly upgraded, leaving critical nodes of the country’s infrastructure network vulnerable.
In October 2025, Congress’s Cyberspace Solarium Commission 2.0 warned of “an across-the-board retreat” in federal cyber-posture. Senator Angus King, an independent from Maine and a co-chair of the commission, lamented that progress made since the original Cyberspace Solarium Commission’s establishment, in 2019, had eroded just as threats were accelerating. “We have taken our eye off the ball at precisely the wrong time,” he warned.
That same month, with agencies understaffed and contractors unpaid during the government shutdown, phishing and credential attacks increased by more than 80 percent, according to data from the Cybersecurity and Infrastructure Security Agency.
The deeper flaw is conceptual. The United States has not updated its understanding of coercion since the Cold War, when the architects of deterrence theory fretted over the threat of nuclear retaliation and assumed clear boundaries between war and peace. That framework made sense in an era of visible military buildups and clear, discrete escalation decisions but fails to account for today’s gray-zone campaigns that exploit civilian systems long before open conflict begins. And unlike the Soviet Union, modern adversaries have already embedded themselves in civilian networks. Retaliation after the fact cannot restore confidence by itself; deterrence now also depends on making aggression too unprofitable to even attempt.
The Cold War does, however, remain instructive in one important way: it was the last time the United States mobilized its society to prepare for a large-scale confrontation with an adversary. Families drilled for a nuclear attack, schools taught children to “duck and cover,” and federal agencies ran exercises to test how government operations would continue after a major strike. President John F. Kennedy called civil defense “an essential part of our defense effort and of the security of every family in America” and urged households to take basic preparedness steps such as storing food, water, and medical supplies and identifying shelter locations. That ethos has since faded, as Washington honed its nuclear deterrence strategy and the fight against terrorism, waged largely overseas and far removed from most Americans’ daily lives, replaced existential conflict with Moscow.
Other democracies whose present threats feel more immediate—particularly those who fear a Russian attack—have shown how to make whole-of-society readiness routine. Finland’s “comprehensive security” model, formalized in 2010 after decades of total defense–style planning developed in the wake of the Winter War and shaped by fears of Russian territorial aggression and political pressure, coordinates hundreds of public and private organizations in nationwide preparedness exercises. It requires every ministry to maintain continuity plans that ensure that essential services, supply chains, and communications can function during crises.
Sweden revived its total defense system after Russia invaded Crimea in 2014. The government mailed a simple booklet, titled “If Crisis or War Comes,” to every household, explaining what to expect and how to respond to disruptions such as power outages, supply shortages, cyberattacks, and military emergencies. Since 2016, Poland has expanded its territorial defense units to support both military and humanitarian missions, linking national defense with community resilience. Finland and Sweden, along with Japan, which faces the urgent threat of large-scale natural disaster and regional instability from China and North Korea, also integrate resilience education into school curricula, mandating programs that teach critical thinking, media literacy, and civic responsibility to strengthen psychological resistance and social cohesion during crises.
The United States should learn from these examples that cultivating a resilient public is both possible and essential. In an era in which adversaries target societies as much as militaries, preparing civilians to contribute to a total defense effort is a prerequisite for national security.
HARD TARGETS
Any effort to prepare American society for total war must begin by cleaning up the country’s existing infrastructure. Washington must systematically block Chinese and other malicious actors’ access to critical infrastructure such as the electric grid, water systems, pipelines, ports, and telecommunications networks through a coordinated campaign, led by the Departments of Homeland Security and Energy, that targets individual facilities and points of failure rather than entire sectors. Such a campaign has never been undertaken because no single agency currently has the authority or funding to compel private operators to audit their systems. But these departments together can conduct detailed inventories of control systems—the hardware and software that operate industrial processes—to identify foreign-sourced or compromised components and replace them at scale. The Trump administration should bar high-risk vendors, including Chinese suppliers of transformers, industrial controllers, and telecommunications equipment, from participating in federal or state infrastructure contracts. Utilities and grid operators should be required to replace Chinese-manufactured components with domestic alternatives and conduct joint exercises with federal agencies to confirm that vulnerabilities have been identified and removed. Economic and investment regulators should tighten reviews of foreign ownership stakes, supply chain dependencies, and shell distributors to prevent sanctioned foreign firms and their cutouts from reentering U.S. markets under new names.
Foreign pre-positioning operations are acts of preparation for a larger attack and must be treated as such. Washington should draw an unmistakable line on these intrusions. Crossing it should trigger automatic consequences: offensive cyber-actions that disrupt the command-and-control servers, malware infrastructure, and operational networks used to conduct such attacks. These measures would be paired with economic penalties against the responsible countries, including targeted sanctions, technology export bans, and trade restrictions designed to degrade cyber and industrial capabilities.
These moves will signal Washington’s seriousness about deterrence by both denial and punishment, but they alone will not prevent adversaries from testing the United States’ critical infrastructure. Real deterrence will require a coordinated effort to stitch together existing denial efforts and new initiatives into a connected defense system. A National Resilience Council, led by a national resilience coordinator with budget alignment authority modeled on that of the national cyber director, would have the power to coordinate funding across agencies and ensure that resilience programs in energy, health, transportation, and homeland security are strategically aligned rather than siloed and in competition for limited federal resources. The council could set measurable national performance goals tracking the resilience of critical infrastructure systems, emergency response times, and recovery capacity; coordinate grant criteria for federal programs that fund community preparedness and infrastructure and cybersecurity improvements; and conduct an annual review to identify gaps in interagency coordination, state and local readiness, and private-sector compliance with national resilience standards.
Centralizing the authority of a total defense system in Washington risks creating additional bureaucratic steps and slowing local response during crises. To avoid those problems, the federal government should focus on lifeline functions such as energy, communications, transportation, and water, while incentivizing state and local governments to take the lead on regional preparedness, emergency coordination, and public communication.
States including Colorado, Louisiana, and New Jersey have already benefited from the appointment of resilience officers, who have coordinated across agencies during wildfires, hurricanes, and floods to sequence emergency response, infrastructure repair, and long-term community planning. Washington should encourage other states to follow suit by giving priority access to matching grants to states that appoint such officers, publish continuity standards, and conduct annual “black-sky” exercises simulating prolonged grid failures, water contamination, hospital surges, and disinformation campaigns.
Federal agencies can still lend their expertise and funding to state and local governments. The Department of Homeland Security, which currently focuses primarily on information sharing with states and businesses, can send technical teams to help states and private operators assess vulnerabilities, secure industrial control systems, and deploy cybersecurity and physical upgrades. Through its Building Resilient Infrastructure and Communities program, the Federal Emergency Management Agency can dedicate more funding to pre-disaster mitigation and to continuity planning that develops strategies to maintain essential services and governance even when primary facilities or networks are disrupted. As part of a government-wide effort to improve communication and accountability, Congress can require these agencies to report progress and issue public scorecards so lawmakers and citizens can see which jurisdictions are reducing vulnerabilities and which are falling behind.
These reforms will be insufficient without the cooperation of the private sector. The federal government should compel utilities and critical suppliers to sign “resilience contracts” by tying eligibility for public grants and procurement opportunities to the agreements. The companies would commit to maintaining verified continuity plans, built-in redundancies, and secure communications that can operate under stress in exchange for access to federal and state infrastructure funding. The model can borrow from the financial sector, where public-private coordination and conditional standards—requirements that firms meet specific capital, risk-management, and reporting thresholds—reduce systemic risk. To qualify for government funding, utilities and hospitals should also be required to complete independent stress tests measuring black-start capability, or the ability to restart power generation after a complete grid outage, along with backup communications capacity and recovery time.
When a population understands its role, adversaries find it harder to divide or frighten. The United States’ tradition of citizen readiness and self-reliance can be harnessed to cultivate an engaged public invested in the national defense. In addition to expanding existing programs such as AmeriCorps and the Civil Air Patrol, which engage Americans in volunteer search-and-rescue missions, disaster relief operations, and aerospace education, the United States should establish a Resilience Defense Corps and other opportunities for national service focused on conflict preparedness and civic response. Drawing on programs in other democracies, a dedicated corps integrated with state emergency agencies could help keep communities functional when systems come under stress. Participants would receive training in emergency response, counter-disinformation, crisis communication, and coordination among community leaders, emergency managers, and volunteer organizations, as well as first aid and tasks such as maintaining emergency shelters, distributing supplies, and sustaining essential services during disruptions. In parallel, expanding programs such as the Cyber Service Academy, a scholarship-for-service initiative that covers full tuition in exchange for subsequent civilian employment in cyber-positions in the Department of Defense, would build a pipeline of skilled cyber-advisers capable of defending critical networks and infrastructure. By fusing top-down institutional coordination with bottom-up civic initiative, the corps would strengthen public trust and practical resilience across the country.
SPEND TO SAVE
Total defense relies on trust. Confidence in the federal government is at near-historic lows, weakening compliance with emergency guidance, making rumor more potent, and opening the door for the spread of conspiracy theories and disinformation during disruptions. Foreign adversaries exploit those conditions. Public assessments from the Office of the Director of National Intelligence describe Russian and Chinese influence operations that amplify domestic divisions and erode faith in elections, public health, and critical infrastructure. Today, the United States is as vulnerable socially and politically as it is technically.
Here, stable leadership matters. Deterrence requires institutions that persist and leaders who can plan and exercise across years. A rotating cast cannot build the muscle memory that resilience demands. The Trump administration’s removal of senior continuity and cybersecurity officials and the partisan fights that followed risk politicizing essential security roles and further eroding already limited institutional capacity.
Building a more resilient state and society will require large-scale mobilization, and it will not be cheap. But prevention costs far less than recovery. Studies by the National Institute of Building Sciences show that every dollar invested in disaster mitigation—reinforcing infrastructure, upgrading electrical systems, improving flood defenses—saves an average of six dollars in avoided losses. Washington’s current spending suggests that it understands that calculation. The Department of Energy’s Grid Resilience and Innovation Partnerships program dedicates more than $10 billion to harden transmission and distribution systems by replacing aging equipment, installing smart sensors, and expanding underground lines. It also supports microgrids that can disconnect from the main electric grid when necessary, reducing outage duration by maintaining localized power during disruptions. The 2021 Infrastructure Investment and Jobs Act adds over $50 billion for climate and hazard mitigation, including flood control, wildfire prevention, and upgrades to highways, bridges, and rail lines to withstand extreme weather. What remains missing is a coherent strategy that ties these efforts across sectors and agencies into a unified national resilience system.
The next war will not announce itself with a salvo. It will begin with flickering screens, silent phones, and control rooms that suddenly do not respond. The United States must act now to close existing vulnerabilities before they are exploited and to prevent new ones from emerging. By embracing a strategy of total defense fit for a world of total war, Washington can help prevent future Littletons—and the chaos that would follow.