Your Infrastructure is Already Compromised and Cybersecurity Theater Won't Save It

The federal government is screaming into a void, and the void is just reflecting back their own incompetence. When the FBI and CISA issue "urgent warnings" about Volt Typhoon or state-sponsored Chinese hacking groups infiltrating our water, power, and telecommunications, they are performing a ritual. It is a dance of bureaucratic CYA (Cover Your Assets) designed to mask a fundamental, ugly truth: the battle for the perimeter was lost a decade ago.

We are currently witnessing the death rattle of the "castle and moat" strategy. The federal plea for "greater protection" is a polite way of asking private utilities to spend more on digital locks for doors that have already been unhinged. If you are a CISO at a major utility and you are still focusing on keeping them out, you aren't just behind the curve. You are the reason the curve exists.

The Myth of the Unbroken Perimeter

The standard narrative suggests that if we just patch enough vulnerabilities and hire enough analysts, we can achieve a "secure" state. This is a lie sold by vendors and echoed by regulators who need a metric to track.

State-sponsored actors, particularly those from the People’s Republic of China (PRC), do not "hack" in the way Hollywood portrays it. They do not smash through firewalls with brute force. They reside in the "living off the land" (LOTL) space. They use your own administrative tools—PowerShell, WMI, and legitimate VPN credentials—to move through your network like ghosts. To your security software, they look exactly like your best senior engineer performing a routine midnight update.
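Because an intruder living off the land is, to a signature-based tool, indistinguishable from a legitimate administrator, the defensive counter is to baseline what each account normally does and alert on deviations rather than on the tools themselves. The following Python is an added illustration of that approach, not code from the author or from any product; the event field names and the sample records are constructed to resemble normalised VPN and endpoint process-creation telemetry and are an assumption, as is the two-deviation alert threshold.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (not real telemetry). Field names are an assumption
# modelled on what a SIEM normalises out of VPN and Sysmon-style process logs.
SAMPLE_EVENTS = [
    # A week of normal daytime work: VPN from the same home IP, PowerShell
    # launched interactively from the user's own workstation.
    {"ts": "2024-03-04T09:02:14", "type": "vpn_login", "user": "jdoe", "src_ip": "203.0.113.10"},
    {"ts": "2024-03-04T09:10:30", "type": "process", "user": "jdoe", "host": "ws-eng-07",
     "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": "2024-03-05T08:58:01", "type": "vpn_login", "user": "jdoe", "src_ip": "203.0.113.10"},
    {"ts": "2024-03-05T10:12:44", "type": "process", "user": "jdoe", "host": "ws-eng-07",
     "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": "2024-03-06T09:15:22", "type": "vpn_login", "user": "jdoe", "src_ip": "203.0.113.10"},
    # Later: the same valid credentials, but a new source IP, 02:40 local time,
    # and PowerShell on a plant HMI launched by the WMI provider host, which is
    # what remotely initiated WMI execution looks like on the receiving machine.
    {"ts": "2024-03-12T02:41:05", "type": "vpn_login", "user": "jdoe", "src_ip": "198.51.100.77"},
    {"ts": "2024-03-12T02:44:10", "type": "process", "user": "jdoe", "host": "hmi-plant-02",
     "parent": "WmiPrvSE.exe", "image": "powershell.exe"},
]

BASELINE_END = datetime(2024, 3, 10)   # events before this date train the baseline


def build_baseline(events, cutoff=BASELINE_END):
    """Per-user profile of what 'normal' looked like before `cutoff`."""
    profile = defaultdict(lambda: {"src_ips": set(), "hosts": set(), "hours": set()})
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        if ts >= cutoff:
            continue
        p = profile[ev["user"]]
        p["hours"].add(ts.hour)
        if ev["type"] == "vpn_login":
            p["src_ips"].add(ev["src_ip"])
        elif ev["type"] == "process":
            p["hosts"].add(ev["host"])
    return profile


def score_event(ev, profile):
    """Return the list of baseline deviations for one event (empty list = looks normal)."""
    p = profile.get(ev["user"])
    if p is None:
        return ["user has no baseline"]
    reasons = []
    ts = datetime.fromisoformat(ev["ts"])
    if ts.hour not in p["hours"]:
        reasons.append(f"activity at {ts.hour:02d}:00, outside baseline hours")
    if ev["type"] == "vpn_login" and ev["src_ip"] not in p["src_ips"]:
        reasons.append(f"VPN login from new source {ev['src_ip']}")
    if ev["type"] == "process":
        if ev["host"] not in p["hosts"]:
            reasons.append(f"first activity on host {ev['host']}")
        if ev["parent"].lower() == "wmiprvse.exe":
            reasons.append(f"{ev['image']} spawned by the WMI provider host (remote WMI execution)")
    return reasons


def detect(events, cutoff=BASELINE_END, min_reasons=2):
    """Flag post-cutoff events that deviate from the user's baseline in at least `min_reasons` ways."""
    profile = build_baseline(events, cutoff)
    alerts = []
    for ev in events:
        if datetime.fromisoformat(ev["ts"]) < cutoff:
            continue
        reasons = score_event(ev, profile)
        if len(reasons) >= min_reasons:
            alerts.append({"ts": ev["ts"], "user": ev["user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ts"], alert["user"], "; ".join(alert["reasons"]))
```

Nothing here inspects the command line for "bad" content: the midnight VPN login from an unfamiliar address and a WMI-launched shell on a host the account has never touched are each unremarkable alone, and only the accumulation of departures from the account's own history produces the alert.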

When the government urges "greater protection," they are usually asking for more compliance. But compliance is a floor, not a ceiling, and in the world of advanced persistent threats (APTs), that floor is made of wet cardboard. I have watched organizations spend $50 million on "state-of-the-art" security suites only to be compromised via a $15 smart thermometer in a breakroom or a neglected, unpatched printer at a satellite office.

Stop Trying to "Secure" and Start Learning to Fail

The obsession with prevention is a psychological safety blanket. It feels good to say, "We blocked 10 million attacks today." It means nothing if the 10,000,001st attack succeeded and has been sitting in your Active Directory for eighteen months.

The contrarian shift required here is moving from Cybersecurity to Cyber Resilience.

Cybersecurity is about preventing a breach. It is fragile.
Cyber Resilience is about how well you operate while being actively compromised. It is antifragile.

If a Chinese state actor gains access to a municipal water treatment plant’s SCADA system, the goal shouldn't just be "detect the intruder." The goal must be "ensure the chemical levels cannot be altered regardless of who is logged into the console." This requires hardware-level interlocks and physical "air gaps" that no amount of clever coding can bypass.

We have digitized everything for the sake of "efficiency" and "remote management," but in doing so, we have traded safety for convenience. The most secure critical infrastructure in the world is the one that requires a human being to physically turn a valve to cause a catastrophe.
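The interlock idea in the two paragraphs above is easy to state and easy to get wrong in software, so here is an added Python sketch of a dosing controller that enforces a fixed safety envelope no matter which account issues the command. It is illustrative code written for this page, not the author's design or any vendor's product; the envelope values, the identities, and the assumption that `confirm_at_panel` can only be triggered from a physical panel at the plant are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    APPLIED = "applied"
    REJECTED = "rejected"
    HELD = "held for local confirmation"


@dataclass(frozen=True)
class SafetyEnvelope:
    """Hard limits fixed in the dosing controller; nothing on the SCADA side can edit them."""
    min_ppm: float               # below this the water is under-treated
    max_ppm: float               # above this the water is unsafe to deliver
    max_remote_step_ppm: float   # largest change accepted without someone physically at the plant
    min_interval_s: float        # minimum seconds between accepted changes


@dataclass(frozen=True)
class Decision:
    outcome: Outcome
    setpoint_ppm: float          # the setpoint actually in force after this call
    reason: str


class DosingInterlock:
    def __init__(self, envelope, initial_ppm):
        if not envelope.min_ppm <= initial_ppm <= envelope.max_ppm:
            raise ValueError("initial setpoint outside envelope")
        self.env = envelope
        self.setpoint = initial_ppm
        self.last_change_t = None
        self.pending_ppm = None
        self.audit = []          # every request, accepted or not, with who asked and when

    def _decide(self, outcome, reason, requested_by, now):
        decision = Decision(outcome, self.setpoint, reason)
        self.audit.append((now, requested_by, decision))
        return decision

    def request(self, new_ppm, requested_by, now):
        """Handle a setpoint command arriving from the control network.

        `requested_by` is logged for forensics but never consulted: the checks apply
        identically to an operator, a domain admin, or an intruder holding either's credentials.
        """
        env = self.env
        if not env.min_ppm <= new_ppm <= env.max_ppm:
            return self._decide(Outcome.REJECTED,
                                f"{new_ppm} ppm outside envelope [{env.min_ppm}, {env.max_ppm}]",
                                requested_by, now)
        if self.last_change_t is not None and now - self.last_change_t < env.min_interval_s:
            return self._decide(Outcome.REJECTED,
                                f"change {now - self.last_change_t:.0f}s after the last one; "
                                f"minimum spacing is {env.min_interval_s:.0f}s",
                                requested_by, now)
        step = abs(new_ppm - self.setpoint)
        if step > env.max_remote_step_ppm:
            # Within the envelope but too big a jump to accept over the wire: park it until
            # a person at the plant confirms it on the local panel (assumed physical input).
            self.pending_ppm = new_ppm
            return self._decide(Outcome.HELD,
                                f"step of {step:.2f} ppm exceeds remote limit of {env.max_remote_step_ppm} ppm",
                                requested_by, now)
        self.setpoint = new_ppm
        self.last_change_t = now
        return self._decide(Outcome.APPLIED, "within envelope and remote step limit", requested_by, now)

    def confirm_at_panel(self, now):
        """Complete a held change. Assumed to be wired only to the local panel, not the network."""
        if self.pending_ppm is None:
            return self._decide(Outcome.REJECTED, "nothing pending", "local-panel", now)
        self.setpoint, self.pending_ppm = self.pending_ppm, None
        self.last_change_t = now
        return self._decide(Outcome.APPLIED, "large step confirmed at local panel", "local-panel", now)


if __name__ == "__main__":
    interlock = DosingInterlock(SafetyEnvelope(0.2, 4.0, 0.5, 60), initial_ppm=1.0)
    for ppm, who, t in [(1.3, "ops_console", 0), (9.0, "domain_admin", 30), (3.0, "domain_admin", 100)]:
        d = interlock.request(ppm, who, t)
        print(f"t={t:>3}s {who:<13} -> {d.outcome.value:<29} setpoint={d.setpoint_ppm} ({d.reason})")
    d = interlock.confirm_at_panel(120)
    print(f"t=120s local-panel   -> {d.outcome.value:<29} setpoint={d.setpoint_ppm}")
```

The envelope, rate limit and step limit are the software analogue of the mechanical interlock the text calls for: the highest-privileged account on the network can still only move the setpoint a small amount, inside safe bounds, at a bounded rate, and anything larger waits for a hand on a physical panel.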

The Vendor-Industrial Complex is Part of the Problem

Why is the advice from the feds always so toothless? Because the solution—true resilience—is expensive, inconvenient, and doesn't involve buying a monthly subscription from a Silicon Valley firm.

The "protection" being urged often boils down to buying more software. This creates a bloated "security stack" that adds complexity. In systems theory, complexity is the enemy of security. Every new tool you add to your network is itself a potential entry point. We saw this with the SolarWinds hack. The very tool used to monitor and secure the network was the Trojan horse.

The industry needs to stop adding layers and start stripping them away. We need a "scorched earth" approach to legacy systems. If a piece of critical infrastructure is running on Windows XP or has an exposed RDP (Remote Desktop Protocol) port, it shouldn't be "protected." It should be destroyed and replaced with a hardened, purpose-built system that doesn't share a kernel with a glorified gaming PC.

Why China's Strategy is Smarter Than Our Defense

The PRC isn't looking for a "digital Pearl Harbor" to happen tomorrow. That’s a Western projection of how we think war works. Their strategy is "pre-positioning." They want to be the "ghost in the machine" so that if a conflict over Taiwan or trade ever reaches a boiling point, they don't have to attack us. They just have to turn us off.

They are playing a game of Go while we are playing a game of Whac-A-Mole.

By the time the FBI identifies a set of IP addresses associated with a group like Volt Typhoon, those actors have already migrated to new infrastructure, likely using compromised home routers (SOHO devices) in the very country they are targeting. They are using our own citizens' bandwidth to attack our own citizens' power grids.

The Hard Truth: We Need More Friction, Not Less

We have spent the last twenty years making the internet "seamless." That was a mistake.

To protect critical infrastructure, we need to re-introduce friction.

  • Physical Isolation: Not every sensor needs to be on the public cloud.
  • Manual Overrides: If a digital system fails or is hijacked, a manual backup must be mandatory and regularly tested.
  • Zero Trust, Actually: Not the "Zero Trust" marketed by vendors, but the architectural reality where no device, user, or packet is trusted by default, even if it’s already inside the perimeter.
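To make the third bullet concrete, the following Python is an added example of a default-deny authorisation decision that looks at the authenticated user, the device's attestation state, and an explicit rule, and never at the source address. It is not the author's code and not any product's policy engine; the resources, roles, users, and the assumption that a device attestation signal is available from some fleet-management service are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AccessRequest:
    user: Optional[str]         # None when the caller never authenticated
    mfa_verified: bool          # strong authentication completed for this session
    device_id: Optional[str]    # None when the device is unknown to the fleet
    device_attested: bool       # posture/attestation check passed (signal source assumed, e.g. an MDM)
    src_ip: str                 # kept for audit only; the decision never reads it
    resource: str
    action: str


# Explicit allow list. Anything not listed is denied; there is no "inside the LAN" rule.
POLICY = {
    ("hmi-plant-02", "view"): {"operator", "ics-engineer"},
    ("hmi-plant-02", "write-setpoint"): {"ics-engineer"},
}
ROLE_OF = {"jdoe": {"ics-engineer"}, "pat": {"operator"}}


def authorize(req, policy=POLICY, roles=ROLE_OF):
    """Default-deny decision on user, device and explicit rule. Returns (allowed, reason)."""
    if req.user is None or not req.mfa_verified:
        return False, "no strongly authenticated user"
    if req.device_id is None or not req.device_attested:
        return False, "device unknown or failed attestation"
    permitted_roles = policy.get((req.resource, req.action))
    if not permitted_roles:
        return False, f"no rule allows {req.action} on {req.resource}"
    if roles.get(req.user, set()).isdisjoint(permitted_roles):
        return False, f"{req.user} holds no role permitted to {req.action} on {req.resource}"
    return True, "explicit rule matched"


# Constructed requests. The first arrives from a private address with a perfectly valid
# account, exactly the "senior engineer at midnight" a perimeter model would wave through.
INSIDE_UNMANAGED = AccessRequest("jdoe", True, None, False, "10.20.30.40", "hmi-plant-02", "write-setpoint")
OUTSIDE_ATTESTED = AccessRequest("jdoe", True, "ws-eng-07", True, "198.51.100.77", "hmi-plant-02", "write-setpoint")
OPERATOR_WRITE = AccessRequest("pat", True, "ws-ops-03", True, "10.20.30.41", "hmi-plant-02", "write-setpoint")
NO_MFA_VIEW = AccessRequest("pat", False, "ws-ops-03", True, "10.20.30.41", "hmi-plant-02", "view")

if __name__ == "__main__":
    for name, req in [("inside, unmanaged device", INSIDE_UNMANAGED), ("outside, attested device", OUTSIDE_ATTESTED),
                      ("operator writing setpoint", OPERATOR_WRITE), ("operator without MFA", NO_MFA_VIEW)]:
        allowed, reason = authorize(req)
        print(f"{name:<28} {'ALLOW' if allowed else 'DENY ':<6} {reason}")
```

The deliberate point is the field the function never touches: `src_ip`. A request from inside the plant network with valid credentials but an unmanaged device is denied, while the same user from the public internet on an attested workstation is allowed, which is the architectural reality the bullet describes rather than a network zone relabelled as "zero trust".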

This approach is unpopular because it’s slow. It makes it harder for the CEO to check the plant's output from their iPhone while on a golf course. It makes it harder for IT to push updates. But "greater protection" without a sacrifice in convenience is just theater.

A Scenario of True Resilience

Imagine a regional power grid. Instead of relying on a centralized, highly connected command center, the grid is partitioned into autonomous micro-grids. Each micro-grid has the capability to "island" itself—to physically disconnect from the broader network the moment an anomaly is detected.

In this scenario, a Chinese hack might take down a single neighborhood, but it cannot cascade into a multi-state blackout. The "protection" isn't a better firewall; it’s a better pair of scissors. We need the ability to cut the cord.

The False Hope of Attribution

The federal government spends an enormous amount of time on "attribution"—naming and shaming the specific units of the PLA (People's Liberation Army) responsible for hacks. While this is great for intelligence reports and political posturing, it does zero for the operator of a local electrical co-op.

Knowing that "Unit 61398" stole your data doesn't get your data back. It doesn't fix the hole. We need to stop obsessing over the who and start obsessing over the how.

If your defense strategy depends on the identity of the attacker, you don't have a defense strategy; you have a grievance list. A robust system assumes the attacker is already the highest-level admin and builds safeguards from there.

The Actionable Pivot

If you are responsible for any piece of the "critical infrastructure" the feds are so worried about, stop reading their memos and start doing the following:

  1. Map the Physical, Not Just the Logical: Do you know where every physical wire goes? Do you know which "smart" devices are actually connected to your core switches? You probably don't. Find them. Kill the ones that don't need to exist.
  2. Assume Breach as a Constant: Conduct "Red Team" exercises where the starting premise is "The hackers have the admin password. Now, how do we keep the lights on?"
  3. Kill Remote Access for ICS: Industrial Control Systems (ICS) have no business being accessible via the public internet. If you need to manage it remotely, build a dedicated, encrypted, point-to-point fiber line. If you can't afford that, you can't afford to be "smart."
  4. Invest in People, Not Platforms: A highly skilled, paranoid sysadmin with a "deny all" mindset is worth ten "AI-powered" security platforms.

The feds are right to be worried, but they are wrong about the solution. More "protection" in the current framework is just adding more fuel to the fire. We don't need better shields; we need a completely different way of building the ship.

Stop trying to patch a sinking boat. Build a submarine.

If your "critical infrastructure" can be toppled by a few lines of code from six thousand miles away, it wasn't "critical"—it was an accident waiting to happen. The PRC didn't create our vulnerabilities; they just found them. We are the ones who left the keys in the ignition and the engine running.

The warning isn't about what might happen. It's an autopsy of what has already occurred. Act accordingly.

James Murphy

James Murphy combines academic expertise with journalistic flair, crafting stories that resonate with both experts and general readers alike.