When federal agents walked into the municipal utility building in Littleton, Massachusetts, in late 2023, they carried a warning that should have wounded Americans’ sense of security. Chinese state-backed operators had penetrated the town’s water system, quietly compromising its control network for years. Their goal was not espionage or theft but leverage—the ability to sow chaos in the United States and deter U.S. action abroad in the event of a future conflict.

Littleton was not an isolated event. In February 2024, U.S. federal agencies disclosed new details about Volt Typhoon, a Chinese state-sponsored hacking group first identified in 2023, revealing that it had compromised critical infrastructure networks in the communications, energy, transportation, water, and government sectors. Using “living off the land” techniques that mimic legitimate network activity, the hackers set up their positions and remained undetected for years; Microsoft, which first documented the campaign in 2023, reported that it had been active since at least 2021. Other infrastructure hubs, including the Port of Houston and New York’s Metropolitan Transportation Authority, have also been targeted in separate but related campaigns that used similar intrusion methods. Although not all of these operations were directly linked to Volt Typhoon, they shared its hallmarks: stealthy network access, the exploitation of legitimate administrative tools such as PowerShell, Windows Management Instrumentation, remote desktop services, and network management utilities, and pre-positioning for potential future attacks. The U.S. government still lacks a full picture of how far such operations extend.

The pre-positioning approach of Littleton and Volt Typhoon is indicative of Beijing’s emerging interest in waging war against entire systems, attacking the connective tissue that allows an adversary to communicate, move, decide, and recover. Whereas Iran and Russia emphasize more traditional espionage tools, including ransomware, wipers, and coordinated disinformation, China hopes that by degrading the networks that bind military power to civilian life it can paralyze an adversary before combat begins.

This blurring of the line between peace and war also reflects a broader shift in the nature of global conflict, to what former Assistant Secretary of Defense Mara Karlin has called “the return of total war,” whereby countries mobilize entire societies and economies around war efforts. In this new reality, domestic crisis management has become the first theater of conflict. The civilian backbone of national defense, once defined by industrial production lines and civil defense drills, now runs through code and logistics, in data centers, pipelines, hospitals, telecom exchanges, and water plants.

While U.S. adversaries are systematically preparing the battlefield well before a potential conflict erupts, Washington has yet to catch up. The United States needs a strategy of total defense fit for total war. It must close the seam between national security and daily life and link federal, state, local, and private efforts to both prevent hostile incursions into critical systems and mitigate the fallout of a potential attack. If it fails to do so, the next war could begin on American soil before the first shot is fired.

The United States has recognized the threat posed by pre-positioned attacks and the need to protect the country’s networks against them. The Biden administration’s 2022 National Defense Strategy, for example, introduced the concept of deterrence by resilience, the idea that by strengthening its ability to absorb, adapt to, and recover from attacks, the United States can deny adversaries the strategic benefits of disruption and, as a result, deter aggression. Since then, Washington has directed the Cybersecurity and Infrastructure Security Agency, the Federal Emergency Management Agency, the Transportation Security Administration, and the Federal Energy Regulatory Commission to establish new cybersecurity performance goals, mandatory reporting rules, and incident-response systems. These efforts, which began in 2023, aim to harden critical infrastructure against pre-positioned threats and to reduce recovery times after major disruptions.

But U.S. efforts have been fragmented and uneven. Many key defenses, such as the electric grid’s industrial control systems, still rely on decades-old hardware and unencrypted communications, and have yet to be comprehensively and uniformly upgraded, leaving critical nodes of the country’s infrastructure network vulnerable.

In October 2025, Congress’s Cyberspace Solarium Commission 2.0 warned of “an across-the-board retreat” in federal cyber-posture. Senator Angus King, an independent from Maine and a........

© Foreign Affairs