Finally getting Chinese hackers out of U.S. critical infrastructure should start at the Trump-Xi meeting, but it can’t end there
As President Trump meets President Xi in Beijing this week, one of Beijing’s top items for discussion will be the PRC’s concerns about Taiwan. What President Xi will not bring up is the insidious presence of Chinese military hackers in U.S. water plants, transportation systems, and power stations. Following the logic of the March 2026 National Cyber Strategy, the President should make it clear that the United States will no longer tolerate adversaries holding civilian infrastructure hostage; then, the administration must be ready to robustly and swiftly impose costs if Chinese hackers continue to maintain the ability to disrupt civilian critical infrastructure.
Deterrence by Cost Imposition
In the National Cyber Strategy, the Trump Administration committed to cyber deterrence through cost imposition: namely, that the administration will make the cost of attempts to harm the United States through cyber means so painful for malicious actors that they stop trying to do so. Deterrence by cost imposition is different from the practice of “deterrence by denial,” achieved by creating more resilience and tightening cybersecurity practices. Deterrence by cost imposition seeks to warn malicious actors that whatever they stand to gain from their cyber operations will not be worth the reprisals that they will suffer in return. It is longstanding U.S. policy to implement both deterrence by denial and deterrence by cost imposition at the same time, but the 2026 strategy’s articulation of the latter is more rhetorically ferocious than any past strategy.
The United States already has a baseline level of deterrence by cost imposition. Multiple statements by the United States – alone and with allies and partners – note that the government stands ready to respond with force when malicious cyber activity rises to the level of an armed attack. While criminal ransomware gangs have temporarily shut down hospitals and leaked sensitive data, the United States has largely deterred similar activity directed by state actors. However, where deterrence by cost imposition has failed is at lower levels of severity, when malicious cyber activity causes harms that do not quite justify going to war, but can still cause substantial costs to the U.S. economy or national security. Chinese government-sponsored hackers are some of the worst offenders. To effectively deter them, we need to take two concrete steps.
Step One: Draw Clear Redlines
First, we need to articulate redlines that clearly outline activities that go beyond the pale. One redline should be clear: access to systems that have zero espionage value and could only be useful to cause harm to civilians will no longer be tolerated. A prohibition against deliberately harming civilian critical infrastructure is a basic tenet of international law. It has also been repeatedly affirmed as a peacetime norm of cyberspace operations by all United Nations members, including China.
The United States should also articulate that holding infrastructure at risk during peacetime in advance of a time of crisis or conflict is, in itself, inherently destabilizing. The United States would not accept Chinese military units physically preparing to sabotage U.S. infrastructure. Why should it accept cyber units doing the same? When military units are accessing civilian utilities, that can only be understood as unacceptable activity. And, unlike past failed attempts at redlines, this redline removes the element of harmful intent. Regardless of intent, mere presence is enough.
Step Two: Impose Appropriate, Proportional Costs
Second, the United States needs to actually use its levers of power to impose appropriate, proportional costs. This is where U.S. policymakers face painful tradeoffs in using levers of persuasion. There are always competing priorities for using tools like countermeasure cyber effects operations or non-cyber costs like sanctions and travel bans. None of these levers are free, and they are useful for multiple purposes that go far beyond cyberspace.
Holding to the commitment to impose costs is difficult, and deterrence has faltered here in the past. In mid-2021, President Biden sent a clear message that the United States would impose countermeasures on the Russian Federation if it continued to harbor ransomware actors in its territory. However, by the beginning of 2022, the U.S. government had focused its cost imposition on efforts to deter and then punish Russia for its full-scale invasion of Ukraine. By the time we reached 2023, ransomware attacks had resurged in U.S. critical infrastructure, and the administration failed to follow through on the cost imposition it had promised. With the hollowness of the threats exposed, ransomware criminals were free to conduct continued hacks with impunity, and U.S. schoolchildren, hospital patients, and business owners paid the price.
To avoid this pitfall, the administration must develop a range of consequences, and then be willing to swiftly deploy them in response to unacceptable cyber activity—regardless of other dynamics at play in the U.S.-China relationship. In order to actually deter through cost imposition, Chinese leaders must know that these types of destabilizing cyber operations will always produce a sharply negative response.
What’s Next
What might a response look like? Those costs should be carefully calibrated so as to respond effectively without escalating tensions. They should be transparent, and easy to turn on and off. And they should be conducted in collaboration with our closest allies, who face similar pressures from China and who similarly want to evict Chinese actors from their infrastructure and avoid escalation. A response could include enhanced implementation of the 2022 Uyghur Forced Labor Prevention Act (UFLPA) in order to stifle imports of specific goods from China to the United States, or expanded efforts to interdict sanctioned oil bound for China.
President Trump’s visit to Beijing is an opportunity to make clear to President Xi his resolve to deter through cost imposition. And once made clear, President Trump also needs to be ready to follow through—with costs that make the Chinese government back swiftly away from our critical infrastructure.
This commentary is written and published in accordance with IST’s Intellectual Independence Policy. The authors are solely responsible for its analysis and recommendations. The Institute for Security and Technology and its supporters do not determine, nor do they necessarily endorse or advocate for, any of this blog’s conclusions.
