Behind the pageantry that will be on display during President Trump’s meeting with President Xi Jinping of China this week is a less pleasant reality. For at least the last decade, Beijing has been actively targeting America’s telecommunications networks, intellectual property and electrical and water utilities in a sustained campaign of intrusion.
The summit provides an opportunity to raise the issue more forcefully with Mr. Xi than American leaders have in the past. But America also has its own unpleasant reality to face: Protecting the country from bad actors in cyberspace is a job for Americans, and we haven’t been doing enough to defeat China’s efforts.
The good news is that the United States has a huge advantage in today’s cybercompetitions: the extraordinary concentration of technical capability, network reach and institutional knowledge embedded in American industry. Our cybersecurity companies monitor billions of devices globally, observing adversary activity faster and more precisely than any intelligence service. American cloud and telecommunications providers power the preponderance of global commerce. U.S. technology firms operate at a scale no government entity can replicate.
Part of the challenge has been engaging American technology companies in the fight. The tech industry can no longer accept the status quo of vulnerabilities across its networks. But the government can take steps to fix things, too, by rewriting opaque laws, helping states and municipal systems patch vulnerabilities, and investing in countermeasures to defend against the most dangerous emerging cyberthreats.
We need a system with shared responsibility for defending America in cyberspace. Voluntary information sharing between private companies and the government — the default approach to cyberdefense until now — is not enough. Here’s how industry, local, state and federal government can get serious about defending against cyberattacks.
It’s important to understand the scale of the problem. Through its hacking proxy, Volt Typhoon, China has sought to pre-position malware in hundreds of local utility systems with the intent to disrupt Americans’ critical water and electrical supplies. With Salt Typhoon, which gained access to networks nationwide, it has tapped the phones of senior American officials and the telecommunications providers serving millions of Americans. Every year, China-sponsored actors steal intellectual property from U.S.-based companies worth between $225 billion and $600 billion, according to a 2017 report from the Commission on the Theft of American Intellectual Property.
Fortunately, the model for how to fight back already exists. In February 2026, Google disrupted a Chinese espionage campaign that targeted 53 organizations across 42 nations. By terminating the attackers’ use of cloud storage, revoking their access to networks and neutralizing the programs they used to control and activate their plots, Google accomplished in days what years of government advisories could not. That operation is the template: Companies should identify malicious activity on their platforms and remove it.
The challenge is enabling major technology and cybersecurity firms to follow it. In theory, it is not hard: The ability to spot bad actors and the tools to neutralize them are present across the private sector. What has been missing is a clear expectation that this is part of the job, not an optional public service. The model should be more akin to the banking industry’s relationship to fraud: When fraud is detected, industry stops it.
To encourage industry to step up the way Google did, Congress should update the legal architecture governing cyberoperations to remove ambiguity that some private companies say makes it hard to defend themselves. Explicitly authorizing coordinated disruption operations by U.S. industry on its own networks against foreign state actors would free tech companies to use tools they already have. Another positive step might be to create a special court, like the one used to authorize domestic surveillance, to authorize such operations, an idea put forward by the Center for Strategic and International Studies.
Separately, Congress and the federal government can improve the defense of electric, water and other utilities by helping states and local authorities to buy and deploy the best cyberdefenses, which many currently can’t afford to purchase and maintain on their own. There are other opportunities for innovations, some technical, others organizational; Washington and the states will need help from universities and industry to layer our defenses and identify and close vulnerabilities before adversaries can exploit them, especially when doing so requires using fast-advancing A.I. tools.
Defense isn’t everything. Washington must clearly and publicly articulate to China and other nations that attacks on America’s economy and critical infrastructure are unacceptable and will carry consequences. Until now, that message has been muted. It needs to be stated plainly and enforced consistently.
Here, too, the United States has advantages. It is uniquely positioned to identify Chinese operations with precision, expose their intent and identify the specific individuals within Beijing’s leadership who authorize them. Changing behavior in an autocracy means changing the cost-benefit calculations of those who hold power. Publicly naming responsible officials — with evidence — is one of the most effective tools available. It has been used sparingly. It should be used more.
Beyond naming the leaders responsible, the intelligence community, law enforcement and relevant departments and agencies must use their unique authorities to more actively target and disrupt China’s cybercampaigns — independently and in concert with allies. When they identify authorities behind malign cyberattacks, the U.S. government should use sanctions, indictments, disruptions and regulatory changes more frequently against bad actors. This wouldn’t be new; the government has led these activities episodically.
Finally, to defend the country against cyberattacks, U.S. Cyber Command needs to keep pace with China’s accelerating investment. Recent congressional increases to funding are welcome, but represent around 1 percent of the overall defense budget — inadequate for what is, in practice, one of the most consequential strategic competitions of this era.
The claim that America is outmatched in cyberspace — technically, organizationally or intellectually — is wrong. The capability to defend the nation’s economy and critical infrastructure is distributed across American industry, government and academia right now. American companies have visibility into adversary operations that no other nation’s government or private sector can match. American government agencies possess authorities and intelligence that no industry partner has. The combination, properly aligned and legally enabled, is formidable — and increasingly needed.
Gen. Timothy D. Haugh is a distinguished senior fellow at Yale University’s Jackson School of Global Affairs and a distinguished fellow at Georgetown University’s School of Foreign Service. He is a former commander of U.S. Cyber Command and a former director of the National Security Agency. He retired from the U.S. Air Force in 2025 as a four-star general.
The Times is committed to publishing a diversity of letters to the editor. We’d like to hear what you think about this or any of our articles. Here are some tips. And here’s our email: [email protected].
Follow the New York Times Opinion section on Facebook, Instagram, TikTok, Bluesky, WhatsApp and Threads.
The post I Ran the N.S.A. This Is How to Defeat China’s Hacker Army. appeared first on New York Times.
