Back to Feed
Nation-stateJul 8, 2026

What Happens if China Hacks the US Water Supply? I Went to a Secret War Game to Find Out

Insurers play out a simulated cyberattack on US water utilities by China's Volt Typhoon.

Summary

A war game simulation involving insurance executives explored the catastrophic consequences of a cyberattack by China's Volt Typhoon on US water utilities. The simulation highlighted severe second-order effects, including hospital evacuations, food supply chain disruptions, and potential physical destruction, leading to difficult decisions for insurers regarding resource allocation and liability under 'act of war' clauses.

Full text

CommentLoaderSave StorySave this storyCommentLoaderSave StorySave this storyIt’s around an hour and 10 minutes into the role-playing game I’ve been invited to observe, a simulated catastrophic cyberattack on US water utilities, when the whole thing begins to feel less like a fun afternoon playing Dungeons & Dragons and more like a plausible threat to civilization.A full 24 hours of in-game time have passed since hackers disrupted 5,000 water utilities across the United States in this imagined scenario. Joshua Corman, the former Cybersecurity and Infrastructure Security Agency strategist serving as our dungeon master, stands at the front of a conference space in an office tower high above Times Square, narrating the latest updates to the game’s participants, a few dozen insurance executives set up in six teams. All of them have gone disturbingly silent.“You ready? It’s about to get harder,” Corman says. “I’m going to share a few things, and it’s going to hurt.”It is, of course, still the same April afternoon as when we started—but in game time, the second-order effects of widespread water outages have started to become clear. Food refrigeration systems are failing at cold storage warehouses. Water-dependent drug and chemical manufacturing has been bottlenecked, leading to insulin shortages. Data centers’ cooling systems are failing, causing outages of cloud services. Most critically, 2,000 hospitals are without water, hampering patient care and in some cases leading to evacuations as HVAC systems shut down and the July heat—the game takes place just before Independence Day in 2027—bakes facilities.Worse yet, Corman is playing a looping video onscreen, at the front of the room, showing a burst water main: The hackers have managed to trigger not just IT disruption but also, in at least some cases, real physical destruction that will take far longer to fix. “Everyone downstream is without water pressure,” Corman says. “Everything depends on water.”(The tension in the room has also peaked, in part, due to Corman’s decision to deny participants any organized restroom breaks. “There are no breaks in real incident response,” Corman explains just before the giant water pipe starts gushing onscreen. “If you have to go to the bathroom, go to the bathroom. But you might miss something vital.” No one goes to the bathroom.)The central task Corman has assigned for this round to the teams of participants, all of whom are playing the surprisingly pivotal role of insurance companies, is to decide how they’ll dole out their resources—contracted cybersecurity incident responders and money—and which clients will get priority.Will their business relationships with clients dictate their response? Or will they focus on minimizing harm for the most possible people? And given that some clues in the game are already suggesting this catastrophic cyberattack was carried out by the Chinese military to hamper a US response to its invasion of Taiwan, will the insurers be required to focus on keeping military facilities operational?Left unspoken in this question is another range of disastrous possibilities for the insurers themselves: Will this catastrophe bankrupt them? Or will they invoke an “act of war” exclusion in their insurance policies—a standard clause that exempts carriers from all liability when an armed conflict breaks out—and pay their clients nothing, thus risking that they’ll become the villains of the story?The teams have 15 minutes to decide on a policy. “OK?” Corman asks. “Let’s start the clock now.”Photo-Illustration: Jobanny Cabrera; Getty ImagesMost China-watchers in the cybersecurity world agree, in fact, that this particular clock has already been ticking for years.In May 2023, Microsoft, the National Security Agency, and CISA all announced the discovery of what they called Volt Typhoon, a group of hackers working in service of the Chinese military. The intruders had broken into the networks of critical infrastructure facilities across the continental United States and the US territory of Guam, hitting targets related to everything from manufacturing to telecommunications to the electric grid.These breaches were especially alarming because the hackers seemed to be going beyond the espionage that’s become standard practice for Chinese state cyberspies. Instead, according to Microsoft, they were “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.” Volt Typhoon was, in other words, “pre-positioning,” as another CISA and NSA advisory would put it in early 2024, laying the groundwork for broad cyberattacks aimed at disabling the US military at a crucial strategic moment—perhaps, some cybersecurity analysts suggested, on the eve of an invasion of Taiwan.As the US government and cybersecurity industry continued to track Volt Typhoon, however, it became clear that the hackers’ target list wasn’t limited to networks that would allow the sabotage of US military assets. They included the IT systems of a water utility in Hawaii, multiple US ports, and at least one oil and gas pipeline that might have military relevance, but also hundreds of other entities including water and electric infrastructure as small-scale as the Littleton Electric Light & Water Departments in Littleton, Massachusetts, a town with just under 10,500 residents. “The only reason to target that sort of entity is to cause societal chaos in the United States,” CISA’s former executive director Brandon Wales told WIRED in early 2025. Volt Typhoon, he said, seemed to be preparing to “cause chaos in the homeland—to influence our geopolitical freedom of action, our willingness to fight.”Even now, three years after Volt Typhoon’s initial discovery, threat intelligence analysts say China’s efforts to prepare for US civilian infrastructure disruption continue. Joe Slowik, a former Los Alamos National Labs cybersecurity researcher working on contract for the Department of Energy, says Volt Typhoon—or a related hacker group it has evolved into—is still targeting the US electric grid and water utilities.Some of these intrusions are caught, Slowik says. Others go undetected, in part due to the minimal security budgets of municipal utilities, and in part due to the hackers’ stealthy mode of operating, known as “living off the land,” that hijacks legitimate functions in a network instead of planting malware. “It’s pretty good tradecraft,” says Slowik, who now leads threat research at cybersecurity firm Dataminr. “But it’s also applying that tradecraft to areas that really don't have the capacity to identify it.”The scenario modeled by Corman’s war game—5,000 hacked water utilities—would be unprecedented. It also isn’t the most probable outcome of Volt Typhoon’s intrusions, cautions Jen Easterly, who served as director of the Cybersecurity and Infrastructure Security Agency when China’s hacking campaign was first discovered. Yet Easterly, now CEO of the RSA cybersecurity conference, also warns that AI could make that mass-sabotage hypothetical far more plausible, particularly over the next few years, when its use in offensive hacking may outpace its use by defenders.The scale of China’s preparations remains unknown, Easterly says, but its intent is clear. “What we found was really just the tip of the iceberg,” she says of her time running the Volt Typhoon response at CISA. “Do I believe there’s any change to China's very deliberate strategy to create access points in our most important civilian infrastructure, to be able to launch disruptive attacks in the event of a crisis in the Taiwan Strait? No, I don't.”Just two months ago, former NSA director of cybersecurity Rob Joyce spelled out the warning even more starkly in an article for the Cyber Defense Review, arguing that the threat Volt Typhoon poses remains as clear and present as ever.“China has effectively strapped the digital equivalent of explosives to th

Entities

Volt Typhoon (threat_actor)Microsoft (vendor)critical infrastructure (technology)