What Happens if China Hacks the US Water Supply? I Went to a Secret War Game to Find Out
It’s around an hour and 10 minutes into the role-playing game I’ve been invited to observe, a simulated catastrophic cyberattack on US water utilities, when the whole thing begins to feel less like a fun afternoon playing Dungeons & Dragons and more like a plausible threat to civilization.
A full 24 hours of in-game time have passed since hackers disrupted 5,000 water utilities across the United States in this imagined scenario. Joshua Corman, the former Cybersecurity and Infrastructure Security Agency strategist serving as our dungeon master, stands at the front of a conference space in an office tower high above Times Square, narrating the latest updates to the game’s participants, a few dozen insurance executives set up in six teams. All of them have gone disturbingly silent.
“You ready? It’s about to get harder,” Corman says. “I’m going to share a few things, and it’s going to hurt.”
It is, of course, still the same April afternoon as when we started—but in game time, the second-order effects of widespread water outages have started to become clear. Food refrigeration systems are failing at cold storage warehouses. Water-dependent drug and chemical manufacturing has been bottlenecked, leading to insulin shortages. Data centers’ cooling systems are failing, causing outages of cloud services. Most critically, 2,000 hospitals are without water, hampering patient care and in some cases leading to evacuations as HVAC systems shut down and the July heat—the game takes place just before Independence Day in 2027—bakes facilities.
Worse yet, Corman is playing a looping video onscreen, at the front of the room, showing a burst water main: The hackers have managed to trigger not just IT disruption but also, in at least some cases, real physical destruction that will take far longer to fix. “Everyone downstream is without water pressure,” Corman says. “Everything depends on water.”
(The tension in the room has also peaked, in part, due to Corman’s decision to deny participants any organized restroom breaks. “There are no breaks in real incident response,” Corman explains just before the giant water pipe starts gushing onscreen. “If you have to go to the bathroom, go to the bathroom. But you might miss something vital.” No one goes to the bathroom.)
The central task Corman has assigned for this round to the teams of participants, all of whom are playing the surprisingly pivotal role of insurance companies, is to decide how they’ll dole out their resources—contracted cybersecurity incident responders and money—and which clients will get priority.
Will their business relationships with clients dictate their response? Or will they focus on minimizing harm for the most possible people? And given that some clues in the game are already suggesting this catastrophic cyberattack was carried out by the Chinese military to hamper a US response to its invasion of Taiwan, will the insurers be required to focus on keeping military facilities operational?
Left unspoken in this question is another range of disastrous possibilities for the insurers themselves: Will this catastrophe bankrupt them? Or will they invoke an “act of war” exclusion in their insurance policies—a standard clause that exempts carriers from all liability when an armed conflict breaks out—and pay their clients nothing, thus risking that they’ll become the villains of the story?
The teams have 15 minutes to decide on a policy. “OK?” Corman asks. “Let’s start the clock now.”

Photo-Illustration: Jobanny Cabrera; Getty Images
Most China-watchers in the cybersecurity world agree, in fact, that this particular clock has already been ticking for years.
In May 2023, Microsoft, the National Security Agency, and CISA all announced the discovery of what they called Volt Typhoon, a group of hackers working in service of the Chinese military. The intruders had broken into the networks of critical infrastructure facilities across the continental United States and the US territory of Guam, hitting targets related to everything from manufacturing to telecommunications to the electric grid.
These breaches were especially alarming because the hackers seemed to be going beyond the espionage that’s become standard practice for Chinese state cyberspies. Instead, according to Microsoft, they were “pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises.” Volt Typhoon was, in other words, “pre-positioning,” as another CISA and NSA advisory would put it in early 2024, laying the groundwork for broad cyberattacks aimed at hampering the US military at a crucial strategic moment—perhaps, some cybersecurity analysts suggested, on the eve of an invasion of Taiwan.
As the US government and cybersecurity industry continued to track Volt Typhoon, however, it became clear that the hackers’ target list wasn’t limited to networks that would allow the sabotage of US military assets. They included the IT systems of a water utility in Hawaii, multiple US ports, and at least one oil and gas pipeline that might have military relevance, but also hundreds of other entities including water and electric infrastructure as small-scale as the Littleton Electric Light & Water Departments in Littleton, Massachusetts, a town with just under 10,500 residents. “The only reason to target that sort of entity is to cause societal chaos in the United States,” CISA’s former executive director Brandon Wales told WIRED in early 2025. Volt Typhoon, he said, seemed to be preparing to “cause chaos in the homeland—to influence our geopolitical freedom of action, our willingness to fight.”
Even now, three years after Volt Typhoon’s initial discovery, threat intelligence analysts say China’s efforts to prepare for US civilian infrastructure disruption continue. Joe Slowik, a former Los Alamos National Labs cybersecurity researcher working on contract for the Department of Energy, says Volt Typhoon—or a related hacker group it has evolved into—continues to target the US electric grid and water utilities.
Some of these intrusions are caught, Slowik says. Others go undetected, in part due to the minimal security budgets of municipal utilities, and in part due to the hackers’ stealthy mode of operating, known as “living off the land,” that hijacks legitimate functions in a network instead of planting malware. “It’s pretty good tradecraft,” says Slowik, who now leads threat research at cybersecurity firm Dataminr. “But it’s also applying that tradecraft to areas that really don't have the capacity to identify it.”
The scenario modeled by Corman’s war game—5,000 hacked water utilities—would be unprecedented. It also isn’t the most probable outcome of Volt Typhoon’s intrusions, cautions Jen Easterly, who served as director of the Cybersecurity and Infrastructure Security Agency when China’s hacking campaign was first discovered. Yet Easterly, now CEO of the RSA cybersecurity conference, also warns that AI could make that mass-sabotage hypothetical far more plausible, particularly over the next few years, when its use in offensive hacking may outpace its use by defenders.
The scale of China’s preparations remains unknown, Easterly says, but its intent is clear. “What we found was really just the tip of the iceberg,” she says of her time running the Volt Typhoon response at CISA. “Do I believe there’s any change to China's very deliberate strategy to create access points in our most important civilian infrastructure, to be able to launch disruptive attacks in the event of a crisis in the Taiwan Strait? No, I don't.”
Just two months ago, former NSA director of cybersecurity Rob Joyce spelled out the warning even more starkly in an article for the Cyber Defense Review, arguing that the threat Volt Typhoon poses remains as clear and present as ever.
“China has effectively strapped the digital equivalent of explosives to the backbone of American society,” Joyce wrote. “Quietly maintaining access. Waiting.”
Even as it’s loomed over US cybersecurity for more than three years, Volt Typhoon—or whatever it has now become—has never in a single confirmed incident pulled the trigger and carried out an actual disruptive cyberattack. Understanding the threat it represents remains an exercise in imagination.
Hence the war game that I’m here to witness. The event, convened by an insurance industry cybersecurity organization called CyberAcuView, has invited 30 or so insurance execs. They’ve allowed me to sit in on the condition that none of them or their employers are identified.
Corman, who has run dozens of these types of war games, says he asked me to attend this specific exercise for two reasons: First, few people understand the central role of insurance in the midst of a cybersecurity emergency. Hacking victims’ first call is often to their insurance company, who then approve and unlock law firms and cybersecurity incident response providers in the hours that follow.
Second, Corman argues that insurance companies serve as illuminating game players: They have a strong financial incentive to squarely assess risk—“skin in the game,” as Corman puts it—without hyping it up or downplaying it.
Around 1 pm, after some introductions and ground rules (“Don’t fight the scenario”), Corman begins. He quotes the 1983 hacker classic film WarGames, addressing the room: “Shall we play a game?”
Day one is July 1, 2027. The New York Times has published a headline that morning about growing fears of a Chinese invasion of Taiwan. A cybercriminal ransomware gang’s ongoing hacking spree has taken up about a third of the US’s cybersecurity incident response capacity. The cybersecurity industry is warning, meanwhile, of three vulnerabilities in network edge devices like firewalls and VPNs—the kind that Volt Typhoon has long used to get a foothold on a victim network—being exploited by unnamed hackers.
Then the participants hear the real starting gun: A restricted advisory from the US federal government states that thousands of water utilities have been breached, their controls are unresponsive, and anecdotal reports suggest physical damage. The execs’ first assignment is to determine if and how they’ll communicate this news to customers, and then—given that this will almost certainly exceed their capacity to unlock funds for targeted victims—decide how they’ll choose which clients to prioritize.
The breakout sessions start. At my table, an argument begins almost immediately on the question of whether to alert the insurer’s broad range of corporate clients. Most of the table wants to share the news with all customers. One player disagrees, arguing that the usual insurance model is that it’s the client who first reports an incident to the insurer along with a claim—not the other way around.
“So do? Don’t?” one player asks the table.
“Don’t,” the holdout says. The naysayer is quickly outvoted, and they choose to alert all their customers.
Corman is walking around the tables, handing out surprises. He comes to my table, tells someone to roll a 20-sided die, then looks at the result and tells the group without explanation that all incident responders at Dragos, CrowdStrike, and Mandiant—some of the biggest providers of those emergency cybersecurity responses for industrial services like water utilities—are unavailable, apparently busy with other victims. My table will have to scrounge up incident responders from other, smaller companies or beg for the help of government agencies. “Perfect,” one player responds.
This scarcity makes the question of which customers to help first all the more touchy. The table comes to a rough consensus that they’ll prioritize clients in order of size, biggest first, defined by revenue.
As each table takes turns presenting its decisions, other tables say they’ve opted to prioritize customers on a first-come, first-serve basis, or to follow some vaguely defined sense of “national security” as defined by the government, though it’s not clear who in the government is going to offer that definition.
One table asks where incident responders from CISA, the nation’s premiere cybersecurity defense agency, have been during all of this. Corman notes that CISA has spent the last 15 months without a Senate-confirmed director and has hemorrhaged staff. Some tables suggest they’ll ask for help from cybersecurity experts in academia or the National Guard.
None of that, it’s soon clear, will be enough.

Photo-Illustration: Jobanny Cabrera; Getty Images
Day two of the simulation arrives, and Corman lays out the new reality: Numerous water mains across the country have broken. The man-made drought has spread to hospitals, data centers, refrigeration, and manufacturing.
Then Corman throws another curveball: He plays a prerecorded video statement from a fictional military official appealing to the insurance companies’ help in responding to the geopolitical threat posed by China, the first time that country’s name has been spoken in the game so far. “I'm most concerned about our ability to protect our military mobility, a key element of national security,” the official tells them.
Corman hands out the day-two assignment: As the disruption spirals outward, how will they prioritize now which of the water utilities deserve their resources? The “biggest-customers-first” or “first-come, first-serve” answers from the prior round, just a few minutes earlier, now seem hopelessly naive. Will they focus on restoring water in places where they can save the most lives, such as hospital-dense cities? Or will they seek to minimize economic harm? Or heed the military’s request to focus on national security, essentially prioritizing the military’s response to China’s potential invasion of Taiwan?
Fortunately, no one in the room is a monster. After 15 minutes of breakout conversations, the teams around the room render the same verdict, that their first priority will be to save human lives—though none spells out how they’ll make the endless impossible decisions that follow from that answer.
Only one person, after all six teams have given that same answer, speaks up to raise an uncomfortable point. Prioritizing harm to people above all else may not be an option. “The easy answer is public safety, human life,” he says. “The more difficult one is when you do have regulators or someone calling, shareholders asking questions.”
“If Treasury is calling and asking numbers, and we’re saying we’re focused on human life, I don’t know if that’s the actual talk track,” he goes on, using a sales term for a phone script of talking points for client conversations. Or, he adds, if an official is telling the company it needs to focus on telecommunications or “dual use” infrastructure—meaning things that might have military importance—that might become “priority number one,” he says.
In other words, taking the most direct action to protect people from harm in the midst of a catastrophic cyberattack might require breaking contracts, flouting the military’s demands, or directly contradicting a larger US government strategy in the early days of an unfolding war.
“We didn’t agree on that as a table,” he says. “There’s not going to be a consensus.”
At this point, abruptly and mercifully, Corman ends the game to start a lessons-learned session. During this round, he’s put up a slide that represents some of the infrastructure disrupted by the second-order effects of the hackers’ cyberattacks. Next to each is a long line of multicolored dollar signs and outlines of people, representing financial loss and human casualties.
There’s no point in counting these as if they’re some sort of score or demerit, Corman assures me when I ask afterward. They’re less a quantified measure of losses than a qualitative assurance that things have gotten very bad. He’s gotten his point across: If this game has any winners, they’re not in the room.
In a postmortem call later on, I ask Corman: Was it ever actually possible to win his game? Or even to change its outcome? Or was it a kind of Kobayashi Maru, an impossible test designed to teach some other sort of lesson?
Corman gets the Star Trek reference but disagrees with the analogy. There were moves the players could have made that mattered, he says, such as prioritizing water recovery in hospital towns from the start. He was also interested to see if any of the teams invoked exclusions to their insurance policies based on acts of war—an argument that led to drawn-out legal battles following the billions of dollars in damage from Russia’s NotPetya cyberattack in 2017—or planned to claim reimbursement from the federal government for their costs under the Terrorism Risk Insurance Act, or TRIA. None of that came up in my table’s game, however, due in part to the lack of certainty on day two of who was behind the hacking campaign.
But yes, Corman adds: The goal of the game was to not to create a competition to be won. Instead, it was designed to “overwhelm”—to “surface and shatter assumptions.”
More specifically, Corman says, he wants to show the industry that if even a relatively mild version of Volt Typhoon’s potential hacking occurred under current conditions—Corman argues the real version could be far worse than 5,000 disabled water utilities—it would be beyond the insurance industry’s capacity to handle it.
Mark Camillo, CyberAcuView’s CEO, who cohosted the war game with Corman, says the results show that a cataclysmic cyberattack may well be “uninsurable”: that the costs of such an event would surely bankrupt the industry if insurers don’t invoke act-of-war exclusions that would get them off the hook—which would in turn cause enormous damage to the trust that American society puts in insurance. One lesson of the game, Camillo contends, is that insurance companies might need a government fund like the terrorism-focused TRIA to help cover its costs, to be refilled with payments from policy holders in the years following a cyber disaster.
But Corman says the bigger lesson is that the insurance industry, maybe even more than the US government, has the unique power to change all of this—not by learning how to respond in the midst of a hacking catastrophe but by focusing on how to prevent one. It could, for instance, demand via insurance policies that customers better protect themselves, compelling clients to review their networks for the unpatched, vulnerable network devices that Volt Typhoon exploits, or requiring that they join cybersecurity information sharing groups. Currently, Corman says, just 0.3 percent of the country’s 151,000 water utilities are part of those organizations, an appallingly low membership compared to similar groups in industries like finance or electrical utilities.
“The idea is to help insurers realize that this is not going to play out the way they thought it would,” Corman says in summary. “And make them think about what they might do differently once they leave the room.”
As the final lesson from WarGames goes, after all, there are games where the only winning move is not to play—or at least not on the adversary’s terms.
Comments 0
Leave a Reply
Your email address will not be published. Required fields are marked *
Technology
Explore All
Feds demand autonomous vehicle companies stop interfering with first responders
The National Highway Traffic Safety Administration said emergency scenes are not "edge cases."
Messi and Ronaldo Are Building Tech Portfolios. Mo Salah Is Playing a Different Game
59 minutes ago
Google’s deepfake detector system used to debunk McConnell hoax pic
1 hour ago
With EU backing, QuantumDiamonds aims to speed up chip manufacturing
1 hour agoAutonomous drone delivery startup Manna plots major US expansion
2 hours agoWhats New
View All
Feds demand autonomous vehicle companies stop interfering with first responders
Bernie-backed socialist who allied with Platner could supplant him on ballot
Oregon A.G. Seeks Delay of Paramount-Warner Bros. Merger, Suggests DOJ Approval Was ‘Corrupt’
US launches more strikes on Iran with blasts reported in south of country
Anonymous Content’s Darren Walker on Company’s 10 Emmy Nominations and Nominee Sally Field’s ‘Motherly’ Dating Advice
WATCH: Dana White drops 2028 hints while raving about his favorite Trump cabinet secretary
Emmy Noms Analysis: Diversity in Acting Nominees Down 39% While ‘The Pitt’ Cements Frontrunner Status and ‘Widow’s Bay’ Emerges as Dark Horse
Salman Rushdie Says AI Has ‘Zero’ Role in Storytelling, Teases New ‘Midnight’s Children’ TV Adaptation, Film of ‘The Ground Beneath Her Feet’ (EXCLUSIVE)
France lose appeal against Olise’s yellow card in Paraguay World Cup clash