Our government is not cyber-secure.
Two weeks ago, the Congressional Budget Office (CBO) confirmed it was suffering an ongoing hack perpetrated by Chinese state-backed agents. The attack potentially exposed CBO’s communications with lawmakers’ offices and access to cost estimates and analysis of legislation—information that could be of significant interest to foreign intelligence services tracking U.S. economic and defense policy [4].
This is just the latest in a long line – a very long line – of successful attacks by foreign governments on the U.S. government. We have been aware of these successful attacks for over a decade, and there is little evidence to suggest that we have made progress in mitigating this risk.
In December 2024, the U.S. Treasury Department disclosed that Chinese state-sponsored actors had infiltrated its network, accessing workstations and over 3,000 unclassified files. The breach targeted the Office of Foreign Assets Control and the Office of the Treasury Secretary—entities directly involved in administering sanctions against Chinese companies and individuals [5].
Federal agencies are experiencing systematic targeting. In July 2025, three Chinese-associated threat actors—Storm-2603, Linen Typhoon, and Violet Typhoon—compromised more than 400 organizations, including the Department of Energy, the Department of Homeland Security, and the Department of Health and Human Services [6]. The Department of Justice identified these actors as part of APT27 (also known as Silk Typhoon), which has conducted multi-year computer intrusion campaigns dating back to at least 2013 [7].
State and local governments face even more acute vulnerabilities. As of 2025, at least 44 U.S. states have reported cyber incidents affecting government systems. Communities from St. Paul, Minnesota, to Mission, Texas, declared states of emergency following significant intrusions. The Interlock ransomware group attacked St. Paul’s local government, forcing the city to shut down its networks for over a month. After officials refused to pay ransom, attackers publicly posted 43 gigabytes of stolen data [8].
The scale of government targeting has intensified dramatically. According to CrowdStrike, China’s cyber espionage efforts increased by 150% in 2024 compared to the previous year, with targeted attacks on government sectors rising by 300% [9]. The Center for Internet Security documented a 148% surge in malware attacks and a 313% rise in endpoint security incidents against government agencies [10].
The fact is that federal, state, and local government systems face unprecedented cyber threats from state-sponsored actors, with direct implications for national security and defense operations. These attacks need to be understood not merely as attacks on administrative functions, but as strategic efforts to compromise the institutions underpinning American military and economic power. These are national defense issues, not administrative ones.
The Defense Infrastructure Connection.
Government facilities and networks are integral components of national defense infrastructure. The Department of Defense relies on federal civilian agencies for essential services, including financial management and personnel security. Compromise of these systems can directly impact military readiness and operations. Just as with the private sector, traditional sector-specific agency oversight is, obviously and empirically, not adequately effective in providing the degree of security that modern attack methods demand. Cybersecurity is not a matter of administrative practice. It is a matter of national defense and needs to be addressed as such.
The Treasury Department breach illustrates the problem. By targeting the Office of Foreign Assets Control, adversaries gained insight into sanctions against entities supplying them with weapons and conducting cyber operations against U.S. infrastructure. This intelligence provides foreign governments with strategic advantages in circumventing U.S. economic statecraft tools, which are essential to national security [11].
The Congressional Budget Office hack illustrates how adversaries target legislative processes that affect defense policy. CBO provides lawmakers with cost estimates for defense legislation and long-term budget projections. Access to this information enables foreign intelligence services to anticipate U.S. defense spending priorities, force-structure decisions, and strategic resource allocation [12].
The electronic case filing system, managed by the Administrative Office of the U.S. Courts, was reportedly breached in July 2025 by Russia-affiliated hackers. Such intrusions compromise sensitive legal proceedings, including those involving national security matters and classified information [13].
Strategic Implications.
Adversaries understand that compromising government systems provides strategic intelligence and operational advantages. The Justice Department charges against twelve Chinese contract hackers and law enforcement officers revealed that victims included U.S. federal and state government agencies, foreign ministries of multiple Asian governments, and U.S.-based critics of the Chinese government. The Chinese Ministry of Public Security and Ministry of State Security paid contractors for stolen data, creating a profit-driven ecosystem of indiscriminate targeting [14]. While it is indeed laudable that the DOJ has taken action against these 12 individuals, estimates suggest that China has roughly 60,000 such agents operating, and that’s just in China. China is only one of many nations engaging continuously in these attacks on American organizations, government, and industry.
This approach maximizes intelligence collection while providing deniability. Operating through contractors and front companies, state actors cast a wide net to identify vulnerable systems, exploit them, and sell information either to the government or third parties. The result is an increase in worldwide intrusions, more systems left vulnerable to future exploitation, and more stolen information circulating through criminal networks [15].
It’s Not That We Don’t Know or We Are Not Trying.
Federal, state, and local governments face many of the same problems that plague the private sector. Simply mandating security without providing the proper infrastructure and resources to make reasonable management possible is a proven recipe for failure.
The response from federal, state, and local government agencies has accelerated significantly in recent years, with emergency cyber directives, expanded hunt operations, and unprecedented interagency coordination across CISA, the FBI, and the intelligence community [1][2]. Yet even with these efforts, no individual agency — or even coalition of agencies — can independently defend against nation-state adversaries conducting long-term, multi-vector campaigns. Senior officials have repeatedly warned that foreign intelligence services are willing to invest unlimited time, resources, and personnel to penetrate U.S. government networks, operating with a level of persistence that traditional defensive models were never designed to withstand [3].
The Government Accountability Office reports that since 2010, it has made over 4,000 recommendations to federal agencies to address cybersecurity shortcomings. However, more than 850 remained unimplemented as of February 2023. Until these shortcomings are addressed, federal and critical infrastructure IT systems will be increasingly susceptible to cyber threats [16].
The most fundamental element of a secure infrastructure is having an adequately trained staff to implement the security protocols. Nationally, an estimated 500,000 cybersecurity jobs remain unfilled for lack of sufficiently trained professionals, including 35,000 positions in the federal government itself. The reality is that the federal government cannot adequately compete with the private sector in the marketplace for high-level cybersecurity talent across its numerous agencies. The situation is far worse in state and local governments, which have virtually no chance of attracting a sufficient supply of adequately trained cyber personnel.
In addition, the lapse of arguably the most successful piece of cybersecurity legislation ever enacted — the Cybersecurity Information Sharing Act of 2015, which needs to be reauthorized and updated — has substantially reduced the government’s ability to coordinate with industry and execute critical information sharing. This creates blind spots in networks precisely when threats are escalating [17].
The National Defense Authorization Act.
Under the Constitution, the federal government is explicitly established to “provide for the common defense.” The Armed Services Committees are charged explicitly with addressing national defense “generally.”
Addressing these challenges requires honest recognition that government cybersecurity is fundamentally a national defense issue. This understanding needs to be extended to include recognition that national defense in the digital age cannot be limited to simply supplying the armed forces, critical though that obviously is. The economic and military power of the United States depends on secure government operations working in partnership with the private sector in ways entirely different from those contemplated when the current structure was created after World War II, 80 years ago. Our adversaries understand this reality and are systematically exploiting it. The question is whether our policy responses will match the scale and urgency of the threat.
Endnotes
[1] CISA, “Emergency Cyber Directives and National-Level Incident Response,” 2024–2025.
[2] FBI, “Joint Cyber Defense Collaborative (JCDC) Expansion and Federal Hunt Operations,” 2024–2025.
[3] U.S. Intelligence Community Annual Threat Assessment, 2024–2025, statements regarding persistent nation-state intrusion campaigns.
[4] CNN, “Congressional Budget Office hacked, China suspected in breach,” Sean Lyngaas, November 6, 2025.
[5] CNN, “China-backed hackers breached US Treasury workstations,” December 30, 2024; U.S. Treasury correspondence with Senate Banking Committee.
[6] House Committee on Homeland Security, “Threat Snapshot,” October 31, 2025.
[7] U.S. Department of Justice, “Justice Department Charges 12 Chinese Contract Hackers…,” March 5, 2025.
[8] Industrial Cyber, “US Homeland Security Committee warns of rising cyber threats…,” November 2025.
[9] CrowdStrike Global Threat Report, 2025.
[10] Center for Internet Security, “Under Fire 2024,” March 11, 2024.
[11] Foundation for Defense of Democracies, Jack Burnham, January 3, 2025.
[12] CNN report on CBO hack, November 6, 2025.
[13] House Homeland Security Threat Snapshot, October 2025; DOJ filings, 2025.
[14] U.S. Department of Justice press release, March 5, 2025.
[15] DOJ indictments describing PRC hacker-for-hire ecosystem, March 2025.
[16] U.S. Government Accountability Office, “Cybersecurity High-Risk Series,” 2023–2024.
[17] House Homeland Security Committee, “Threat Snapshot,” October 31, 2025.