Inside a closed Times Square exercise, insurance teams modeled a Chinese state style attack on 5,000 small US water utilities. The cascade broke their underwriting models.
When Joshua Corman told a room full of insurance executives that 2,000 US hospitals had just lost water, nobody reached for a calculator. The silence was the answer.
Corman, a former strategist who helped shape the federal Cybersecurity and Infrastructure Security Agency's approach to critical-infrastructure risk, was running a closed tabletop exercise in a Times Square conference room, as reported by Wired. A few dozen insurance executives, split into six teams, were modeling a simulated Chinese state-style cyberattack on roughly 5,000 small US water and wastewater utilities. The intrusion was built around the same patient, "living-off-the-land" tradecraft that the Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have tied to a Chinese state hacking group tracked as Volt Typhoon.
The war game was not a forecast. It was a stress test. The room's silence was the signal that the US insurance market has no working model for what a successful Volt Typhoon-style campaign against water infrastructure would actually cost.
The cascade showed, in compressed form, that water is not a single asset class. It is a load-bearing dependency. When the simulated attackers cut pressure and visibility across thousands of small systems at once, the cascade jumped sectors within hours. Hospitals lost sterilization and dialysis water. Insulin and pharmaceutical manufacturing, which depend on high-purity process water, stopped. Cold-storage warehouses and food-refrigeration networks began to fail. Data-center cooling systems, many of which tap municipal supplies, throttled. Burst water mains, the predictable consequence of uncontrolled depressurization, started to surface in the scenario.
The cascade is what makes the problem uninsurable. The utilities themselves are small. Most serve towns under 10,000 people, run on IT staffs of one or two, and have neither the budget nor the in-house expertise to detect a patient, state-sponsored foothold. A 2024 joint advisory from CISA and the FBI confirmed that PRC state-sponsored actors had maintained persistent access to US water and wastewater networks for years. WaterISAC, the sector's threat-information hub, reported that the Volt Typhoon botnet had resurfaced, a reminder that the foothold is not a one-off intrusion but an enduring pre-positioning for crisis-stage disruption.
But advisories do not underwrite losses. The insurance teams, modeling the same scenario, ran into the limit of what their tools could price.
The insurers in the war game could price a single utility compromise. They could not price a coordinated campaign against 5,000 simultaneously compromised systems, because the same campaign that produces the loss also produces the legal basis for denying it under standard war-exclusion language. The aggregation is not a multiplier on individual risk. It is a different shape of risk, and no commercial reinsurance market in the United States can absorb it.
CISA's analysis report on PRC state-sponsored actors describes the tradecraft in detail: living-off-the-land techniques, credential abuse, persistence in operational technology and IT systems, and a posture that prioritizes pre-positioning for future crisis over immediate espionage. Former NSA cyber director Rob Joyce, writing in the Army's Cyber Defense Review, frames the shift as a strategic one: the threat is no longer to data, it is to operations. Neither document offers a financial backstop for the losses the threat would produce.
The threat is already here. The economic instrument meant to absorb the shock, commercial cyber and property insurance, has a structural gap it cannot close without government-backed reinsurance, mandatory cyber disclosure, or both. The war game did not invent a new risk. It made visible a market failure that the public record has not yet named.
The Five Eyes joint advisory on PRC state-sponsored cyber activity puts the threat in plain language: critical-infrastructure operators should assume they are targets. The exercise in Times Square put a number on the assumption and found that no commercial market in the United States can absorb it. The next test is whether the public sector fills the actuarial gap the commercial market cannot, or whether the 5,000 small utilities that run US water learn what their insurance policies will not cover by reading the next incident disclosure.