Picture the United States waking up on July 1, 2027, to a government advisory reporting that hackers have simultaneously knocked out 5,000 water utilities across the country. That was the premise handed to roughly thirty insurance industry executives during a closed-door tabletop exercise held inside a conference room in an office tower overlooking Times Square. Organized by an insurance-sector cybersecurity group called CyberAcuView, the exercise was run by Joshua Corman, a former strategist at the Cybersecurity and Infrastructure Security Agency, who built the entire scenario around a real Chinese state-linked hacking operation known as Volt Typhoon. Divided into six teams, the executives were told the story would unfold minute by minute like a real crisis, with no scheduled breaks and no easy answers.
Inside the Simulation: A Water Crisis Spirals Into a National Emergency
Twenty-four hours had passed in game time when Corman warned the room, "You ready? It's about to get harder. I'm going to share a few things, and it's going to hurt." Although it was still the same April afternoon in real life, the fictional clock had moved forward to reveal the disaster's second-order effects. Cold storage warehouses were losing refrigeration, threatening food supplies. Manufacturing plants that depend on water to produce drugs and chemicals had ground to a bottleneck, triggering insulin shortages. Data centers that rely on water-cooled systems were failing, knocking cloud services offline. Most alarming of all, 2,000 hospitals were left without water, straining patient care and forcing evacuations as air conditioning systems shut down in the middle of a July heat wave, since the scenario was set just before Independence Day in 2027.
To heighten the pressure, Corman played a looping video of a burst water main on the screen at the front of the room, signaling that the hackers hadn't just disrupted software systems but had also caused physical destruction that would take far longer to repair. "Everyone downstream is without water pressure," he told the group. "Everything depends on water." He also refused to schedule any restroom breaks, telling participants, "There are no breaks in real incident response. If you have to go to the bathroom, go to the bathroom. But you might miss something vital." Nobody left the room.
Impossible Choices for the Insurance Teams
The task assigned to each of the six teams, all playing the role of insurance companies, was to decide how to allocate limited resources, meaning contracted cybersecurity incident responders and money, and which clients would receive help first. Should existing business relationships dictate who gets served first? Should the companies try to minimize harm to the largest number of people? And because some clues in the game suggested the attack was carried out by the Chinese military to slow a US response to an invasion of Taiwan, should insurers be compelled to prioritize keeping military facilities running?
Underneath all of this sat an even darker question for the insurers themselves: would this catastrophe bankrupt them, or would they invoke an act-of-war exclusion, a standard insurance clause that frees carriers from liability once an armed conflict begins, and pay their clients nothing, risking being cast as the villains of the story? Each team was given 15 minutes to settle on a policy.
At one table, an argument broke out almost immediately over whether to warn the insurer's full roster of corporate clients about the breach. Most wanted to notify everyone. One holdout argued that under the normal insurance model, it's the client who reports an incident to the insurer, not the reverse. He was outvoted, and the table agreed to alert all its customers.
As the exercise went on, Corman moved between tables handing out surprises. At one point he had a participant roll a 20-sided die, then announced, without further explanation, that incident responders from Dragos, CrowdStrike and Mandiant, three of the biggest providers of emergency cybersecurity response for industrial clients like water utilities, were all unavailable because they were tied up with other victims. That table would have to find responders from smaller firms or ask government agencies for help. "Perfect," one player replied.
With responders scarce, deciding who to help first became even more fraught. One table settled on prioritizing clients by size, largest revenue first. Other tables described prioritizing customers on a first-come, first-served basis, or following some vaguely defined notion of national security set by the government, though it was unclear which government office would actually define that standard. One table asked where CISA's own incident responders were in all this. Corman noted that, in the scenario, CISA had gone 15 months without a Senate-confirmed director and had lost much of its staff. Some teams suggested turning to cybersecurity experts in academia or the National Guard for help. None of it was enough.
Then Corman introduced another twist: a prerecorded video statement from a fictional military official appealing to the insurers for help responding to the threat from China, the first time the country had been named aloud in the exercise. "I'm most concerned about our ability to protect our military mobility, a key element of national security," the official said.
For day two, Corman asked the teams to reconsider their priorities as the disruption kept spreading. The "biggest customers first" and "first-come, first-served" answers from the earlier round suddenly looked hopelessly simplistic. Should the teams focus on restoring water where they could save the most lives, in cities dense with hospitals? Should they try to minimize economic damage instead? Or should they follow the military's request and effectively put a potential Taiwan conflict response ahead of everything else?
After 15 minutes of discussion, every one of the six teams gave the same answer: save human lives first. Yet none of them could spell out how they would make the countless difficult decisions that answer would actually require. Only one participant, after hearing all six teams give an identical response, raised an uncomfortable objection. "The easy answer is public safety, human life," he said. "The more difficult one is when you do have regulators or someone calling, shareholders asking questions." He added that if the Treasury Department were calling for numbers while the company said it was focused solely on saving lives, "I don't know if that's the actual talk track," using an industry term for a scripted set of talking points for client calls. He also noted that if an official told the company to prioritize telecommunications or dual-use infrastructure, meaning assets with potential military value, that demand might become "priority number one." In other words, taking the most direct path to protecting people during a catastrophic cyberattack could mean breaking contracts, ignoring military requests, or contradicting the US government's broader wartime strategy. "We didn't agree on that as a table," he said. "There's not going to be a consensus."
At that point, Corman ended the exercise to begin a lessons-learned discussion, putting up a slide representing the infrastructure disrupted by the hackers' second-order effects, each item marked with rows of dollar signs and human silhouettes standing in for financial loss and casualties. He later said there was no point treating those symbols as a score, they were meant to convey qualitatively how bad things had become, not to quantify an exact toll. If the exercise had any winners, he said, they weren't in the room.
The Real Hacking Group Behind the Nightmare
The scenario wasn't pure fiction. In May 2023, Microsoft, the National Security Agency, and CISA jointly announced they had discovered a group of hackers working on behalf of the Chinese military, which they named Volt Typhoon. The group had broken into the networks of critical infrastructure operators across the continental United States and the US territory of Guam, hitting sectors ranging from manufacturing to telecommunications to the electric grid.
What made the intrusions especially alarming was that the hackers appeared to be going beyond the espionage that has become standard practice for Chinese state-backed cyberspies. According to Microsoft, they were "pursuing development of capabilities that could disrupt critical communications infrastructure between the United States and Asia region during future crises." In other words, Volt Typhoon was "pre-positioning," a term used in a follow-up CISA and NSA advisory in early 2024, laying groundwork for wider cyberattacks designed to hamper the US military at a critical strategic moment, potentially timed to an invasion of Taiwan, according to some cybersecurity analysts.
As the US government and the broader cybersecurity industry kept tracking Volt Typhoon, it became clear the group's targets weren't limited to networks that would enable sabotage of US military assets. They included the IT systems of a water utility in Hawaii, multiple US ports, and at least one oil and gas pipeline with possible military relevance, along with hundreds of other entities, including water and electric infrastructure as small as the Littleton Electric Light & Water Departments in Littleton, Massachusetts, a town with just under 10,500 residents. Brandon Wales, CISA's former executive director, said the only reason to target an entity that small is to cause societal chaos in the United States, adding that Volt Typhoon appeared to be preparing to cause chaos in the American homeland in order to influence the country's geopolitical freedom of action and its willingness to fight.
How Deep Has China's Access Really Gone?
Even three years after Volt Typhoon was first discovered, threat intelligence analysts say China's preparations for disrupting US civilian infrastructure haven't stopped. Joe Slowik, a former Los Alamos National Labs cybersecurity researcher who now works on contract for the Department of Energy, said Volt Typhoon, or a related group it has evolved into, continues to target the US electric grid and water utilities. Some of these intrusions are caught, Slowik said, while others go undetected, partly because municipal utilities operate on minimal security budgets, and partly because the hackers rely on a stealthy technique known as "living off the land," which hijacks legitimate network functions instead of installing malware. Slowik, who now leads threat research at the cybersecurity firm Dataminr, described the tradecraft as "pretty good," adding that it's being applied against targets that simply don't have the capacity to detect it.
Jen Easterly, who led CISA when the Volt Typhoon campaign was first uncovered and now serves as CEO of the RSA cybersecurity conference, cautioned that the 5,000-utility scenario modeled in the war game would be unprecedented and isn't the most likely outcome of Volt Typhoon's intrusions. Still, she warned that artificial intelligence could make a mass-sabotage scenario like that far more plausible in the next few years, particularly if AI's use in offensive hacking outpaces its use by defenders. Easterly said the true scale of China's preparations remains unknown, but that its intent is not in doubt. "What we found was really just the tip of the iceberg," she said of her time overseeing the Volt Typhoon response at CISA, adding that she sees no reason to believe China has changed its deliberate strategy of creating access points inside America's most important civilian infrastructure so that it can launch disruptive attacks if a crisis breaks out in the Taiwan Strait.
Two months before the exercise, former NSA director of cybersecurity Rob Joyce laid out the same warning even more bluntly in an article for the Cyber Defense Review, arguing that the threat posed by Volt Typhoon remains as urgent as ever. "China has effectively strapped the digital equivalent of explosives to the backbone of American society," Joyce wrote. "Quietly maintaining access. Waiting."
Why Insurance Executives Were Chosen to Play This Game
The war game was convened by CyberAcuView, which invited about 30 insurance executives on the condition that neither they nor their employers would be identified. Corman, who has run dozens of similar exercises, said he wanted an outside observer present for two reasons. First, few people understand how central insurance companies are to a real cybersecurity emergency, since hacking victims typically call their insurer first, and it's the insurer that then approves and unlocks law firms and cybersecurity incident responders in the hours that follow. Second, Corman argued that insurance executives make illuminating players in this kind of exercise because they have a direct financial incentive to assess risk accurately, what he called having "skin in the game," rather than exaggerating or downplaying the danger.
The exercise began around 1 pm with introductions and ground rules, including an instruction not to fight the scenario. Corman opened by quoting the 1983 hacker film WarGames, asking the room, "Shall we play a game?" Day one of the fictional scenario was set on July 1, 2027. A news headline that morning described growing fears of a Chinese invasion of Taiwan. A cybercriminal ransomware gang's ongoing hacking spree had already consumed about a third of the country's cybersecurity incident response capacity. Meanwhile, the cybersecurity industry was warning of three vulnerabilities in network edge devices such as firewalls and VPNs, the same kind of devices Volt Typhoon has long used to gain an initial foothold, being actively exploited by unnamed hackers.
Then came the actual starting point of the scenario: a restricted US government advisory stating that thousands of water utilities had been breached, that their controls were unresponsive, and that anecdotal reports pointed to physical damage. The executives' first task was to decide whether and how to tell customers, and then, since the damage would almost certainly outstrip their capacity to fund every affected client, to decide how they would choose whom to prioritize.
What the Exercise Proved About America's Preparedness
Corman said afterward that some moves by the teams genuinely mattered, such as prioritizing water restoration in cities with many hospitals from the very start. He was also curious whether any team would invoke an act-of-war exclusion, the kind of clause that fueled prolonged legal battles after Russia's NotPetya cyberattack caused billions of dollars in damage in 2017, or would plan to seek reimbursement from the federal government under the Terrorism Risk Insurance Act, known as TRIA. Neither came up at Corman's table's discussion, partly because of lingering uncertainty on day two about who was actually behind the hacking campaign.
Still, Corman said the goal was never to create a competition with a winner. Instead, it was designed to overwhelm participants, to "surface and shatter assumptions." More specifically, he said he wanted to demonstrate to the insurance industry that even a relatively mild version of what Volt Typhoon could unleash, and he argues the real version could be far worse than 5,000 disabled water utilities, would already exceed the insurance industry's capacity to handle it.
Mark Camillo, CyberAcuView's CEO, who co-hosted the exercise with Corman, said the results suggest a catastrophic cyberattack of this scale may well be "uninsurable," meaning the costs would likely bankrupt the industry unless insurers invoke act-of-war exclusions to avoid paying claims, a move that would badly damage public trust in insurance. Camillo said one lesson from the exercise is that the insurance industry may need a government-backed fund similar to the terrorism-focused TRIA to help cover such costs, refilled over time through payments from policyholders following a cyber disaster.
Corman, though, said the larger lesson is that the insurance industry, perhaps even more than the US government, has unique leverage to prevent this scenario altogether rather than simply respond to it once it happens. Insurance policies could, for example, require customers to better secure themselves by reviewing their networks for the unpatched, vulnerable edge devices that Volt Typhoon is known to exploit, or by requiring membership in cybersecurity information-sharing groups. Currently, Corman said, just 0.3 percent of the roughly 151,000 water utilities in the United States belong to such groups, an extremely low participation rate compared with similar organizations in sectors like finance or electric utilities.
"The idea is to help insurers realize that this is not going to play out the way they thought it would," Corman said, summing up his goal for the exercise, "and make them think about what they might do differently once they leave the room." As the final lesson of WarGames put it, some games are only won by declining to play them, or at least not by the rules the adversary wants you to follow.











