CISA’s 2024 Year in Review is blunt about the security landscape: the People’s Republic of China remains the most active and persistent cyber threat to U.S. government, private sector, and critical infrastructure networks. The agency frames this not as episodic espionage but as a sustained campaign that seeks long‑term access and operational impact.
The Year in Review and CISA’s February advisory make Volt Typhoon the poster child for that strategy. U.S. and allied agencies assessed that this PRC‑sponsored actor has compromised IT environments across communications, energy, transportation, and water sectors and is using living‑off‑the‑land techniques to pre‑position for disruptive or destructive activity. That combination of stealthy footholds and an explicit intent to move from IT to OT raises the risk calculus from data loss to physical disruption.
CISA’s practical guidance is exactly what organizations should be implementing now: prioritize patching of internet‑facing systems, enforce phishing‑resistant multifactor authentication, enable centralized logging and retention, and plan for the retirement of out‑of‑support technologies. Those steps are neither novel nor optional when an adversary aims to persist and pivot.
The agency also showed operational impact. CISA highlighted scalable programs and services that reduced risk in 2024, from Protective DNS blocking of billions of malicious connections to expanded scanning and tabletop exercises for election and critical infrastructure stakeholders. Those are necessary force multipliers, especially given the distributed nature of our critical infrastructure.
CISA’s framing is strong, but the report is less prescriptive. It correctly elevates the threat and builds partnership mechanisms, but the gap remains at the tactical and resource level for small and mid‑sized operators. Many critical service providers lack OT visibility, incident response capacity, or the budget to remediate legacy systems that an adversary will happily exploit. Congressional and industry funding must prioritize retrofit grants, operational monitoring for OT, and subsidized access to managed detection and response for smaller entities.
A second shortfall is supply chain and product security. CISA’s Secure by Design push is the right direction, but government and purchasers must move beyond voluntary commitments for high‑risk product categories that feed into OT environments. Procurement rules should enforce baseline secure‑development practices and vulnerability disclosure requirements for vendors whose products touch critical infrastructure.
Operational recommendations for owners and operators
- Assume compromise and hunt for it. Turn off unnecessary administrative access, centralize logs, and retain them off network to deny an adversary easy cover.
- Prioritize MFA that resists phishing and credential theft. Replace shared or local admin accounts with managed, audited privileged access solutions.
- Patch aggressively for internet‑facing appliances and treat end‑of‑life systems as immediate liabilities. Create funded replacement plans for legacy OT and connected systems.
- Segment IT from OT and limit lateral movement. If Volt Typhoon intended to move from IT to OT, better network segmentation and strict allow‑lists reduce that option set.
- Use government services and CISA resources. Leverage Protective DNS, the agency’s Sector Risk Management Agency (SRMA) and sector programs, and the joint fact sheets and advisories CISA published for leaders.
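One way to make the segmentation and allow‑list recommendation above concrete, as an added example that is not from the CISA report or this article: a default‑deny checker that classifies flow records by zone and flags any IT‑to‑OT traffic that is not on an explicit allow‑list. The zone subnets, the permitted (source zone, destination zone, port, protocol) tuples, the flow‑record format, and the sample flow lines are all constructed assumptions for illustration; a real deployment would feed it firewall or NetFlow exports and its own zone map.

```python
"""Default-deny allow-list check for IT/OT boundary flows.

Added example, not code from CISA or the article. Zone ranges, allowed tuples
and the sample flow lines below are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zone layout (constructed): which address ranges belong to which zone.
ZONES = {
    "IT": [ipaddress.ip_network("10.10.0.0/16")],
    "OT": [ipaddress.ip_network("10.20.0.0/16")],
    "DMZ": [ipaddress.ip_network("10.30.0.0/24")],
}

# Allow-list of cross-zone flows: (src_zone, dst_zone, dst_port, proto).
# Anything crossing a zone boundary that is not listed here is denied, so a
# direct IT -> OT session has no entry and is flagged by default.
ALLOW = {
    ("IT", "DMZ", 443, "tcp"),   # assumed: IT users reach a DMZ web front end
    ("DMZ", "OT", 502, "tcp"),   # assumed: DMZ jump host polls Modbus in OT
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    proto: str


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'UNKNOWN' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "UNKNOWN"


def parse_flow(line: str) -> Flow:
    """Parse the constructed record format: 'src_ip dst_ip dst_port proto'."""
    src, dst, port, proto = line.split()
    return Flow(src, dst, int(port), proto.lower())


def check_flow(flow: Flow) -> str:
    """Classify one flow: 'allowed', 'denied', 'intra-zone' or 'unknown-zone'."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if "UNKNOWN" in (src_zone, dst_zone):
        return "unknown-zone"          # unmapped endpoints need review, not silence
    if src_zone == dst_zone:
        return "intra-zone"            # boundary check does not apply
    if (src_zone, dst_zone, flow.dst_port, flow.proto) in ALLOW:
        return "allowed"
    return "denied"                    # default deny for everything else


def report(lines) -> dict:
    """Group parsed flows by verdict so denied boundary crossings stand out."""
    grouped = {"allowed": [], "denied": [], "intra-zone": [], "unknown-zone": []}
    for line in lines:
        flow = parse_flow(line)
        grouped[check_flow(flow)].append(flow)
    return grouped


# Constructed sample flow records (not real telemetry).
SAMPLE_FLOWS = [
    "10.10.5.23 10.30.0.10 443 tcp",   # IT -> DMZ web: allowed
    "10.30.0.10 10.20.1.5 502 tcp",    # DMZ -> OT Modbus: allowed
    "10.10.5.23 10.20.1.5 502 tcp",    # IT -> OT direct Modbus: denied
    "10.10.5.23 10.20.1.5 3389 tcp",   # IT -> OT remote desktop: denied
    "10.10.5.23 10.10.5.24 445 tcp",   # IT -> IT: intra-zone, not evaluated
    "192.168.77.4 10.20.1.5 502 tcp",  # unmapped source: unknown-zone
]

if __name__ == "__main__":
    for verdict, flows in report(SAMPLE_FLOWS).items():
        for f in flows:
            print(f"{verdict:13} {f.src} -> {f.dst}:{f.dst_port}/{f.proto}")
```

The design point is the default: a cross‑zone flow is denied unless an allow‑list entry exists for that exact zone pair, port, and protocol, which is what turns a segmentation diagram into something that can be checked against logs. Treating unmapped addresses as their own verdict rather than silently allowing them keeps gaps in the zone map visible.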
Strategic posture for policy makers
CISA’s 2024 review is a call to scale. The agency has built useful tools and made smart, threat‑informed recommendations. The next step for policy makers is to convert guidance into capacity: fund retrofit and monitoring programs for smaller utilities, require minimum security standards for critical product classes, and expand incentives for threat intelligence sharing between the private sector and federal partners. Without those investments the asymmetric economics favor the adversary.
Bottom line: CISA’s 2024 Year in Review accurately elevates China as a persistent, active threat and gives the right playbook. Implementation is where we will win or lose. Organizations must move from awareness to hard, measurable remediation. Policy makers must match guidance with funding and regulatory teeth. Adversaries that seek persistent access will not be deterred by good statements alone. They will be deterred by hardened networks, visible OT defenses, and rapid, well‑resourced response capabilities.