Executive Risk & Board Advisory

Five Warnings in Sixty Days: The Keys to America's Infrastructure Are Not Being Held

Dipan Mann
Founder, CEO & CTO
June 6, 2026
11 minute read

Over the past sixty days, five separate cybersecurity stories broke in the American press, and each was reported as its own isolated bad week. Put them in a single line and they stop being five stories. The agency that defends American infrastructure told the country to assume the enemy is already inside, then left its own keys in a public place for six months. The Senate confirmed Chinese hackers are still inside the phone networks. China has sat inside the power grid for seven years. And a whistleblower suit alleges the telecom giant trusted with a federal military network, and the wiretap system itself, hid foreign break-ins and was coached to dodge the NSA. This is the connection no one has printed, and the five investigations behind it.

Five Stories. One Conclusion No One Wants to Print.

Over the past sixty days, five separate cybersecurity stories broke in the American press. Each was reported on its own. Each was treated as its own bad week for somebody.

Put them in a single line and they stop being five stories. They become one, and the one is worse than any of its parts.

On May 5, the federal agency responsible for defending American infrastructure told the country to assume the enemy is already inside the networks that run the power and the water. Thirteen days later, that same agency was caught leaving the keys to its own cloud in a public place for six months. A Senate committee confirmed that Chinese hackers have still not been removed from the telephone networks most Americans use every day. The intelligence community has now spent seven years watching a different Chinese group sit quietly inside the power grid, waiting. And a federal court just unsealed a lawsuit alleging that the telecom giant trusted with a military network, the same company breached in the telephone hack, hid foreign intrusions from the government and was coached to dodge the NSA.

Read together, these five events describe something the security industry has not said plainly. The defense of American infrastructure has been handed to a chain of third parties, a hollowed-out federal agency, its contractors, and the telecom carriers running the government's own networks. And in a single sixty-day window, every link in that chain produced concrete, sourced, on-the-record evidence that it cannot be relied upon to hold the keys it was given.

The adversary's patience is documented. What the last sixty days documented is the condition of the door. This piece connects the five. Each one links to a full investigation of its own.

Warning One: CISA Told America to Assume the Enemy Was Already Inside

On May 5, 2026, the Cybersecurity and Infrastructure Security Agency published guidance under a new program called CI Fortify. It told operators of power, water, transportation, and communications to prepare to run their most essential systems in complete isolation, cut off from the internet and from their own vendors, for weeks to months at a time.

The reason is the part that should have led every newscast in the country. In CISA's own words, operators should "assume that in a conflict scenario third-party connections will be unreliable and that threat actors will have some access to the OT network."

That is not a warning that an attack might come. It is an instruction to assume the attacker is already inside, already holding a position in the systems that run the machinery. The agency whose job is keeping the enemy out told the country to plan for the enemy already being in. It is survival guidance written by the people responsible for prevention, which tells you what they actually believe about the state of prevention.

Full analysis: What CISA's CI Fortify Guidance Actually Means, and Why It Reads Like a Confession

Warning Two: Then CISA Left Its Own Keys on GitHub for Six Months

Thirteen days later, on May 18, the agency that wrote that guidance was revealed to have spectacularly failed to follow it.

A CISA contractor had been running a public GitHub repository, named without any apparent irony "Private-CISA," that exposed administrative credentials to multiple AWS GovCloud accounts and dozens of internal agency systems. It included the keys to CISA's software build system, the single most dangerous thing in the pile, because that is how an adversary slips a backdoor into software that the victim then deploys everywhere itself. The researcher who found it said he assumed it was fake, because the agency it belonged to was the last one on earth that should have produced it. Members of Congress from both parties said the leak handed adversaries a "roadmap" to gain access and persistence on federal networks, the exact words the intelligence community uses for what China is already doing.
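The control that prevents a repository like the one described above from ever going public with live credentials in it is a secret scan that runs before code leaves the developer's machine. The block below is an added illustration, not code from the original post or from CISA or its contractor, of what such a gate looks like at its simplest: a set of patterns for AWS access key IDs, AWS secret keys and PEM private-key headers run over a constructed set of repository files. The sample key pair is the placeholder pair AWS uses in its own documentation, the file paths and policy names are invented, and the scanner is deliberately conservative (it only flags a 40-character secret when it sits next to its configuration key name) so it can block a push without drowning engineers in false positives.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Dict, List

# Detection patterns. The access key ID format (AKIA/ASIA followed by 16
# upper-case alphanumerics) is public AWS documentation. The secret key is
# only matched when it appears beside its configuration key name, which keeps
# random base64 (hashes, blobs) from tripping the gate.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    kind: str
    redacted: str  # never log the full value: the scanner's own output must not be a second leak


def redact(value: str) -> str:
    """Keep just enough of the value to tell which key leaked, never the whole thing."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-4:]}"


def scan_text(path: str, text: str) -> List[Finding]:
    """Scan one file's contents line by line and return every match, with line numbers."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                value = match.group(1) if match.groups() else match.group(0)
                findings.append(Finding(path, lineno, kind, redact(value)))
    return findings


def scan_files(files: Dict[str, str]) -> List[Finding]:
    """Scan a mapping of path -> contents, as a pre-commit hook would see the staged tree."""
    findings: List[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def gate(files: Dict[str, str]) -> int:
    """Pre-commit / CI gate: non-zero exit status blocks the commit or push."""
    findings = scan_files(files)
    for f in findings:
        print(f"{f.path}:{f.line}: {f.kind} {f.redacted}")
    return 1 if findings else 0


# Constructed sample repository. The key pair is the example pair from AWS's
# own documentation, not a real credential; the paths are invented.
SAMPLE_FILES = {
    "deploy/aws.env": (
        "# constructed sample: the AWS documentation's example key pair\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "build/signing.pem": (
        "-----BEGIN RSA PRIVATE KEY-----\n"
        "MIIE...constructed, not a real key...\n"
        "-----END RSA PRIVATE KEY-----\n"
    ),
    # A reference to a variable is the correct pattern and must not be flagged.
    "infra/main.tf": 'provider "aws" {\n  access_key = var.aws_access_key_id\n}\n',
    "README.md": "# deployment notes\nKeys live in the secrets manager, not in this repo.\n",
}

if __name__ == "__main__":
    raise SystemExit(gate(SAMPLE_FILES))
```

Run as a pre-commit hook, `gate` returns 1 and the commit is refused while the env file and the build-signing key are staged; the Terraform file, which references a variable rather than a literal, passes. The scan is a floor, not a ceiling: the same patterns belong in the CI pipeline and in periodic sweeps of every repository the organisation and its contractors can push to, because a hook on one laptop does nothing for the contractor's laptop.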

Full analysis: Nine Days After CISA Told America to Lock Down, Its Own Keys Were Sitting on GitHub

Warning Three: China Has Been Inside the Power Grid for Seven Years

The reason CISA can tell the country to assume compromise is that, in confirmed cases, compromise is the baseline.

A Chinese state-sponsored group known as Volt Typhoon has held persistent access inside US energy, water, communications, and transportation systems for at least seven years. The intelligence community has been clear that this is not espionage. It is pre-positioning, the digital equivalent of placing demolition charges in a building you do not own and waiting for the order. The group leaves no malware. It uses the legitimate administrative tools already on the network, which is exactly why a clean security scan means nothing against it.

Full analysis: Seven Years Inside: What Volt Typhoon Is Actually Doing in the US Power Grid

Warning Four: Chinese Hackers Are Still Inside the Phone Networks

On December 2, 2025, the Senate Commerce Committee reached a blunt conclusion, printed in its own official release: the telecom companies breached by the Chinese group known as Salt Typhoon "have failed to prove the Chinese hackers have been eradicated from their networks." The operation penetrated at least nine US telecom companies, including AT&T and Verizon, and reached the CALEA wiretap system that American law enforcement depends on.

The breach succeeded, in the committee's account, because the carriers "failed to implement rudimentary cybersecurity measures." Rudimentary. Legacy equipment. Router vulnerabilities. Passwords never changed. More than a year after the public learned Chinese hackers were inside the wiring of American telecommunications, the honest government assessment is that they may still be there.

Full analysis: Still Inside: Why the Senate Says Salt Typhoon Was Never Fully Evicted

Warning Five: The Whistleblower, the Wiretap System, and the Company That Sells Itself as Cyber-First

And then, on June 4, the bombshell that ties the whole thing together.

A federal court unsealed a whistleblower lawsuit from William Barlow, IBM's former vice president of threat intelligence. It alleges that IBM and AT&T concealed years of foreign intrusions into a federal cloud system used by the US military, and made false assurances about its security to keep government contracts. When the NSA came asking about hacks attributed to China, Barlow alleges he was told to "dodge" the questions.

Sit with who AT&T is in this story. AT&T operates the CALEA lawful-intercept system, the wiretap infrastructure that holds the keys to federal surveillance. AT&T runs a core network for the US government and the military. AT&T is a confirmed victim of the Salt Typhoon hack that specifically targeted those wiretap interfaces. AT&T owns a cybersecurity company it acquired and markets itself, loudly, as a security-first enterprise. And a senior insider has now alleged, under oath, that the company's instinct on discovering a foreign intrusion was to hide it, even from the NSA, even when the data belonged to the government.

If the allegations are true, the company holding a large share of the federal government's most sensitive communications keys is the same company that allegedly concealed that those keys were being stolen, while selling the public on its security leadership. That is not a vendor problem. That is a national-security problem wearing a marketing budget.

Full analysis: AT&T Holds the Keys to Federal Surveillance. A Whistleblower Says It Hid the Break-Ins.

💡 Key Insight

The story of the last sixty days is not that America has enemies inside its networks. Everyone knows that. The story is that the parties holding the keys, the federal cyber agency, its contractors, and the telecom giants running government networks, keep proving they cannot be relied upon to hold them. That is the part no one will say out loud.

The Thread Running Through All Five

Look at what these stories share, because it is not a coincidence and it is not partisan.

In two of the three cases where an intrusion was discovered, the institution responsible told the public there was nothing to worry about. CISA said there was "no indication that any sensitive data was compromised" while researchers were still finding live keys it had not rotated. The telecom carriers "failed to prove" eviction, then, according to Senator Maria Cantwell, blocked the cybersecurity firm Mandiant from releasing the forensic reports that would have shown the truth, and reportedly instructed their own incident responders not to go looking for the hackers in the first place. And the AT&T whistleblower alleges the intrusions were simply never reported at all.

Don't look. Don't tell. Don't confirm. It is the same posture in three different buildings.

The pattern is not incompetence, though there is plenty of that too. It is the institutional preference, every single time, to make the intrusion sound smaller, more contained, and more resolved than the evidence supports. The public assurance and the private reality are allowed to drift apart, and the people on the outside, the customers, the agencies, the boards, the acquirers, have no independent way to tell.

Why This Generalizes Straight Into Your Boardroom

If CISA, the agency that wrote the playbook, with a national-security mission and the full attention of Congress, can leave its cloud keys in a public repository for six months and still be rotating them a week after being told, then the realistic security posture of a mid-market manufacturer, a regional utility, or a portfolio company with two people in IT is not better. It is worse. Considerably worse.
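The paragraph above turns on a single operational fact: keys known to be public were still active a week after the agency was told. Whether an organisation is better or worse than that is measurable. The block below is an added example, not code from the original post or from any agency or vendor it names, of the audit a security team runs the morning a disclosure lands: every access key is checked against a hypothetical 90-day age ceiling and against the list of key IDs known to have been exposed, and any exposed key that is still active is flagged for immediate revocation regardless of its age. The key records are constructed, but their field names (AccessKeyId, Status, CreateDate) mirror the shape returned by the IAM ListAccessKeys API, so the same function can be pointed at real output.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Set

# Hypothetical policy ceiling; substitute the organisation's own standard.
MAX_KEY_AGE = timedelta(days=90)


def key_verdict(key: dict, now: datetime, exposed_ids: Set[str]) -> str:
    """Classify one access key record as 'revoke_now', 'stale', 'inactive' or 'ok'."""
    if key["AccessKeyId"] in exposed_ids:
        # Once a key is known to have been public its age is irrelevant:
        # an active copy anywhere means the exposure is still live.
        return "revoke_now" if key["Status"] == "Active" else "inactive"
    if key["Status"] != "Active":
        return "inactive"
    if now - key["CreateDate"] > MAX_KEY_AGE:
        return "stale"
    return "ok"


def audit(keys: Iterable[dict], now: datetime, exposed_ids: Set[str]) -> Dict[str, List[str]]:
    """Group key IDs by verdict so the revoke_now list can go straight to the on-call engineer."""
    report: Dict[str, List[str]] = {"revoke_now": [], "stale": [], "inactive": [], "ok": []}
    for key in keys:
        report[key_verdict(key, now, exposed_ids)].append(key["AccessKeyId"])
    return report


def exposure_still_live_days(disclosed_at: datetime, now: datetime, report: Dict[str, List[str]]) -> int:
    """Days since disclosure during which at least one exposed key has remained active (0 if none)."""
    if not report["revoke_now"]:
        return 0
    return (now - disclosed_at).days


# Constructed sample: four keys as they might appear a week after a disclosure.
# IDs are obviously synthetic; only their shape matches real key IDs.
NOW = datetime(2026, 5, 25, tzinfo=timezone.utc)
DISCLOSED_AT = datetime(2026, 5, 18, tzinfo=timezone.utc)
EXPOSED_IDS = {"AKIACONSTRUCTED00001", "AKIACONSTRUCTED00002"}
SAMPLE_KEYS = [
    {"AccessKeyId": "AKIACONSTRUCTED00001", "Status": "Active",
     "CreateDate": datetime(2025, 11, 1, tzinfo=timezone.utc)},   # exposed, still active
    {"AccessKeyId": "AKIACONSTRUCTED00002", "Status": "Inactive",
     "CreateDate": datetime(2025, 11, 1, tzinfo=timezone.utc)},   # exposed, already disabled
    {"AccessKeyId": "AKIACONSTRUCTED00003", "Status": "Active",
     "CreateDate": datetime(2025, 12, 1, tzinfo=timezone.utc)},   # not exposed, 175 days old
    {"AccessKeyId": "AKIACONSTRUCTED00004", "Status": "Active",
     "CreateDate": datetime(2026, 4, 20, tzinfo=timezone.utc)},   # not exposed, 35 days old
]

if __name__ == "__main__":
    result = audit(SAMPLE_KEYS, NOW, EXPOSED_IDS)
    for verdict, ids in result.items():
        print(f"{verdict:11s} {ids}")
    print("exposure live for", exposure_still_live_days(DISCLOSED_AT, NOW, result), "days")
```

The number the board should be shown is the last line: days between disclosure and the moment the last exposed key went inactive. An organisation that cannot produce that number on demand has no basis for claiming it is in better shape than the agency in the paragraph above.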

CI Fortify was addressed to critical infrastructure operators. But its core assumption, that third parties will be unreliable and the adversary will have some access, is the correct planning assumption for nearly every organization that runs on software it did not write and vendors it cannot audit. Which is all of them.

For years, the working assumption in most boardrooms has been that a clean security assessment, a compliant vendor, and the absence of a known incident add up to reasonable safety. This spring took that assumption apart. The absence of a known incident, when the intrusions are built to be invisible and the institutions are inclined to stay quiet, is indistinguishable from a successful intrusion nobody has surfaced yet.

For acquirers running diligence, and above all in private equity, where a single fund may hold a dozen companies sitting inside the supply chains of much larger targets, the lesson is sharper still. Cyber due diligence that confirms the absence of a reported breach is confirming the wrong thing. The intrusions that matter most in this environment are engineered to generate no report at all. Diligence has to start from the assumption of pre-positioning and go looking for the evidence of access, not the evidence of alarms, because the alarms, as the last sixty days demonstrated at every layer of the system, are exactly what a capable adversary makes certain never sound.

7 Years
How long Chinese state hackers known as Volt Typhoon have held confirmed access inside US energy, water, communications, and transportation systems, dating from when investigators believe the intrusion began to the present. The federal advisory confirming it is itself more than two years old.
6 Months
How long a CISA contractor's "Private-CISA" GitHub repository, holding the agency's GovCloud administrative keys and software build-system credentials, sat publicly accessible. Its most sensitive contents were exposed in late April 2026, the same window CISA was finalizing guidance telling everyone else to assume their keys were already compromised.
Dodge
The instruction a former IBM vice president of threat intelligence alleges he was given when the NSA asked about Chinese hacks of a federal network operated by AT&T for the US military, per a whistleblower suit unsealed in June 2026. The allegations are unproven, and the government declined to intervene.

The Part No One Will Say

There has been no shortage of coverage. Each of these five stories was reported, some of them widely. What has been missing is the one sentence that connects them, so here it is.

The defense of American infrastructure has been quietly handed to a chain of third parties, a hollowed-out federal agency, its contractors, the telecom carriers that run the government's networks, and the vendors threaded through every supply chain in the country. Over a single sixty-day window in the spring of 2026, that chain produced repeated, concrete, sourced evidence that it cannot be relied upon to hold the keys it was given.

The adversary does not need every door open. It needs one. In sixty days, the country left at least three of them open, and in two of the three cases, told the public there was nothing to see.

This is not a call for alarm. Alarm is useless. It is a call for one specific, unsentimental change in posture. Stop treating the absence of a reported breach as evidence of security. Start treating third-party access as the primary attack surface it has become. And demand independent verification of the assurances that institutions, even the ones whose entire job is security, have every incentive in the world to make sound better than they are.

Five warnings arrived in sixty days. Read them one at a time and they are five bad weeks for five organizations. Read them together and they are a single message about the state of the keys to the country. The detailed investigation of each is linked below. Start with whichever one you think you already understand. It is the one most likely to surprise you.

Conclusion

CISA was right on May 5. Assume the adversary is already inside. The corollary the agency proved thirteen days later, and that a Senate committee and a federal courtroom have reinforced since, is the one nobody wants to say: the institutions holding the keys to American infrastructure cannot be assumed to be holding them. Those two facts, side by side, are the actual state of cyber risk in 2026. Not the threat alone. The threat, meeting a defense that keeps leaving the door open and calling it routine. The adversary has already done the patient part. The only open question is whether anyone holding a key is willing to act as though that is true.

CLOUDSKOPE VIEW

Cloudskope advises private equity firms, boards, and portfolio-company operators on the exposure this analysis describes: third-party and supply-chain access as the primary attack surface, diligence built to detect pre-positioning rather than confirm the absence of alarms, and independent verification of the security assurances that vendors and acquisition targets have every incentive to overstate.
