When the Threat Is a Condition
The Discovery Tax of Cyber Persistence.
Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use AI tools in research and drafting; the analysis and judgement are mine.
In July 2025, Singapore did something it had never done before. Its Coordinating Minister for National Security named a specific threat actor, UNC3886, and said it was going after the country’s critical infrastructure. By February 2026, Singapore had confirmed that the group had compromised all four of its major telecommunications providers, using at least one zero-day and persistence engineered to survive detection, and that containing it had required Operation Cyber Guardian, the largest coordinated cyber defence operation in the country’s history.[1] No service was disrupted, and there was no indication that customer data had been taken. In operational terms, nothing had happened. That was the point. The value of the access lay precisely in the fact that it had produced nothing visible.
I used that episode in my previous piece, When Silence Stops Being Cheap, to argue that public attribution of state cyber operations is less about deterrence than economics. Expose an operation and you force cost back onto the operator. Infrastructure has to be rebuilt. Access pathways have to be re-established. Tradecraft has to be adjusted. Internal scrutiny rises. None of that is decisive in itself, but over time it creates friction, and friction has value. That was the logic behind what I called the retooling tax.
In that same piece I noted, almost in passing, that the defender pays too. Every breach, even one that never becomes operationally disruptive, imposes what I called a response tax: teams stand up, regulators expect notification, and effort shifts from forward work to forensic work while the organisation tries to size a compromise it cannot yet measure. I let that observation go by in a sentence. It deserves more, because it is the other half of the ledger, and it behaves quite differently from the cost most institutions are built to price.
This cost appears not when the adversary causes visible damage, but when hidden access is discovered. At that point, even if no data has been stolen, no systems have been encrypted, and no public disruption has occurred, the organisation has already crossed into consequence. The moment of knowing changes the economics: discovery creates obligation, obligation creates expenditure, and the expenditure arrives whether or not the adversary ever goes on to do anything dramatic.
It matters because most cyber risk models are still built around events. They are calibrated to ransomware, fraud, data breach, service outage, or business interruption. Something happens, impact is realised, loss becomes visible, and the institution can begin the familiar cycle of response, reporting, remediation, and recovery. As I argued last time, corporate risk frameworks lean this way because criminal threats produce quantifiable losses that fit neatly into a register. The model is not foolish. It fits a certain class of threat well, especially criminal operators whose logic is simple enough. They compromise access in order to monetise it. Their business model depends on shortening the distance between intrusion and return.
Persistent state-aligned access follows a different logic. Its value often lies in the fact that nothing visibly happens. The point is not always to act, but to gain position: to establish presence inside systems that matter, map dependencies, understand trust relationships, study operating rhythms, and preserve the option to influence, disrupt, coerce, or simply observe later, if and when the strategic environment makes that useful. Volt Typhoon, which I touched on last time, is the clean illustration at state scale. In February 2024 the United States assessed that the Chinese group had been resident in the networks of communications, energy, transport and water utilities, in some cases for at least five years, not to steal or destroy but to pre-position for disruption in the event of a crisis.[2] That is not an intrusion aimed at a payday. It is a foothold held for years as a latent instrument, waiting on a political trigger rather than a technical one. Persistent access of this kind is not best understood as a precursor to an event. It is better understood as a form of geopolitical positioning conducted through digital infrastructure.
Many organisations still struggle to absorb this. We remain more comfortable with the language of incident than the language of occupation. This is the register Jon Lindsay captures in Age of Deception when he reads cybersecurity as secret statecraft, the organised use of deception for strategic advantage, rather than as warfare: the object of persistent access is position and knowledge, not destruction. A ransomware attack is easy to recognise. A destructive malware event is easy to explain. Even a serious breach can be narrated through the grammar of event, impact, and recovery. Persistent access is different. It sits in the background, may never trigger obvious harm, and yet changes the strategic landscape all the same. What it offers the operator is not merely information, but optionality. And optionality, in a contested geopolitical environment, is a form of power.
This is why the issue is larger than cyber security in the narrow corporate sense. In an era of strategic rivalry, quiet access into cloud environments, identity systems, telecommunications, energy networks, logistics platforms, or major service providers may never be used in a spectacular way. Equally, it may be held in reserve as strategic insurance, a latent instrument of coercion, or a means of shaping choices in a crisis. The point is not always to pull the trigger. Sometimes the point is to ensure that, should the political temperature rise, you are already inside the machinery.
Persistence of this kind fits badly inside governance models built to price realised harm. Boards want to know what happened, what it cost, and whether the problem has been contained. Regulators ask similar questions. Executives want clarity that can be translated into action and reassurance. Persistent access offers very little of that neatness. At the point of discovery, the most consequential fact may be not what has already happened, but what has been made possible. That is an uncomfortable proposition, because possibility is harder to price than damage, and ambiguity is harder to govern than loss.
Once persistent access becomes visible, the organisation is no longer making a calm strategic choice about whether to act. It is responding to an obligation that has already been triggered. That is true even when the facts remain partial. Indeed, it is the incompleteness that drives the cost. You do not know the full scope or the dwell time. You do not know which trust relationships were traversed, which dependencies were mapped, what was accessed, what was observed, or what might have been staged for later use. You may not know whether anything was taken, but nor can you responsibly assume that nothing was. And you do not know what the adversary intended to do with the access, whether next month, next year, or only if the wider context changed.
The telecommunications intrusions attributed to a second Chinese group, Salt Typhoon, show what that uncertainty costs once it is discovered. From late 2024, US officials said the group had penetrated the networks of some nine American carriers, among them Verizon, AT&T and Lumen, and had reached the systems used to service lawful wiretap requests, exposing the call and location metadata of a large number of users.[3] What is instructive is not the espionage itself but the aftermath. Evicting an adversary who has embedded in the identity fabric and core routing of a modern carrier turned out to be extraordinarily hard. More than a year on, officials described the activity as ongoing. Some of the exploited weaknesses sat in hardware that could not be closed with a software patch and required physical replacement. Confident remediation would mean forensic examination of tens of thousands of endpoints across networks that were built for reach and resilience, not for expulsion.[4] The federal programme to strip suspect Chinese-made equipment out of US networks has approved reimbursement claims of very nearly five billion dollars, and even that addresses only part of the problem.[5] The bill did not arrive because something broke. It arrived because someone looked, and found.
The uncertainty has immediate and practical consequences. Forensics teams are engaged, logs are revisited and often found wanting, identity systems are revalidated, credentials are rotated, and trust assumptions are tested under pressure. Core infrastructure may need to be rebuilt, not because it has failed in any operational sense, but because confidence in its integrity has been seriously weakened. The sequence is not hypothetical. When the SolarWinds compromise, attributed to Russia’s foreign intelligence service, was uncovered in December 2020, the US emergency directive did not ask agencies to repair a malfunction. It told them to disconnect the affected software, forensically image their systems, reset every credential the software had touched, and rebuild hosts from trusted sources.[6] The systems were still running. The problem was that they could no longer be believed. Meanwhile legal teams are brought in, disclosure thresholds are debated, regulatory obligations are tested, and executives are briefed. Boards ask for certainty at exactly the point when certainty is least available. The institution begins spending money, attention, and credibility not in response to visible destruction, but in response to discovered uncertainty.
In a persistence model, the absence of visible damage does not remove the obligation to respond. The response itself becomes a major category of cost.
This is the discovery tax.
“Two mirror-image costs, split by the moment of discovery: exposure forces the operator to rebuild, while discovery forces the institution to respond.”
The two taxes are mirror images. For the attacker, persistence preserves optionality. They can observe, wait, and decide later whether to exploit, influence, disrupt, or simply retain access as a hedge. For the defender, discovery removes optionality. Once you know, you must move. You may not know enough to describe the situation neatly, but you know enough to know it cannot be ignored. One side benefits from remaining unseen. The other, the moment sight is established, inherits cost, scrutiny, and organisational friction.
Seen this way, the problem is not merely incident response. It is a structural mismatch between the threat environment and the models institutions use to understand it. Many governance frameworks still assume that cyber risk becomes serious when impact is realised. But persistence does not wait politely for our reporting categories. Some of the most consequential risks in cyber do not first appear as high-impact events. They first appear as ambiguity, and ambiguity in a large institution is expensive. It consumes decision-making time, management attention, legal energy, regulatory bandwidth, and executive confidence. It exposes how much of an organisation’s operating model depends not simply on systems functioning, but on those systems being trusted.
A wider strategic implication follows. If the contest is increasingly about access, visibility, dependence, and response cost, then cyber security cannot be treated as a technical hygiene function sitting off to the side of geopolitics. It sits inside questions of sovereignty, resilience, and strategic dependence. A firm that relies heavily on interconnected digital platforms, third-party technology, global service providers, and tightly coupled identity or cloud architectures is not merely efficient. It is also exposed to a world in which persistent access can create leverage without a shot being fired and without a headline ever appearing. This is the same dynamic I have elsewhere called digital bifurcation, one of the forces reshaping the cyber order. Every exposure hardens the line between trusted and untrusted infrastructure, and every dependency an institution cannot vouch for is a place where that line runs straight through its own estate. The surface story is technical compromise. The deeper story is contested interdependence.
The old comfort phrase, that there are only two types of organisation, those that have been breached and those that do not know it yet, is therefore no longer enough. It captures something true, but not something sufficient. The more useful distinction is between organisations that still think of intrusion as event, and those beginning to understand intrusion as condition. The first group anchors on prevention rhetoric and headline incidents. The second starts with a harder question: what does it mean to operate responsibly in an environment where hidden access may simply be part of the landscape, and where the cost of discovery may be immediate even in the absence of obvious harm?
This is not an argument for fatalism, and it is not an argument against prevention. Prevention still matters. Visibility matters. Identity discipline matters. Good architecture matters. Friction matters. But prevention alone is an incomplete frame if the adversary’s goal is not to break something, but to stay, learn, and preserve options. In that world, resilience is not only about stopping bad things from happening. It is also about reducing the strategic and economic shock that follows when you discover that hidden presence has already been established.
A different set of boardroom questions follows, and they can be made concrete. Most boards today ask a version of: are we protected, and has anything happened? The persistence frame asks three sharper ones.
First, if we discovered tomorrow that a capable adversary had been resident in our core systems for two years, how much of our environment could we actually re-verify, and how long would it take to trust it again? That is a test of recovery of confidence, not recovery of service.
Second, which of our dependencies, from identity providers to cloud platforms to a handful of critical suppliers, are so deeply trusted that we have no practical way to detect or expel an intruder who reached them? That is a map of where the discovery tax would fall hardest.
Third, can we make a defensible disclosure and remediation decision on partial information, at speed, without waiting for a certainty that will never come? A board that can answer those three has moved from pricing damage to pricing possibility, which is the shift the environment now demands.
There is a tension here with where I left things last time, and it is worth naming rather than smoothing over. I argued that a state with strong institutions can choose managed coexistence over reflexive eviction, holding a known intruder under watch rather than tearing the house down at the first sign of a footprint. That latitude is real, but it is not evenly distributed. It belongs to actors with the legal authority, the telemetry, and the institutional nerve to live alongside an adversary they can see. Most boards and most companies have none of those things. For them, discovery does not open a menu of strategic options. It triggers an obligation. That asymmetry is the discovery tax in its sharpest form: the same fact that a disciplined state can absorb as a managed condition lands on an ordinary institution as a bill it must pay at once.
This sits alongside the earlier dynamic. Public attribution imposes a retooling tax on the adversary. Discovery imposes a tax on the defender. Neither ends persistence. Neither resolves the competition. What they do is shape its economics. Over time, cyber conflict looks less like a sequence of decisive events and more like a continuous contest over access, visibility, uncertainty, and response cost. This is the world Cyber Persistence Theory describes, one of agreed competition and cumulative gains in which states stay active below the threshold that would invite an armed response, and in which no single intrusion is decisive on its own. What that account leaves underdeveloped is the defender’s side of the ledger, the cost the condition imposes at the moment it is discovered, which is what the discovery tax tries to price. That is not a comforting frame, but it is a more realistic one. The problem is not only intrusion. It is the political, institutional, and economic condition created by living in systems where intrusion can sit quietly until the moment of discovery forces everybody to move.
The uncomfortable implication is this. If persistent access is, at some level, part of the normal strategic environment rather than an exceptional failure of it, then the question shifts. It is no longer simply how to prevent intrusion. It becomes how to govern, endure, and respond in a world where hidden access is part of the competitive landscape and where the cost of knowing may matter as much as the cost of attack.
In that world, the most expensive moment is not always when the adversary acts. It may be the moment you realise they have been there long enough that certainty is gone, but responsibility has arrived. Silence, then, was never truly free. It was simply a liability deferred until discovery made the bill impossible to ignore.
References
On Singapore’s naming of UNC3886 and the compromise of its four major telecoms providers, see K. Shanmugam, “CSA 10th Anniversary Dinner,” Ministry of Home Affairs Singapore, 18 July 2025, https://www.mha.gov.sg/mediaroom/speeches/csa-10th-anniversary-dinner-the-next-10-years-securing-our-cyberspace-and-digital-future; Cyber Security Agency of Singapore, “Largest Multi-Agency Cyber Operation Mounted to Counter Threat Posed by Advanced Persistent Threat (APT) Actor UNC3886 to Singapore’s Telecommunications Sector,” February 2026, https://www.csa.gov.sg/news-events/press-releases/largest-multi-agency-cyber-operation-mounted-to-counter-threat-posed-by-advanced-persistent-threat--apt--actor-unc3886-to-singapore-s-telecommunications-sector/; and “Chinese cyberspies breach Singapore’s four largest telcos,” BleepingComputer, February 2026, https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breach-singapores-four-largest-telcos/
CISA, NSA, FBI and partners, PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure, Joint Cybersecurity Advisory AA24-038A, 7 February 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
For the reported scope of the Salt Typhoon telecom intrusions, including the number of affected carriers and access to lawful-intercept systems, see “AT&T, Verizon, Lumen confirm Salt Typhoon breach,” The Register, 30 December 2024, https://www.theregister.com/2024/12/30/att_verizon_confirm_salt_typhoon_breach/
On the difficulty of eviction and the scale of forensic remediation, see “A house full of open windows: Why telecoms may never purge their networks of Salt Typhoon,” CyberScoop, https://cyberscoop.com/salt-typhoon-chinese-hackers-us-telecom-breach/
On the scale of the federal “rip and replace” programme: approved reimbursement applications reached USD 4.98 billion against an initial USD 1.9 billion appropriation, with a further USD 3.08 billion provided through the FY2025 National Defense Authorization Act. See FCC, Secure and Trusted Communications Networks Reimbursement Program, https://www.fcc.gov/supplychain/reimbursement; and “Rip and replace funding passes as part of defense bill,” RCR Wireless, 18 December 2024, https://www.rcrwireless.com/20241218/policy/rip-and-replace-funding
CISA, Emergency Directive 21-01: Mitigate SolarWinds Orion Code Compromise, 13 December 2020. https://www.cisa.gov/news-events/directives/ed-21-01-mitigate-solarwinds-orion-code-compromise-closed
Further reading
Michael P. Fischerkeller, Emily O. Goldman and Richard J. Harknett, Cyber Persistence Theory: Redefining National Security in Cyberspace, Oxford University Press, 2022.
Jon R. Lindsay, Age of Deception: Cybersecurity as Secret Statecraft, Cornell University Press, 2025.


