Chinese hackers have seized control. How did we let this happen?

A civilisation that cannot defend itself really should not expect to survive, and after the latest cybersecurity news, I wonder how it can.
An official advisory was recently sent out to the US military, warning that all forces must now assume their networks have been breached. The enemy is inside the house.
What it means is that no system connected to the internet can be defended.
Our own national cybersecurity agency asked UK businesses to make this presumption in 2020. The reason this hasn’t been bigger news is that we’ve become fatalistic and weary, as one cybersecurity attack follows another.
So when we discovered in early July that Chinese hackers had gained control of Microsoft servers at hundreds of US government agencies – including the US nuclear weapons agency – it was just another hacking story.
What made this one noteworthy was that there wasn’t immediately a fix or a patch, Microsoft admitted last Tuesday.
Incredibly, confirmation of the US military’s “assume breach” alert had to be dragged out of the Department of Defense via Freedom of Information Act requests by a campaigning non-profit called Property of the People.
These developments are the latest stage in an ongoing state-sponsored Chinese campaign, in which hacking has evolved from widespread commercial espionage a decade ago into something far more threatening.
The latest phases, Salt Typhoon and now Volt Typhoon, are meticulous and sophisticated. They target not just government agencies like the National Guard, and China-critical MPs like Sir Iain Duncan Smith, but also private sector companies in the energy, telecoms, transport and water sectors.
Ciaran Martin, former head of NCSC, the cybersecurity centre based at GCHQ, says that China’s capabilities have been transformed.
“Now think of dozens or even hundreds of [individual] hacks at the same time – ‘everything, everywhere, all at once’ in the words of Jen Easterly, recently departed head of the US Cybersecurity and Infrastructure Security Agency.”
Software attacks on our computer systems can create unique damage in ways that conventional warfare cannot. Let’s consider two. While aerial bombing can produce spectacular instant results, targets can be disassembled prior to attack, and can be quickly rebuilt after the attack. Both happened with the recent attack on Iraq’s nuclear facilities.
But recovering from cyber attacks is much harder. Ask the British Library, which has still not restored all of its services.
“Printed catalogues and handlists are available in our Reading Rooms”, it still advises visitors to its website. The attack took place in October 2023.
A second way in which cyber attacks now present a unique challenge is the ability of Chinese hackers to ‘live off the land’ after they break through.
Rather like special forces embedded behind enemy lines, hackers conceal themselves undetected for months or years. To the guardians of the network, they are just another innocent user.
“Both Salt and Volt Typhoon were in play for years before being detected,” writes Martin. “And they are strategic compromises of the West on a scale hitherto unseen by any other cyber power.”
Not only do we not know when the attack is over, we don’t even know when it has begun.
How did this happen? If I haven’t depressed you enough, this is where it gets particularly troubling.
Cybersecurity is a gnarly failure of accountability and regulation that spans decades of indifference, and implicates business complacency and government apathy. The internet protocols (IP) we use today are completely rotten.
The great and the good of the IT and telecommunications industries spent the entire 1980s in international committees devising complex secure networking protocols, only to be met with mistrust and specifications no one really wanted.
Fed up with waiting, we adopted today’s protocols, which were cheap and simple to implement, but not secure. Now, the international standards bodies that might devise a successor to IP are dominated by China.
When they fail, suppliers can hide behind licensing agreements and expensive lawyers. No one goes to prison for bad security design. Their customers – us – are guilty of negligence too.
Salt Typhoon took advantage of a bug in Cisco routers that users had not bothered to fix for seven years. As a society, we rush to implement technologies without thinking too hard about externalities.
Generative artificial intelligence (AI) opens up lots of new holes, and also lowers the bar so that even the technically unskilled can plant hacks.
All in all, then, this may not seem a good time to force Britons to use a new government identity service. Especially when you know that ‘red team’ penetration testing proved in March that this could be penetrated by hostile foreign agents without them being detected.
This is what Baroness Neville-Jones calls “a piece of critical infrastructure”. Chinese agents may already be “living off the land” inside the One Login system, on which your government wallet has been built, and soon perhaps, your digital ID.
But don’t expect Peter Kyle, the Science and Technology Minister, to put the brakes on the One Login project when he’s its biggest fan.
To survive and prosper, we need serious and technically aware people in his position, who listen to the security professionals.
Kyle appeared on Newsnight last week wearing jeans and a T-shirt and trainers, all of which were intended to signal to viewers his youthful love of digital technology. He is 54.