Technical Standards: America’s Forgotten Tool of Statecraft

Laura Galante, Tal Feldman
Thursday, October 23, 2025, 1:30 PM
The AI race isn’t only about chips or tariffs. It’s also about who writes the technical standards shaping the world’s systems.
Container ship in Oakland, CA. (Jim Bahn, https://www.flickr.com/photos/gcwest/281385801, CC BY 2.0, https://creativecommons.org/licenses/by/2.0/deed.en)

Published by The Lawfare Institute in Cooperation With Brookings

A ship docks at the Port of Los Angeles. Cranes begin to offload containers filled with electronics, car parts, and solar panels. Across the Pacific, in Tianjin, China, similar cranes are hard at work. They run the same software and follow identical maintenance protocols, written by standards bodies that most people have never heard of.

What connects ports, pipelines, and hospitals today is not just concrete or code. It is the invisible scaffolding of standards. They determine how machines talk to one another, how systems recover after failure, and how foreign hardware gets embedded in critical infrastructure without raising alarms.

Most of these rules are not set by governments but by a patchwork of international committees where industry representatives do much of the talking. Over the past decade, China has treated these committees as terrain worth claiming. Its companies show up to international forums. Its ministries coordinate positions. Its engineers write the specifications that others quietly adopt. As a result, China has been able to shape the protocols that define everything from 6G wireless to industrial automation. Indeed, just this week China is hosting five International Organization for Standardization (ISO) meetings, including one in Nanjing on industrial cyber and physical device control, another in Shanghai on ports and terminals, and one in Hangzhou on the sterilization of health-care products.

In some domains, Chinese voices now outnumber American ones entirely. And with each new standard that quietly gets adopted, Beijing gains another lever over global systems that enable trade, finance, logistics, and military mobility—and the impending integration of artificial intelligence (AI) across these systems as well.

We’ve already seen China’s bold interest in disrupting U.S. infrastructure. In 2023, U.S. intelligence agencies detailed a sprawling Chinese military cyber campaign that had gained deep access to oil and gas pipelines, water plants, transportation hubs, and power grids across North America. This campaign, carried out by the People’s Liberation Army and known as Volt Typhoon, did not rely on novel hacking techniques—because it didn’t have to. Instead, it got in through outdated routers and unsecured entry points, exploiting systems that lacked consistent security baselines and standards.

The U.S.—which once led the push for technical standards—has not disappeared entirely from the arena. But it has failed to treat standards-setting as a tool of statecraft. It has ceded leadership positions in key international bodies to China and fallen behind in both participation and influence. By design, institutes like the Department of Commerce’s National Institute of Standards and Technology (NIST) still treat standards as purely technical matters, with little attention to their geopolitical implications. Without a coordinated framework that connects that expertise with foreign policy priorities, U.S. officials remain under-resourced and fragmented—leaving industry to navigate this geopolitical battle largely on its own.

The consequences of falling behind on the standards fight are not always visible. There is no single moment of failure or dramatic flashpoint. There is just a quiet accumulation of decisions—and indecisions—about how systems are built, which protocols they follow, and who gets to shape the rules. But in a world that is increasingly connected and contested, those choices can carry outsized consequences. By the time they are visible, it may be too late to reverse them.

A New Era, Built on Old Assumptions

The systems Volt Typhoon exploited were not anomalies but endemic to industries prioritizing operational uptime, with security often as an afterthought. Consequently, the vulnerabilities were predictable: outdated routers, unmonitored control systems, and overprivileged remote access tools. Without a course correction, we risk carrying the same vulnerabilities as we build out the next generation of infrastructure—but with far graver ramifications.

Governments around the world are launching infrastructure programs on a scale not seen in generations. Trillions of dollars are being directed toward AI data centers, semiconductor fabs, power grids, and the digital backbones and clouds that connect them. This is not just a modernization push but a full-scale construction of the systems that will power the next era’s economic growth, military readiness, and industrial capacity.

BlackRock’s Larry Fink focused his annual letter to investors on this infrastructure push and its historic tie to economic growth. As the letter outlines, in the late 1800s, just building railroads increased U.S. GDP by a quarter. A century later, the Interstate Highway System accounted for nearly a quarter of America’s productivity gains over four decades. Today’s moment is even bigger. By 2040, global infrastructure needs are projected to reach $68 trillion—roughly the equivalent of building the entire U.S. interstate system and the transcontinental railroad, from scratch, every six weeks for the next 15 years.

Yet the infrastructure of today is not just concrete and steel. A water plant is no longer just pumps and pipes—it is control software, cloud monitoring, and remote diagnostics. A shipping hub is not just forklifts and warehouses—it is Internet of Things sensors, automated cranes, and real-time logistics platforms. AI isn’t just code—it is the chips and servers that run it, the smart grids and new power plants that energize it, and the fiber and satellites that link it all. What makes these systems run, and what makes them vulnerable, is an invisible layer of decisions: the standards that define how machines communicate, how updates are authenticated, and how systems recover from failure.

Today’s standards were not built for this level of complexity and interconnection, to put it mildly. Many of the widely adopted frameworks focus on securing individual components, but modern infrastructure is not just a collection of devices. It is an evolving puzzle of systems of cloud services, legacy hardware, and third-party software—often deployed by contractors with little visibility into upstream risks. Even well-intentioned standards struggle to keep up with that kind of integration. They were not designed for adversaries probing every weak link, and they certainly were not written to contend with competition over the world’s most critical systems—and their centrality to the AI race.

In Washington, the dominant response has been to push for “Secure by Design”—an effort to make software less vulnerable by shifting the burden of security from end users to tech vendors. That is a valuable goal, but it is not a grand strategy for securing critical infrastructure. Today’s threat is not just insecure products that make up a system—it is insecure operations across the labyrinth of modern infrastructure. A more secure device does not guarantee a secure deployment. “Secure by Design” offers important guidance at the component level, but it says little about whether the broader system has been stress-tested under adversarial conditions. That’s why some in industry have begun emphasizing “Secure by Operations”: the idea that real resilience depends on how infrastructure is maintained and monitored after deployment. Put differently, design is the beginning. We need a feedback loop guided by operational insight.

More importantly, “Secure by Design” does not address the larger contest underway: As the world’s physical systems are being wired up, China is trying to write the next blueprint. Through its Standards 2035 initiative, Beijing is moving aggressively to shape the rules that govern global infrastructure, from industrial protocols to wireless networks. The U.S., by contrast, still treats standards as a narrow technical matter and lacks a strong interagency framework to tie them to the challenge of strategic competition. This is not some peripheral bureaucratic battle. It is a bid to define the default settings of the modern world.

The Standards Race Has Already Started—and China Is Winning

Beijing has moved aggressively to shape the global standards that govern modern infrastructure. These are not the kind of rules average people know exist. They are negotiated in obscure forums like the International Organization for Standardization and the International Electrotechnical Commission (IEC). Yet they are foundational to our modern lives, defining how machines talk to one another and who gets to participate in global markets.

Start with the ISO—the world’s largest and most influential standards body. Since 1998, China’s leadership positions have grown more than 17 times. Between 2013 and 2023, China gained 233 ISO leadership positions, while the United States lost 139. China is now a participating member of more ISO technical committees than the U.S., Germany, France, the United Kingdom, and Japan. At the IEC, which sets industrial and electrical standards, China more than doubled its leadership roles between 2012 and 2024.

These are not just symbolic wins. Technical standards can be incredibly lucrative. When a company’s technology becomes part of the standard, it often gains the right to license its patents to anyone who wants to build compatible products. Companies like IBM and Qualcomm have long turned standards-essential patents into steady revenue streams, leveraging their role in shaping technical norms to secure licensing power across global markets. However, the most striking shift is Huawei. Once seen as a hardware manufacturer, it now earns more from licensing its technologies than it pays out, flipping the script on a system once dominated by Western firms.

The more China can entrench its tech incumbency, the more economic gravity it gains. Countries adopting its standards are more likely to buy Chinese equipment, use Chinese chips, and route data through Chinese platforms. These technical decisions create lock-in and, with them, strategic leverage.

That leverage can also be dangerous. Taiwan, for example, depends on two dozen undersea cables to stay connected to the global internet. With sufficient influence over routing standards or control protocols, China would not need to cut those cables physically (although it has done so). It could isolate Taiwan in ways that look like network failure, not war. The same logic applies to smart ports, telecom infrastructure, and logistics hubs around the world.

Beijing understands this. That is why it coordinates across ministries, deploys staff to work on standards, and stacks committees with state-owned enterprise engineers who push unified proposals. It has signed over 100 bilateral standards agreements, primarily with countries in the Global South, positioning Chinese standards as gateways to financing, infrastructure access, and digital connectivity under the Belt and Road umbrella. Many international technical meetings now take place in China—in fact, as of the time of writing, China is hosting 32 upcoming ISO meetings, while the United States is hosting only 18.

The U.S. and its allies, by contrast, have treated standards as the domain of private companies and volunteers. Until recently, there was no national strategy, no coordinated funding, and little geopolitical attention. That is changing, but far too slowly. In the meantime, Beijing is using every vote, working group, and line of protocol to shape a future in which the defaults favor its platforms, its interests, and its values.

The Standards the U.S. Needs to Write

America did not always treat standards as an afterthought. In the 1920s, Herbert Hoover, then-commerce secretary, launched a campaign to rationalize thousands of industrial specifications. He saw standards not as red tape but as infrastructure: a way to lower costs, raise quality, and knit the country’s economy together. By the time Hoover’s tenure at the Department of Commerce had ended, tires, glass tumblers, lumber, bricks, and doors had become standardized.

World War II scaled that vision. To coordinate the Allied war effort, the U.S. helped launch a transatlantic standards committee with offices in New York and London. It brokered agreements on aircraft repairs, rail gauges, and radio frequencies, locking in common standards across armies and industries.

When the war ended, that logic carried forward. The U.S. backed the creation of the ISO and pushed American reference models as the global default. It was not pure altruism. Countries that adopted U.S. standards adopted American rules, American suppliers, and American assumptions about how the world should work.

What Hoover grasped—and what Washington has largely forgotten—is that standards are not just technical artifacts. They are instruments of economic alignment and geopolitical influence. They can encode values, shape flows of data and capital, and quietly determine who governs the systems the world relies on.

Reclaiming that legacy will not be easy. It will require showing up at the patchwork of standards bodies not just with industry engineers, but with a strategy. The United States will need to train the next generation of infrastructure diplomats: people fluent in both the technical guts of a protocol and the political stakes that surround it. If the past decade of Chinese activity in global standards forums teaches anything, it is that showing up matters. However, so does shaping the agenda itself. It is not enough to reclaim leadership seats at ISO. We also need to define what those seats are used for.

The Biden administration’s 2023 National Standards Strategy was a good start: It reasserted the importance of standards to national security and set out a plan to boost U.S. engagement. However, it does not yet constitute the full reimagining this moment demands. The infrastructure now coming online is not just complicated—it is qualitatively different: cyber-physical, remotely managed, often autonomous, and deeply interdependent across borders and increasingly in the cloud. This is also the same complicated infrastructure that undergirds the global race for AI dominance. This new era requires new standards.

The problem is that, today, those standards do not exist. There is no global baseline for what it means for a cloud-connected substation to be “secure.” We have no agreed way to red-team automated cranes at a port, or to assess whether a logistics system can withstand targeted cyber disruption. A vendor can claim its AI model is “resilient” or “safe,” and no one has any authoritative way to verify that.

That needs to change. NIST should continue to take the lead in defining what secure infrastructure looks like, writing the standards and testing them in real-world setups. But to succeed, NIST’s mandate cannot remain narrowly technical. Its standards work must be guided by a clear strategic outlook that treats competitiveness and security as core goals. While there are some glimmers of this more strategic approach in the Trump administration’s recently released AI Action Plan, there are a host of standards that will require connecting technical expertise with foreign policy and industrial priorities. This will ensure that U.S. proposals are coordinated rather than fragmented and have the backing of key national security and defense constituencies. Once those benchmarks exist, Washington must use its market power to make them real.

No single country can—or should—set the global defaults alone. But the U.S. should take a role that reflects its immense technical prowess and global innovation footprint. This means organizing key state and non-state players to drive global interoperability and security, which will shape not just how infrastructure is built but how it endures.


Laura Galante is a Principal at WestExec Advisors and former U.S. Intelligence Community Cyber Executive and Director of the Cyber Threat Intelligence Integration Center at ODNI. She led responses to major cyber incidents, built partnerships with critical infrastructure partners, and advanced commercial cyber intelligence acquisition. Previously, she advised Ukraine on cyber defense, directed an international task force on digital threats, and led Mandiant’s Global Intelligence team, pioneering attribution of nation-state and criminal cyber operations.
Tal Feldman is a J.D. candidate at Yale Law School focused on national security and innovation policy. Before law school, he worked as an AI engineer across the federal government, building tools at agencies including the State Department, Federal Reserve, and Department of Defense. He earned a master’s degree in global affairs as a Schwarzman Scholar, where he researched Chinese industrial policy, and a bachelor’s degree in mathematics from Wake Forest University, where he was a Truman Scholar.