Weekly Security Brief

Week of Sunday, July 12, 2026

Key Insights

1. China Caught a Rocket, and a Ten-Year Lead

On July 10, a Chinese rocket booster dropped out of the sky over the South China Sea and flew into a net. Four hooks on the booster snagged a net strung across a ship. It worked on the first try.

On July 10, a Chinese rocket booster dropped out of the sky over the South China Sea and flew into a net. Four hooks on the booster snagged a net strung across a ship. It worked on the first try.

That was the maiden flight of the Long March 10B, built by China's main government space company, China Aerospace Science and Technology Corporation. Eleven minutes after liftoff from Hainan Island, the company recovered the rocket's first stage on a sea platform fitted with a net-capture system. It made China the second nation, after the United States, to bring an orbital-class booster back under control. China says it will fly the same stage again before the end of the year.

The net is a different answer to the problem SpaceX solved with legs and a controlled hover. Dropping the landing legs saves weight and lets the rocket carry more. Whether that reflects a clever design choice or an engineering workaround, the public record does not settle, and it does not change the result.

The result is what matters. Reusability was the advantage no one could match. SpaceX first landed an orbital booster in December 2015 and reflew one in 2017, and for a decade that ability to launch, land, refuel, and fly again was the thing no other country could do. It is why SpaceX could put thousands of Starlink satellites into orbit at a cost nobody could touch. China just matched the capability on a rocket's first flight, with projected launch costs falling more than 40 percent.

The payoff is a constellation. The Long March 10B is the launch key to Guowang, China's planned 13,000-satellite internet network, a government-run rival to Starlink that is scheduled to scale from roughly 310 satellites this year to 3,600 a year by 2028. General Stephen Whiting, who commands US Space Command, has warned repeatedly about China's rapid buildup in orbit, and a reusable launch capability is a large part of why. It gives Beijing's military a resilient, high-tempo way to replace satellites in a conflict. Space-based communication and imagery are becoming infrastructure Beijing owns outright.

It looks a lot like SpaceX. No one has proven the design was stolen, and it is not an identical copy, but the resemblance is close, and China has a documented history of acquiring foreign technology by every route available, from licensing and joint ventures to reverse-engineering and outright theft. US prosecutors have brought case after case over stolen aerospace and semiconductor designs. How China got here matters less than how fast it arrived.

And it is not just rockets. Reusable launch is one marker on a board that is filling in fast: homegrown chips, competitive AI models, the world's largest shipbuilding base, dominant electric vehicles. The lead the West has treated as a buffer is thinning on nearly every front that matters, and in space it is now visible from orbit. This is a race, on more than one track at once.

The Takeaway
China is closing the technology gap fast, and it uses every tool to do it, including espionage. Treat that as the operating environment, not a passing headline. If your company holds anything worth copying, a design, a manufacturing process, source code, a customer model, assume it is a target and act like one. Know where your crown-jewel intellectual property lives, who can reach it, and whether a departing engineer or a compromised vendor could carry it out the door. In a race where the other side gains by building and by taking, the companies that guard what they have built keep their edge. The ones that assume "they are years behind" are the ones who hand it over.

2. The Cranes at Your Port Answer to Beijing

A study out this month put a number on a supply-chain dependency few companies think to check. Chinese firms own, finance, or operate 78 of Africa's 231 commercial ports, and the control does not stop at the water's edge. It reaches into the software, the automation, and the artificial-intelligence systems that actually run them.

A study out this month put a number on a supply-chain dependency few companies think to check. Chinese firms own, finance, or operate 78 of Africa's 231 commercial ports, and the control does not stop at the water's edge. It reaches into the software, the automation, and the artificial-intelligence systems that actually run them.

The study, from the Africa Center for Strategic Studies, a research institution inside the US Defense Department, counted about $50 billion in Chinese port investment across 32 countries, tied to roughly $350 billion in annual trade. Its sharpest finding was not about who holds the deed. It was that the ongoing reliance on Chinese operating software could end up costing those countries more than the physical ports ever did. The control point is the code, not the concrete.

That pattern is not confined to Africa. It is already in the ports you use. About 80 percent of the ship-to-shore cranes at US ports were built by a single Chinese state company, Shanghai Zhenhua Heavy Industries, known as ZPMC. A 2024 congressional investigation found undocumented cellular modems on some of those cranes, hardware that was never in the purchase contracts, that some port operators had declined, and that could open a path for remote access. The same company has repeatedly pressed to reach its US cranes remotely, and in 2021 the FBI found intelligence-gathering equipment aboard a ship delivering ZPMC cranes to the Port of Baltimore.

That is the hardware. The data is a separate exposure, and it sits mostly overseas. LOGINK, a logistics platform backed by the Chinese government, aggregates shipping and cargo information across more than 20 ports worldwide, including allied ports in Japan, South Korea, and Europe. It does not currently operate in US ports. But Congress judged it dangerous enough that in 2024 it barred the Pentagon from using any port that runs LOGINK, because American military cargo moves through the same commercial ports your freight does. If your goods transit Asia or Europe, their shipment data may be passing through Chinese-government software.

Washington is treating all of it as serious. In 2024 it gave the Coast Guard new authority over port cyber threats and committed more than $20 billion to rebuild a US crane industry that had not existed in three decades. That road is long, so the exposure holds for years.

The Takeaway
This is the Hormuz problem in another form. You do not control the chokepoint, only your alternatives to it. You cannot pull the Chinese cranes out of US ports, and you cannot rewrite the software running an overseas terminal. What you can do is find your single points of failure, the one gateway port or carrier that would stall your goods if it went dark for a week, and build a second route with enough buffer stock to keep moving. Plan the alternate now, while it is a tabletop exercise and not a scramble.

3. The AI Boom Just Landed on Your Power Bill

In May we told you the grid could pull the plug on your data center. This month the bill arrived, and data-center tenants are not the only ones paying it. Every business and household on the grid is.

In May we told you the grid could pull the plug on your data center. This month the bill arrived, and data-center tenants are not the only ones paying it. Every business and household on the grid is.

PJM, the grid operator for all or part of thirteen states from Illinois to the Mid-Atlantic, has to line up enough power for the hottest day of the year, years in advance. It does that by paying power plants to stay on standby, ready to run when needed. The more power it has to reserve, the more it pays, and that cost is passed straight through to everyone's electricity bill. Data centers are an enormous new draw on the system, so this year PJM had to reserve far more standby power than before. The price it pays jumped roughly elevenfold. Its independent market monitor pinned 63 percent of that jump, about $9.3 billion in a single year, on data centers. Over three years their share reaches $23.1 billion. In Washington, DC, the utility Pepco says the typical household bill has already climbed about $21 a month.

That is what separates this from an ordinary cost story. You did not build the data centers and you cannot opt out of the grid, but the cost of reserving all that power is spread across everyone on it. A company running a warehouse, a hospital, or an office in the PJM footprint is now helping pay for the AI build-out through its utility bill, with no vote and no line item explaining why.

The price of electricity minute to minute follows a similar rule. The grid runs its cheapest plants first and turns to expensive backup plants only when demand climbs high, and the priciest plant running at any moment sets the price for all the power on the grid right then. During the July heat wave, demand pushed toward PJM's all-time record and the grid had to run its costliest units, so the price of power briefly topped $2,500 per megawatt-hour, more than sixty times a normal day. It is the same shortage we described in May, when the Department of Energy began ordering data centers onto backup generators to keep the lights on. The reliability risk and the rising bill are two faces of the same crunch.

The Takeaway
Electricity is turning into a bigger and more volatile line on your budget, and you have no say in the biggest reason why. Treat it like any input with a rising, unpredictable price. Model a wider range into next year's forecast, lock in rates wherever your contract allows, and if you operate in the PJM region or another tight grid, ask your finance team what a further capacity-price jump does to your numbers. You cannot stop the AI boom from crowding the grid, but you can keep it from surprising your budget.

4. Europe Is Rearming, and the Boom Comes With a 'Buy Local' Sign

At a summit in Ankara this week, NATO announced the largest defense build-out in a generation. More than $50 billion in new weapons purchases, a $40 billion fund for military drones over the next five years, and a restated pledge to push defense spending to 5 percent of each member's economic output by 2035, up from about 4 percent today. Strip away the summit choreography and the acronyms and it comes down to money, a great deal of it, and where it is about to flow. That last figure alone is trillions of dollars over the decade.

At a summit in Ankara this week, NATO announced the largest defense build-out in a generation. More than $50 billion in new weapons purchases, a $40 billion fund for military drones over the next five years, and a restated pledge to push defense spending to 5 percent of each member's economic output by 2035, up from about 4 percent today. Strip away the summit choreography and the acronyms and it comes down to money, a great deal of it, and where it is about to flow. That last figure alone is trillions of dollars over the decade.

The official story was unity. The group photo, the talk of a stronger and more capable alliance, a plan to tear down the barriers to defense trade between members. Underneath the choreography is a quieter shift that analysts are calling a move from burden-sharing to burden-shifting. Washington is signaling it will lean back from Europe's defense, in troops and in attention, and Europe is building the industrial base to stand on its own.

That shift comes with a scramble over who gets the money. NATO's preferred label is "Made in NATO," which keeps American and Canadian suppliers in the game. The European Union is running its own parallel program with a "buy European" floor that tilts the work toward European factories. The rulebook for the biggest government spending wave in decades is being written as we speak, and nobody has settled it yet.

Here is why it reaches well past the defense industry. Follow the money and it lands on drones, sensors, artificial intelligence, cyber defense, and logistics software, the same kind of technology plenty of ordinary companies already build. Defense is turning into a fast-moving customer for the commercial technology world, and the "buy local" rules taking shape now will decide who gets to sell to it.

The Takeaway
If your company builds anything with a dual-use edge, drones, sensors, secure software, cyber tools, one of the biggest buyers on the planet just walked in, and it is writing the rules as it shops. Find out now whether your product can qualify under "Made in NATO" or "buy European" terms, because early qualification is where the long contracts get locked in. And if you have operations or suppliers in Europe, watch the burden-shifting story too: the security guarantee that underwrote eighty years of European stability is up for renegotiation, and your assumptions may be moving with it.

5. A Supreme Court Ruling Just Reached Your EU Customer Data

In late June, the Supreme Court ruled that the President can fire the commissioners of the Federal Trade Commission at will. The FTC is the government's main privacy enforcer, and the case looked like a fight over presidential power in Washington. For any company that stores European data on US servers, it is more than that. It quietly weakened the legal ground under those data transfers.

In late June, the Supreme Court ruled that the President can fire the commissioners of the Federal Trade Commission at will. The FTC is the government's main privacy enforcer, and the case looked like a fight over presidential power in Washington. For any company that stores European data on US servers, it is more than that. It quietly weakened the legal ground under those data transfers.

European law bars companies from sending Europeans' personal data, customer records, employee files, website analytics, to any country with weaker privacy protection. To keep the data flowing anyway, the US and the EU struck a deal, the EU-US Data Privacy Framework, that treats the United States as safe enough to qualify. Europe signed on for one reason: independent American watchdogs, the FTC chief among them, would police how the data gets handled. Remove that independence and the deal loses the thing it was built on.

Once the President can fire those commissioners at will, the FTC no longer stands independent of him. Max Schrems, the Austrian privacy campaigner who already persuaded Europe's top court to tear up the two earlier versions of this deal, in 2015 and again in 2020, says the foundation is gone and is preparing a third challenge.

Not everyone agrees the deal is in danger. Prominent privacy lawyers argue the ruling is narrower than it reads, that the specific court which hears Europeans' complaints stands on separate legal ground, and that the justices left that question open on purpose. The European Commission says the framework holds while it studies the decision. This could end in a shrug.

But we have seen this movie before. Each earlier time the legal ground gave way, companies that relied on the deal alone had to rewrite contracts and reroute data flows under emergency pressure. A new challenge would take two to three years to resolve. That is not a reason to relax. It is the window to get ready in.

The Takeaway
This is not a Monday emergency, but it is worth a dry run before it becomes one. Find out which legal basis carries your European data across the Atlantic: the Data Privacy Framework, or the older backup most companies keep in reserve, the standard contract clauses. If it rides on the framework alone, have the fallback drafted and ready now, while any court case is still years off, so a third collapse becomes a switch you flip rather than a scramble you join.

6. The States Are Writing the AI Rulebook Washington Won't

Washington has spent the past year trying to stop states from regulating artificial intelligence. It has not worked, and the states are not waiting.

Washington has spent the past year trying to stop states from regulating artificial intelligence. It has not worked, and the states are not waiting.

On July 6, Illinois Governor JB Pritzker signed the AI Safety Measures Act, the most demanding state AI law yet. It requires the largest developers, the ones above $500 million in revenue that build the most powerful models, to publish a safety plan, pass an independent audit every year, and report serious incidents to the state within as little as 24 hours. The state attorney general can fine violators up to $3 million. It takes effect in January 2028.

The law shows its worry in the way it defines the harm. It guards against "catastrophic risk," meaning an AI incident that kills or seriously injures more than fifty people or causes more than a million dollars in damage. That is the vocabulary of chemical plants, not software.

Illinois built the law on bills in California and New York. Between them, those three states hold an estimated 40 percent of the country's AI industry, enough that a rule written in one of their capitals becomes a rule the whole country feels. Washington tried to head this off. The Senate stripped a proposed ban on state AI laws by a vote of 99 to 1, and when that failed the President signed an executive order to override state rules, though an order carries nowhere near the force of a law passed by Congress. The objection behind those efforts is not frivolous. A fifty-state patchwork is a hard way to govern one technology, and every safety rule the United States adopts is one China, racing hard in the other direction as our lead story described, does not have to follow. That trade-off is real. For now it is settled in the states' favor, and the AI vendors you rely on will build to the strictest rule, because they cannot ship one model to three states and a different one everywhere else.

The Takeaway
You are probably not the company being regulated here. The one that builds your AI tools is, and that is what to watch. AI governance has stopped being a question of what Washington might someday do and turned into a live patchwork of state laws, with real audits, tight reporting clocks, and attorneys general who can impose fines. When you bring in an AI vendor, fold it into the diligence: which state safety laws do they fall under, and can they show you how they meet them. The rules are here. They are just written in three state capitals instead of one.

7. The Reinsurers Just Put Terror Risk on the Market

The companies whose entire business is pricing catastrophe just did something they had never done before. They sold US terrorism risk to investors.

The companies whose entire business is pricing catastrophe just did something they had never done before. They sold US terrorism risk to investors.

In June, the insurer AXA XL raised $67.5 million through what is called a catastrophe bond, and how one works is worth a moment. Investors put up the cash and earn a high rate of interest, in this case about 6 percent above what a safe bond pays. If the specific disaster the bond covers does not happen before the bond matures, they keep the interest and get their money back. If it does happen and the losses cross an agreed line, they lose their stake and the insurer keeps the cash to pay claims. In plain terms, the investors are selling insurance to the insurer and betting the catastrophe will not come.

For years these bonds covered hurricanes and earthquakes. This one is the first ever written to pay out on a terrorist attack in the United States, and investors lined up to buy it.

That is a quiet verdict from the people who price danger for a living. Terrorism has long been treated as too unpredictable for the open market, walled off in specialty policies and propped up by a federal backstop created after September 11. A major insurer moving this risk off its own books, and finding buyers for it, means the market now sees enough political-violence exposure to package and sell.

Here is the blind spot for the rest of us. Most companies assume their property insurance would cover an attack near their building. Often it does not. Terrorism is usually a separate line, and the federal backstop only pays out for attacks the government formally certifies, above a damage threshold. Civil unrest and lower-level political violence can fall through every gap.

The Takeaway
The sharpest risk-pricers in the economy just took on a bet their industry would not touch a year ago. You do not have to share their read of the country to act on the signal. Pull your property and business-interruption policies and find the language on terrorism and political violence. Learn what is actually covered, what is carved out, and whether you are quietly counting on a federal backstop that only pays once the government "certifies" an attack. Most companies find those gaps the morning after they needed the coverage. Find yours on a quiet afternoon instead.

Get this brief in your inbox every Sunday.

No tracking. No spam. One email per week.

Subscribe