🌊Deep Dive Weekly Edition #9🌊
📬Advanced Persistent Threats: The Agility & Lethality of China's Cyberespionage Groups🌍

📚The TL;DR📝
China’s Advanced Persistent Threats (APTs) are cyberespionage groups that gain unauthorized access to systems while remaining undetected for extended periods.
The centralization of China’s political structure arms the CCP with an asymmetric advantage over the United States in streamlining cyber governance measures.
Military-civil fusion in China has allowed the CCP to mobilize civilian militias to exploit new vulnerabilities and develop offensive cyber capabilities.
The United States’ Sector Risk Management Agencies, which are responsible for the security of the 16 U.S. critical infrastructure sectors, operate on outdated strategic plans from a 2013 Presidential Policy Directive.
Cyberattacks have the potential to disrupt the continuity of an economy and catalyze disruptions that threaten human lives and democratic integrity.
📌Advanced Persistent Threats: The Agility & Lethality of China's Cyberespionage Groups📌
The Department of Justice charged Chinese nationals Yin Kecheng and Zhou Shuai in early March 2025 for participating in an operation of the People’s Republic of China’s (PRC) Ministry of State Security that targeted Chinese dissidents in the United States and the foreign ministries of multiple Asian governments. Only three months prior, an advanced persistent threat (APT) group—a state-sponsored group that seeks sensitive information while remaining undetected for extended periods—hacked into a U.S. Treasury cloud-based technical support service, gaining remote access to user workstations and unclassified documents.
For at least twenty years, hackers sponsored by the Chinese Communist Party (CCP)—either acting individually or more typically in APT groups—have underscored the growing threat of China’s use of cyber operations as a tool of state power. Acting under the auspices of the state, Chinese hackers have pioneered the most widely discussed and high-level cyberattacks. In January 2010, Chinese proxies carried out a cyberattack against Google and thirty other U.S. companies, compromising the accounts of human rights activists and prompting Google to reconsider the feasibility of business operations in China.
Chinese state-sponsored hackers have also targeted U.S. allies. Indicted in 2021, the hacking group APT 40 targeted Five Eyes intelligence alliance members—the United Kingdom, Japan, Australia, and New Zealand—through illicit network exploitation activities under the guise of its front company, Hainan Xiandun Technology Development Company. Another state-sponsored group, the “Tonto Team,” hacked several South Korean entities in 2017 that were involved in the deployment of the Terminal High Altitude Area Defense (THAAD) missile system.
The Asymmetric Advantage of China’s Centralized Political System
The proliferation and success of Chinese state-backed hacking incidents stem from the centralization of China’s cyber governance. The CCP creates, executes, and oversees cyberspace policy under the national Cybersecurity Law. Established in 2017, the law underlines the top-down structure of China’s cyber ecosystem, in which local governments, commercial companies, and researchers must adhere to centrally coordinated frameworks for cyber activities and yield to regulatory supervision by the national government. General Secretary Xi Jinping designated himself chair of the new Central Commission for Cybersecurity and Informatization (CCCI) in 2018, consolidating oversight of cyber operations. Xi has the final say in all government and private sector decisions pertaining to China’s cybersecurity ecosystem.
Beyond the legal foundations of China’s cyber operations, military-civil fusion (MCF), a CCP strategy that encourages technology transfer between the military and civilian sectors, serves as the bedrock upon which the Chinese government can inform and deploy proxy hackers. As China seeks to build a world-class military by 2049, proxies bolster its advantage in information warfare. In the past decade, China’s People’s Liberation Army (PLA) has increasingly mobilized “civilian militias” of technically skilled individuals from the private sector and academia to develop offensive cyber capabilities and conduct cyber espionage that exploits new vulnerabilities. Privatizing cyber operations has facilitated the expansion of intelligence operations: China tasks firms such as i-Soon with spying on global diplomatic targets, cultivating an information network that links the private sector, the Chinese government, and the PLA.
Despite global breakthroughs in digital security, China has leveraged MCF not only to identify new vulnerabilities in critical infrastructure but also to conduct cyberattacks on entities, domestic and foreign, that pose political challenges to China’s international leadership. The Chinese government has leveraged its centralized control over cyber operations to monopolize the vulnerability supply chain and gain access to high-value targets. The 2021 HAFNIUM hack exploited novel zero-day vulnerabilities in Microsoft Exchange Server software, demonstrating that China’s cyber capabilities pose an increasingly sophisticated and vicious threat to U.S. agencies, enterprises, and civilians. Similarly, the state-sponsored actor Volt Typhoon extends China’s cyber operations beyond traditional espionage targets, pre-positioning in networks by exploiting vulnerabilities in end-of-life, outdated software in order to trigger critical infrastructure disruptions if a military conflict breaks out. Despite China’s self-proclaimed emphasis on civil liberties, these actors have little ability to refuse CCP demands, facing a choice between thwarting state operations or offering intelligence, research, and operational capabilities. Most choose the latter, in line with the expectation of compliance underscored in the national Cybersecurity Law, which sets out the responsibilities and standards for all actors that contribute to China’s cyberspace ecosystem.
In addition, the rapid progression of China’s offensive cyber capability development reflects Xi Jinping’s expansion of his Comprehensive Security Strategy into the emerging cyber realm. As China’s government articulated in its 2022 white paper Jointly Building a Community with a Shared Future in Cyberspace, cyberspace is a pillar of national sovereignty, and each country has the “right to formulate public policies, laws, and regulations on cyberspace in the context of their national conditions and international experience.” At the domestic level, Xi’s focus on national security serves to justify the government’s collaboration with domestic telecommunications companies to reinforce censorship behind the Great Firewall. Limitations on freedom of speech extend beyond the actions of Chinese citizens, with Xi declaring in 2016 that the work of the CCP’s media should safeguard China’s unity by bolstering party values. Internationally, China has criticized democratic leaders, including the United States, for interfering in the domestic affairs of other countries by seeking to instill democratic norms and regulations for cyber operations.
Is the United States “Defending Forward?”
U.S. agencies and companies, including the Cybersecurity and Infrastructure Security Agency (CISA), have demonstrated rightful concern with the pace and agility of China’s cyber activities. Decentralization of U.S. authority constrains the effectiveness of decision-making, the formation of cyber policy, and incident response efforts. Responsibility for the execution and oversight of cybersecurity law is dispersed across agencies such as CISA, the Department of Homeland Security (DHS), the Department of Defense (DOD), the Federal Bureau of Investigation (FBI), the National Institute of Standards and Technology (NIST), and the private-sector owners of critical infrastructure, exacerbating the difficulty of reaching consensus in cyber governance.
The U.S. National Cybersecurity Strategy employs a “defend forward” strategic posture that emphasizes an increased focus on offensive—in addition to defensive—cyber capability development. However, the actual organization of the U.S. cyber ecosystem fails to live up to this rhetoric. The U.S. government designates Sector Risk Management Agencies (SRMAs), each overseeing the needs and objectives of one of the 16 critical infrastructure sectors and serving as an important link between the federal government and local actors and civilians. Despite the significant responsibilities of SRMAs, they continue to operate under decade-old crisis response procedures such as Presidential Policy Directive 21 (PPD-21) from 2013, which fails to account for changes in the broader U.S. strategic posture in cyberspace. The United States has failed to adapt with agility to the offensive advantage in cyber operations, only beginning to incorporate offensive-oriented cyber exercises into its CYBER FLAG drills in 2024. U.S. leaders face the unique challenge of mediating the tension between regulatory policy and innovation in cyber defense technologies, which the private sector is reluctant to sacrifice in a rapidly emerging market.
Conclusion: Transforming the Levers of Deterrence
The CCP’s disregard for cyber escalation demands a U.S. response. The absence of the physical boundaries typically associated with a nation’s sovereignty has allowed China to grow its offensive cyber capabilities under the guise of strengthening defense while condemning U.S. attempts to enforce democratic norms in cyberspace as foreign “interference.” Where the Chinese government ignores de-escalatory norms and procedures in its cyber strategy, it instead prioritizes the development of its network reconnaissance, defense, and support operations across a wide attack scope, targeting both military and civilian infrastructure. The growing focus on information exchange in PLA military operations, accompanied by a growing reliance on civilian actors, poses a threat to civilians susceptible to China’s use of sophisticated cyber threats to achieve political and military objectives.
In critical infrastructure sectors, a single cyberattack has the potential to dismantle a nation’s entire economy. For example, the February 2024 ransomware attack on Change Healthcare, a subsidiary of UnitedHealthcare, stole the personal medical data of 190 million patients and cost the company over $2 billion. Such attacks also have life-threatening consequences; from 2016 to 2021, ransomware attacks killed as many as 67 Medicare patients. With China’s active development of its offensive cyber capabilities, a targeted attack by an APT or other state-sponsored actor could catalyze a disruption far more destructive and extensive in scope.
This week’s newsletter brought to you by the Deep Dive staff.