The past week, the potential for cyber and kinetic military convergence came to the fore, with the US interactions with Venezuela. Numerous news outlets have speculated on how cyber technologies - for intelligence gathering and offensive operations - could have been utilised.

The BBC recently published a story focused on “The continued mysteries surrounding the intelligence operation to capture Maduro”. The article goes on to explain:

“The fact that the US Cyber Command was publicly thanked for its role in the operation has led to speculation that US military hackers got inside Venezuelan networks in advance to shut the grid down at the right moment - but details are limited.

The failure of Chinese and Russian air defences has also led to speculation of what kind of jamming or electronic warfare technology was deployed by the US in the air to aid the operation. The US Space Command, which operates satellites, also received credit for creating a “pathway” for the special forces to enter unseen.”

Polito had an article on 7th January more boldly entitled “Venezuela strike marks a turning point for US cyber warfare”. They again nodded to the sudden power outage that occurred prior to the physical landing of troops:

“Trump, at the same press conference, was more overt in his description of U.S. cyber involvement: “The lights of Caracas were largely turned off due to a certain expertise that we have,” he said. “It was dark, and it was deadly.”

Beyond these small-but-significant nods toward U.S. cyber power, details about how exactly the U.S. was able to pull off such a feat were slim. A spokesperson for the Pentagon declined to comment on the specifics of U.S. cyber operations in Venezuela, while a spokesperson for Cyber Command said it was “proud to support” the mission. A spokesperson for the White House did not respond to requests for comment.”

Of course, the details will never be known - for a long time yet - and a policy of strategic ambiguity supports a stance that denying the fact gains nothing - whilst loosely acknowledging some sort of cyber capability is a potential deterrent option and show of strength.

Whatever the underlying capability and success of it - which is difficult to measure - the structure, growth and operational involvement of USCYBERCOM is being hotly debated.

What Next for USCYBERCOM?

A recent special edition of the Cyber Defense Review tackled just this topic.

The Cyber Defense Review (CDR) describes themselves as:

“…an open-access, peer-reviewed, scholarly journal that serves as a forum for current and emerging research on cyber operations. Its focus is on strategy, operations, tactics, history, ethics, law, and policy in the cyber domain. CDR positions itself as a leading venue for interdisciplinary work at the intersection of cyber and defense, welcoming contributions from the military, industry, professional, and academic communities.”

Their most recent issue was a special edition focusing on the USCYBERCOM and the future of US cyber forces.

What Issues is USCYBERCOM Facing?

Other than restructure for restructuring’s sake, it seems there are some reasonable issues that are being discussed:

• Insufficient Force Size: The current active-duty cyber workforce is considered too small to effectively manage the sheer volume and increasing sophistication of global cyber threats. This results in a significant gap between operational demand and available manpower.

• Talent Recruitment and Retention: There is a persistent structural challenge in recruiting and retaining highly skilled technical talent. The government struggles to compete with the private sector, leading to a need to look “Beyond the Uniform” and develop better strategies for leveraging national cyber expertise.

• Sub-optimal Management and Readiness: The current management framework is seen as needing modernization to ensure sustainable force readiness. Issues include:

  • Lack of codified maximum operational tempo thresholds, potentially leading to burnout.

  • Need for better alignment of technical personnel to demanding technical roles.

  • Insufficient integration of auxiliary units (National Guard and Reserve) into joint exercises.

These are some pretty complex issues to solve - and will be familiar with many large scale cyber operations teams - be they private sector or nation state.

What Can be Done?

The core debate in the CDR issue revolves around whether to simply reform and empower USCYBERCOM or to create an entirely new military branch for cyberspace.

The proposals for expansion fall into a few key areas:

1. Expansion of Cyber Force Size and Management

A primary recommendation is to significantly expand the active-duty cyber workforce, arguing that the current force is simply too small to manage the volume and sophistication of threats.

“Go Big” on Force Size: The proposal argues that the scale of malicious cyber activity far exceeds the capacity of the current military cyber forces. Expanding the force would help close the gap between operational demand and available manpower.

• Management Reforms: Workforce expansion must be paired with management modernization to ensure sustainable readiness gains, which could include:

  • Codifying maximum operational tempo thresholds.

  • Adopting rotational assignment models.

  • Creating “force health” reporting metrics that link readiness to personnel workload.

  • Aligning technical personnel to demanding technical roles and reserving less complex tasks for less experienced individuals.

2. Reforming and Empowering USCYBERCOM

Many contributions suggest that incremental reform is the fastest, least risky, and most effective path, especially as USCYBERCOM is already increasing its capabilities.

• Utilize New Authorities: Empowering USCYBERCOM to fully execute the authorities it already possesses, such as full training authority over cyber operational forces, is critical for standardization and interoperability.

• Leverage Auxiliaries and Exercises: Incorporate National Guard, Reserve, and other auxiliary units, particularly by integrating them into joint exercises that involve foreign and domestic partners.

• Avoid Disruptive Restructuring: Critics of a new Cyber Service warn it would be costly, slow, and counterproductive, risking years of turmoil, duplicating functions, and diverting scarce resources and expert personnel from current operations.

3. Reconnecting with the Private Sector

A structural challenge is the struggle to recruit and retain technical talent, leading to a proposal to look “Beyond the Uniform” by leveraging the national cyber workforce outside of the government.

• Cyber Mission Support Framework (CMSF): This framework is proposed to reconnect uniformed forces with trusted, highly skilled cyber professionals in the private sector for scalable mission augmentation and, potentially, regulated cyber proxy operations.

• Industry Collaboration: USCYBERCOM should foster deeper collaboration with the commercial industry, which dominates cyber defenses at home and abroad.

4. Radical Organizational Change

Other contributors argue that patchwork fixes are insufficient, advocating for a significant structural overhaul to fully expand capabilities.

• Create a Separate Cyber Service: One option is to create a new, separate cyber service or military department—similar to the Space Force—to establish a unified career progression system and better align technical skills with advancement.

• Revising Doctrine: Another suggestion is to revise U.S. doctrine to treat cyberspace as a battlespace and not merely a function that supports kinetic force.

It seems the continued hiring and structural challenges facing USCYBERCOM will continue as none of the suggested proposals are quick to implement. The ability to acknowledge “winning” narratives associated with “cyberwar” usage however, does bring some additional attention on the entire area - which may be good for the hiring apparatus, but ultimately makes integration and success metrics more complex.

DomainTools released three separate articles which are well worth reading (it will take a good 45 mins or so) but they do provide an end to end view of the scale and completeness of the solution.

1. Inside the Great Firewall Part 1: The Dump

2. Inside the Great Firewall Part 2: Technical Infrastructure

3. Inside the Great Firewall Part 3: Geopolitical and Societal Ramifications

What is the Great Firewall?

The Great Firewall (GFW) of China is a vast and sophisticated system of digital control that goes far beyond simple website filtering. It is the centerpiece of China’s digital repression strategy, designed not only to block content but also to control user behavior, shape perceptions, and enforce ideological conformity.

Core Purpose and Strategy

• Ideological Containment: The GFW’s primary domestic function is to preempt the circulation of narratives, symbols, or software deemed threatening to the Chinese Communist Party (CCP) legitimacy. It enforces a state-defined version of reality by algorithmically suppressing politically sensitive terms, foreign platforms, and civil society organizing.

• Digital Sovereignty: It is the digital expression of a strategic doctrine rooted in state control, asserting that information space is equivalent to territorial space. It insulates the domestic population from foreign influence and enables centralized surveillance.

• Economic Engineering: The GFW systematically blocks foreign software (like Google Docs, Zoom, and Dropbox), which nurtures a domestic ecosystem and accelerates the adoption of Chinese-developed alternatives (e.g., Tencent Docs, DingTalk) that are integrated with state surveillance requirements.

Technical Components

The GFW operates as a modular and hierarchical system that combines central orchestration with distributed enforcement nodes, built on cooperation between state-run ISPs, telecom vendors, and research labs. Key technical components include:

• Traffic Secure Gateway (TSG) System: This is a core modular, exportable Deep Packet Inspection (DPI) platform capable of application-layer proxying, SSL/TLS interception, and centralized policy enforcement across national ISP backbones and regional access points.

• Layered Filtering:

  • DPI: Deep Packet Inspection processes TCP streams in real-time to inspect HTTP headers, TLS handshakes, and apply keyword filtering.

  • SNI-based TLS Detection: Filters encrypted circumvention traffic (e.g., Psiphon, Shadowsocks, V2Ray) based on patterns in the TLS handshake process without decrypting content.

  • URL, Host Header, and DNS Hijack Strategies: Used to block, redirect, or monitor suspect endpoints.

• Monitoring and Logging: Systems like MAAT (Modular Automated Analysis Tool) and Gohangout (a log processing framework) are used for pervasive visibility, continuous telemetry, and real-time policy enforcement. Logs reveal fine-grained behavioral fingerprinting, tying user sessions to device IDs and remote IP patterns.

• Behavioral Prediction Engines: These systems go beyond static rules to flag and act on traffic that deviates from normal patterns, assigning a risk score to sessions in real-time and preemptively routing or terminating sessions (e.g., injecting artificial latency).

• Vendor Integration: The GFW is a distributed ecosystem of hardware and software from Chinese technology companies, such as A Hamson Technology Co., Ltd., Venustech, Topsec, and Huaxin, which supply customized routers, DPI cards, and orchestration platforms.

It is pretty clear that to get the level of interoperability and management, a state level top-down approach to control is needed. The vast breadth and depth of both the physical infrastructure components and the technical skills needed to design and maintain such components has to be directed from a strategic point of view.

Of course, having so many moving parts (including the hiring, validating and training of staff) requires a strong set of security controls.

However, the vast scale and size of such an operation is likely to house opportunities for information leakage, subversion and insider threat.

Geopolitical and Societal Impact

The leaked material clearly has an emphasis on the technical bits and bytes and architectural choices that have been made. Whilst that is interesting, perhaps the more long term analysis such ends up asking more about the “why” than the “how”.

1. What is the aim?

2. What does success look like?

3. How closely does this policy interact with both domestic and foreign policy?

From a technology point of view there are some conceptual and architectural design patterns that can be “exported” - either for monetary gain or ideological expansion and support of countries that have similar ethics and ethos.

• Global Fragmentation (”Splinter-net”): China’s model is exported to other authoritarian regimes, such as Iran, Vietnam, and Russia, often through initiatives like the Digital Silk Road. This promotes the idea of “cyber sovereignty”—the right of states to regulate information flows within their borders—contributing to the fragmentation of the global internet.

• Transnational Repression: The GFW’s cyber capabilities are used to monitor and harass groups that the PRC views as security threats, including Falun Gong practitioners, Uyghurs, Tibetans, supporters of Taiwanese independence, and pro-democracy activists, even those living in diaspora communities abroad.

• Arms Race with Resistance: Despite the GFW’s sophistication, resistance is persistent. The system’s countermeasures provoke an ongoing arms race with developers creating new circumvention tools like Shadowsocks, V2Ray, and Trojan, which continuously iterate to evade detection. Dissent also manifests in creative, coded cultural forms (satire, homophones) to evade keyword filters.

The model is clearly not one for simple technical experimentation. It is a strategic implementation based on a controlling narrative - that supports internal information manipulation and the removal of external and counterpoint sources of opinion.

Whilst not necessarily in line with Russia’s view of a separate sovereign network that can limit technical denial of service to ISP and network access, the GFW could provide similar functions.

Such strategies of course are used for a multitude of functions - from enablement and awareness, funding, risk identification but also public awareness and partnership generation.

The Scottish approach is no different and amplifies the need that such country-wide approaches require a broad spectrum of stakeholders - as well as public/private integration.

Image Source: Scottish Cyber Strategic Plan on a Page

Key questions remain around how to measure resilience success? Speedy response to attack? Faster detection? An improved ability to defend?

The vision statement is clear however : “Scotland thrives by being a digitally secure and resilient nation.” Cyber resilience is framed as a whole-of-society responsibility, not just a technical activity - which could be difficult to attain and also measure. The plan aligns with Scotland’s wider goals—economic growth, reducing child poverty, public-service improvement, and climate action. So essentially a force multiplier or extension of general governmental aims.

However, cyber crime in Scotland has doubled since 2019–20, reaching ~14,000 cases in 2024–25.

To work towards this cyber-resilience aim requires a village. The broad ecosystem consists of:

• Scottish Cyber Coordination Centre (SC3) – 24/7 threat intelligence, incident coordination.

• Police Scotland (Cyber and Fraud Unit) – operational response and victim support.

• National Cyber Security Centre (NCSC) – technical authority for cyber security.

• CyberScotland Partnership – cross-sector awareness, education, public engagement.

• National Cyber Resilience Advisory Board (NCRAB) – strategic guidance.

If “success” is being earmarked as being “strong, capable and resilient” how will that be acheived?

The Seven Strategic Outcomes

1. People recognise cyber risks and are prepared to manage them

• Public awareness campaigns.

• Cyber resilience embedded across lifelong learning—from early years to adult education.

• Targeted support for vulnerable groups (rural, disabled, older adults, non-English speakers).
  

2. National cyber coordination and incident response are effective

• SC3 leads multi-agency response.

• Stronger early-warning systems and national incident management.
  

3. Digital public services are secure and resilient

• Protective controls, secure-by-design architecture, and resilience built into critical services such as health and education.

4. Public sector organisations manage cyber risk effectively

• Consistent standards across government bodies.

• Regular testing, assurance, and cyber maturity improvement.

5. Businesses recognise cyber risks and manage them

• SMEs supported with guidance, toolkits, and Cyber Essentials adoption.

• Large organisations encouraged to lead on supply-chain security.

6. Third-sector organisations are prepared and protected

• Tailored guidance for charities and voluntary organisations, which often have limited resources but hold sensitive data.

7. Scotland has a strong cyber security industry and skilled workforce

• Growth of the cyber security sector.

• Enhanced research, innovation, and talent pipelines.

• Support for CyberFirst schools and national cyber skills initiatives.

Download Full Report

It is interesting to see not only physical events - cable cutting as one example - versus the increasing role of cyber as part of a broader information warfare operations play.

Cyber operations are described as a core enabler and integral component of Russia’s wider sabotage strategy — not a separate or secondary activity. The report situates cyber activity within Moscow’s “gibridnaya voyna” (hybrid warfare) doctrine, where physical, informational, and digital tools are fused to weaken adversaries below the threshold of open war.

A a breakdown of cyber’s specific role in Russia’s sabotage attacks, includes:

1. Integrated in Hybrid Sabotage Doctrine

• Russian military doctrine treats cyber operations as part of information warfare, combining “information-technical” (cyber, hacking, electronic attacks) and “information-psychological” (propaganda, disinformation) methods.

• Cyber is therefore used alongside physical sabotage—for instance, hacking logistics or communications systems to support or conceal physical attacks.

• The goal is to blur the line between war and peace, disrupting without triggering a conventional NATO response.

2. Cyber as Reconnaissance and Targeting Tool

• Russia’s intelligence services (especially the GRU and SVR) use cyber intrusions to map critical infrastructure networks—energy grids, transport hubs, and communications links—identifying single points of failure for later physical attacks.

• These cyber intrusions often precede or accompany physical sabotage (e.g., rail disruptions, water-supply incidents, or cable damage), providing operational intelligence and coordination.

• Russian operatives have used cyber-espionage to track NATO logistics and supply routes for Ukraine, and to help recruited proxies locate targets such as energy substations or communication nodes.

3. Cyber as a Tool of Coercion and Confusion

• Cyber activity is paired with disinformation and deepfake campaigns to amplify fear and distrust after sabotage incidents—portraying them as government failures or accidents.

• Such “information-psychological” operations aim to erode public confidence, increase societal anxiety, and divide allied responses.

• The IISS notes that the “grey-zone” framing has allowed Russia to use cyberattacks to intimidate Europe while staying below the escalation threshold.

4. Exploitation of Civilian Digital Infrastructure

• The Kremlin leverages commercial IT supply chains, weak network defenses, and the private ownership of 90% of NATO transport and communications infrastructure.

• Cyber intrusions into dual-use civilian networks (e.g., rail control systems, air logistics software, port communications) increase the impact of physical sabotage.

• Russia’s “gig economy” approach—outsourcing low-skill acts to recruited proxies—relies on encrypted messaging, dark web payments, and online coordination, all of which are cyber-enabled.

5. A Blended Threat Environment

• Russia’s hybrid operations use a continuum of effects:

  • Cyber reconnaissance → physical sabotage → disinformation amplification.

  • Attacks on undersea cables and satellite links combine both physical damage and digital disruption, impacting internet traffic, GPS, and secure communications.

• NATO data show that energy and communication networks, often targeted by Russian cyber groups, overlap with physical sabotage zones (Baltic Sea, Poland, Germany).

6. Strategic Impact

• While no mass-casualty cyberattack has occurred, the cumulative effect is to undermine resilience, complicate attribution, and delay collective response.

• The report warns that the cyber-physical convergence in Russian sabotage campaigns is raising the risk of escalation and strategic miscalculation — where a blended attack could unintentionally cross NATO’s Article 5 threshold.

In summary:

Cyber operations are the connective tissue of Russia’s sabotage campaign — enabling reconnaissance, coordination, psychological impact, and plausible deniability. The IISS assesses that Russia’s use of cyber tools is not about stand-alone attacks but about amplifying and concealing physical sabotage, forming a seamless part of its hybrid war against Europe

Download Full Report

They state:

“ESET researchers have recently observed a new instance of Operation DreamJob – a campaign that we track under the umbrella of North Korea-aligned Lazarus – in which several European companies active in the defense industry were targeted. Some of these are heavily involved in the unmanned aerial vehicle (UAV) sector, suggesting that the operation may be linked to North Korea’s current efforts to scale up its drone program. This blogpost discusses the broader geopolitical implications of the campaign, and provides a high-level overview of the toolset used by the attackers.”

It sounds like a potential two-bird win for Lazarus - in the sense of helping to disrupt existing manufacturers of potentially enemy operators (aka Ukraine and those supporting Ukraine against Russia, which North Korea is an ally) as well as helping streamline and optimize their own drone and UAV systems designs through mere intellectual property theft.

Strategic purpose

• The attacks likely sought intellectual property and manufacturing know-how to accelerate North Korea’s drone program, which is expanding with Russian assistance and modeled on U.S. systems such as the RQ-4 Global Hawk and MQ-9 Reaper.

• Victims made parts for UAVs currently deployed in Ukraine, suggesting Lazarus wanted data on Western-made weapons used on the front line.

• The campaign aligns with Pyongyang’s pattern of reverse-engineering foreign UAV designs via cyberespionage.

Image Source: ESET report on new Lazarus attack patterns

Attack chain and tools

• Initial access: classic DreamJob social-engineering — fake “dream job” offers sent to defense engineers with a malicious PDF reader that installs malware.

• Loader stage: trojanized open-source projects from GitHub (e.g., TightVNC Viewer, MuPDF Reader, DirectX Wrappers, Notepad++ plugins).

• DLL proxying/side-loading: fake system libraries such as DroneEXEHijackingLoader.dll, webservices.dll, and radcui.dll run under legitimate Windows executables.

• Main payload: ScoringMathTea, a 40-command remote-access trojan giving full control of the host, using encrypted HTTP/S C2 via compromised WordPress servers.

• Encryption and reflective DLL injection keep payloads only in memory; data are exfiltrated through the C2 channel.

Take Aways

ESET attributes the campaign to Lazarus with high confidence. The “DroneEXE” internal naming, target selection, and timing indicate an espionage operation in support of Pyongyang’s UAV industrial expansion.

In essence, North Korea is combining social-engineering intrusion with code theft to steal UAV blueprints and production methods, improving its own drone arsenal and export capability.

Read ESETs Report in Full

The recent U.S. Cyberspace Solarium Commission’s (CSC’s) annual report on implementation started its report with a scathing introduction:

“Our nation’s ability to protect itself and its allies from cyber threats is stalling and, in several areas, slipping. For five years, the U.S. Cyberspace Solarium Commission’s (CSC’s) recommendations have served as a benchmark against which to measure policymakers’ commitment to strengthening the nation’s cybersecurity. This report assesses that approximately 35 percent of the commission’s original 82 recommendations have been fully implemented, 34 percent are nearing implementation, and an additional 17 percent are on track to be implemented. By comparison, however, last year’s report concluded that 48 percent had been implemented, 32 percent were nearing implementation, and an additional 12 percent were on track. For the first time, there has been a substantial reversal of the advances made in previous years. Nearly a quarter of fully implemented recommendations have lost that status — an unprecedented setback that underscores the fragility of progress.”

That is a pretty damning verdict. Of course in recent months federal budgets across a host of US services have been cut and it seems cyber is also part of that. Reports like this of course do no harm in amplifying the need for more personnel and resources.

Zooming, out what is the both the report and US cyber capabilities in general trying to achieve?

Image Source: CSC Report

The ability to deliver “layered cyber deterrence” is a powerful objective - which basically aims to reduce the frequency and severity of cyber attacks. Both of those points (the likelihood and impact in standard risk management parlance) are complex things to both achieve and measure.

Hardening defences is one aspect, but identifying and in turn attributing attacks to actors linked to nation state orders is also another. The ability to consistently call out attacks, attribute specifically and support with technical evidence (often in line with a broad cast of allies, academia, technology providers and legal stakeholders) is becoming a powerful deterrence in itself. Actor and sponsor denials can only go so far.

The report goes in detail to specify where the US with respect to its strategic cyber progress.

Overall Assessment

• Only 35% of the CSC’s 116 recommendations have been fully implemented (down from 48% in 2024).

• 34% are nearing completion, 17% on track, and the rest face limited progress or major barriers.

• Nearly one-quarter of previously implemented reforms lost their status, showing fragility in institutional progress.

• Leadership gaps, budget cuts, and administrative turnover have slowed coordination, especially at CISA, the State Department, and the Office of the National Cyber Director (ONCD).

Strategic Framework: “Layered Cyber Deterrence”

The CSC’s cyber strategy centers on three layers of deterrence:

1. Shaping behavior — promoting norms of responsible state behavior through diplomacy.

2. Denying benefits — hardening critical infrastructure and aligning public-private cyber defenses.

3. Imposing costs — disrupting adversaries through law enforcement and military operations.

The report finds that:

• The U.S. continues to apply this model inconsistently.

• Technical progress is outpacing federal reform.

• Cyber diplomacy, talent development, and collaboration are under-resourced.

Top Five Recommendations for 2025–26

1. Enhance ONCD’s Authority

   • Give ONCD budgetary and regulatory coordination powers to align cyber policy across agencies.

   • Trump should issue an executive order revising Presidential Policy Directive 41 to grant ONCD formal convening power.

2. Restore CISA’s Workforce and Funding

   • CISA faces a 17% budget cut and up to one-third workforce loss.

   • Congress should provide multiyear stable funding to maintain its role as the national coordinator for critical infrastructure resilience.

3. Rebuild Cyber Diplomacy at the State Department

   • The Bureau of Cyberspace and Digital Policy (CDP) lost key staff and funding, impairing U.S. engagement abroad.

   • The report urges restoration of CDP’s capacity to counter PRC digital influence and support allies.

4. Reinstate Public–Private Collaboration Mechanisms

   • The administration’s termination of CIPAC (the Critical Infrastructure Partnership Advisory Council) has eroded industry trust and chilled information sharing.

   • Congress should restore legal protections for private-sector collaboration.

5. Expand and Diversify the Cyber Workforce

   • Workforce cuts and the rollback of diversity programs have shrunk the talent pipeline.

   • The U.S. should reinvest in skills-based hiring, apprenticeships, and retention incentives.

Key Takeaways

• Cyber deterrence is faltering — adversaries like China continue large-scale intrusions despite U.S. actions.

• Institutional reforms remain fragile without sustained funding, legal authority, and bipartisan political will.

• The U.S. needs to restore trust with industry and allies, reinforce its cyber diplomacy capacity, and rebuild a resilient domestic cyber workforce.

In essence, the CSC report warns that the U.S. cyber strategy risks erosion without renewed executive and congressional action to institutionalize past progress and adapt to accelerating threats.

Read Full Report

The report highlights the strategic, long-term and integrated use of cyber and information operations across a variety of targets with varying levels of success.

Strategic Objectives

The PRC’s cyber strategy is global, persistent, and state-directed, using cyber power as an instrument of geopolitical coercion. Its main goals are to:

• Constrain U.S. strategic options and freedom of action.

• Erode alliance cohesion among the U.S., Europe, and the Indo-Pacific.

• Embed influence and leverage in developing nations.

• Pre-position access to critical infrastructure for crisis or conflict advantage.

Core Operating Logic

Beijing fuses state policy, technical innovation, and systemic exploitation into a cohesive architecture of cyber power. Rather than one-off hacks, PRC campaigns are deliberate, cumulative efforts to:

• Shape global political and security environments.

• Undermine adversaries’ decision-making ecosystems.

• Precondition outcomes in future crises or conflicts.

Four Force Multipliers

The PRC’s operational edge is built around four reinforcing “force multipliers”:

1. Trusted Relationship Exploitation – Compromising software vendors, supply chains, and service providers to scale access and persistence while bypassing traditional defenses.

2. Network Edge Device Exploitation – Systematic targeting of routers, VPNs, and firewalls to gain stealthy, long-term access to networks worldwide.

3. AI Acceleration – Using AI for faster reconnaissance, targeting, translation, and influence operations; moving toward fully AI-enabled cyber operations.

4. Attribution Contestation – Blurring responsibility through criminal proxies, misinformation, and counter-narratives to preserve escalation control and deniability.

Operational Arenas

The PRC applies these methods across three global arenas:

• East Asia: Undermining U.S. agility around Taiwan, Japan, and the South China Sea by embedding access and using influence operations to shape domestic sentiment.

• U.S. Alliance System: Targeting political cohesion in the Five Eyes and Europe, monitoring leadership transitions, and influencing narratives that fracture unity.

• Developing World: Building digital dependency via PRC technology, exploiting infrastructure for espionage and leverage, and influencing governance through cyber and information operations.

Emerging Trends (2025–2030 Forecast)

• Scaling of trusted-access abuse through contractors and vendor ecosystems.

• Expansion to nontraditional edge devices (satellite terminals, cellular gateways).

• AI becoming a core operational enabler, not just a support tool.

• Shift from denial to structured denial operations — organized, fast-response attribution counterclaims.

• Cyber prepositioning for crisis leverage in East Asia and critical minerals supply chains.

• Embedded influence and coercion in developing countries aligned with Belt and Road interests.

Strategic Effect

Beijing seeks to reshape global competition by:

• Eroding U.S. and allied decision-making agility.

• Maintaining plausible deniability below conflict thresholds.

• Establishing persistent strategic leverage through digital entrenchment.

Counter-Strategy (U.S. Recommendations)

The report calls for the U.S. and allies to:

• Close the “trusted back door” (vendor access control).

• Fortify edge infrastructure (firewalls, VPNs, OT systems).

• Reform procurement to factor in adversarial control risks.

• Disrupt PRC botnets and infrastructure-as-a-service ecosystems.

• Out-automate and undermine PRC AI operations.

• Expose and contest attribution at speed.

• Forward-posture with allies and secure the developing world’s digital terrain.

In short:
The PRC’s cyber strategy is not just about hacking—it’s systematic digital statecraft designed to erode U.S. initiative, exploit global interdependencies, and secure long-term positional advantage through scale, stealth, speed, and deniability.