In 2023, unidentified hackers conducted a sophisticated cyber espionage campaign known as “Operation Triangulation,” infiltrating iPhones used by high-value targets within the Russian government. Apple patched the underlying vulnerabilities, and the case appeared to be closed—but in late February, a former employee at a U.S. defense contractor was sentenced to 87 months in prison for supplying a Russian broker with malware linked to the Triangulation campaign. The same hacked infrastructure was being used for multiple criminal campaigns.
The episode illustrates the reality of cyber conflict: Even best-in-class cyber capabilities rarely stay contained, and once exposed, they move rapidly through contractors, brokers, and criminal networks. Past leaks of cyber tools suspected to be developed by the United States—by the Shadow Brokers group and others—have shown how quickly sophisticated capabilities circulate among rival intelligence services and criminal networks.
Yet U.S. President Donald Trump’s new six-pillar national cyber strategy, released on March 6, doubles down on this risk, elevating offensive cyber operations as Washington’s primary instrument of deterrence. It’s a dangerous gamble—one that Beijing, which has emerged as the prime cyber adversary to the United States, will see not just as an escalation but also as a legitimization of its own destabilizing posture.
Ultimately, the strategy risks the proliferation of dangerous capabilities to more countries and nonstate actors; increases the chances of miscalculations and retaliation based on misunderstanding; and makes the global cyberspace more aggressive, crowded, and unstable.
China has been flexing its willingness to take risks through cyber operations—and its ability to withstand ensuing retaliation—for more than a decade. In recent years, however, Chinese cyber operations have assumed an increasingly strategic nature, shifting beyond intellectual property theft toward prepositioning and political or military signaling. Chinese cyber actors have embedded themselves in U.S. critical national infrastructure and supply chains, ready to weaponize their access if tensions escalate.
The “Typhoons”—hacker groups inside the Chinese government and military—have demonstrated this strategic shift in cyber operations. Between 2021 and 2023, the “Volt Typhoon” group, linked to the People’s Liberation Army (PLA), infiltrated U.S. naval hubs in the Pacific, gaining access to real-time counterintelligence and signaling Beijing’s capacity to disrupt U.S. logistics in the event of a major confrontation over Taiwan. Western officials say Chinese diplomats have offered only feeble denials of PLA involvement, underscoring Beijing’s growing confidence that it can operate in cyberspace with relative impunity.
The Ministry of State Security (MSS), China’s foreign intelligence arm, pursued a similar approach through “Salt Typhoon,” a collection of hacker groups widely believed to be under its federated command. Its ongoing cyber operations have infiltrated U.S. telecommunications networks, giving the MSS the ability to disrupt data flows and exfiltrate sensitive subscriber information. Salt Typhoon has also compromised U.S. congressional staffers, which the MSS can leverage for counterintelligence about U.S. political discourse. Taken together, the Typhoons demonstrate that Beijing uses cyber operations not just for espionage, but also to signal that it has a growing ability to preempt, subvert, and reshape Washington’s political and military objectives.
Against that backdrop, the first pillar of Trump’s new cyber strategy—labeled “Shape Adversary Behavior”—attempts to restore deterrence through offensive cyber operations by creating “real risk for adversaries who seek to harm” the United States. But Beijing already views cyberspace as a strategic competition domain, and a more aggressive U.S. posture will only reinforce the model that China has been building for years.
And, crucially, the strategy demonstrates a misunderstanding of how deterrence functions in the present environment. Conventional deterrence, developed in the nuclear era and based on the idea that clearly signaled threats of retaliation can prevent adversaries from acting, works best when adversaries are visible and threats are credible. These conditions rarely exist in cyberspace, where threats move through diffuse, interdependent supply chains in which attribution is murky and no single actor controls escalation or its consequences. As a result, the classic deterrence model breaks down.
The second pillar of the U.S. cyber strategy, titled “Promote Common Sense Regulation,” is further enticement for Beijing. Outlining intentions to “streamline” cyber and data regulations to “reduce compliance burdens, address liability, and better align regulators and industry globally,” what is presented as “common sense regulation” is actually a calculated appeal to a private sector that views cybersecurity as an endless expense with limited returns. By signaling a retreat from mandatory and rigorous compliance frameworks, the administration offers a sense of regulatory relief that doubles up as a national security vulnerability.
Cyber regulation needs simplification. The regulatory landscape is complex, fragmented, and disproportionately expensive for small- and medium-sized businesses that pay regulatory premiums as a “license to operate” while being priced out of the competition for government contracts. But deregulation, if that is what “common sense” intends, is no guarantor of better cyber defense. There is no evidence that the savings promised by “common sense” will be invested in cybersecurity. Left up to interpretation by the private sector, the second pillar of the cyber strategy risks trading long-term structural resilience for short-term political and economic goodwill from enterprises.
In practice, therefore, this second pillar weakens domestic defense just as the first pillar invites aggression. While some sectors will jump at the opportunity to deregulate, and others are left to determine a baseline for themselves in the absence of minimum compliance burdens, Trump’s approach will have to contend with the uncomfortable reality that sectors and industries are interconnected through vast, complex, and interdependent technology supply chains, in which a single vulnerability in a small, low-value actor can fell giants. Hackers only need to compromise sectors with lax cyber regulations or companies that are no longer obligated to follow basic defense practices. From there, interconnected technology supply chains give them footholds into the rest.
Nowhere has this lesson been more clear than in the 2020 SolarWinds breach. What began as a Russian state-linked actor subverting a small supplier cascaded to thousands of high-value targets, including Microsoft. But SolarWinds reflected a long-standing strategy: The MSS hacker ecosystem has been targeting supply chains at large since at least 2013. Beijing learned that prioritizing stealthier, more scalable attacks through supply chain intermediaries was the most efficient way to reach many targets at once. Since then, this pattern has only intensified, and many service providers managing multiple U.S. enterprises have come under constant fire.
While the rest of Trump’s strategy appears to name this trend, it fails to recognize its extent. The third and fourth pillars admit the need for modernizing government technology and protecting critical infrastructure. The fifth adopts a familiar tone of power projection, announcing a goal to protect the “national intellectual advantage,” U.S. artificial intelligence, and the administration’s bets on cryptocurrency and blockchains; the sixth focuses on talent and foundational skill-building. These final two pillars will be of particular interest to Beijing, which has built a whole-of-nation cyber ecosystem in recent years.
The consequences extend beyond bilateral tensions between Washington and Beijing. Abandoning cyber norms that the United States has spent decades developing is a signal to both rising powers that are developing their own cyber capabilities and a cybercrime industry worth trillions. As Washington normalizes an offensive-first strategy, rising powers will seize the opportunity to mimic this in their operations. Exposed cyber capabilities, used for state-level operations and worth hundreds of millions, will proliferate beyond state control through an ecosystem of ransomware gangs, brokers, and moonlighting spies.
Operation Triangulation has exposed this volatile nature of cyberspace over the course of three years; the new cyber strategy only fuels this volatility.
To be sure, it is hard to lack sympathy for hawks in the administration who want to “hack back.” Despite Justice Department indictments, sanctions, cybercrime treaties, diplomatic exchanges, and doctrinal changes, Washington has failed thus far to deter China’s cyber operations.
The Typhoons, however, were a wasted opportunity for Washington to recognize the scale of the threat and prioritize the resilience of key U.S. infrastructure. A bold cyber strategy would put any offense-first stance into strategic context—continuously decreasing the gains that Beijing can make from continued cyber aggression while lowering the MSS’s confidence in the long-term feasibility of its hacking ecosystem. But such an approach needs a defensive foundation to succeed.
Perhaps the greatest tragedy of this new cyber strategy is that this administration already possessed the necessary components for its offense-first stance to have real bite. Cyber defense has been an industrial triumph, with the U.S. cybersecurity sector dominating the global market share and forecast to more than double in size by 2034.
The administration also inherited a sizable chunk of talent. It shot itself in the foot, however, by purging that pool. The now-dissolved Cyber Safety Review Board has not been replaced. The new chief of the National Security Agency and U.S. Cyber Command was only confirmed in March. Top cyber experts have been hounded out of office. The Cybersecurity and Infrastructure Security Agency is a shadow of its past self, with some two-thirds of its staff furloughed or fired. And the new cyber strategy was overseen by National Cyber Director Sean Cairncross, a former CEO of the Republican National Committee with little-to-no cyber expertise. Few voices now espouse the criticality of cyber defense at the top.
Washington believes that offensive cyber power will restore deterrence. But in practice, especially when combined with a deregulation drive, it may accelerate the diffusion, ambiguity, and strategic instability that adversaries such as China have already learned to exploit.
