Beijing’s recent organizational and operational moves in cyberspace reflect a sustained strategic intent to make information advantage the fulcrum of its military power. That shift is not only about capability accumulation. It is also an effort to reframe what acceptable behaviour in cyberspace looks like. The result is a growing mismatch between the rules many democracies hope to lock in and the posture China is consolidating.
The PLA reorganization that dissolved the Strategic Support Force and created distinct cyberspace and information support arms under direct Central Military Commission authority is a structural marker of this intent. The change centralizes command, sharpens the division between defensive and offensive missions, and elevates cyber operations as an operational domain to be integrated into joint campaigns.
Organizational reform has been matched by a campaign-level approach to operations. High profile intrusions and long-running campaigns attributed to China-sponsored actors have penetrated telecommunications infrastructure, government networks, and private-sector supply chains in ways that create both immediate espionage value and latent operational options for crisis or conflict. The Salt Typhoon campaign that compromised multiple carriers underscored the asymmetric leverage available when adversaries gain access to core telecom systems. These operations are not only intelligence-gathering. They create persistent footholds that could be used to surveil, degrade, or manipulate communications at scale.
At the same time Washington and partners have documented the use of state-linked contractors and front companies to enable cyber operations. The United States and allies have moved to sanction and prosecute some of those enablers, signaling a willingness to impose costs beyond the purely technical response. Arrests and indictments tied to state-directed campaigns, and Treasury designations of companies linked to malicious activity, illustrate how economic and legal instruments are being used to push back. Those measures matter. They also reveal the limits of escalation control in cyberspace, because attribution, attribution thresholds, and states ability to retaliate remain contested.
Beijing’s behaviour sits in tension with its normative rhetoric. Chinese official doctrine emphasizes “sovereignty in cyberspace” and multilateral governance conducted on an equal footing. Beijing argues that states must protect networks and data within their borders and resist “cyber hegemony.” At the same time Chinese practice, including large-scale exfiltration from foreign networks and repeated compromises of infrastructure, is interpreted by Western and many Indo-Pacific states as inconsistent with the obligations that a stable international order would require. That normative divergence is the core problem. When two actors disagree about principles such as jurisdiction, permissible intelligence collection, and the meaning of due diligence, operational competition in the networked domain becomes institutionalized.
Institutions are trying to close this gap. The United Nations Open-Ended Working Group on security in the use of ICTs culminated in a July 2025 report that recommended a standing mechanism to negotiate responsible state behaviour. That recommendation reflects the recognition that episodic diplomacy will not suffice if states expect to stabilize norms around containment, attribution, and mutual restraint. But consensus is difficult because core questions remain unresolved: how to treat espionage in peacetime, what constitutes an armed attack in cyber terms, and under what conditions a state may lawfully retaliate.
Practically speaking, China’s expansion complicates norm-building in four ways. First, the blending of civilian and military talent through civil-military fusion and the use of private-sector intermediaries blurs lines of state responsibility. Second, operations that exploit third-party infrastructure make harms diffuse and remediation slow. Third, strategic persistence in infrastructure creates coercive options that are difficult to signal about without revealing capabilities. Fourth, advances in AI and machine learning accelerate the tempo of deception and manipulation in information operations, compressing decision cycles and increasing the risk of escalation.
Allies and partners are adapting. Defensive measures have shifted from perimeter hardening to resilience investments in core routing infrastructure, lawful intercept design, and supply chain assurance. Intelligence sharing and coordinated sanctions have become routine levers. Agencies such as national cybersecurity centres and alliance forums are producing joint advisories and playbooks to detect and expel persistent footholds. Those steps raise the costs to adversaries, but they do not, by themselves, rebalance a strategic logic that prizes information control and operational surprise.
What should policy look like in the near and medium term? First, coalitions should continue to expand the set of non-kinetic response options - indictments, targeted sanctions, export controls, and disruption operations - while clarifying thresholds for when kinetic responses might be considered. Second, invest in systemic resilience in telecommunications and cloud ecosystems so that core routing and lawful intercept points cannot be repurposed covertly. Third, accelerate norms diplomacy by building an authoritative, technical baseline for evidence and a credible, fast attribution process supported by multilaterally agreed procedures. Fourth, create crisis channels that include cyber, space, and diplomatic interlocutors to manage incidents before they become escalatory. Finally, the West must reduce dependence on single-vendor or single-country choke points in critical tech supply chains without slipping into protectionism that would fragment the global internet.
Longer term the task is political as much as technical. If China persists in treating cyberspace as an instrument of statecraft that privileges sovereignty claims and operational flexibility, then the international order will face continued contestation. Conversely, if major powers can agree to a narrower set of red lines around destructive actions on critical infrastructure, and couple those commitments to verification and clear consequences, normative progress is possible. What is unlikely is that norms will self-seed. They must be the product of strategic patience, technical cooperation, and, crucially, a coalition that can credibly raise the costs of revisionist behaviour while offering pathways for deconfliction.
China’s cyber force expansion is therefore both a capability story and a political test. It tests whether the international community can translate technical interdictions into durable rules of the road. The answer will shape not only crisis stability in the Indo-Pacific but also the architecture of global digital governance for decades to come.