China's Cyber Maze: Challenges and Prospects for the United States

The United States (US) would be best placed to adopt a Cyber Maze framework, which advocates a flexible, layered strategy to counter China’s evolving cyber operations. This would involve prioritising adaptability over rigid deterrence, and emphasising proactive defence, resilience, and diplomacy to manage risks without escalating conflict.
The Cyber Maze is a strategic framework for managing modern cyberattack patterns by prioritising adaptability, layered risk mitigation, and context-specific responses over rigid measures. It acknowledges that cyberattacks, whether state-sponsored campaigns, proxy actors, or novel attack vectors, are not straightforward, symmetric, or static. The framework advocates a flexible strategy combining deterrence, diplomacy, and defence, adapting responses to the attack and its context. This framework is useful for countering China’s ambition to become a cyber superpower (Wangluo Qiangguo, 网络强国), a policy fuelling its state-aligned cyber ecosystem.
The People’s Republic of China (PRC) cyber ecosystem is a “maze” of interconnected formal and shadow institutions, feeding into state-linked cyberattacks involving the People’s Liberation Army (PLA), the Ministry of State Security (MSS), and the Ministry of Public Security. A US Homeland Security report from February 2025 documents 224 Chinese cyber espionage incidents targeting the US, with over 60 directly linked to the Chinese Communist Party.
China’s state-linked cyber operations connect to its desire for technological dominance, aiming to lead innovation in critical sectors like artificial intelligence, 5G infrastructure, and quantum computing while reducing dependence on foreign technology. This ambition, articulated in platforms such as Made in China 2025 and the 14th Five-Year Plan, drives a geopolitical rivalry to counter Western cyber hegemony and maintain domestic stability. Experiences during the “century of humiliation” (1840-1949) have shaped Beijing’s strategic vision, providing a justifying narrative that emphasises technological self-reliance and cybersecurity.
China’s cyberattacks involve coordinated efforts to advance its geopolitical, economic, and military interests, reflecting a goal of reducing Western influence through asymmetric advantage. The US Treasury breach (2024), a suspected Chinese state-sponsored attack, for instance, compromised several agencies, showing Chinese interest in accessing strategic intelligence. Salt Typhoon (2022-23), China’s MSS-backed cyber group, infiltrated telecommunication providers across the US, Europe, and Asia, using the JumbledPath backdoor to monitor network traffic and capture sensitive data. Volt Typhoon (2023) targeted US critical infrastructure, particularly in Guam, including the energy, water, and transportation sectors, using Living off the Land techniques and credential dumping to maintain persistent access for future disruption.
Chinese cyberattacks serve a strategic role, advancing the Party’s geopolitical and military objectives through cyberespionage (gathering sensitive data), intellectual property theft for economic dominance, and the deployment of malware (as outlined in Table 1 below) to disrupt critical infrastructure, capabilities that Rush Doshi has identified as central to Beijing’s asymmetric warfare strategy. Doshi’s testimony before the US Homeland Security committee on 5 March 2025 stated:
The Chinese Communist Party is a nationalist political party dedicated to the goal of national rejuvenation after what it perceives as a “century of humiliation” at the hands of imperial powers. Related to that objective, the PRC has a grand strategy to displace the U.S.-led order. It seeks to “catch up and surpass” the U.S. technologically; to make the world dependent on China’s supply chains economically; and to acquire the capability to defeat U.S. forces militarily.
China’s cyber strategy has evolved from espionage to a multifaceted campaign weaponising the geopolitical, economic, and ideological vulnerabilities of the target state. This shift, documented in Graphika’s 110-page analysis, reflects Beijing’s strategic adaptation to US countermeasures such as the ban on Huawei and the CHIPS Act. Cyber operations target not only critical infrastructure (as outlined in Table 1) but also democratic institutions, to erode trust in governance and amplify societal divisions.
AI-enabled cyberattacks have advanced, leading to complex cyber intrusions focusing on cloud-stored data for remote and real-time access. According to the CrowdStrike 2025 Global Threat Report, cyberattacks from state-sponsored Chinese groups increased by 150 percent in 2023, with a 300 percent rise in AI use for identity theft and social engineering in 2024.
Beijing’s cyber maze includes state-sponsored hacking groups and Advanced Persistent Threat (APT) actors. These groups target US elections, critical infrastructure, government officials, industries, and the pharmaceutical sector.
| S.N. | China’s state-sponsored intelligence group | Target against the US |
|---|---|---|
| 1. | APT 31 [Zirconium] | Linked with China’s Ministry of State Security; targets US government officials |
| 2. | APT 41 [Winnti Group] | Accused of stealing $10 million of US COVID-19 relief funds |
| 3. | Salt Typhoon | Targeted the US telecommunication sector |
| 4. | APT 1 | Associated with PLA Unit 61398; targets US industries |
| 5. | STORM-0558 | Targeted the official accounts of US officials |
| 6. | Volt Typhoon | Targets US critical infrastructure |
| 7. | APT 27 [Silk Typhoon] | Hacked US state governments |
| 8. | BACKDOORDIPLOMACY | Hacked the US cybersecurity firm Palo Alto Networks |

Table 1: China-based APT groups involved in cyberattacks against the United States. Source: compiled by the author from various sources.
US challenges and prospects
As of 5 March 2025, the US Department of Justice (DoJ) has indicted twelve Chinese nationals for participation in APT 27 cyber espionage activities. On 25 March 2024, a further seven Chinese individuals were indicted for their involvement with APT 31 in sending 10,000 phishing emails targeting US government officials, as well as aerospace, defence, and telecommunication companies. DoJ records (2018-2021) show that 80 percent of espionage cases involved the theft of trade secrets, intellectual property, or economic espionage. This trend has been emerging since 2021. While DoJ data reflect only prosecutable incidents, the normalisation of such activity is shown by state-aligned actors’ adoption of AI-driven tactics, as the CrowdStrike report documents. These evolving tactics are not merely technologically advanced but reflect a broader systemic shift in how states orchestrate cyber-enabled espionage.
China’s “hack-to-hire network”, for instance, refers to a state-coordinated ecosystem that recruits, trains, and deploys cybersecurity talent for domestic cyber control. This system operates through a network of private companies (e.g., Qihoo 360, Tencent), state-sponsored hacking competitions (e.g., Tianfu Cup), academic institutions (e.g., PLA Information Engineering University), and bureaucratic entities (e.g., the Ministry of State Security). Through it, the Chinese government conducts surveillance, reconnaissance, and suppression of dissent to uphold Communist Party rule. The US Department of Justice, for instance, has charged the Chinese company I-soon, Heiying Information Technology, with collaborating with state intelligence agencies and harvesting user data to further China’s cyber espionage objectives.
Navigating the Cyber Maze
Rush Doshi advocates developing reciprocal offensive cyber capabilities as a deterrent, arguing that adversaries are less likely to escalate if they expect proportional retaliation. Deterrence, however, depends on restraint: if retaliation deters, it limits escalation by imposing calculable risks on adversaries. This logic reinforces Doshi’s emphasis on reciprocity. Yet cyber conflict complicates the equation. Unlike conventional warfare, cyberattacks are often anonymised through third parties, making attribution and proportional retaliation fraught. Retaliating against proxy actors risks escalating cyber conflicts with the potential for severe collateral damage; given the unpredictable nature of cyberattacks, tit-for-tat may not be wise. Instead, pursuing cooperation, information sharing, and proactive measures is necessary.
Here lies the tension between Doshi’s framework and the Cyber Maze. While Doshi aligns with deterrence theory’s emphasis on reciprocity, the Cyber Maze focuses on unpredictability and adaptability in the face of Chinese cyberattacks. Rather than direct retaliation, the Cyber Maze advocates multi-layered risk management. A wise approach combines cooperation, information sharing, and a proactive “Hunt Forward” cybersecurity strategy that gathers intelligence on adversary tactics, techniques, and procedures, while channelling responses into de-escalatory measures (sanctions, attribution, shaming) and enhancing systemic resilience through strategic alliances, norms, and negotiations to mitigate unintended consequences.
Nistha Kumari Singh is a doctoral candidate and TMA Pai Fellow in the Department of Geopolitics and International Relations, Manipal Institute of Social Sciences, Humanities and Arts, Manipal Academy of Higher Education (Institution of Eminence), Manipal, India. nisthakumarisingh@gmail.com
This article is published under a Creative Commons License and may be republished with attribution.