The Trump Administration’s Cyber Strategy Fundamentally Misunderstands China’s Threat
The adoption of an offense-first strategy is a dangerous miscalculation. It will not diminish Beijing’s campaigns, and it coincides with a significant deterioration of cyber defenses that have kept U.S. networks and Americans safe.

By Matthew Ferren, International Affairs Fellow in National Security, sponsored by Janine and J. Tomilson Hill
Matthew Ferren is an international affairs fellow in national security, sponsored by Janine and J. Tomilson Hill, at the Council on Foreign Relations. He coauthored the 2023 National Cybersecurity Strategy and the 2024 Report on the Cybersecurity Posture of the United States.
Against a steady drumbeat of ransomware attacks, data breaches, and sophisticated intrusions, President Donald Trump’s administration is preparing to release a new national cybersecurity strategy this month centered on offensive cyber operations. Senior officials have repeatedly emphasized hitting back at the hackers and nation-states who have compromised U.S. networks with seeming impunity. If early signals are any indication, the strategy will treat offense as the primary solution to the United States’ cybersecurity challenges.
Meanwhile, the administration has weakened the foundations of U.S. cyber defenses. The Cybersecurity and Infrastructure Security Agency (CISA) has seen its budget reduced and staffing slashed, and the agency still lacks a Senate-confirmed director. Similar cuts have affected cyber defense offices across federal agencies, and the administration is rolling back cybersecurity requirements for critical infrastructure operators.
This combination—more offense, less defense—reflects a seductive logic: why play defense when you can take the fight to the enemy? But against China, now the most active and persistent cyber threat to U.S. networks, an offense-first strategy is a dangerous miscalculation. Cyber operations cannot stop or even substantially diminish Beijing’s campaigns. Doubling down on offense while neglecting defense will leave the United States more vulnerable, not less.
The allure of cyber offense
Since 2018, the Pentagon has pursued an increasingly proactive approach to cyberspace competition under the doctrine of “persistent engagement.” Instead of waiting for attacks to reach U.S. networks, U.S. Cyber Command would disrupt malicious activity at its source—dismantling adversary infrastructure, degrading their tools, and frustrating operations before execution. Disrupt enough infrastructure, burn enough access, keep attackers perpetually off balance, and eventually you neutralize the threat.
Successive administrations have empowered Cyber Command with expanded authorities, streamlined approvals, and increased resources to do exactly this. This paradigm has produced genuine successes. Cyber Command has dismantled ISIS’s online propaganda infrastructure, countered Russian election interference, and disrupted ransomware groups.
For policymakers, cyber operations offer an attractive alternative to harder choices: they appear to punish adversaries without requiring difficult legislative battles over cybersecurity regulations, expensive infrastructure investments, or escalation beyond cyberspace. But what works against terrorist propagandists and criminal networks will not work against China.
Why China is different
China’s cyber apparatus operates at unprecedented scale. Under President Xi Jinping, Beijing has modernized its military and intelligence cyber units while building a vast support ecosystem of private contractors, universities, and technology firms that provide infrastructure, capabilities, and operational assistance.
Cyber operations serve Beijing’s core national interests. Cyber-enabled espionage advances technological self-sufficiency by acquiring intellectual property. Surveillance and influence campaigns support political control at home and abroad. And critically, China is pre-positioning for crisis and conflict—establishing persistent access to critical infrastructure and military networks that could constrain U.S. decision-making in a future confrontation.
Recent campaigns by Chinese state-sponsored actors, including Salt Typhoon’s penetration of global telecommunications networks and Volt Typhoon’s infiltration of U.S. infrastructure, underscore that China is now a peer competitor in cyberspace. Beijing’s operators are ever-present, able to exploit the smallest vulnerability to achieve broad network access, and highly resilient to disruption. Aging, poorly defended U.S. networks are filled with vulnerabilities that China’s sprawling cyber apparatus is purpose-built to find and exploit. Faced with a threat of this magnitude, the instinct to match China’s offensive capabilities and take the fight to the adversary is understandable—but it will not work.
Disruption won’t stop them
The theory behind persistent engagement is that continuous offensive operations will cumulatively degrade adversary capabilities. But against China, this logic breaks down.
Start with the target. Every cyber operation depends on network access—penetrating adversary systems, establishing presence at a useful location, and maintaining that foothold long enough to develop and deliver tailored effects. Against China, access is scarce. Beijing has invested in layered defenses: the Great Firewall filters cross-border traffic and blocks suspicious activity, strict laws mandate security controls for network operators, and indigenized technology supply chains reduce foreign penetration opportunities. There are no system-agnostic “cyber missiles”; each operation requires painstaking intelligence collection and capability development against specific targets. Scaling up operations against China will be far easier said than done.
Then consider China’s resilience. China’s distributed ecosystem can reconstitute faster than U.S. operators can disrupt it. Dismantle one threat group’s infrastructure, and operations simply shift to another provider. Expose one contractor, and dozens more remain. The result is an endless cycle of temporary takedowns that consumes finite resources while leaving the underlying threat unchanged.
The administration will likely tout artificial intelligence (AI) and expanded private sector involvement as force multipliers that can overcome these constraints. Neither is a silver bullet. AI tools show promise for vulnerability discovery but cut both ways—they also augment defenders, and China is investing heavily in the same technologies. Private firms already contribute through vulnerability research and intelligence support, but deeper involvement introduces coordination challenges without altering the structural dynamics that limit what offense can achieve.
Deterrence won’t change behavior
If disruption cannot degrade China’s capabilities, perhaps offensive operations can deter Beijing from malicious activity by threatening retaliation? This is the logic behind the rhetoric about “imposing costs” and “demonstrating resolve.” But deterrence faces even worse odds.
China uses cyber operations to advance interests it considers non-negotiable. Espionage enables technological self-sufficiency. Pre-positioning prepares for wartime contingencies. Beijing will not abandon these activities because the stakes are too high—they are integral to China’s vision of national rejuvenation and its strategy for competing with the United States.
Even setting that aside, the United States has laid none of the groundwork that deterrence requires. Washington has attempted to draw red lines—around intellectual property theft in 2015, and more recently around pre-positioning on civilian critical infrastructure—but neither boundary has held. The reason is simple: changing Chinese behavior would require consequences beyond cyberspace, such as economic sanctions, export controls, or restrictions on market access.
Yet there is little evidence U.S. leaders are willing to escalate across domains in response to cyber intrusions. Indictments and sanctions against front companies signal disapproval but impose no meaningful cost. The reality is that both policymakers and the public broadly tolerate ongoing cyber competition, rhetoric notwithstanding. Beijing knows this. Cyber-on-cyber deterrence is an illusion.
The cost to military readiness
Even if one believes disruption is worth attempting despite the long odds—better to try than cede the field—an offense-first strategy imposes costs that rarely enter the policy debate. Overemphasizing peacetime disruption campaigns diverts resources and attention from preparing cyber forces for their role in high-intensity conflict.
Cyber effects are becoming a fixture of modern military operations—but not as standalone, decisive capabilities. In Ukraine, they have proven most valuable when synchronized with kinetic strikes, electronic warfare, and intelligence operations. In the recent U.S. operation to capture Venezuelan leader Nicolás Maduro, Cyber Command reportedly helped “create a pathway” for special forces by layering effects with other capabilities—including, according to Trump, blacking out much of the capital, Caracas. These cases point in the same direction: cyber functions best as an enabler of conventional operations, not a substitute for them.
Achieving this integration, however, requires specialized preparation—planning processes, joint exercises, and capabilities tailored to military targets. Years of emphasis on standalone disruption campaigns have not built these muscles. Cyber Command has struggled to generate enough trained forces even for its current mission set, fueling debate about whether a separate cyber service is needed. Piling on peacetime operational demands diverts attention from the harder work of preparing for high-end conflict.
Beijing, meanwhile, is preparing for exactly this kind of fight. The People’s Liberation Army (PLA) has developed a doctrine to integrate cyber effects with kinetic operations from the outset of a conflict. Its pre-positioning campaigns are preparation for wartime missions aimed at disrupting U.S. command and control and delaying force deployment.
The way forward
If offense cannot solve the China problem, what can? Simply put: defense.
American prosperity depends on digitally interconnected systems, and Chinese cyber campaigns will continue regardless of U.S. offensive operations. The goal must be to prevent them from causing systemic harm. The United States’ endemic cyber vulnerabilities represent a market failure that government action is required to fix. The Trump administration is unlikely to pursue new cybersecurity regulations, but they remain the right answer. Minimum requirements for critical infrastructure, harmonized across sectors, would benefit everyone. The United States should also leverage its structural advantages—including leading technology companies, influence over internet governance, capacity to shape global standards—to embed security across the digital ecosystem.
The Department of Defense, meanwhile, should ensure its cyber forces are prepared for high-intensity conflict with a peer adversary. This means hardening critical command and control systems, weapons platforms, and logistics networks against adversary disruption. It means integrating cyber effects with joint operations through embedded planners, realistic exercises, and doctrine that treats cyber as an organic capability rather than a standalone tool.
Most importantly, the United States must demonstrate to PLA planners that cyber operations cannot achieve their objectives. If China believes pre-positioned access could paralyze U.S. power projection or undermine U.S. political will during a Taiwan crisis, it could calculate that a fait accompli is achievable. Denying China that confidence could do more to prevent conflict than any offensive campaign.
Accepting reality
None of this means abandoning offensive cyber operations entirely. They retain utility against ransomware groups, for protecting time-bound events like elections, and for supporting intelligence collection. But they cannot compel China to stop activities Beijing considers essential to national security.
U.S. policymakers face a choice: invest in defenses that limit damage from intrusions or accept persistent compromise as the price of digital interdependence. There is no third option where offense solves the problem. The forthcoming national cybersecurity strategy promises exactly that nonexistent option. It will fail—and the United States will be less secure because of it.
This work represents the views and opinions solely of the author. The Council on Foreign Relations is an independent, nonpartisan membership organization, think tank, and publisher, and takes no institutional positions on matters of policy.
