The crisis brewing between China and Taiwan has involved strident Chinese threats and warnings, military exercises (including firing nearly a dozen missiles toward Taiwanese-controlled waters), and China’s suspension of talks with the United States. Even if China is not seeking to use the current situation as a pretext to justify an invasion of the island, there is the risk that miscalculations or accidents could cause the situation to escalate along a dangerous trajectory.
But what about the cyber dimension of this crisis? Some experts have warned that international crises are fertile ground for cyber escalation and caution that the dangers are growing. Nevertheless, there is limited evidence that cyber operations lead to escalation (especially above a use of force threshold). Therefore, the present China-Taiwan situation may provide yet another case to evaluate the role of cyberspace in crisis stability. What does the evidence reveal?
First, there has been minimal cyber activity amounting to only a handful of publicly-identified incidents. These have largely comprised distributed denial of service (DDoS) attacks against government websites, including the Defense Ministry, Office of the President, Foreign Ministry, and the Taoyuan International Airport. In general, DDoS attacks are relatively unsophisticated and are more of a nuisance than anything else, causing temporary disruptions in service. Additionally, it’s not even clear whether the Chinese government is responsible–either directly or indirectly.
Second, researchers have identified Chinese-linked cyber-enabled information operations. A recent Mandiant report identifies a new Chinese information operation campaign, which includes disseminating content related to the current crisis. During the week of House Speaker Nancy Pelosi’s recent visit to Taiwan, websites and even 7/11 television screens were hacked to display sentiments like “Warmonger Pelosi, get out of Taiwan!" and false claims, such as Chinese fighter jets having crossed into Taiwanese airspace.
Finally, while cyber espionage campaigns can be difficult to uncover (by definition, they are meant to be secret), some experts believe that such operations are underway. John Hultquist, Mandiant’s vice president of intelligence analysis, anticipates Chinese cyber espionage will kick into “overdrive” as Beijing seeks to learn more about Taiwan and U.S. positions on this crisis.
China’s current cyber operations in Taiwan are largely consistent with its past behavior. According to the Dyadic Cyber Incident and Campaign Data (DCID), which categorizes state-sponsored cyber activity between 2000-2020, there have been thirteen recorded cyber events between China and Taiwan, twelve of which were initiated by China. Of those, eight were launched for espionage, consistent with what research has shown about China’s proclivity to conduct cyber espionage operations against its rivals. And of the 115 cyber incidents overall that have been attributed to China, 79 percent were launched for espionage purposes. The remaining four cyber incidents targeting Taiwan were for disruption (such as DDoS campaigns). Altogether, none of the twelve recorded cyber incidents were so severe they resulted in physical damage.
It’s also noteworthy that one third of China’s past cyber operations targeting Taiwanese entities also had an information operations component. 2018 was reportedly a turning point in China’s investment in digital information campaigns. Disinformation had a strong presence in the 2018 and 2020 elections in Taiwan. A few months ago, Taiwanese President Tsai Ing-wen described China’s information assault against Taiwan as “cognitive warfare tactics.”
What does this suggest about the role of cyberspace in international crises? As of this writing, the available evidence about the current China-Taiwan situation parallels what prior research has demonstrated: that cyber operations are poor tools of coercion and are unlikely to cause escalation. Instead, states can gain an advantage over rivals through exploiting the unique aspects of cyberspace–its capacity to shape and manipulate perception (through information operations) and to gain an information advantage (through espionage).
Put simply, if China seeks to demonstrate resolve in this crisis, cyber operations are not the best tool to do so. The small scale of China’s recent disruptive cyber operations against Taiwan–especially when compared to live-fire military exercises–reflects this reasoning. China may also be reluctant to conduct more sophisticated and costly cyberattacks that could burn critical accesses enabling ongoing cyber espionage campaigns or potential cyber operations during a future warfighting scenario.
The nuisance cyber activity could also be a way for China to convey some form of restraint or act as an accommodative signal. This form of signaling can allow states to be perceived as “doing something” while avoiding exacerbating a crisis–especially when under domestic political pressure to take a more hawkish stance. While China has conducted exercises in Taiwan’s air defense identification zone and in waters around Taiwan, the cyberattacks are the only direct offensive effects carried out against Taiwanese infrastructure so far (with negligible impact). Of course, without more evidence caution is warranted when discerning the intent behind cyber behavior.
Overall, this should assuage concerns about cyber activity exacerbating the broader crisis. But what if things change? As experts have noted, the situation is dynamic and China could launch more significant cyberattacks against Taiwan. Indeed, Tsai stated on Friday that government agencies are ramping up security efforts and are “ready to respond as necessary.” While it is far more likely that military moves in the physical, rather than digital, environment would increase the chances of crisis escalation, there are two types of Chinese cyber actions that would be a cause for concern.
First, if significant cyberattacks against Taiwanese civilian critical infrastructure were observed–especially attacks directly linked to the Chinese government–this would represent a significant escalation of the crisis. In general (with a few exceptions), major cyber powers have tended to avoid these cyberattacks. China has exhibited discretion in this area, although Beijing’s risk appetite may be changing.
Second, Chinese military strategy defines an important role for cyber operations early on in a conventional conflict, either preemptively or in response to being attacked, particularly in a contest with a technologically superior adversary (such as the United States). Therefore, cyberattacks that look like a precursor to a conventional assault, such as cyberattacks that disrupt or degrade adversary military assets (e.g., command and control, communications, intelligence, or surveillance) could be an early warning of an impending invasion of Taiwan. That said, even in these circumstances, it will be imperative for policymakers to avoid jumping to conclusions about Chinese intent based on behavior in cyberspace alone, absent other corroborating and credible intelligence.
Erica D. Lonergan (nee Borghard) is an Assistant Professor in the Army Cyber Institute at West Point. She is also an Adjunct Research Scholar in the Saltzman Institute of War and Peace Studies and the School of International and Public Affairs at Columbia University.
Grace B. Mueller is a Postdoctoral Fellow at the Army Cyber Institute at West Point. She is also an Adjunct Lecturer in the Department of Political Science at Southern Methodist University.
The views expressed are personal and do not reflect the policy or position of any U.S. government entity or organization.