In a Crisis, Could China Coerce Taiwan Through Cyberspace?

It’s important to understand China’s approach to offensive cyber operations in a potential Taiwan Strait crisis falling below the threshold of war.

On January 31, FBI Director Christopher Wray testified to Congress that China’s cyber actors are positioning to “wreak havoc” against U.S. critical infrastructure, likely to prevent the United States from aiding Taiwan in the event of conflict. Security analysts suggest that in a “short, sharp war” against Taiwan, China’s cyber forces would decapitate command and control systems, target Taiwanese morale with influence operations, and establish information dominance over the Taiwanese military. 

However, policymakers must also remember that cross-strait flashpoints are more likely to manifest as coercive crises below the threshold of war. By understanding China’s approach to cyber coercion in such crises, the United States and Taiwan can avoid surrendering leverage to Beijing both in standalone crises and in the buildup to a potential live conflict.

Chinese cyber actors leveraged offensive cyber operations (OCOs) in the “Fourth Taiwan Strait Crisis,” following then-U.S. Speaker of the House Nancy Pelosi’s 2022 visit to Taipei. In addition to its public threats, military exercises, and sanctions, China defaced public screens and launched distributed denial-of-service (DDoS) attacks against Taiwanese military networks. Taiwan experiences millions of cyberattacks every day, most notably for data theft and espionage purposes, and Chinese cyber-enabled disinformation campaigns will only become more disruptive as Beijing grows more anxious about Taiwan’s political trajectory.

Given the asymmetry in resources and numbers between Chinese attackers and Taiwanese defenders, many assume China could easily coerce Taiwan through cyberspace in a crisis. In reality, however, several operational and strategic factors currently prevent Beijing from successfully doing so. By understanding the forces undermining Chinese cyber coercion, policymakers can help ensure Taiwan remains resilient to coercion during crises.

China’s Approach to Coercion in Cyberspace

During the Third Taiwan Strait Crisis in 1996 and the aftermath of the Belgrade embassy bombing in 1999, China found the threat of its military insufficient and the threat of its nuclear arsenal non-credible. To compensate, Beijing pursued cyber forces to overcome its leverage deficits in crisis bargaining with the United States. Since 2004, People’s Liberation Army (PLA) texts have argued that cyberattacks on communications infrastructure would allow China to destroy military and civilian morale, and “achieve the goal of winning without fighting.”

Under Xi Jinping, Beijing has adopted a controlled escalation cyber force posture to protect its increasingly digital society from unintended cyber escalation, and to protect the Chinese Communist Party from threats to its rule. China’s cyber forces are tightly controlled and rarely conduct major effects-based operations (operations with immediate impacts on the availability or integrity of systems and hardware). During a future Taiwan Strait crisis, Chinese authorities will again task their cyber forces with providing a powerful but carefully limited complement to the economic and military coercion of recent cross-strait flashpoints.

Why Cyberspace Will Play a Larger Role in Cross-Strait Crises

Beijing is likely to increasingly favor OCOs against Taiwan for three reasons. First, cyberattacks have the ability to bypass militaries and target civilians directly, making them a powerful option for punishment should Beijing perceive the island as moving toward de jure independence. Second, a major cyberattack that punishes civilians could put new pressure on Taiwan’s ruling Democratic Progressive Party (DPP), which Chinese influence operations failed to unseat in the January 2024 presidential election.

Third, and perhaps most importantly, China has every major advantage over Taiwan’s cyber defenders. Taiwan’s military cyber force, the Information Communication Electronic Force Command (ICEF), is still struggling to stand on its own. Several of the Western firms supporting Ukraine’s cyber resilience may be more hesitant to support Taiwan’s cyber defenses for fear of losing access to the Chinese market. 

Most concerningly, the most labor-intensive steps of an offensive cyber campaign – exploitation and maintaining persistence in enemy systems – are already complete in Taiwan. China is a preeminent force in cyber espionage, and likely has access to many major Taiwanese networks. Drawing on China’s considerable human intelligence assets in Taiwan, the Ministry of State Security or the PLA Strategic Support Force could position a debilitating attack on a critical network while allowing Beijing to hide behind the plausible deniability endemic to attacks in cyberspace.

A major attack on critical infrastructure could punish civilians and erode confidence in Taiwan’s government and military in a way PLA exercises and sanctions cannot. However, even after decades of searching for leverage in cyberspace, it is still unknown if China’s OCO capabilities have the ability to help further Beijing’s coercive efforts in a crisis.

Can China Actually Coerce Taiwan Through Cyberspace?

While Chinese defense scholars have placed faith in the theoretical coercive power of cyberattacks for decades, empirical data suggests OCOs are poorer tools for coercion than the PLA believes. Chinese cyber forces, constrained by a lack of operational experience, the innate limits of effects operations, and their own force posture, will likely continue to fail to coerce Taiwan during future crises.

Daniel Moore noted that while Chinese cyber actors are preeminent leaders in espionage, they lack “discernable offensive experience.” The effects operations that China has launched have often been powerful (such as its massive 2015 DDoS attack against GitHub) and their OCO capabilities are undeniably improving, but Chinese OCOs have not yet shown the operational sophistication and bespoke malware of Russian or U.S. effects operations, which have degraded or destroyed physical infrastructure on multiple occasions. China also reportedly faces a shortage of experienced cyber personnel, meaning that Chinese cyber forces lack institutional knowledge and a diverse offensive toolkit.

Most importantly, China will likely struggle to do enough damage with cyberattacks to affect Taiwan’s political decision making. In 2015, Russian hacking group Sandworm’s sophisticated and then-unprecedented hack of Ukraine’s power grid only affected around 0.5 percent of Ukraine for between one and six hours. Even after Russia’s 2022 invasion, Russian OCOs have failed to do major damage to Ukraine’s critical infrastructure. Taiwanese defenders are also highly aware of the cyber threat to critical infrastructure and are devoting resources to hardening vital networks. While China may be hiding the capability for more devastating attacks (or even preparing the operational environment for such attacks), the friction inherent to cyberattacks means that China can never be certain of its ability to affect Taiwan’s critical infrastructure on demand.

Should Beijing take issue with the incoming Lai Ching-te government in Taipei and order a campaign of coercive punishment against his government or supporters, there is a sizable chance that a Chinese commander could give the order to execute malware in Taiwanese critical infrastructure and that nothing would happen. Critically, issues with detection and attribution endemic to highly secretive OCOs mean that even a successful attack would be difficult to immediately understand and easy for Taipei to overlook in its crisis policymaking. Given the importance of signaling and timeliness in crisis response, the unreliable nature of OCOs fundamentally limits their use during transient crises like the one witnessed in 2022.

Finally, launching an attack devastating enough to affect Taiwanese decision-making in a crisis scenario short of war contravenes China’s controlled escalation cyber force posture. This posture avoids major effects operations of the magnitude required for coercion in order to “smother the risk of autonomous escalation.” Under controlled escalation, cyber coercion is more likely to be a series of small attacks of growing intensity than a barrage of devastating ones all at once, allowing Taiwan and its partners time to respond.

Every OCO exists in tension with espionage interests, and while China’s cyber actors are certainly lurking in Taiwanese systems for an eventual “time to strike,” a conservative Beijing may hesitate to sacrifice access to critical networks for any crisis below the threshold of war. For now, cyberattacks remain too insufficient, too unreliable, and (to Beijing) too volatile a tool to effectively coerce Taiwan during a crisis.

Toward Preventing Cross-Strait Cyber Coercion

While Chinese cyber actors undoubtedly pose a grave threat to Taiwanese networks, coercive offensive cyber operations will continue to fail to affect policymaking in Taipei during crises. Thanks to the confounding variables of inexperience, unreliability, and posture, China’s offensive cyber capabilities will likely remain in the shadow of levers like brinkmanship and economic threats during crises. 

It must be noted, however, that Chinese cyber espionage and cyber-enabled influence operations lie outside the scope of traditional coercion literature, meaning that both have the potential to facilitate Chinese cyber coercion of Taiwan. Both will demand increasing attention from Taipei in the years to come, but while network intrusions are addressed in the portfolio of Taiwan’s Ministry of Digital Affairs, influence operations are not.

Policymakers should approach Taiwan’s cybersecurity with the goal of denying China the leverage it seeks during crises, in addition to the traditional goals of protecting data and developing wartime resilience. While China is unlikely to successfully coerce Taipei through cyberspace in the next Taiwan Strait crisis, it is incumbent on policymakers to ensure that this remains the case. If Chinese cyber force maturation continues to outstrip Taiwanese defensive efforts, Taiwan may yet find itself increasingly vulnerable to a major attack that changes the course of its political future.