Morgan Peirce, Just Security (A Forum on Law, Rights, and U.S. National Security), https://www.justsecurity.org/author/peircemorgan/

America’s Cyber Retreat Is Undermining Indo-Pacific Security
https://www.justsecurity.org/126607/us-indopacific-china-cybersecurity/?utm_source=rss&utm_medium=rss&utm_campaign=us-indopacific-china-cybersecurity
Mon, 22 Dec 2025 15:00:54 +0000

A "Cyber Shield" would enable the United States and its Indo-Pacific allies to attribute quickly, act collectively, and stem Beijing’s cyber coercion.

The post America’s Cyber Retreat Is Undermining Indo-Pacific Security appeared first on Just Security.

On Dec. 3, the White House backed away from sanctioning China’s spy agency, the Ministry of State Security (MSS), that carried out one of the most extensive hacking campaigns in U.S. history against critical infrastructure. The administration reportedly halted these sanctions to preserve a trade truce that U.S. President Donald Trump and Chinese General Secretary Xi Jinping struck at the Busan summit in October.

This sends the wrong message to Beijing, as well as to U.S. allies in the Indo-Pacific caught in China’s cyber crosshairs. Trump’s new National Security Strategy (NSS) explicitly calls for burden-sharing, arguing that allies must “assume primary responsibility for their regions,” while the United States serves as a “convener and supporter” in regional defense. Backing away from sanctions after a major China-linked hacking campaign undercuts that logic: burden-sharing collapses if the United States is not willing to bear economic or political costs itself. If the world’s largest economy will not confront China’s cyber operations, how can it credibly ask Indo-Pacific allies — who have far less leverage over Beijing — to step up?

There is still time to recalibrate. To counter Beijing’s cyberattacks and operationalize burden-sharing, the United States must use its unique leverage to impose costs on China while enabling Indo-Pacific allies to lead cyber defense in the region.

Beijing Exploits Cyber Weakness Across the Indo-Pacific

The U.S. intelligence community identifies China as the most persistent and active cyber threat to U.S. networks. In 2024, the Chinese state-sponsored hacking group Salt Typhoon carried out one of the most severe breaches of U.S. telecommunications companies. Just weeks before Trump met with Xi in October, the United States uncovered another major China state-backed cyber intrusion of the cybersecurity vendor F5, triggering an emergency directive from the lead U.S. cyber agency. Yet the cyber threat to Washington extends far beyond the homeland. China’s cyber operations have already infiltrated networks supporting U.S. forward-deployed forces across the Indo-Pacific, targeted export controls on critical technologies, and spread disinformation campaigns designed to erode trust in U.S. alliances.

U.S. regional partners also bear the full brunt of Beijing’s cyber coercion. In Taiwan alone, China-linked hackers target critical infrastructure and government networks roughly 2.8 million times a day — a 17 percent jump from last year. Over the past five years, Chinese hacking groups have targeted Japan’s national security and critical technology data over 200 times.

Indo-Pacific cyber defenses are not keeping pace with threats from China. The region is experiencing rapid digitalization — often without matching investments in cybersecurity. In Southeast Asia alone, the digital economy could reach up to $1 trillion in gross merchandise value by 2030. This surge in connectivity is fueling growth, but it also expands the attack surfaces that state-backed hackers, and other malign cyber actors, can exploit — underscoring the urgent need for collective investments in cyber defenses.

The lack of cybersecurity personnel in the region emboldens Beijing’s hackers. When breaches occur, scant cyber workforces struggle to root out China’s hostile activity. Identifying the attackers takes weeks — if it happens at all — and allied cyber defense resources often arrive after the damage is done. The numbers are stark. There are only around 200 highly certified cybersecurity professionals in the Philippines, and Japan’s cyber workforce shortfall nearly doubled between 2022 and 2023. At the same time, China operates a hacking program larger than that of every major country combined.

Beijing’s economic leverage is also blunting efforts to counter China’s cyber operations. For example, the Philippines made no official attribution statement against its largest trading partner, China, when Beijing-backed attackers infiltrated the government and stole sensitive military data earlier this year. The same story plays out in South Korea, Japan, and Taiwan — leaders condemn cyber espionage in vague terms but hesitate to call out Beijing specifically when trade is on the line.

To counter Beijing’s cyber operations across the Indo-Pacific, Washington should lead its treaty allies in building a new “Cyber Shield” for the region. In this proposed framework, Washington would provide strategic capacity-building resources while allies commit to measurable investments in their own cyber defenses — enabling greater regional integration and capability to defend against cyber threats. This framework would also define options for a collective response to move away from ineffective, ad hoc reactions that only embolden China.

Toward an Indo-Pacific Cyber Shield

While an Indo-Pacific Cyber Shield will not stop Beijing’s cyber aggression, it will certainly raise the cost for China. The recommendations below operationalize the proposed Cyber Shield across three pillars — joint resolve, joint resources, and joint response.

Joint Resolve

Countering Beijing’s cyber operations starts with conveying the joint resolve of the United States and its Indo-Pacific allies. Washington and its regional partners should issue a joint statement condemning China’s cyber activity and commit to a significant collective response if Beijing’s cyber operations continue. Such a statement would undercut Beijing’s denials of its cyber operations. It would also help signal resolve and bolster awareness by publicly highlighting Beijing’s hostile cyber operations. A joint advisory — issued by the FBI and European allies in August — offers a model to replicate. The United States and its allies should increase the cadence of these alerts following major China-backed infiltrations.

Joint Resources

Increasing joint cyber defense capabilities will be the most critical component of countering China’s cyber aggression. To operationalize the Cyber Shield, U.S. capacity-building resources should scale with greater partner investments in cyber defenses. This reflects the National Security Strategy’s burden-sharing model in practice. Regional allies must improve the technical capacity to identify evidence of Chinese hacking when a breach occurs, quickly patch vulnerabilities, and bolster the resilience of critical networks to thwart future intrusions. The United States is making important progress on cyber defense capacity building in the region. U.S. Cyber Command has deployed more than 85 times to over 30 countries in partner-enabled missions to hunt for hostile activity on networks. The U.S. Cybersecurity and Infrastructure Security Agency has also conducted several capacity-building exercises, including with Japan in 2024 on maritime cybersecurity.

For their part, Indo-Pacific allies and partners participate in multiple U.S.-led military exercises that have a cyber component, including the annual Cyber Flag exercise hosted by the U.S. Cyber Command. The United States has also prioritized negotiating an intelligence sharing agreement with the Philippines, and both countries approved a major intelligence sharing upgrade in 2024. The United States should leverage these engagements to share cyber threat intelligence and provide a clear roadmap for how allies can receive greater cyber defense support from Washington.

Critically, U.S. allies in the Indo-Pacific need to invest in their own cyber defenses. In exchange for access to U.S. cyber defense resources and information, allies should modernize military and intelligence cyber capabilities, upgrade and strengthen intelligence systems, and provide a clear legal pathway for U.S. Hunt Forward operations — defensive operations conducted by U.S. Cyber Command at the request of a host nation — to root out hostile activity on partner networks. Most importantly, allies should remove insecure ICT infrastructure, especially from companies like Huawei and ZTE that pose a significant cyber espionage risk.

Joint Response

If a breach occurs, the United States and its regional allies must be ready to impose costs on Chinese state-backed hackers. In addition to bolstering domestic cyber defenses, the United States should develop a joint escalation ladder with its regional allies outlining a variety of responses to state-backed cyber aggression. The European Union’s Cyber Diplomacy Toolbox shows what a coordinated diplomatic response to malign cyber activity can look like. While U.S. Indo-Pacific allies are not as politically or institutionally integrated as the European Union, the region can apply similar tools while leveraging the multiple existing cyber coordination channels between the United States, Japan, South Korea, and the Philippines.

Legal action is an important but underutilized tool in the cyber context. The United States has indicted China-linked hackers multiple times, including two hackers linked to the Chinese Ministry of State Security in 2018, and employees of i-Soon — a company that carried out cyber operations on behalf of the Chinese government — last March. Indo-Pacific allies are beginning to take similar steps, albeit less frequently. In 2021, for example, Japanese law enforcement investigated a Chinese hacker over alleged involvement in cyberattacks on about 200 companies, including the Japan Aerospace Exploration Agency. The United States should work with Indo-Pacific allies to develop frameworks to prosecute China-linked hacking, especially by threat groups like Salt Typhoon that target both the United States and the Indo-Pacific.

The Cyber Shield framework would also encourage its members to levy economic sanctions against known Chinese cyber threat actors. Despite the reported White House walk-back, the United States has sanctioned China-backed hackers multiple times, including Zhou Shuai, a Shanghai-based cyber actor, last March. Similarly, the United States, Australia, and the United Kingdom jointly issued sanctions against Aleksandr Ermakov, a Russian hacker who breached Australia’s largest private health insurance provider, in January 2024. The United States should coordinate similar sanctions regimes with its Indo-Pacific allies after significant cyberattacks, especially if the threat actor targets multiple allied countries.

Finally, the United States and its regional allies should prepare to respond with offensive cyber operations when necessary and legal to make China-backed hackers pay. Seoul and Tokyo are already honing their offensive cyber capabilities: South Korea’s 2024 National Cybersecurity Strategy calls for intelligence and military agencies to “preemptively and offensively respond to threats,” while Japan’s new active cyber defense legislation authorizes the neutralization of adversary servers. This further aligns Indo-Pacific allies with Washington’s Defend Forward cyber posture, which calls for disrupting adversary cyber threats before they reach domestic networks. The United States should take advantage of this alignment in strategy by prioritizing the development of joint offensive cyber capabilities during military exercises like Cyber Flag.

* * *

Without a new framework to counter China-backed cyber operations in the region, Beijing and other state-backed cyber groups will continue escalating their cyber operations to spy, steal, and sabotage with near impunity. A new Cyber Shield would translate the National Security Strategy’s burden-sharing concept to Indo-Pacific cyber defense, enabling allies to take greater responsibility in countering state-backed cyber threats. A Cyber Shield will not eliminate Beijing’s cyber intrusions, but it will finally enable the United States and its Indo-Pacific allies to act faster, coordinate responses, and impose costs on China.

What It Takes to Stop the Next Salt Typhoon
https://www.justsecurity.org/116896/what-it-takes-stop-next-salt-typhoon/?utm_source=rss&utm_medium=rss&utm_campaign=what-it-takes-stop-next-salt-typhoon
Tue, 15 Jul 2025 12:51:19 +0000

A roadmap for the Trump administration to address cyber vulnerabilities that persist nearly a year after the Salt Typhoon intrusion.

The post What It Takes to Stop the Next Salt Typhoon appeared first on Just Security.

Nearly a year after U.S. agencies identified one of the most severe cyber breaches of U.S. telecommunications companies, domestic cybersecurity is weaker, not stronger. In September 2024, media reports confirmed that Salt Typhoon, a People’s Republic of China (PRC) state-backed cyber group, infiltrated nine major telecommunications providers, compromising data from thousands of users, including U.S. President Donald Trump, Vice President JD Vance, and associates of former Vice President Kamala Harris.

To date, there is no indication that the intrusion has been fully mitigated. Worse, Homeland Security Secretary Kristi Noem recently testified that the administration “still [does not] necessarily know how to stop the next Salt Typhoon.” As Washington dithers, Beijing is wasting no time probing weaknesses in U.S. critical infrastructure. The Trump administration urgently needs a comprehensive cyber defense strategy to raise the cost of intrusions by PRC-backed hackers.

Undermining U.S. Cyber Defenses

The Trump administration claims it is addressing the PRC cyber threat, even as it moves to implement policies that undermine cyber defenses. In January 2025, the Trump administration dismissed all members of the Cyber Safety Review Board (CSRB) before it completed its investigation into Salt Typhoon, hindering the government’s ability to address systemic cybersecurity vulnerabilities that led to the breaches. The CSRB previously consisted of multi-agency and multi-sectoral experts and was established by a 2021 executive order to investigate major cybersecurity incidents. As of July 2025, there is no indication the Trump administration has reconstituted the members of the CSRB. While the Federal Communications Commission announced in March that its new Council on National Security will launch an investigation into PRC-backed hackers, it will not consist of multi-agency or industry experts, and is not expected to release a public after-action report. Similarly, the FBI’s April 2025 announcement of a $10 million reward for information on individuals linked to Salt Typhoon is a welcome but insufficient step to ensure both the government and public understand the factors that led to the large-scale compromises in the telecommunications sector.

These institutional setbacks are now being compounded by proposed budget cuts that would further erode the federal government’s cyber defense capabilities. On May 30, the Trump administration proposed a 17 percent reduction in the Cybersecurity and Infrastructure Security Agency’s (CISA) budget, including nearly 30 percent of the agency’s positions. The White House claims these cuts will remove duplicative efforts and reduce CISA’s role in combating mis- and disinformation, which many Republicans perceive as “off mission.” However, the budget is proposing to cut substantially beyond these areas, jeopardizing core cybersecurity functions of the agency at the front lines of defending against PRC threat actors in civilian critical infrastructure. The FY26 budget request, for example, proposes a $177.4 million cut to CISA’s “Cyber Operations,” including its Threat Hunting team which provides technical support to local governments and critical infrastructure operators facing sophisticated state-backed cyber threats from China, Russia, and Iran. In 2024, the Chairman of the House Homeland Security Committee praised CISA’s Threat Hunting team for saving “millions of Americans” from a series of cyberattacks carried out by Volt Typhoon that sought to compromise critical infrastructure in the communications, energy, transportation systems, and water and wastewater systems sectors.

The proposed budget also reduces CISA’s cyber threat analytical programs that help the United States stay ahead of state-backed cyber groups as their tactics, techniques, and procedures (TTPs) evolve. This includes a $14 million cut to the Joint Cyber Defense Collaborative (JCDC), a hub for cyber threat intelligence and coordinating public-private cyber incident response. The JCDC has helped analyze and share information to identify PRC-backed hacking campaigns that impacted multiple state, local, and tribal territories. The JCDC also helps update the Known Exploited Vulnerabilities catalog, a national cyber vulnerabilities database, and contributes to cybersecurity advisories. Since 2017, CISA has published 23 alerts and advisories that dissect the TTPs of PRC-backed groups like Volt Typhoon and Salt Typhoon. This enables critical infrastructure providers to quickly identify malicious activity and patch vulnerabilities in their networks, even as the capabilities of sophisticated hacking groups change. Cuts to CISA’s threat hunting operations and cyber threat intelligence programs like JCDC will not streamline cybersecurity. Instead, they will dismantle the capabilities most essential to detecting, analyzing, and responding to the PRC’s most dangerous cyber threats.

In addition to budget cuts, several of the Trump administration’s executive orders roll back important cybersecurity measures. A June 6 executive order removed requirements for federal software vendors to submit proof that their products met secure development standards, and eliminated government mechanisms to verify those claims. Without these guardrails, the government will be more vulnerable to state-backed hackers who could exploit insecure software to steal sensitive information or sabotage critical systems at a time of their choosing.

Similarly, the administration’s March 19 executive order calling to review and revise key federal cybersecurity policies with the intent of empowering “state, local, and individual preparedness” risks harming U.S. cyber resilience. While empowering local authorities is important, this order fails to address the fundamental reasons why states and local governments struggle to implement strong cybersecurity: a lack of resources and qualified personnel. The executive order does not propose new federal grant programs or investments to close this gap. Delegating responsibility to under-resourced states without sufficient support will only deepen the disparity in cyber readiness across the country. It will also undermine comprehensive federal responses to national threats like Salt Typhoon that cross state borders.

These decisions undermine essential cyber defenses at a time when critical infrastructure is increasingly vulnerable. Many U.S. critical infrastructure providers struggle to implement basic cyber defense measures due to outdated IT systems, resource constraints, supply chain issues, and a shortage of cybersecurity professionals. Similarly, state and local governments lack the funds, technical expertise, and operational capacity to address sophisticated state-backed cyber threats on their own. The administration’s cuts to federal cyber defense capabilities risk exacerbating these problems as the PRC cyber threat grows.

Building an Integrated Cyber Defense Strategy

To correct course, the administration must adopt an integrated defense strategy, just as the military uses integrated air and missile defenses. This approach should rest on four pillars:

First, the Trump administration should support congressional efforts to set baseline cybersecurity measures across critical infrastructure sectors. The United States lacks a national law mandating minimum cybersecurity defenses for critical infrastructure, as Congress prefers to leave such regulation to the states. On a national level, there is only the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which mandates cyber incident reporting requirements, and voluntary guidelines such as the NIST Cybersecurity Framework.

This decentralized system has led to uneven cybersecurity readiness across critical infrastructure sectors. While the finance sector has stronger federal cybersecurity requirements, the only federal law addressing the water systems sector is a 2018 Act requiring providers to submit cybersecurity plans, rather than mandating specific cybersecurity measures. Unsurprisingly, a 2024 Environmental Protection Agency assessment found nearly 100 drinking water systems had critical or high-risk cybersecurity vulnerabilities. The PRC is actively exploiting these weaknesses for the purpose of future sabotage, underscored by a March 2025 breach by Volt Typhoon of the Littleton Electric Light and Water Department in Massachusetts.

Mandating basic cybersecurity practices like multi-factor authentication (MFA), prompt vulnerability patching, and network segmentation could have significantly blunted Salt Typhoon’s 2024 intrusions. MFA would have blocked PRC access to high-level management accounts, while applying software patches would have forced the PRC hackers to develop new malware. Network segmentation would have restricted lateral movement within the telecommunications systems, limiting the attack’s scope.

Second, the Trump administration can strengthen U.S. cybersecurity by improving federal coordination. Experts note the United States lacks a unified federal operational strategy to respond to cybersecurity incidents in critical infrastructure. While CISA created the JCDC to improve interagency coordination through collaboration, it lacks clear powers to direct interagency response efforts. And while Congress created the Office of the National Cyber Director (ONCD) in the White House in 2021 to improve interagency coordination for cyber incident response, it lacks the operational capacity to respond to threats. As a result, the deployment of federal cyber defense capabilities remains “split between national labs, private industry, and federal entities,” according to congressional testimony by a chief power grid scientist. To address federal coordination challenges, the Trump administration should work with Congress to bolster CISA’s incident response authorities or direct ONCD to reduce overlapping mandates among federal agencies.

Third, the Trump administration should bolster public-private partnerships to move beyond information sharing to focus on operational collaboration in response to cyber threats. While CISA’s Threat Hunt teams and JCDC have improved public-private operational collaboration and have successfully eradicated numerous PRC-backed intrusions, these efforts have not matched the unrelenting tempo of the PRC’s cyber campaigns. More can be done to scale up public-private operational planning, intelligence sharing, capacity-building training, and the deployment of federal incident response resources. The 2023 National Cybersecurity Strategy and its Implementation Plan highlighted public-private operational collaboration as a national priority, tasking ONCD with identifying policies that support it. As the Trump administration fills leadership roles at ONCD, it should ensure this objective remains a central focus.

Finally, one of the most effective steps the Trump administration can take for U.S. cyber defenses is to apply the same principles used in national air and missile defense to cyberspace: assume attackers will get through the first line of defense and focus on mitigating damage. This is the concept behind Zero-Trust Architecture (ZTA) — a cybersecurity framework that verifies every user and device trying to access sensitive information, rather than trusting them just because they are inside the network. On top of a firewall, which defends the perimeter of the network, the framework calls for encryption of traffic, network sensors, as well as data segmentation. While a Biden administration executive order required agencies to adopt ZTA by September 2024, several have not yet completed adoption. Meanwhile, the Defense Department is expected to have implemented about 60 percent of ZTA requirements by 2027. The Trump administration should accelerate efforts to adopt ZTA across the federal government.

Rather than dismantling U.S. cyber defenses, the Trump administration must pursue a robust, forward-looking strategy to counter increasingly sophisticated threats like Salt Typhoon. Failing to do so will leave the United States vulnerable, ceding strategic ground to countries like China that are actively exploiting weaknesses in critical infrastructure.
