# Cyber Operations in the Taiwan Strait Scenario
## Definition and Overview
This article is an analytical assessment based entirely on open-source reporting, published government advisories, academic research, and historical precedent. It does not draw on classified sources. Its purpose is to help defenders, risk managers, and security practitioners understand the defensive implications of a scenario that multiple governments have publicly assessed as a significant risk.
The Taiwan Strait scenario refers to the possibility of a military conflict involving the People's Republic of China (PRC) and Taiwan, potentially drawing in the United States and other allies. This scenario has been publicly discussed by U.S. military commanders, intelligence officials, congressional witnesses, and senior government officials. The U.S. Director of National Intelligence's annual threat assessment, the Defense Intelligence Agency's threat assessments, and multiple publicly released CISA advisories have all explicitly addressed cyber threats related to this scenario.
The cyber dimension of this scenario is distinctive for two reasons. First, the documented pre-positioning of PRC-linked cyber actors in U.S. critical infrastructure has been publicly attributed by the U.S. government, with an explicit assessment that the pre-positioning is intended to enable disruption during a potential conflict. Second, the global economic concentration of advanced semiconductor manufacturing in Taiwan introduces a spillover risk dimension with no precedent in previous conflict scenarios. Together, these two factors make the cyber dimensions of the Taiwan scenario relevant to a much broader population of organizations than those in the direct geographic theater.
Within the Planetary Defense Model, this topic sits squarely in the TID domain's Predictive Defense Intelligence (PDI) function, which is tasked with tracking state-sponsored pre-positioning and assessed intentions, and the RGA domain's risk governance function, which must incorporate scenario-based risk assessments for clients in affected sectors.
## Background
The political context of the Taiwan scenario is long-standing. The PRC claims Taiwan as a province and has never renounced the use of force to achieve unification. Taiwan has governed itself as a distinct political entity since 1949 and maintains its own military, government, and international relationships. The United States maintains a policy of strategic ambiguity: acknowledging without endorsing the PRC's One China position, maintaining unofficial relations with Taiwan, and providing Taiwan with defensive arms under the Taiwan Relations Act of 1979.
The cyber context has developed most visibly since approximately 2021, when U.S. government assessments began to more explicitly characterize PRC cyber activity as preparation for potential conflict scenarios rather than straightforward espionage. The public disclosure of the Volt Typhoon campaign, culminating in the coordinated advisory from CISA, NSA, FBI, and fourteen international partner agencies in February 2024, represented the most explicit public U.S. government statement connecting PRC cyber intrusions to conflict preparation.
The 2024 advisory stated directly: "Volt Typhoon actors are pre-positioning themselves on IT networks to enable lateral movement to OT assets to disrupt functions. The U.S. authoring agencies are concerned about the potential for these actors to use their network access for disruptive effects in the event of potential geopolitical tensions and/or military conflicts." This language, from the U.S. government's premier civilian cyber agency in a publicly released document, establishes the scenario's relevance not as speculation but as stated government assessment.
The historical backdrop includes PRC cyber operations against Taiwan that have been documented for years: intrusions into Taiwan's government networks, military systems, and semiconductor industry, including documented attempts to collect design information from TSMC and other chip manufacturers. These long-running espionage operations sit alongside the more recent critical infrastructure pre-positioning.
## Why It Matters
Three distinct reasons make this scenario broadly relevant to organizations that may not consider themselves geopolitically exposed.
First, Volt Typhoon's targeting includes telecommunications, power, water, transportation, and logistics infrastructure. These are not government-exclusive systems. They include private sector operators, regulated utilities, and commercial networks. An organization that operates or depends on any of these sectors in the United States may already host pre-positioned PRC access that it is unaware of, regardless of whether it has any relationship to Taiwan policy or Pacific defense.
Second, the NotPetya precedent (June 2017) established that cyber weapons deployed in a geographically bounded conflict cause uncontrolled global spillover. NotPetya was designed to target Ukraine and used a tax software update mechanism to deliver the malware. It infected shipping giant Maersk (estimated $300 million in damages), pharmaceutical company Merck ($870 million in damages), FedEx/TNT ($400 million in damages), and dozens of other global companies with no Ukraine nexus. Total global damages exceeded $10 billion. A conflict involving Taiwan would generate cyber weapons and intrusion infrastructure operating at far greater scale than NotPetya, with equivalent or greater uncontrolled spillover potential.
Third, Taiwan Semiconductor Manufacturing Company (TSMC) produces approximately 90% of the world's most advanced semiconductor chips (7nm and below). A disruption to TSMC's manufacturing operations, whether from kinetic attack, cyber attack, or the anticipatory relocation of production in preparation for conflict, would create multi-year shortages in chips used across automotive, electronics, defense, medical device, and countless other industries. The semiconductor supply chain concentration in Taiwan is a unique systemic risk factor with no parallel in any previous conflict scenario.
## Analysis and Technical Details
### Volt Typhoon: Documented Pre-Positioning
Volt Typhoon (also tracked as Vanguard Panda, Bronze Silhouette, and other vendor-specific names) was first publicly attributed to the PRC in a May 2023 joint advisory from CISA, NSA, and FBI. The group had been identified operating in U.S. critical infrastructure, using living-off-the-land techniques that avoided custom malware signatures: native Windows tools, built-in administrative utilities, and techniques designed to blend with legitimate administrator behavior.
The February 2024 advisory provided significantly more detail and explicitly named the pre-positioning-for-conflict assessment. The advisory documented that Volt Typhoon had maintained access to some U.S. victim networks for at least five years, consistent with long-term pre-positioning rather than intelligence collection objectives. It identified targeting across communications, energy, transportation systems, and water and wastewater systems.
Living-off-the-land tradecraft makes Volt Typhoon particularly challenging to detect and evict. The group uses tools like PowerShell, WMI, and Netsh that are present on every Windows system, so its activity looks like routine administration and cannot be distinguished from legitimate administrator behavior without detailed baselining. CISA's advisory included specific detection guidance and hardening recommendations, but acknowledged that the scale of the pre-positioning and the difficulty of detection meant that organizations were likely to find it only through focused, resource-intensive hunting rather than routine monitoring.
The Guam telecommunications infrastructure targeting was specifically notable. Guam is home to critical U.S. military communications infrastructure supporting operations in the Pacific. Pre-positioning in Guam telecommunications systems would enable disruption to U.S. military and government communications in the Pacific theater at the outset of a conflict.
### Likely Cyber Operational Objectives in a Conflict Scenario
Based on historical precedents (Ukraine 2014-2022, Russia's cyber operations more broadly), the documented targeting of Volt Typhoon, and open-source expert analysis, the likely operational cyber objectives in a Taiwan conflict scenario include the following (this is analytical assessment, not intelligence reporting):
Telecommunications disruption would likely be an early-phase objective. Degrading U.S. and allied military command-and-control communications, disrupting civilian communications infrastructure that doubles as military logistics support, and targeting submarine cable systems would create information gaps at the critical opening phase of any military operation.
GPS and space system interference would be a high-priority objective. Precision munitions, naval navigation, and air operations all depend on GPS. The PRC has invested heavily in both counter-space capabilities and cyber capabilities against space system ground infrastructure. Cyber attacks on GPS ground stations, satellite communications systems, and space system management networks would be more deniable than kinetic anti-satellite weapons and could produce equivalent operational effects.
Taiwan financial system disruption would likely be pursued to create domestic economic pressure and reduce the Taiwanese government's capacity to fund its defense. The wiper attacks used against Ukrainian financial institutions before and during the 2022 invasion provide the operational template.
U.S. critical infrastructure disruption, enabled by pre-positioned Volt Typhoon access, would be pursued to complicate U.S. military mobilization and create domestic political pressure. The specific targeting of transportation and logistics infrastructure suggests interest in disrupting the mobilization of military supplies and personnel.
### Global Semiconductor Spillover Risk
TSMC's production concentration creates a risk scenario unlike anything in the modern globalized economy. The company produces chips for Apple, NVIDIA, AMD, Qualcomm, and virtually every other major semiconductor designer. Its advanced fabs are located in Hsinchu and Tainan. No equivalent advanced production capacity exists elsewhere: Intel is years away from being competitive at the most advanced nodes; Samsung has some capacity but not at TSMC's scale.
A cyber attack on TSMC's manufacturing systems, its engineering networks, or its supply chain management infrastructure could disrupt production without any kinetic action. The industrial control systems running chipmaking equipment are complex and highly specialized; damage or disruption to manufacturing recipes, calibration data, or process control systems could require months to restore.
The broader observation for risk assessment purposes is that even organizations with no Pacific presence, no government contracts, and no direct connection to Taiwan or U.S. military infrastructure are exposed to this scenario through their dependency on semiconductors. This makes the Taiwan scenario a systemic risk event rather than a targeted geopolitical risk, and justifies risk assessment inclusion for virtually any technologically dependent organization.
### Defensive Implications: CISA Guidance and Sector Directives
The U.S. government has been unusually explicit in providing defensive guidance connected to the Volt Typhoon and Taiwan scenario threat assessments. CISA's advisories on Volt Typhoon included specific detection guidance, IOC lists, and hardening recommendations. The advisory recommended organizations conduct proactive threat hunting specifically looking for Volt Typhoon's living-off-the-land signatures.
CISA's Voluntary Systematic Vulnerability Remediation Agreements (VSRAs) and sector-specific directives issued under CISA's Critical Infrastructure Security authority represent the policy response to the pre-positioning assessment. Organizations in critical infrastructure sectors subject to these directives face compliance obligations specifically anticipating this threat environment.
Network segmentation between IT and OT environments was a central recommendation across CISA's Volt Typhoon guidance, reflecting the advisory's assessment that the actors were seeking to move laterally from IT networks to operational technology systems for physical disruption capability. Organizations that have not completed IT/OT segmentation in their critical infrastructure operations are particularly exposed.
## CDA Perspective
CDA's PDI methodology treats the Taiwan scenario as an active threat assessment context for all critical infrastructure clients, not a future contingency. The U.S. government's public assessment that pre-positioning has already occurred in U.S. critical infrastructure means this is not a scenario planning exercise for these clients; it is a current incident response and threat hunting priority.
For CDA clients in telecommunications, energy, water, transportation, and logistics, PDI assessments include a specific Volt Typhoon TTP overlay: Are there indicators of living-off-the-land activity in administrative tool usage patterns? Are there baseline deviations in IT-to-OT network traffic? Are there dormant accounts or scheduled tasks that do not correspond to documented administrator activity? These questions need to be answered now, not after a conflict begins.
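The hunt questions above (and the living-off-the-land tradecraft and CISA hunting guidance described earlier) come down to comparing native-tool executions against documented administrator activity. The following is an added example, not code from the article, from CDA, or from CISA's advisories; it assumes process-creation events exported to a simple CSV (a constructed schema) and a defender-maintained baseline of administrators, admin hosts, working hours and dormant accounts, all constructed here.

```python
# Baseline-deviation hunt for living-off-the-land tool use (added example,
# not code from the article or from CISA). Assumes process-creation events
# exported as CSV with columns timestamp,host,user,image,cmdline (a constructed
# schema) and a documented administrator baseline maintained by the defender.
import csv
import io
from datetime import datetime

# Native tools the article names as Volt Typhoon's LOTL kit, plus schtasks.exe
# because scheduled tasks are one of the hunt questions above.
LOTL_IMAGES = {"powershell.exe", "wmic.exe", "netsh.exe", "schtasks.exe"}

# Documented administrator activity (constructed baseline): who may run these
# tools, from which hosts, during which hours, and which accounts are dormant.
BASELINE = {
    "admins": {"CORP\\jsmith", "CORP\\svc_patch"},
    "admin_hosts": {"ADMIN-JUMP01", "ADMIN-JUMP02"},
    "hours": range(7, 20),  # 07:00-19:59 local
    "dormant": {"CORP\\old_contractor"},
}

# Constructed sample events: two match the baseline, three deviate.
SAMPLE_CSV = """timestamp,host,user,image,cmdline
2024-03-04T09:12:00,ADMIN-JUMP01,CORP\\jsmith,powershell.exe,Get-Service
2024-03-04T10:40:00,ADMIN-JUMP02,CORP\\svc_patch,wmic.exe,qfe list
2024-03-04T02:17:00,SCADA-HMI03,CORP\\jsmith,netsh.exe,interface show
2024-03-04T11:05:00,FILE-SRV07,CORP\\old_contractor,schtasks.exe,/query
2024-03-04T03:30:00,ADMIN-JUMP01,CORP\\jsmith,powershell.exe,Get-Process
"""

def hunt(csv_text, baseline=BASELINE):
    """Return (host, user, image, reasons) for every LOTL execution that does
    not line up with documented administrator activity."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["image"].lower() not in LOTL_IMAGES:
            continue  # not a living-off-the-land binary; ignore
        reasons = []
        if row["user"] in baseline["dormant"]:
            reasons.append("dormant account active")
        if row["user"] not in baseline["admins"]:
            reasons.append("user not a documented administrator")
        if row["host"] not in baseline["admin_hosts"]:
            reasons.append("host not a documented admin workstation")
        if datetime.fromisoformat(row["timestamp"]).hour not in baseline["hours"]:
            reasons.append("outside documented admin hours")
        if reasons:
            findings.append((row["host"], row["user"], row["image"], reasons))
    return findings
```

Running `hunt(SAMPLE_CSV)` returns three findings: netsh on an OT host at night, a scheduled-task query by a dormant account from an unexpected server, and PowerShell by a real administrator outside documented hours. Each reason maps to one of the overlay questions, and the baseline is the part the organization must actually maintain for the hunt to mean anything.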
For CDA clients who are not critical infrastructure operators but who have semiconductor supply chain exposure or complex dependencies on Pacific telecommunications routing, PCA engagements incorporate Taiwan scenario supply chain risk assessment as a component of business impact analysis and continuity planning.
The RGA implication is broader: the scenario requires boards and executive leadership to treat geopolitical conflict scenarios as operational risk events, not geopolitical abstractions. Business continuity plans that do not address the possibility of simultaneous cyber disruption of communications, power, and logistics infrastructure during a period of heightened geopolitical tension are incomplete for organizations in the current environment.
## Key Takeaways
- The U.S. government has explicitly assessed that PRC-linked cyber actors (Volt Typhoon) have pre-positioned in U.S. critical infrastructure with the likely intent of disrupting those systems in a potential conflict, not merely conducting espionage.
- Volt Typhoon uses living-off-the-land techniques (native OS tools, legitimate administrative utilities) that make detection difficult and require active threat hunting rather than passive monitoring.
- Likely cyber operational objectives in a conflict scenario include telecommunications disruption, GPS and space system interference, Taiwan financial system disruption, and U.S. critical infrastructure disruption to complicate military mobilization.
- TSMC's ~90% share of advanced semiconductor production creates a unique systemic economic spillover risk that extends the Taiwan scenario's relevance to virtually all technologically dependent organizations globally.
- The NotPetya precedent demonstrates that cyber weapons deployed in geographically bounded conflicts cause uncontrolled global spillover. Scale and blast radius should be assumed to exceed targeted effects.
- CDA's PDI methodology treats Volt Typhoon detection as a current priority for critical infrastructure clients, not a future planning exercise. CDA's PCA methodology incorporates Taiwan scenario supply chain risk into business continuity and impact analysis for clients with semiconductor or Pacific telecommunications exposure.
## Sources
- CISA, NSA, FBI, and International Partners. "People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection." Advisory AA23-144A, May 2023. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
- CISA, NSA, FBI, and International Partners. "PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure." Advisory AA24-038A, February 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
- Office of the Director of National Intelligence. "Annual Threat Assessment of the U.S. Intelligence Community." March 2024. https://www.dni.gov/files/ODNI/documents/assessments/ATA-2024-Unclassified-Report.pdf
- Greenberg, Andy. "The Untold Story of NotPetya, the Most Devastating Cyberattack in History." Wired, August 2018. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world
- Miller, James. "TSMC's Semiconductor Monopoly and the Taiwan Risk Premium." Center for Strategic and International Studies, 2023.
- Sanger, David E. and Barnes, Julian E. "U.S. Hunts Chinese Malware That Could Disrupt American Military Operations." The New York Times, July 2023.
- RAND Corporation. "War with China: Thinking Through the Unthinkable." RAND, 2016.
- CDA, LLC. "Threat Intelligence and Defense Domain Reference." CDA Canon, 2026.