China’s Dual Cyber Strategy: Autonomy, Offensive Projection, and the Race for Digital Sovereignty - Analysis

China's Strategic Duality—Technological Autonomy vs. Asymmetric Offense

China's cybersecurity strategy has evolved into a complex, multi-layered system, reflecting a core strategic tension: the necessity of establishing robust internal resilience and technological autonomy juxtaposed with an aggressive external offensive projection and global influence.

The stated strategic goal, championed by high-ranking officials like CAC Deputy Director Wang Jingtao (Central Cyberspace Affairs Commission), is to accelerate the modernization of the national cybersecurity system and capabilities by 2035, ensuring that high-level security serves as the prerequisite for "high-quality development" (高质量发展) of the nation.

Competitive Advantages and Strategic Strengths

Recognized Shortcomings and Development Gaps

1. Legal Responsibility: The process of shifting security responsibility from users to designers and manufacturers is "relatively slow," which reduces the incentive for integrating Security by Design principles, particularly compared to proactive frameworks in the US and EU.

2. Standards and Resilience: Specific regulations aimed at improving network cyber resilience are lacking. Many security standards (especially for IoT and AI) are often recommended guidelines with weak binding force rather than mandatory requirements.

3. Supply Chain Autonomy: The goal of establishing a totally independent and diversified supply chain for core technologies (chips, basic software) remains an imperative strategic challenge.

Detailed Focus: Technical Architecture, Military Doctrine, and Institutional Development

I. China's National Strategic and Legislative Framework

China's strategy is driven by the political principle of "upholding the Party's comprehensive leadership" over cyberspace.

1.1. Legislation, CII Protection, and Modernization Goals

The legal framework imposes broad requirements on cybersecurity and data handling:

• Foundational Laws: The Cybersecurity Law (CSL), Data Security Law (DSL), and Personal Information Protection Law (PIPL) establish rigorous requirements for network operators and data protection.

• Modernization and AI: Directives from the 20th CPC Central Committee emphasize "strengthening the construction of the cybersecurity system" and "establishing an AI safety supervision system."

• CII Protection and Deep Defense: The Critical Information Infrastructure (CII) Protection Regulation (2021) and the Multi-Level Protection Scheme (MLPS 2.0) govern critical sectors. The current focus is building a system of unified, deep defense (纵深布防) to achieve "discovery at one point, defense across the entire network" (一点发现、全网防御) against high-intensity, state-level attacks.

II. Autonomous Security Doctrines: The Advantage of Intrinsic Control

To overcome dependence and the limitations of reactive models, China promotes innovative, home-grown security doctrines like Trusted Computing and Endogenous Security.

2.1. Trusted Computing 3.0: Active Immunity and TPCM Architecture

"Active Immune Trusted Computing 3.0" (TC 3.0), pioneered by Academician Shen Changxiang, is designed to ensure system predictability by establishing security concurrent with computation, fundamentally addressing the security flaws of the traditional von Neumann architecture.

• Principle Operative: The system implements an "immune system" for the computing platform, using cryptography as a "gene" to implement identity recognition and state measurement, enabling the proactive destruction of harmful substances.

• Granular Technical Architecture:

  • Dual System Architecture: The core is a logically independent protection component that actively monitors the general computing component.

  • Trusted Platform Control Module (TPCM): Serves as the Trusted Root, uniquely initiating before the CPU to establish the chain of trust and execute active control over the host system.

  • Dynamic Control: It utilizes Four-Factor Trusted Dynamic Access Control (Subject, Object, Operation, and Environment) for continuous trust verification, crucial for complex distributed environments.

• Institutional Integration: TC 3.0 provides the technological foundation for the national MLPS 2.0 framework and is integrated into the Cybersecurity Multi-Level Protection Scheme 2.0 / TC 3.0 Key Research and Development Demonstration Base, established in 2020 with guidance from the 11th Bureau of the Ministry of Public Security.

2.2. Endogenous Security and Mimic Defense

The theory of Endogenous Security (内生安全), based on systems engineering and biomimetic biology, is the first internationally recognized theoretical system designed to solve effectively the "unknown unknown threats" by leveraging structural design rather than attack knowledge.

• Technical Principles: The defense relies on the intrinsic properties of dynamism/randomness, diversity/heterogeneity, and redundancy to increase uncertainty and enhance resilience.

• Industrialization: This approach has led to the development of the dynamic heterogeneous redundancy architecture and the commercialization of over 40 types of mimic defense digital products (including routers, switches, and servers). 11 industry standards for these devices have already been published and implemented.

III. Information Warfare Doctrine and Offensive Posture

China's offensive capability is centrally organized under the PLA, focused on achieving information superiority and leveraging technological advancement for asymmetric advantage.

3.1. SSF Mandate and Asymmetric Tactics

• SSF's Strategic IO: The Strategic Support Force (SSF) unifies cyber, electronic, and space warfare for Strategic Information Operations (IO), explicitly aiming to paralyze adversary systems in the initial stages of conflict. Its Network Systems Department (NSD) is responsible for a broad spectrum of operations, including kinetic, cyberspace, space, electromagnetic, and psychological domains.

• AI and Intelligentized Warfare: Doctrine is moving toward "Intelligentized Warfare" (Intelligentized Warfare). AI Acceleration acts as a key force multiplier, increasing the speed and precision of reconnaissance and exploit operations and supporting the development of unmanned intelligent combat systems.

• Military-Civil Fusion (MCF): The MCF strategy integrates civilian capacity into PLA modernization, securing access to dual-use technologies and blurring the lines between commercial and military objectives, extending supply chain risk globally.

3.2. Execution: Pre-positioning and Quantum Threat

• Pre-positioning (Volt Typhoon): The state-sponsored group Volt Typhoon uses vulnerable SOHO routers for Edge Device Exploitation, suggesting the pre-positioning of latent destructive capabilities within adversary critical infrastructure, to be activated during a crisis.

• Quantum Asymmetry: China pursues the "harvest now, decrypt later" strategy, collecting encrypted data today in anticipation of quantum decryption capability. This threat is reinforced by China's leadership in Quantum Key Distribution (QKD), which secures its own communications while potentially compromising rivals' data.

IV. Digital Power Projection and Standardization

4.1. Global Standards Influence

China leverages standardization as a tool of governance and global influence, led by figures like Yang Xudong (Secretary-General of the National Cybersecurity Standardization Technical Committee, TC260).

• Standard Output and Internationalization: China has developed 412 national standards and has 62 international standards projects in progress. Its domestic cryptographic algorithms (SM2, SM3, SM4, SM9, ZUC) have been successfully published as international standards. China will host the ISO/IEC JTC1/SC27 (Information Security) in September 2025.

• Standard AI and New Tech: TC260 has published the Artificial Intelligence Security Governance Framework 1.0 and is actively developing mandatory standards (e.g., Identification Method for AI-Generated Synthetic Content) for generative AI security requirements.

• New IP and DSR: China promotes the controversial "New IP" proposal at the ITU, viewed by many as an attempt to introduce a state-controlled governance model that could lead to a "splinternet" in countries reliant on Digital Silk Road infrastructure.

4.2. Data Control and Regulatory Flexibility

• Coercive Control: Chinese laws mandate that both foreign and domestic entities operating in China must actively cooperate with state intelligence and counterintelligence efforts, imposing expansive obligations with extraterritorial implications.

• Tactical Flexibility (CBDT 2024): In March 2024, the Provisions on Promoting and Regulating Cross-Border Data Transfer (CBDT Provisions) were issued to reduce bureaucratic friction by lessening the requirements for formal security assessments in many cross-border data transfer scenarios, balancing security control with economic stability.

V. Development Gaps and Internal Strategic Focus

5.1. Critical Shortcomings Recognized

1. Responsibility Transfer: There is a recognized "relatively slow" pace in shifting security responsibility from end-users to designers and manufacturers of digital products. This delays the integration of Security by Design and requires acceleration of policies on "production-level cybersecurity."

2. Standards and Resilience Gaps: The legal framework lacks specific regulations to enhance network cyber resilience. Furthermore, standards for new technologies (IoT, AI) are often recommended guidelines with weak binding force, limiting mandatory compliance in critical sectors.

3. Core Technology Autonomy: The critical need remains to increase independent R&D investment in core technologies (integrated circuits, basic software, quantum information) to build a supply chain that is truly resilient, independent, and diversified, moving beyond reliance on high-end foreign components.

4. 
   

Table 1: China's Operational and Normative Architecture