From Canadian networks to Europe: the Chinese cyber threat extends - Analysis

Introduction

Rising geopolitical tensions are manifesting themselves in an escalation of activity in the “gray zone” of cyberspace, with Chinese group Salt Typhoon recently compromising Canadian telecommunications networks for espionage and pre-positioning. This threat extends globally, targeting critical infrastructure such as 5G, essential to economic and national security. The United States has responded with tough sanctions against companies like Huawei and a nearly $5 billion “Rip and Replace” program to remove Chinese equipment from networks. Europe and Italy, while facing significant economic dependence on China, seek to balance cooperation and security through the “EU 5G Cybersecurity Toolbox” and Italy's “Golden Power.” The challenge is to strengthen resilience by diversifying suppliers, promoting public-private collaboration, and investing in talent and research. In sum, the fight against these threats is a battle for digital sovereignty, which requires strategic industrial policies to protect vital assets.


A strong alarm has been sounded by the Canadian Centre for Cyber Security (Cyber Centre) and the U.S. Federal Bureau of Investigation (FBI) regarding Salt Typhoon, a hacking group sponsored by the People's Republic of China (PRC). This group recently compromised Canadian telecommunications networks, an action that, far from being isolated, is part of a broader and more concerning strategy of espionage and offensive pre-positioning.

In mid-February 2025, a major Canadian telecommunications company suffered a significant compromise attributed to the China-linked Salt Typhoon group. The attackers exploited a critical Cisco IOS XE vulnerability (CVE-2023-20198) to gain unauthorized access to three of the operator's network devices. Once access was gained, the threat actors retrieved and modified configuration files from at least one of these devices, specifically to configure a Generic Routing Encapsulation (GRE) tunnel, enabling covert traffic collection from the compromised network.

The Canadian Centre for Cyber Security (Cyber Centre) and the U.S. Federal Bureau of Investigation (FBI) issued a joint advisory, urging Canadian organizations to strengthen their network security. The agencies anticipate that Salt Typhoon intrusions will continue over the next two years, likely diversifying their targets beyond the telecommunications sector.

Technical analysis of this intrusion, focused on obtaining configuration files and creating a GRE tunnel for traffic collection, reveals an objective beyond immediate data exfiltration. Had the primary intent been overt and immediate disruption, the attackers might have opted for deploying ransomware or destructive malware. Instead, the choice to establish a persistent and hidden access mechanism suggests a long-term strategy of intelligence gathering and "pre-positioning." This approach aims to maintain a foothold for future operations, which could include sabotage, rather than an immediate high-impact attack. Such behavior aligns perfectly with grey zone tactics, which aim for a silent weakening of the target. This implies a sophisticated and patient adversary whose intention extends beyond contingent data theft, aiming to establish latent capabilities that can be activated at a strategically opportune moment, thus blurring the lines between espionage and preparation for conflict.

The consistent focus on "network devices" and "edge network devices" as points of compromise is particularly significant. Edge devices (such as routers, firewalls, and VPNs) are often less protected than core network infrastructure, yet they serve as critical gateways to internal networks. Chinese state-sponsored actors are explicitly known for targeting these devices to gain and maintain persistent access to telecommunications service providers. This highlights a systemic vulnerability that extends beyond a single incident. Organizations must therefore reorient their security focus, including comprehensive strengthening and continuous monitoring of edge devices, recognizing them as priority targets for sophisticated state actors seeking initial access and persistent presence.
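The intrusion described above turned on two changes an operator can watch for in device configuration: a new GRE tunnel and modified configuration files on an edge router. The following Python script is an added example, not code from the advisory or from Cisco; it diffs two IOS XE-style running-config snapshots (constructed here, with RFC 5737 documentation addresses and placeholder secrets) and reports new or changed GRE tunnels, newly added privilege-15 accounts, and the plaintext web UI being switched on. The hostnames, interface names, and the assumption that config snapshots are pulled out of band by a configuration-management job are illustrative choices; the fact that CVE-2023-20198 affects the IOS XE web UI is why `ip http server` is treated as a finding.

```python
import re
from typing import Dict, List, Set, Tuple

# Constructed baseline snapshot of an edge router (not a real device config).
BASELINE_CONFIG = """\
hostname EDGE-RTR-01
!
username netops privilege 15 secret 9 REDACTED_HASH_1
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
ip http secure-server
"""

# Constructed later snapshot: a GRE tunnel, an extra admin user and the
# plaintext web UI have appeared since the baseline was taken.
CURRENT_CONFIG = """\
hostname EDGE-RTR-01
!
username netops privilege 15 secret 9 REDACTED_HASH_1
username svc_backup privilege 15 secret 9 REDACTED_HASH_2
!
interface GigabitEthernet0/0/0
 ip address 203.0.113.10 255.255.255.0
!
interface Tunnel100
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.77
 tunnel mode gre ip
!
ip http server
ip http secure-server
"""


def parse_blocks(config: str) -> Tuple[Set[str], Dict[str, List[str]]]:
    """Split an IOS-style config into global lines and per-interface sub-commands."""
    top: Set[str] = set()
    interfaces: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None          # "!" terminates an interface block
            continue
        if line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        elif line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        else:
            current = None
            top.add(line)
    return top, interfaces


def gre_tunnels(interfaces: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """Return source/destination for every interface configured as a GRE tunnel."""
    found: Dict[str, Dict[str, str]] = {}
    for name, lines in interfaces.items():
        if not any(l.startswith("tunnel mode gre") for l in lines):
            continue
        info: Dict[str, str] = {}
        for l in lines:
            if l.startswith("tunnel source "):
                info["source"] = l.split(None, 2)[2]
            elif l.startswith("tunnel destination "):
                info["destination"] = l.split(None, 2)[2]
        found[name] = info
    return found


def config_findings(baseline: str, current: str) -> List[str]:
    """Compare two snapshots and list security-relevant drift."""
    b_top, b_if = parse_blocks(baseline)
    c_top, c_if = parse_blocks(current)
    findings: List[str] = []

    b_gre, c_gre = gre_tunnels(b_if), gre_tunnels(c_if)
    for name, info in c_gre.items():
        if name not in b_gre:
            findings.append(
                f"NEW_GRE_TUNNEL {name} source={info.get('source')} "
                f"destination={info.get('destination')}"
            )
        elif info != b_gre[name]:
            findings.append(f"MODIFIED_GRE_TUNNEL {name} now={info} was={b_gre[name]}")

    # Global lines present now but absent from the baseline.
    for line in sorted(c_top - b_top):
        if re.match(r"^username \S+ privilege 15\b", line):
            findings.append(f"NEW_PRIV15_USER {line.split()[1]}")
        elif line == "ip http server":
            findings.append("HTTP_WEBUI_ENABLED ip http server")
    return findings


if __name__ == "__main__":
    for f in config_findings(BASELINE_CONFIG, CURRENT_CONFIG):
        print(f)
```

In practice the two snapshots would come from successive `show running-config` captures stored by the configuration-management system; every finding here should be reconciled against the change-ticket log, and an unexplained tunnel on an edge device is grounds for treating the device as compromised rather than simply reverting the line.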


Modus operandi of Salt Typhoon and PRC sponsorship

Salt Typhoon has been unequivocally identified as a cyber threat actor sponsored by the People's Republic of China (PRC). The group is engaged in a "broad and significant cyber espionage campaign" targeting major telecommunications service providers (TSPs) globally. Their objectives include exfiltrating large volumes of customer data and collecting information on high-value targets, such as government officials, encompassing geolocation data, call monitoring, and SMS message interception. Despite public advisories and reports on their activities, Salt Typhoon actors are assessed to "almost certainly continue to operate," persistently exploiting vulnerabilities in network devices to gain and maintain access to TSPs.

The consistent attribution of Salt Typhoon to the PRC, contrasted with the inherent ambiguity of "grey zone" tactics, reveals a critical challenge. Even when attribution is made public, the nature of these operations – designed to remain below the threshold of conventional conflict and allow for plausible deniability – complicates a proportionate response. The persistence of Salt Typhoon's activities despite public exposure further underscores a high-risk tolerance and a long-term strategic commitment by the PRC, suggesting that mere public denunciation is insufficient for deterrence. Effective countermeasures must therefore go beyond technical defense, including diplomatic, economic, and potentially covert responses that increase costs for the aggressor, even in scenarios where full public attribution is difficult or undesirable.


Previous and broader objectives

The Canadian incident is not isolated. Salt Typhoon has a history of compromising major telecommunications service providers (TSPs) globally, including U.S. wireless carriers in 2024. These operations aimed to steal call record data and private communications of individuals primarily involved in government or political activity. Investigations conducted by the Cyber Centre indicate that Salt Typhoon's objective is "broader than just the telecommunications sector," suggesting a wider espionage campaign aimed at collecting information from internal networks or enabling the compromise of additional victims. The FBI's public request for information on Salt Typhoon's activities has also highlighted the compromise of several U.S. telecommunications companies. PRC cyber threat actors frequently attempt to compromise trusted service providers – including TSPs, managed service providers (MSPs), and cloud service providers – to gain indirect access to client information or networks.

The repeated targeting of "trusted service providers" (TSPs, MSPs, cloud service providers) to gain "indirect access to client information or networks" constitutes a significant strategic choice. Instead of directly attacking numerous high-value targets, compromising a single trusted provider grants access to a multitude of downstream clients, including critical infrastructure, effectively multiplying the impact of a single breach. This implies that even organizations with robust internal security can be compromised through a weak link in their supply chain. This necessitates a fundamental shift towards comprehensive supply chain cybersecurity, including rigorous vendor risk management, threat intelligence sharing across sectors, and potentially regulatory frameworks that hold service providers accountable for the security of their clients' data.


Table 1: Key details of Salt Typhoon attacks and precedents

| Incident/Target | Vulnerability Exploited | Attack Method | Primary Objective | Attribution |
| --- | --- | --- | --- | --- |
| Canadian telecom, Feb 2025 | CVE-2023-20198 (Cisco IOS XE) | GRE tunnel, configuration file access/modification, traffic collection | Cyber espionage, information gathering, pre-positioning | PRC-sponsored |
| US wireless carriers, 2024 | Not specified | Call record data theft, private communications | Cyber espionage, information gathering on high-value targets (government officials) | PRC-sponsored |
| Viasat, AT&T, Verizon, Lumen Technologies (previous) | Not specified | Compromise of internet service providers | Cyber espionage, compromise of telecommunications companies | PRC-sponsored |
| Canadian targets (next 2 years) | Not specified | Persistent attacks, diversification of targets | Cyber espionage, information gathering, compromise of further victims | PRC-sponsored |


The global cyber grey zone: strategic positioning in critical infrastructure

The threat of Salt Typhoon is not an isolated case, but fits into a broader context of "grey zone" tactics employed by China. This chapter explores the strategic importance of critical infrastructure, such as 5G, and pervasive pre-positioning strategies.


Defining the grey zone in cyberspace

China's "grey zone" tactics are characterized by operations designed to remain below the threshold of conventional armed conflict, allowing Beijing to maintain plausible deniability and avoid direct accountability. This ambiguity complicates international response and attribution efforts. Such operations aim for a "silent weakening" of the target country's capabilities and resilience over time, rather than immediate and overt destruction. They exploit ambiguous legal and operational areas, making them difficult to counter through traditional defense mechanisms. A key aspect of this strategy is "pre-positioning," which involves persistent information gathering and the creation of access points ("footholds" or "backdoors") within critical infrastructure. These access points can be activated for future, potentially more destructive, operations, including intensified espionage or outright sabotage.

The description of grey zone tactics as "silent weakening" and the analogy to the "salami-slicing" approach (mentioned in the maritime context, but applicable to cyber) highlight a critical long-term strategy. Individual cyber incidents, while not crossing the threshold of an "act of war," cumulatively erode a nation's security, economic stability, and resilience. This gradual and persistent pressure is designed to overwhelm traditional detection and response mechanisms and to avoid triggering a decisive counter-response. The difficulty in attributing these attacks further facilitates this cumulative erosion, making it hard to assign responsibility and formulate a proportionate response. This necessitates a shift in national security paradigms, moving from reactive defense to proactive, long-term strategic competition. It requires governments to develop frameworks to aggregate seemingly minor incidents into a coherent understanding of a sustained campaign, enabling a more robust and multifaceted response that addresses the cumulative impact.


The strategic imperative of 5G networks

The "fifth generation" (5G) of telecommunication systems represents a new global standard promising super-fast, low-latency universal connectivity. It is set to revolutionize the Internet of Things (IoT), with an estimated 50 billion connected devices by 2030 and an explosion in global data consumption. 5G is essential for a wide range of innovative applications that can transform sectors such as automotive, healthcare, transport, and energy, with estimated benefits for Europe of up to 113 billion euros per year and the creation of millions of jobs by 2030.

Given its fundamental role, 5G is classified as "critical infrastructure." Its compromise would have a devastating impact on a country's security and economy, whether at a physical (roads, energy), virtual (IT), systemic (financial), or network (telecommunications) level. 5G's reliance on software expands the attack surface compared to 3G or 4G systems, introducing new security challenges such as virtualization vulnerabilities, software dependencies, and supply chain complexities. Hypothetical attack scenarios include distorting signals for autonomous cars, manipulating smart traffic lights, disrupting communications for airlines or railways, stealing trade secrets, spreading false news, or injecting spyware into security infrastructure or financial systems.

The immense economic and social benefits of 5G are directly linked to its technical advancements: ultra-low latency, high data transfer speeds, and massive device connectivity. However, these same advancements simultaneously create an expanded and more complex attack surface. Increased reliance on software and virtualization introduces new vulnerabilities less prevalent in older, hardware-centric networks. This creates a paradox: the more transformative 5G becomes, the more critical and potentially catastrophic its compromise could be. The speed and scale of 5G also mean that cyberattacks can propagate at unprecedented rates, amplifying their potential impact. Nations face the strategic imperative of investing in 5G security to the same extent as its deployment. The long-term economic and national security benefits of 5G are inextricably linked to its resilience against sophisticated cyber threats, requiring a proactive and integrated cybersecurity strategy from conception to operation.


China's pre-positioning strategy

The incident involving the compromise of Canadian networks by Salt Typhoon fits squarely within the "grey zone" tactics employed by Beijing, particularly its "pre-positioning" efforts. The manipulation of network devices serves not only current espionage but also creates "backdoors" and vulnerabilities that could be activated for more destructive purposes in the future. Another prominent example is the Chinese group Volt Typhoon, which has been observed pre-positioning malware in the IT networks of critical infrastructure in the United States, including the energy, water, and transport sectors. Their stated objective is to "disrupt or destroy" essential services in the event of conflict.

Volt Typhoon frequently employs "living off the land" (LOTL) techniques, using legitimate tools already present in the victim's network (e.g., PowerShell, Bash) rather than deploying custom malware. This makes their presence significantly harder to detect and allows them to blend in with normal system activity. U.S. national security agencies have warned that Chinese state-sponsored actors are "actively preparing IT environments to enable disruptive or destructive effects when it matters most," describing this as "strategic shaping" of the battlefield.

The concept of "pre-positioning" combined with the use of "living off the land" (LOTL) techniques indicates that Chinese APTs are implanting "cyber dormant cells" within critical infrastructure. These are not active attacks, but covert and persistent footholds that can be activated at a time of geopolitical crisis (e.g., a conflict over Taiwan). The LOTL approach makes detection extremely difficult, implying that many of these compromises may already exist undetected, representing a significant latent threat that could be militarized. This shifts the defensive challenge from preventing initial breaches to proactively hunting and neutralizing these hidden threats before they can be activated for destructive purposes, and it requires an "assume breach" mindset in cybersecurity, emphasizing continuous threat hunting, advanced behavioral analysis, and robust incident response capabilities.
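Because LOTL activity uses interpreters that are already present and already busy on a host, the hunting approach described above has to lean on context (which process launched the interpreter, on which host) rather than on the binary itself. The Python script below is an added example, not code from the page or from any vendor, of a baseline-based hunt: it learns the (host, parent, child) process chains seen during a quiet learning window and then flags interpreter launches in a later window whose chain was never observed. Both logs are constructed CSV samples with an assumed column layout; the interpreter list and the two "unusual" chains (an office application spawning PowerShell, a web server spawning bash) are illustrative assumptions.

```python
import csv
import io
from collections import Counter
from typing import Counter as CounterType, Dict, List, Tuple

# Constructed process-creation log for a learning window of normal activity.
BASELINE_LOG = """\
host,parent,child,cmdline
ws01,explorer.exe,powershell.exe,powershell.exe -File C:\\Scripts\\backup.ps1
ws01,explorer.exe,powershell.exe,powershell.exe -File C:\\Scripts\\backup.ps1
ws01,services.exe,svchost.exe,svchost.exe -k netsvcs
srv01,cron,bash,bash /opt/jobs/rotate.sh
srv01,cron,bash,bash /opt/jobs/rotate.sh
srv01,sshd,bash,bash -l
"""

# Constructed window under review: the same routine activity plus two
# interpreter launches from parents that never spawned them before.
REVIEW_LOG = """\
host,parent,child,cmdline
ws01,explorer.exe,powershell.exe,powershell.exe -File C:\\Scripts\\backup.ps1
ws01,winword.exe,powershell.exe,powershell.exe -w hidden -nop -c Get-ChildItem
srv01,cron,bash,bash /opt/jobs/rotate.sh
srv01,httpd,bash,bash -c 'id; uname -a'
"""

# Interpreters whose launch context matters (assumed list for this example).
INTERPRETERS = {"powershell.exe", "bash", "sh", "cmd.exe"}

Chain = Tuple[str, str, str]


def parse_log(text: str) -> List[Dict[str, str]]:
    """Read the constructed CSV format into a list of event dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def build_baseline(rows: List[Dict[str, str]]) -> CounterType[Chain]:
    """Count how often each (host, parent, child) chain occurred in the learning window."""
    return Counter((r["host"], r["parent"], r["child"]) for r in rows)


def hunt(baseline: CounterType[Chain], rows: List[Dict[str, str]]) -> List[str]:
    """Flag interpreter launches whose parent chain never appeared in the baseline."""
    findings: List[str] = []
    for r in rows:
        chain: Chain = (r["host"], r["parent"], r["child"])
        if r["child"] in INTERPRETERS and baseline[chain] == 0:
            findings.append(f'{r["host"]}: {r["parent"]} -> {r["child"]} ({r["cmdline"]})')
    return findings


def run_hunt(baseline_text: str, review_text: str) -> List[str]:
    """Convenience wrapper: learn from one log, hunt in another."""
    return hunt(build_baseline(parse_log(baseline_text)), parse_log(review_text))


if __name__ == "__main__":
    for line in run_hunt(BASELINE_LOG, REVIEW_LOG):
        print("UNSEEN_INTERPRETER_CHAIN", line)
```

The routine PowerShell and cron-driven bash launches are suppressed because their chains exist in the baseline; only the two never-seen parents surface. A production version would learn from weeks of EDR or auditd telemetry rather than six lines, and would treat a long-standing baseline as itself suspect, since a pre-positioned foothold may already have been "normal" when the baseline was taken.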


The vulnerability of trusted service providers

Telecommunications service providers (TSPs) and their networks globally are considered priority espionage targets for state actors due to the vast volumes of traffic and customer data they handle, including communications, location data, and device information. State actors have consistently compromised TSPs worldwide, often as part of long-term intelligence programs to exfiltrate bulk customer data and collect information on high-value targets, such as government officials. Chinese cyber actors frequently attempt to compromise trusted service providers – including TSPs, managed service providers (MSPs), and cloud service providers – to gain indirect access to client information or networks.

Modern digital infrastructure is built on a complex "web of trust" where organizations heavily rely on third-party service providers (TSPs, MSPs, cloud service providers). The fact that Chinese actors "frequently attempt to compromise trusted service providers... to indirectly access client information or networks" reveals a strategic exploitation of this inherent trust model. A successful compromise of one provider can lead to transitive access to numerous client networks, including critical infrastructure, effectively multiplying the impact of a single breach. This implies that even organizations with robust internal security can be compromised through a weak link in their supply chain. This necessitates a fundamental shift towards comprehensive supply chain cybersecurity, including rigorous third-party risk management, threat intelligence sharing across the entire digital ecosystem, and potentially regulatory frameworks that hold service providers accountable for the security of their clients' data.


Emerging targets: the healthcare sector

Although the information provided does not directly link Salt Typhoon to attacks against hospitals, global reports indicate that China-linked cyberattacks have targeted the healthcare sector. Hospitals, with their sensitive patient data, valuable medical technologies, and interconnected systems, are attractive targets for both espionage (e.g., information on leaders, medical research and development) and potential sabotage. A new China-based threat group, Silver Fox (alias Void Arachne), was identified in June 2024, engaged in silent attacks on healthcare networks, including weaponized installers for DICOM viewers to deliver remote access trojans. Another China-linked APT group exploited CVE-2025-31324 to target critical infrastructure systems, including medical device manufacturers in the United States. Attacking hospitals is considered an act of extreme gravity, going beyond traditional espionage and approaching a cyber warfare action due to its direct impact on human lives and vital public services.

The targeting of the healthcare sector, particularly hospitals, indicates a profound and alarming escalation in cyber warfare. Unlike traditional espionage or economic sabotage, attacks on healthcare infrastructure directly threaten human lives and public well-being, blurring the ethical and legal boundaries of conflict. The text explicitly states that this "goes far beyond traditional espionage and approaches an act of cyber warfare with direct impacts on people's lives." This suggests a deliberate disregard for established international norms regarding the immunity of non-combatants and the protection of civilian infrastructure in times of conflict. This calls for urgent international dialogue and the establishment of clear and enforceable norms and red lines in cyberspace, particularly concerning attacks on critical civilian services like healthcare. It also requires prioritizing cybersecurity investments in the healthcare sector as a matter of national security, public health, and humanitarian concern.


Table 2: Comparison of Chinese APT tactics in the grey zone (Salt Typhoon vs. Volt Typhoon)

| APT Group | Primary Objective | Key Target Sectors | Key TTPs | Attribution |
| --- | --- | --- | --- | --- |
| Salt Typhoon | Espionage, pre-positioning for future disruption/destruction | Telecommunications, trusted service providers (MSP, cloud), potential broader scope | Exploitation of edge devices (CVE-2023-20198), GRE tunnels, configuration file access/modification, traffic collection | PRC-sponsored |
| Volt Typhoon | Undermine U.S. critical infrastructure, weaken U.S. military readiness, cause disruption/chaos | Critical infrastructure (energy, water, transport), manufacturing, government, IT, education | Living Off The Land (LOTL), credential theft (LSASS), persistence via SOHO equipment, C2 via open-source tools, FOFA usage, exploitation of known/zero-day vulnerabilities | PRC-sponsored |


Geopolitical responses and dependencies: a Western perspective

The growing cyber threats from China are prompting the United States, Italy, and Europe to develop diversified responses. This section highlights their approaches and the inherent dependencies that influence their strategies.


The United States: a primary target and a robust response

The United States is consistently identified as a primary target for Chinese cyber espionage, as demonstrated by attacks on U.S. wireless carriers for data theft and the compromise of private communications of government and political officials. The extensive reliance of the United States on interconnected digital infrastructure makes the country particularly vulnerable to sabotage strategies aimed at disrupting critical services.

In response, the United States has adopted rigorous measures and sanctions against Chinese technology companies, particularly Huawei. This crackdown began as early as 2008 and drastically escalated from 2018, culminating in Huawei's inclusion on the Entity List (May 2019) and the expansion of chip supply restrictions (2020). The United States Innovation and Competition Act (USICA) of 2021 further strengthened these restrictions.

To address the presence of Chinese equipment in national networks, the U.S. government established the "Rip and Replace" program. Initially, President Donald Trump signed a bill providing 1 billion dollars to help small telecom providers replace equipment made by China's Huawei and ZTE. Subsequently, Congress authorized an additional 3.08 billion dollars for the Federal Communications Commission's (FCC) "Rip and Replace" program, bringing the total funding to 4.98 billion dollars. This sum was allocated to cover a shortfall of over 3 billion dollars that prevented many operators, particularly those in rural areas, from completing the removal and replacement of equipment deemed a national security risk. The FCC has now received the full authorized amount, allowing recipients to proceed swiftly with the work.

Following the U.S. example, numerous countries, including Australia, Vietnam, New Zealand, the United Kingdom, and Japan, have banned or de facto prohibited Huawei from their 5G networks. Canada mandated the removal of 5G equipment by June 2024 and 4G equipment by December 2027.

The early and aggressive political stance of the United States against Huawei and its consistent public attribution of Chinese cyber activities has acted as a significant catalyst for other Western nations. The subsequent adoption of similar bans or restrictions by a growing number of allies suggests a strategic alignment, albeit with varying degrees of commitment and speed. This indicates that U.S. national security concerns, particularly regarding technological dependence on China, are increasingly shaping a broader Western consensus on digital security. This trend points to the emergence of a collective, albeit complex, security posture in the digital domain among Western allies. However, it also highlights the economic and diplomatic pressures involved in such a "decoupling" or "de-risking" process, and the potential for friction with countries that prioritize economic ties.


Italy and Europe: balancing economic ties and security risks


Economic and technological interdependence

For Italy and Europe, the situation is complex and delicate due to a significant economic and technological dependence on China. Global supply chains are often intertwined with Chinese production, and the spread of technologies like 5G has seen a notable presence of Chinese suppliers. The vulnerabilities that allowed attacks in Canada are often globally shared. European telecommunications networks and critical infrastructures use similar technologies and face analogous security challenges. Incidents affecting allied countries serve as a wake-up call, demonstrating tactics that could be replicated against Italy or other EU member states.


The EU 5G cybersecurity toolbox

In January 2020, the European NIS cooperation group adopted the "EU 5G Cybersecurity Toolbox," a strategic framework outlining measures to strengthen 5G network security, assess suppliers, and apply restrictions to those considered high-risk for "key critical assets." Despite this framework and the commitment of all 27 EU Member States to fully implement it (June 2023 report), actual implementation remains heterogeneous and slow. By mid-2023, 34% of mobile network access equipment in the EU was still from Huawei and ZTE. In some countries like Germany, Austria, the Netherlands, Greece, and Hungary, the incidence of Huawei and ZTE equipment remained stable or even increased.

Only ten EU Member States had fully banned or significantly restricted "high-risk" telecom providers for their 5G infrastructure by 2024, despite almost all having a regulatory framework in place. The reluctance to implement immediate bans is often attributed to technological impracticality, high replacement costs, and limited availability of national alternatives, especially for countries with weaker economies. The European Commission itself has adopted measures to avoid exposure of its corporate communications to mobile networks using Huawei and ZTE and urges Member States to "accelerate their efforts" to reduce the presence of Chinese companies.

The significant market share of Huawei and ZTE in European 4G and 5G networks (e.g., 64% of the EU-27 population on Chinese 4G in 2019, 34% of access equipment from Huawei/ZTE by mid-2023) underscores a deep economic entanglement. The slow and heterogeneous implementation of the EU 5G Cybersecurity Toolbox, particularly the reluctance to ban "high-risk" providers due to "technological impracticality and high costs" and "limited alternatives," reveals a profound "cost-benefit" dilemma. For many Member States, the immediate economic disruption and financial burden of a complete ban outweigh the perceived long-term security benefits, leading to a fragmented security posture across the Union. The Commission's own actions to avoid Chinese suppliers, while Member States lag, highlight this internal division. This fragmentation creates exploitable vulnerabilities across the EU's critical infrastructure, undermining collective security. Achieving true EU digital sovereignty will require not only political will but also substantial financial investment and a coordinated industrial policy to develop viable European alternatives and mitigate economic disincentives for security-driven vendor diversification.


The Golden Power regime in Italy

Since 2019, Italy has used its "Golden Power" legislation to safeguard national interests in strategic sectors, including 5G communications. This mechanism grants the government special powers to review and impose conditions on foreign acquisitions and contracts involving strategic assets. The scope of the Golden Power is broad, covering defense, national security, 5G communications, and critical civilian sectors such as data, energy, transport, healthcare, and agribusiness. The regime has been particularly active in cybersecurity and 5G, with 3% of Golden Power notifications in 2022 specifically concerning 5G technology. It has been applied with particular attention to non-EU investors from countries where local governments exert strong influence over companies.

The Italian "Golden Power" serves as a concrete example of a nation prioritizing national security interests over pure market liberalization. The government's ability to "block or impose restrictions" on foreign investments in strategic sectors, particularly 5G, directly overrides traditional economic incentives and demonstrates a clear recognition of the geopolitical risks inherent in technological dependencies. The increasing application of this power, especially towards non-EU entities from state-influenced economies, reflects a growing imperative to control critical infrastructure and sensitive technologies. This trend indicates a broader global shift where national security concerns are increasingly becoming a primary determinant of economic policy, leading to a re-evaluation of globalization and a movement towards greater state control or oversight in strategically vital industries.


The pursuit of digital sovereignty

Digital sovereignty is defined as the ability of states, organizations, and individuals to control their own digital destiny, encompassing independent decision-making on data, IT infrastructure, and technological resources. Its objectives include reducing reliance on major technology providers, ensuring data security, and promoting resilience against geopolitical tensions. The EU is actively pursuing digital sovereignty through various initiatives, including the EU Cybersecurity Act (2019), which strengthens the European Union Agency for Cybersecurity (ENISA) and establishes a harmonized certification framework for ICT products and services. The Digital Europe (DEP) program, with a budget exceeding 8.1 billion euros, is designed to accelerate the EU's digital transformation, focusing on supercomputing, artificial intelligence, cybersecurity, and advanced digital skills, with the aim of bridging the gap between research and market deployment.

Despite these efforts, significant divisions persist within the EU, with some Member States advocating for continued Chinese technology investments, while others push for stricter measures to ensure "EU digital sovereignty." Extraterritorial laws, such as the U.S. CLOUD Act, which allows U.S. authorities to access data stored by U.S.-owned European companies regardless of their physical location, pose a challenge to EU data sovereignty and raise concerns about foreign oversight. Europe is actively forming strategic alliances with partners like the United States and Japan to enhance cybersecurity and reduce dependence on Chinese digital technology, as outlined in the "European Economic Security Strategy" (June 2024).

The EU's pursuit of "digital sovereignty" is not merely a technical or economic objective, but a fundamental geopolitical imperative in an era of great power competition. The challenges posed by both Chinese technological dominance and U.S. extraterritorial laws like the CLOUD Act highlight that control over data and technology is a central battleground for influence and autonomy. Internal divisions within the EU further complicate a unified response, demonstrating that diverse national economic interests can hinder collective security and the realization of a truly sovereign digital space. Digital sovereignty is becoming a defining characteristic of national power in the 21st century. Achieving it requires a complex balance between fostering domestic innovation, strategically diversifying supply chains, navigating international legal complexities, and building strong alliances, all while managing internal political and economic divergences.


Table 3: Implementation status and challenges of the EU 5G cybersecurity toolbox

| Category of Toolbox Measure | Measure ID (if applicable) | Measure Description | Implementation Status (EU level) | Key Challenges/Notes |
| --- | --- | --- | --- | --- |
| Strategic Measures | SM03 | Restrictions for high-risk suppliers | Full implementation: 13 Member States. 21 Member States have adopted or are preparing legislation. | High costs, impracticality of immediate bans, limited national alternatives. |
| Strategic Measures | SM05 | Ensuring diversity of suppliers for individual MNOs | 9 Member States have implemented; more than half have not. | Persistent dependence on high-risk suppliers, lack of clear plans to address dependencies. |
| Strategic Measures | SM06 | Strengthening resilience at national level | Most Member States have no requirement to impose diversification at national level. | Difficult to implement for small national markets. |
| Strategic Measures | SM07 | Identifying key assets and fostering a diverse and sustainable 5G ecosystem in the EU | 25 Member States had an FDI screening mechanism in place by end of 2021. | |
| Strategic Measures | SM08 | Maintaining and building diversity and EU capacities in future network technologies | | |
| Technical Measures | TM01 | Baseline security requirements (development, management, incidents, updates) | Overall progress: 24 Member States have incorporated toolbox measures into national legislation. | |
| Technical Measures | TM09 | Using EU certification for 5G network components, customer equipment and/or suppliers' processes | EU certification framework established by the EU Cybersecurity Act. | Specific 5G (EU5G) certification schemes under development. |
| Overall Progress | | | 24 Member States have incorporated toolbox measures into national legislation. | Heterogeneous and slow implementation. |
| Overall Challenges | | | | Internal divisions within the EU, economic interdependence with China. |


Strategies for strengthening resilience

Building national and collective resilience against sophisticated cyber threats requires a multidimensional approach that goes beyond traditional defense, moving towards proactive and strategic measures.


Diversification of suppliers

A fundamental strategy to mitigate risks, such as intentional backdoors or vulnerabilities, is to reduce reliance on a single technology supplier, especially for critical infrastructure components. This involves actively encouraging the development of reliable Western suppliers and promoting diversification across the entire supply chain to strengthen national security and economic resilience.

While "diversification of suppliers" is presented as a "fundamental strategy," previous analysis highlighted the "high costs" and "limited national alternatives" that hinder its rapid implementation in Europe. This implies that market forces alone are insufficient to achieve the necessary level of security-driven diversification. Therefore, achieving true supply chain resilience requires strategic state intervention through industrial policies, including targeted investments, subsidies, and incentives to foster national or allied technological capabilities. This transforms security from a mere cost center into a strategic economic investment. This indicates a future where national security considerations will increasingly drive industrial policy, prioritizing resilience and self-sufficiency in critical technology sectors over pure cost efficiency, potentially leading to re-shoring or friend-shoring of key supply chain elements.


Strengthened public-private collaboration

Countering sophisticated state cyber actors requires close and continuous collaboration between government entities, intelligence agencies, and the private sector. This collaboration must include timely and secure sharing of information on emerging threats, vulnerabilities, and attack methodologies from the private sector to the government, and reciprocal government support for protection and recovery efforts.

The call for "strengthened public-private collaboration" is a widely recognized necessity, but its effective implementation often faces a "trust gap." Private companies are often reluctant to share sensitive information due to concerns about proprietary data, legal liabilities, and market reputation, while government agencies may face difficulties in securely and promptly disseminating classified threat intelligence. Building this trust requires clear legal frameworks, secure communication channels, and a shared understanding of the mutual benefits of collective defense. The success of national cybersecurity strategies against state-sponsored threats depends on the ability to effectively bridge this trust gap. Without a continuous flow of information and coordinated action, the "whole-of-society" approach to defense remains an aspiration, leaving critical vulnerabilities exposed.


Robust security standards and certifications

The implementation and rigorous enforcement of robust cybersecurity standards, coupled with independent certifications and frequent audits, are essential to elevate the overall level of protection for national infrastructures. The EU Cybersecurity Act (2019) provides a framework for voluntary, but highly recommended, cybersecurity certifications for ICT products, services, and processes, aiming for mutual recognition among Member States and strengthening trust.

While adherence to "robust security standards and certifications" may be perceived as a compliance burden, in the context of persistent grey zone threats it becomes a strategic enabler. By raising the baseline security posture across an entire sector or national infrastructure, standardized requirements make it significantly harder for adversaries to exploit common vulnerabilities at scale. They also foster trust within the supply chain and provide a common language for assessing and communicating security posture, facilitating cross-border cooperation. Standardization and certification frameworks are therefore not mere regulatory exercises, but critical components of a proactive national and allied cybersecurity strategy, transforming security from a reactive cost center into a fundamental strategic investment that strengthens collective resilience.


Investments in talent and research & development

It is crucial to invest significantly in the training and development of cybersecurity experts in academia, law enforcement, and the private sector. Continuous research and development (R&D) of new defensive technologies are imperative to keep pace with the rapid evolution and sophistication of cyber threats. The EU's Digital Europe (DEP) program explicitly allocates substantial funding (over 8.1 billion euros) to strengthening cybersecurity, artificial intelligence, and advanced digital skills, including the creation of cyber competence centers in Member States.

The escalating nature of state-sponsored cyber threats implies a continuous "cyber arms race," where defensive capabilities must evolve as rapidly as offensive ones. The demand for "constant innovation in countermeasures" and "investments in talent and research" directly addresses this dynamic. The existence of programs like the DEP that focus on digital skills implicitly recognizes a critical "talent gap" that, if not addressed, will severely undermine a nation's ability to defend its digital infrastructure, regardless of technological advancements. National security in the digital age increasingly depends on a nation's human capital and intellectual capacity in cybersecurity. This requires long-term strategic planning and sustained investment in education, training, and innovation ecosystems to cultivate and maintain a competitive cybersecurity workforce.


Strategic deterrence

Beyond purely defensive measures, Western nations are developing deterrence strategies that include diplomatic actions, targeted economic sanctions, and, where appropriate, the development of offensive cyber capabilities. The primary objective of these strategies is to increase the perceived costs and risks for aggressors, thereby dissuading them from initiating or continuing cyberattacks. This involves both "deterrence by denial" (strengthening defenses to make attacks harder) and "deterrence by punishment" (demonstrating the capacity and willingness to retaliate).

While traditional deterrence relies on clear red lines and credible threats of retaliation, cyber deterrence is complicated by the inherent ambiguity of grey zone operations and persistent attribution challenges. It is difficult to deter an adversary who can deny involvement or operate below a clear threshold of war. The effectiveness of "deterrence by punishment" is inherently limited if the target cannot definitively identify the aggressor or if a proportionate response risks unintended escalation. This creates an "ambiguity paradox" where the very nature of grey zone tactics undermines traditional deterrence models. This suggests that cyber deterrence cannot be a standalone strategy, but must be deeply integrated into a broader, multifaceted national security framework that combines robust defense, the establishment of international norms, and calibrated responses, recognizing the unique complexities and inherent ambiguities of the cyber domain.


Operational resilience and business continuity

Recognizing that it is almost impossible to prevent every cyberattack, a fundamental shift in focus towards operational resilience is imperative. This means developing the ability to rapidly detect an intrusion, contain its spread, restore essential services, and learn from the incident to improve future defenses. Key components include robust business continuity plans, regular exercises and simulations to test response capabilities, and proactive risk management frameworks that anticipate and mitigate potential impacts.

The emphasis on "operational resilience" and the recognition that "it is almost impossible to prevent every attack" indicates a mature and pragmatic evolution in cybersecurity thinking. This shifts the paradigm from an ideal of absolute prevention to a focus on "survival" – the ability to withstand, recover, and adapt to inevitable breaches. This requires not only technical controls, but also a strong organizational culture, well-defined processes, and trained personnel capable of responding and recovering quickly. This redefines cybersecurity success not as the absence of incidents, but as the speed, efficiency, and effectiveness of recovery, ensuring the continuity of critical services even under sustained and sophisticated cyberattacks. It underscores the importance of investing in recovery capabilities as much as, if not more than, in prevention.





About Extrema Ratio
Extrema Ratio is a leading, widely known organization specializing in Open Source Analysis and Intelligence (OSINT), with a particular focus on China's liminal global influence and the complexities of international relations. Through in-depth research, analysis, and expert commentary, Extrema Ratio provides valuable insights into national security, foreign malicious interference, and strategic challenges posed by emerging global powers.
The organization's mission is to inform the public and advise policymakers, public and private institutions, businesses and professionals on the risks and opportunities of today's rapidly changing geopolitical landscape. For more analysis and resources, visit Extrema Ratio's blog and publications.
