CNAS Insights | The Cost of Silence on China’s Cyber Aggression

Just weeks before the much anticipated meeting between President Donald Trump and General Secretary Xi Jinping, the United States discovered yet another major China-backed cyber intrusion. But instead of confronting his counterpart about Beijing’s cyber aggression, President Trump appeared to stay silent. Trump’s decision to avoid publicly addressing Xi continues a presidential pattern that risks emboldening China to advance its cyber operations against the United States.

On October 15, reporting uncovered that China-backed hackers had carried out a long-term intrusion of F5, a cybersecurity vendor for U.S. government agencies and 85 percent of Fortune 500 firms. The cyberattack was significant enough to trigger an emergency directive by the lead U.S. cyber agency. Just a few months before the F5 attack, Chinese state-backed hackers had exploited a SharePoint vulnerability that compromised data from multiple U.S. federal agencies and impacted hundreds of entities worldwide across critical infrastructure and government. In the fall of 2024, Salt Typhoon carried out a major cyber breach of U.S. telecommunications companies that, according to an FBI official, likely has “stolen information from nearly every American.” The breach even compromised data from President Trump himself.

Despite China’s escalating cyber aggression, U.S. presidents have been inconsistent in confronting the Chinese leader on the issue. President Joe Biden raised “deep concerns” about China’s targeting of critical infrastructure during his meeting with Xi in 2024, but readouts of bilateral meetings from 2021 and 2023 lacked any mention of cyber, despite the United States enduring brazen cyberattacks from Beijing during this period.

In China’s highly centralized, top-down political structure, presidential statements are essential to signal resolve to Xi. Cybersecurity alerts from law enforcement agencies and the occasional, strongly worded statement from a senior official are wholly insufficient. They may even signal weakness. If Washington is serious about signaling resolve to Xi, the U.S. president must deliver the message directly. As the U.S. national cyber director has warned, “We cannot expect [China’s] behavior to change if we're ambiguous about it.”

Of course, cyber competes with many other priorities in the increasingly tense bilateral relationship. Understandably, Trump and Xi’s discussion in Busan was primarily focused on trade and tariffs. But if the president can raise fentanyl—as he should have—then he should also have addressed Beijing’s growing hacks against the U.S. homeland. Both impact ordinary Americans.

For years, China-backed espionage operations targeted select companies and government agencies. Now, Beijing is infiltrating civilian critical infrastructure—jeopardizing the systems that Americans rely on for water, electricity, and transportation, according to testimony from former FBI Director Christopher Wray. He emphasized that Beijing could use this access to sabotage infrastructure during a future conflict to paralyze the U.S. response. Chinese diplomats have reportedly admitted as much, acknowledging that Beijing is infiltrating U.S. critical infrastructure to gain leverage over the United States for its support for Taiwan.

There is even evidence to suggest Beijing has used cyberattacks to hit the Trump administration where it hurts the most. Ahead of trade talks in late summer, Chinese state-backed hackers impersonated Representative John Moolenaar, the chairman of the House Select Committee on the Chinese Communist Party, to target U.S. trade groups, law firms, and agencies with malware. Analysts suspect this was part of an espionage operation aimed at tilting the outcome of upcoming trade talks in China’s favor. By leaving Beijing’s cyber aggression unaddressed, President Trump risks handing Xi a free pass to wield cyber operations to undermine his leverage on a core policy priority in future summits.

As China expands its offensive cyber operations, the United States has fallen on the back foot on cyber defense, making it even more critical for the Trump administration to signal strength to Xi. The legal backbone for cyber incident response, the Cybersecurity Information Sharing Act of 2015, just lapsed, and Congress has thus far failed to reauthorize it. As a result, private sector companies lack the legal clarity to share detailed cyber threat intelligence with the government. This degrades Washington’s ability to respond effectively to cyberattacks on critical infrastructure.

Strong signaling is especially important given the Trump administration’s approach to cyber deterrence. Senior Trump administration officials have repeatedly emphasized the need to improve deterrence against Beijing’s cyber operations, calling to expand offensive cyber capabilities to impose greater costs on Chinese hackers. But deterrence is not only about having the ability to inflict costs; it’s also about making the adversary believe you have the power and intent to do so. Because offensive cyber actions are covert by design, they won’t register with Xi unless paired with clear, public statements.

Silence at the top sends the wrong message—that Washington has accepted Beijing’s cyber operations as the status quo. This is exactly the normalization that China seeks to achieve. To change course, President Trump needs to deliver a message to Xi personally during their next summit: Beijing must stop its escalating cyber aggression against the United States or face real consequences.

Morgan Peirce is a research assistant for the Technology and National Security Program at the Center for a New American Security, supporting the Center’s research on quantum technology and cybersecurity.