Data Security Decoded: Five-Year Plans, Forever Wars — China's Blueprint for Cyber Dominance
Date: August 26, 2025
Host: Caleb Tolan (Rubrik)
Guest: May Danowski (Geopolitical Intelligence Expert, Co-Founder of Natto Thoughts)
Episode Overview
This episode delves into China's comprehensive cyber strategy—how five-year plans, cultural context, and geopolitical ambitions shape its approach to cyber operations. Host Caleb Tolan interviews May Danowski, a leading expert in Chinese threat actors, to reveal the inner workings of China’s cyber apparatus, its distinction from other adversaries, targeting strategies, and what defenders should know in this evolving landscape.
Key Discussion Points & Insights
1. Misconceptions About Chinese State-Backed Threat Actors
[01:51]
- Fragmentation Over Monolith: A common misunderstanding is viewing Chinese threat actors as a monolithic, centrally controlled entity. The reality is more fragmented, involving multiple agencies, military units, and contract groups with varying degrees of autonomy.
- Quote (A, 01:51):
"A common misunderstanding... is to view them as monolithic and centrally coordinated entities operating under unified command and control. However, in reality the Chinese cyber threat landscape is much more complex and fragmented."
- Case Study — Hafnium/Silk Typhoon:
- Example of Xu Zewei, linked to the Hafnium group and the Shanghai Military State Security Bureau, showing the layered, regional, and often convoluted structure of Chinese cyber operations.
- Many actors, including private front companies, contribute to attacks and intelligence gathering, reflecting a decentralized but aligned effort.
- Quote (A, 03:12):
"The Shanghai State Security Bureau manages the Parrot operations directly, from recruitment, tasking and feedback loop to a structured reporting process..."
2. Influence of Culture and Strategy on Cyber Tactics
[05:28]
- Strategic Lens vs. Technical Lens:
- Strategic analysis focuses on motives, incentives, and constraints—key to understanding adversary behavior beyond mere technical analysis.
- Chinese state-backed cyber operations are entwined with national plans such as Made in China 2025 and the Belt and Road Initiative.
- Role of Private Companies:
- ‘Private’ companies in China are closely intertwined with the Communist Party, with mandated Party groups and connections that influence their actions and priorities.
- Business relationships with local Party committees affect access to contracts and resources.
- Quote (A, 07:09):
"In China, the concept of a private company is different from the understanding of a private company in Western countries, particularly in their relationship with the Chinese Communist Party."
3. Comparison With Other State Actors
[08:46]
- China:
- Driven by long-term strategic objectives: economic, military, and global influence.
- Adopts a top-down (central goals) and bottom-up (involvement of private sector) approach.
- Target selection aligns with state priorities, sometimes with complex layers of deniability.
- Russia, North Korea, Iran:
- Russia: Focuses on political influence and critical infrastructure disruption.
- North Korea: Highly centralized, with most operations under the Reconnaissance General Bureau. Historically, nearly all APTs were attributed to ‘Lazarus’.
- Quote (A, 11:54):
"In the old days... every square group from North Korea is Lazarus."
4. Targeting: Public vs. Private Sector and Critical Infrastructure
[12:44]
- Strategic, Not Sectoral Targeting:
- Chinese actors are guided less by private/public distinction and more by strategic value.
- Both sectors are targeted based on alignment to national interests—IP theft, intelligence, and now increasingly critical infrastructure.
- Recent focus includes telecom, energy, water, and transport, supporting intelligence gathering and operational preparation.
- Quote (A, 13:11):
"Chinese actors don't really think in terms of public or private the way we might think. Instead they seem to target based on what serves the strategic objectives."
- Evolution:
- Shift from pure IP theft to pre-positioning in infrastructure, fueling concerns about potential battlefield preparation.
5. Defense Strategies for Blue Teams
[15:48]
- Strategic Patience:
- Chinese operations are long-term with patient pursuit of outcomes rather than opportunistic attacks.
- Collection Requirements Framework:
- Attacks fill specific, state-driven intelligence gaps—defenders should analyze what intelligence value their organization represents.
- Quote (A, 16:34):
"Chinese operations are driven by collection requirements that come from the strategic planning process. They are not randomly targeting organizations."
- Pattern Recognition Over Time:
- Consistent use of specific tools by multiple Chinese groups (e.g., NBTscan, ScanBox) indicates knowledge transfer and institutional memory.
- Defense should track wider strategic patterns, not only individual groups.
- Quote (A, 19:33):
"[Your] threat intelligence program needs to track patterns across the entire Chinese cyber ecosystem, not just individual APT groups."
- Advice to Defenders:
- Pair technical measures with geopolitical/contextual insights.
- Consider your organization's value within China's intelligence priorities; adapt defenses accordingly.
6. Five-Year Plans: Execution and Surprises
[20:55]
- 14th Five-Year Plan (2021–2025):
- Not just economic growth but also a cybersecurity and technology roadmap.
- Unexpected speed/success in digitalization of the economy and norm-setting on cyber sovereignty in global forums.
- Quote (A, 21:48):
"The plan set ambitious targets for digitalization across industries. And they largely hit those marks, which saw massive adoption."
- Effective military-civil fusion: private sectors contributing directly to military cyber development.
- Norm-Setting Wins:
- Important advances in promoting China’s model of cyber sovereignty across global institutions.
7. Looking Forward: China’s 15th Five-Year Plan
[24:16]
- Likely Priorities (2026–2030):
- AI Integration: Increased focus on artificial intelligence in both cyber defense and offense; innovation remains top priority.
- Critical Infrastructure Resilience: Bolstering domestic infrastructure security, reducing dependence on foreign technology.
- Data as Strategic Asset: Enhanced regulation (e.g. PIPL, data security laws), stricter control over data flows.
- Quote (A, 26:32):
"I think we will see a much more sophisticated approach to trading data as a strategic national resource... including probably more restrictions on data flows to other countries."
- Overall Outlook:
- Even more ambitious, interconnected, and technologically advanced cyber strategy expected; future plans should be closely analyzed for global impact.
Notable Quotes & Memorable Moments
- "If you only focus on the technical side without understanding the broader strategic context, you're essentially playing defense with a blindfold on." — May Danowski, [15:48]
- "Chinese operations are fundamentally strategic in nature. So our defense needs to be equally strategic." — May Danowski, [19:52]
- "The traditional boundaries between the military cyber units, intelligence services and private sector cyber capabilities had essentially dissolved, you know, which is incredible." — May Danowski, [23:03]
- "Think AI-powered network defense, automated threat hunting, probably AI-enhanced offensive capabilities..." — May Danowski, [25:03]
Timestamps for Key Segments
- [01:51] — Chinese cyber threat actor structure and Hafnium case study
- [05:28] — Cultural and organizational drivers in China’s approach
- [08:46] — Comparing China’s cyber ops with Russia, North Korea, Iran
- [12:44] — Motivation behind public/private and infrastructure targeting
- [15:48] — What defenders/blue teams should do
- [20:55] — Review of the current Five-Year Plan: outcomes & surprises
- [24:16] — Predictions for China’s next Five-Year Plan
Learn More
- May Danowski: Natto Thoughts on Substack, LinkedIn, Bluesky, and X.
Conclusion:
This episode provides a nuanced, big-picture view of China’s cyber strategy—emphasizing the necessity for defenders to look beyond technical fixes and understand China’s institutional, social, and strategic drivers. Future developments, particularly the next Five-Year Plan, will continue to shape the global cybersecurity landscape.
