Most cyber analysis begins with incidents. It should begin with intent.
Adversaries sometimes declare strategic priorities, yet cyber incidents that align with them are not assessed accordingly. We should in fact be guarding against intrusions before they happen by taking note of foreign and industrial policies that indicate where they’re likely to concentrate.
This methodology is especially useful for countries and companies defending against Chinese intrusion. China’s five-year plans for economic development can indicate priority terrain. They show where Beijing intends to concentrate effort, reduce external dependencies and close capability gaps over time. From a cyber perspective, declared technology priorities point to where pressure is most likely to build.
Technology features prominently in China’s current planning cycle. Semiconductors, advanced manufacturing, AI-enabling infrastructure and industrial software are consistently elevated. These sectors underpin economic and military capability and sit at the centre of global competition. They’re also areas where China faces sustained external constraint through export controls, standards pressure and supply-chain dependence. That combination makes the areas logical focal points.
This is not unique to China. The United States and Australia similarly publish national cyber strategies and technology policies that link industrial resilience with strategic priorities. Western governments put their strategic priorities in writing. Beijing does the same.
Cyber activity – such as network exploitation campaigns, compromise of identity systems, and cyber-enabled intellectual property theft – supports this scheme of manoeuvre. It’s not a substitute for domestic investment or industrial reform; it’s a supporting function. State-aligned cyber espionage enables access to intellectual property, industrial processes and supply-chain insight, reducing uncertainty and shortening development timelines in ecosystems identified as strategic priorities. Crucially, this activity can occur without crossing thresholds that would normally trigger escalation or coordinated responses.
China operates on long horizons: cyber offers a way for it to apply low and slow pressure and accumulate an advantage.
The pattern is established. Previous five-year plans that emphasised development in aerospace, healthcare, advanced manufacturing and semiconductors were followed by sustained state-aligned cyber espionage targeting those same sectors. Alignment is not always explicit, but the consistency between declared priorities and observed activity suggests more than coincidence. This was evident in China’s 13th five-year plan, which prioritised rapid advancement in 5G and telecommunications infrastructure. State-aligned cyber groups subsequently conducted espionage campaigns against global telecommunications providers to obtain sensitive technical data related to 5G networks and equipment. In several cases, cyber activity has preceded overt competitive friction. This reinforces the role of cyber as an enabling function rather than a crisis trigger.
The 13th five-year plan also marked a broader shift in China’s technology policy. Domestic innovation and technological self-reliance were increasingly framed as matters of national security, particularly in sectors such as telecommunications, semiconductors and advanced manufacturing. As these priorities hardened in policy, the urgency to close capability gaps increased, strengthening the incentive to obtain foreign technical knowledge.
For Australian government and critical infrastructure entities, the relevance lies in anticipation. Attribution explains who caused the disruption; motivation explains why it was done, why the activity persists and where it is likely to concentrate. Foreign industrial and technology priorities can reveal where cyber activity is most likely to support broader objectives.
This exposes a persistent blind spot in cyber decision-making. Many organisations acknowledge strategic competition in principle but continue to assess cyber activity primarily through corporate risk models that are mainly concerned with financial motives and technical effects. Cyber operations are too often assessed in isolation from foreign policy and technology objectives that shape them. The consequence is not ignorance, but delay, as patterns are recognised only after leverage has been established and options have narrowed.
When disruption or theft is visible, response pathways are comparatively straightforward. Legal, regulatory and operational mechanisms can be activated with clarity of purpose. Persistent low-level access is different. Years of observation may not generate headline incidents, public breaches or clear escalation points because, technically, nothing has happened.
But that familiarity alters the strategic balance. Decision-makers are left navigating ambiguity rather than crisis, and ambiguity hampers decisiveness. By the time activity is recognised as strategic positioning rather than isolated access, the scope for proportionate and credible response has already contracted.
Integrating foreign policy and industrial priorities into cyber prioritisation won’t require new authorities or dramatic reform, but rather a shift in how existing information is weighted. Without that shift, cyber incidents tied to long-term strategic objectives will continue to be approached as isolated events rather than as components of a broader campaign. The difference between reaction and anticipation determines whether pressure is recognised early or only after advantage has been secured elsewhere.
