September 3, 2025

China’s 14th Five-Year Plan Ends This Year: A Guide for Public Sector Cybersecurity Leaders

Justin Fimlaid

 
Last Updated: September 3, 2025

Every five years, China lays out its national blueprint for growth, security, and global influence. The 14th Five-Year Plan (2021–2025) is the current edition — and it officially ends this year. As with any business plan, the aim is to end strong, and we expect China to do the same. On the surface, it’s a dense government playbook about economic development, infrastructure, and technology. But behind the business words, it’s the roadmap that has guided Beijing’s push to dominate cyberspace, artificial intelligence, and digital infrastructure.

While Chinese policy and plans may be seen as innocuous, it’s critical we pay attention to the policy and what the policy could mean for us. The behaviors we’ve seen from Chinese nation-state actors over the past five years — the data thefts, the stealthy intrusions into utilities, the campaigns against state and local agencies — are not random. They are the execution layer of this plan. Traditionally, Chinese operations have favored espionage and data collection over outright system destruction. But under this plan, those campaigns have become more aggressive, more patient, and more strategically positioned to disrupt critical services if Beijing ever decides it’s time. 

That means your state agency, your university, your utility, or your municipality may already be part of the electronic battlefield China is preparing. Understanding the 14th Five-Year Plan isn’t about studying foreign policy for its own sake — it’s about connecting the dots between Beijing’s ambitions and the risks hitting your doorstep. 

So, What's In the 14th Five-Year Plan? 

Beijing’s 14th Five-Year Plan is sprawling — covering everything from environmental goals to industrial policy — but its heartbeat is technology and security. For public sector leaders in the U.S., it’s worth stripping away the economic veneer and seeing how these priorities translate into today’s cyber risk. 

  • Self-Reliance in Critical Tech: The plan set a national mandate to achieve independence in semiconductors, cloud, quantum, and advanced telecom. Why it matters: when China can’t buy, it builds — often by stealing. U.S. public networks, state universities, and contractors have been prime targets in this hunt for source code, research data, and intellectual property. 
  • Data as a Strategic Resource: The plan elevates data to the same status as land or capital. That’s not just rhetoric — it comes with tight government control and a pipeline that channels sensitive information into state hands. Why it matters: Chinese cyber operators are hunting for bulk datasets (think DMV records, health data, voter rolls) to train AI models, fuel espionage, and map out U.S. society at scale. 
  • Cybersecurity = National Security: Chinese law now requires vulnerabilities discovered inside the country to be reported to the government before vendors. That gives Beijing a head start in building zero-day exploits. Why it matters: this policy has directly increased the arsenal Chinese APTs can deploy against U.S. targets, including state and municipal systems with limited patch cycles. 
  • Military “Informatization” and “Intelligentization”: The People’s Liberation Army (PLA) is integrating cyber, electronic warfare, and AI into one operating picture. Why it matters: the U.S. public sector is no longer a bystander. State networks, utilities, and transportation systems are viewed as legitimate battlegrounds where pre-positioned access could be weaponized during a crisis. 

Taken together, the 14th Plan shows how policy on paper becomes pressure on networks. It codified China’s pivot from “catch up” to “dominate” in cyberspace. And as we reach its final months, the fruits of that strategy are already hitting home for public sector leaders across the U.S. 

Your Network Is the New Electronic Battlefield

China no longer thinks of cyber as a stand-alone tool. In Beijing’s doctrine, the “electronic battlefield” is where cyber operations, electronic warfare, space assets, and psychological campaigns converge into one fight. The idea is simple but dangerous: if you can blind the enemy’s sensors, jam their communications, sow doubt with disinformation, and simultaneously sit inside their networks, you control the tempo of the conflict before the first missile flies. Much of the technology they might seek to “jam” is also the same technology we’ve outsourced to them for development.

This isn’t theory. In 2024, the People’s Liberation Army (PLA) dissolved its old Strategic Support Force and created a new Information Support Force — a unit reporting directly to Xi Jinping’s Central Military Commission. Its mission: unify cyber and information operations, harden PLA command-and-control, and prepare for joint operations that rely on dominating the information domain. In plain terms, China has professionalized its hackers and paired them with the military’s war-planning staff. 

For U.S. public sector leaders, here’s the translation: your networks are part of this electronic battlefield whether you signed up for it or not. State-run utilities, county emergency services, higher-ed research labs, and even city transit systems are seen as “soft entry points” into America’s critical infrastructure. For some public utilities, the saving grace has been the safety of outdated analog control panels that are not connected to the internet.

Recent U.S. government reporting makes it clear. Chinese state-sponsored groups — some tracked under names like Volt Typhoon or Silk Typhoon — have been caught burrowing into IT systems tied to power grids, telecom carriers, and water utilities. They weren’t stealing credit card data. They were pre-positioning for disruption: quietly mapping networks and leaving behind access so that, in a crisis, they could flip the switch. 

This is why cybersecurity leaders need to reframe how they think about nation-state threats. The Chinese playbook is less about instant chaos and more about slow, quiet positioning. It’s trench-building on the electronic battlefield. And state CIOs and CISOs must recognize: even if your agency isn’t the target of headline-grabbing espionage, it could still be part of the terrain an adversary plans to fight across. 

AI as a Weapon and a Shield 

Artificial intelligence is where China’s five-year ambitions meet the future of cyber conflict. The 14th Five-Year Plan funneled massive investment into AI research, with the dual goals of fueling the digital economy and “intelligentizing” the military. For the PLA and its Information Support Force, AI isn’t just a buzzword — it’s a force multiplier for espionage and information dominance. 

On offense, AI is becoming the scout’s binoculars and toolkit: 

  • Smarter Reconnaissance: AI models can sift through stolen data at machine speed, correlating identities, passwords, and system maps in ways human analysts never could. That means the terabytes of DMV records, university research, or employee directories stolen from U.S. entities can be weaponized faster and more effectively. 
  • Synthetic Deception: Chinese operators have already tested AI-generated deepfake news anchors and disinformation campaigns. In the future, state CIOs and university CISOs may see AI-driven spear-phishing emails that mimic a colleague’s writing style, or deepfake voicemails tied to recent social media events to add credibility. Coupled with disruption campaigns, this could pose challenges to elected officials who make their livelihood by “being public.”
  • Adaptive Malware: Machine learning models can be trained to adjust malicious code on the fly, evading traditional defenses and persisting longer inside networks. 

On defense, AI is also China’s shield. Beijing is pouring resources into automated cyber defenses at home — tools that can identify intrusion attempts against Chinese infrastructure, limit foreign penetration, and protect the state’s tightly controlled data reserves. That means Chinese hackers can take bigger risks abroad, knowing their own networks are increasingly hardened. 

For U.S. public sector leaders, the message is clear: expect an AI-driven tempo shift in Chinese cyber operations. The Information Support Force’s (ISF) scouts won’t just collect information; they’ll process and weaponize it at speeds that leave traditional defenses struggling to keep up.

The upside is that U.S. defenders can also harness AI — anomaly detection, behavioral analytics, and content verification tools are advancing quickly. But leaders must set expectations with their teams: by late 2025, AI will be baked into both sides of the fight. The question isn’t whether your agency will face an AI-enabled attack, but whether you’re ready to recognize it when it comes. 

Surveillance and Supply Chain Risks 

China’s 14th Five-Year Plan didn’t just spotlight AI and cyber power — it doubled down on something Beijing has already mastered: surveillance at scale. Inside China, this means the fusion of cameras, biometrics, big data policing, and strict data governance laws. Outside China, it means exporting those same tools — packaged as “smart city” projects, affordable drones, and telecom infrastructure — to governments and organizations worldwide. 

That global footprint creates a supply chain problem for U.S. public sector leaders: 

  • Surveillance Tech: Many state and local governments have, knowingly or not, deployed cameras, sensors, or software from Chinese vendors like Hikvision, Dahua, or DJI. These aren’t neutral tools. Under China’s National Intelligence Law, any Chinese company must provide access to data or networks if the state demands it. A camera on a courthouse, or a drone mapping local terrain, could quietly feed data back to Beijing. 
  • Telecom & Infrastructure: China has built the world’s largest 5G footprint and is pushing telecom equipment abroad through companies like Huawei and ZTE. Where those footholds exist, there’s potential leverage to monitor or disrupt communications. While most federal networks have banned this gear, state and local entities often lag behind, leaving gaps in resilience. 
  • Data Governance: The 14th Plan codified Beijing’s view of data as a strategic resource. Chinese laws prevent vulnerabilities from being shared outside the country and require data generated in China to stay in China — but they don’t hesitate to seek foreign data through cyber theft or supply-chain access. For U.S. states, this means that bulk data sets like voter rolls, DMV records, or public health databases are prime collection targets — whether through direct hacking or through compromised vendor systems. 

The risk isn’t hypothetical. Several states have had to rip out Chinese-manufactured cameras from government buildings. Universities have been warned about research funding tied to Chinese firms. And federal advisories have cautioned against municipal reliance on DJI drones. Each example connects back to the same strategic driver: China uses its commercial technology footprint as an intelligence pipeline. 

For CIOs, CISOs, and agency directors, this is less about geopolitics and more about procurement. Every piece of hardware, software, and cloud service in your environment is now part of the electronic battlefield. It’s critical you understand your supply chain and risks within it. 

Information is the Key to Discourse of Power 

Not every battle on the electronic battlefield involves malware or zero-days. Some play out in the quieter realm of influence and persuasion — where the target isn’t your firewall, but your people and policies. 

China has invested heavily in what it calls “discourse power”: the ability to shape narratives at home and abroad. This takes many forms. At the high end, it’s state-backed propaganda and slick media campaigns that push Beijing’s preferred version of events. At the grassroots, it’s cultivating relationships with local officials through sister-city programs, cultural exchanges, and university partnerships. The Heritage Foundation warned as far back as 2022 that China sees state and local governments as the “weak links” in America’s political fabric: easier to influence than Washington and just as effective at advancing Beijing’s interests. Think about it: the very organizations that survive because of funding, donations, and contributions are the same ones at risk of being influenced by them.

Universities are another pressure point. Chinese funding, talent recruitment programs, and partnerships can provide real benefits, but they can also serve as conduits for data collection or subtle policy influence. For higher-ed security leaders, vetting these relationships isn’t just about compliance, it’s about protecting institutional integrity. 

The key message: influence operations don’t look like cyberattacks, but they often ride on the back of them. They allow for proximity which makes espionage easier. Public sector leaders must plan for both, because in Beijing’s playbook, every breach or dataset can be repurposed for political advantage down the road.  

What to Expect in Q4 2025 

As China’s 14th Five-Year Plan winds down, we’re already seeing its cyber ambitions manifest. But the final quarter of 2025 could bring a sharper edge, as Beijing looks to close out this phase and set the stage for its 15th Plan. Public sector leaders should be ready for several likely developments: 

  • A Spike in Zero-Day Exploits: China’s policy of funneling software vulnerabilities to the state before vendors has stocked its arsenal. Expect fresh waves of exploits aimed at state agencies, universities, and local governments, especially those running legacy or niche systems where patching lags.
  • Critical Infrastructure Recon to Escalate: Groups like Volt Typhoon and Salt Typhoon will continue to burrow into utilities, transportation systems, and telecom networks. Don’t expect fireworks immediately; expect more stealthy positioning so Beijing can trigger disruption later. If tensions flare — Taiwan being the obvious flashpoint — Q4 could be the proving ground for these sleeper accesses. 
  • AI-Enhanced Phishing and Deepfakes: By now, generative AI isn’t experimental for adversaries, it’s operational. Watch for synthetic phishing emails, cloned voices, and AI-generated “evidence” designed to fool even cautious staff. Expect targeting of state officials, local election administrators, and university leaders. I wouldn’t expect anything too overt or “large public scale” because it immediately lessens the impact of future efforts by increasing public skepticism.
  • Influence Campaigns Tied to Local Events: 2025 may not be a federal election year, but that doesn’t mean states are safe. Municipal elections, ballot initiatives, or policy debates could be targeted by Chinese-linked influence operations, with cyber breaches providing the raw material for selective leaks or disinformation. 
  • Supply Chain and Procurement Flashpoints: China may push aggressively to expand its tech footprint abroad before new U.S. restrictions land. Expect cheap offers of “secure” telecom, surveillance, or smart city systems. If it looks too good to be true, it probably is. This is the quarter to double-check what’s already inside your environment. 
  • Signals of the Next Five-Year Plan: Beijing may use Q4 to preview elements of its 15th Five-Year Plan (2026–2030). If new military or cyber doctrines are published, watch closely: these documents often hint at operational priorities that will translate directly into threat activity against U.S. public sector systems. 

For state CIOs, CISOs, and higher-ed security leaders, the key isn’t to predict every move — it’s to assume heightened activity, more advanced tools, and a broader blending of espionage with influence. Q4 will be less about whether China shows its hand, and more about whether U.S. public sector leaders are ready when it does. 

Guidance for Q4 2025 Public Sector Leaders 

For U.S. state and local leaders, the threats in the Five-Year Plan aren’t abstract — they’re already probing your utilities, universities, and agencies. The good news: while Beijing plays the long game, there’s still time to harden defenses and build resilience. Here’s where to focus as 2025 closes: 

  • Double down on the basics relentlessly: Patch management, multifactor authentication, and network segmentation may sound unglamorous, but they’re the very gaps Chinese operators exploit. Treat cyber hygiene like public health: lapses don’t just affect you; they create exposure for the whole community. 
  • Exercise for the electronic battlefield: Tabletop scenarios shouldn’t stop at ransomware. Run drills that assume pre-positioned adversaries are already inside your environment, waiting for a geopolitical trigger. Test your ability to operate if critical systems are degraded, from 911 dispatch to payroll.
  • Treat threat intelligence as a team sport: Share what you see and listen hard to what others report. CISA, the FBI, and MS-ISAC are lifelines, but so is your neighboring state or university. If Volt Typhoon is mapping their networks, you may be next on the list. 
  • Plan for influence, not just intrusion: A stolen dataset today could be a weaponized leak tomorrow. Work with communications teams and state leadership on rapid response playbooks for disinformation campaigns. That means knowing who speaks publicly, how quickly you can verify facts, and how you counter AI-generated fakes. 
  • Scrutinize your supply chain: If you don’t know where your cameras, drones, or general technology gear come from, find out. If they’re Chinese-manufactured and network-connected, they’re a risk. Many folks might say rip-and-replace, but we all know this isn’t possible for most institutions. For now, put some pressure on vendors and suppliers to provide bills of materials.
  • Think like a resilience officer, not just a security officer: Your mission isn’t just to keep adversaries out, it’s to keep services running when they get in. That means continuity planning, backup communications, and cross-agency coordination. In a crisis, public trust depends more on how quickly you restore confidence than on whether you can trace the attacker’s IP. 

China’s strategy is patient, persistent, and pragmatic. The lesson for U.S. public sector leaders is the same: you don’t need perfection, but you do need discipline and resilience. By treating your networks as part of the modern battlefield and preparing accordingly, you ensure that when Beijing’s scouts come knocking — or lighting their traps — your shields hold firm. 

Justin Fimlaid

Justin (he/him) is the founder and CEO of NuHarbor Security, where he continues to advance modern integrated cybersecurity services. He has over 20 years of cybersecurity experience, much of it earned while leading security efforts for multinational corporations, most recently serving as global CISO at Keurig Green Mountain Coffee. Justin serves multiple local organizations in the public interest, including his board membership at Champlain College.
