What happened
The Netherlands’ Defence Intelligence and Security Service, known as MIVD, has assessed in its public annual report that China has drawn level with the United States in offensive cyber capabilities, a statement that goes further than any previous Western public intelligence assessment on the subject.
The MIVD’s report states that detection, response, and mitigation against Chinese cyber operations are frequently inadequate, and that only a limited proportion of Chinese operations against Dutch interests are ever detected. It attributes China’s improved operational tempo to a 2024 restructuring of the People’s Liberation Army’s cyber organization, which dissolved the Strategic Support Force and created a standalone Cyberspace Force. According to the MIVD, that reorganization enabled Chinese hackers to continuously adapt their tooling and infrastructure throughout 2025. The report also discloses previously unpublicized details about PLA hacking units, including that multiple components within the same unit competed to find vulnerabilities in a specific category of edge device during 2025.
The Salt Typhoon and RedMike espionage campaigns gained access to routers at smaller Dutch hosting and internet service providers in 2025. The MIVD describes telecommunications firms as priority targets because of the intelligence value of the data they carry. Dutch authorities joined a 13-country advisory in August 2025 attributing those campaigns to three Chinese technology companies acting on behalf of Beijing.
The report forecasts a further increase in campaigns targeting edge devices including routers, firewalls, and VPN solutions in 2026, and warns that China can now better integrate offensive cyber capabilities with military operations. The MIVD echoes assessments by US officials and Five Eyes partners regarding Volt Typhoon, the PLA-linked group assessed to be pre-positioning implants in Western critical infrastructure for potential activation in a future conflict, with Taiwan identified as the most likely trigger. The report also notes that China has never excluded the use of military means to annex the island.
Who is affected
Dutch telecommunications providers, internet service providers, and hosting companies have been directly targeted. Dutch researchers, businesses, and universities in the semiconductor, quantum computing, and aerospace sectors face active technology theft campaigns. The MIVD explicitly states that Chinese groups structurally target EU and NATO members, placing allied organizations across Europe within the threat perimeter.
Why CISOs should care
A Western intelligence service publicly declaring China at parity with the US in offensive cyber capability is not routine language. Combined with Google’s finding last month that China-linked groups doubled their zero-day exploitation in 2025, and the MIVD’s own estimate that only a fraction of Chinese operations are detected, this assessment points to a threat that is both more capable and less visible than most enterprise security programs are calibrated to handle.
The edge device focus is the most actionable near-term signal. Routers, firewalls, and VPN concentrators are the entry points Chinese groups have repeatedly exploited, and the MIVD is forecasting more of the same in 2026. For organizations that treat perimeter devices as lower-priority patching targets, the forecast directly challenges that posture.
3 practical actions
- Prioritize patching and monitoring of edge devices as a top-tier control: The MIVD explicitly forecasts increased targeting of routers, firewalls, and VPN solutions in 2026. Review patch currency on all perimeter devices, implement integrity monitoring where available, and treat anomalous outbound connections from these devices as high-priority alerts.
- Assess your organization’s exposure to Chinese intelligence collection priorities: The MIVD identifies semiconductors, quantum computing, aerospace, and telecommunications as active targeting sectors. Organizations in these industries or their supply chains should evaluate whether their threat models adequately reflect state-level adversaries pursuing long-term technology acquisition rather than immediate financial gain.
- Review detection capabilities against living-off-the-land and low-visibility intrusion techniques: The MIVD’s assessment that most Chinese operations go undetected points to a gap in visibility, not just prevention. Evaluate whether your detection engineering covers the edge device persistence techniques and quiet lateral movement patterns associated with Salt Typhoon, RedMike, and Volt Typhoon activity.
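
The first action, treating anomalous outbound connections from edge devices as high-priority alerts, can be implemented as a baseline check over flow logs. The following is an added example, not taken from the MIVD report or from any vendor tooling; the flow record format, device inventory, addresses, and egress baseline are all constructed for illustration.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "ts src dst dport proto")
# Constructed inventory of perimeter device management addresses.
EDGE_DEVICES = {"10.0.0.1": "border-router", "10.0.0.2": "vpn-concentrator"}
# Constructed internal address space, used only to label alert scope.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
# Constructed baseline: (destination network, port, protocol) each device may originate.
EXPECTED_EGRESS = {
    "10.0.0.1": [("10.0.5.10/32", 514, "udp"), ("10.0.5.11/32", 123, "udp")],
    "10.0.0.2": [("10.0.5.10/32", 514, "udp"), ("198.51.100.0/24", 443, "tcp")],
}
# Constructed flow records: timestamp, source, destination, dest port, protocol.
SAMPLE_FLOWS = """\
2026-01-12T02:14:07Z 10.0.0.1 10.0.5.10 514 udp
2026-01-12T02:14:09Z 10.0.0.2 198.51.100.20 443 tcp
2026-01-12T02:15:31Z 10.0.0.1 203.0.113.77 443 tcp
2026-01-12T02:15:40Z 10.0.9.44 203.0.113.77 443 tcp
2026-01-12T02:16:02Z 10.0.0.2 10.0.5.10 22 tcp
"""

def parse_flows(text):
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[3].isdigit():
            continue  # skip malformed records instead of stopping the pipeline
        ts, src, dst, dport, proto = parts
        flows.append(Flow(ts, src, dst, int(dport), proto.lower()))
    return flows

def is_expected(flow):
    dst = ipaddress.ip_address(flow.dst)
    for net, port, proto in EXPECTED_EGRESS.get(flow.src, []):
        if dst in ipaddress.ip_network(net) and (port, proto) == (flow.dport, flow.proto):
            return True
    return False

def edge_egress_alerts(flows):
    """Flag every flow an edge device originates outside its baseline."""
    alerts = []
    for f in flows:
        if f.src in EDGE_DEVICES and not is_expected(f):
            scope = "internal" if ipaddress.ip_address(f.dst) in INTERNAL_NET else "external"
            alerts.append({"ts": f.ts, "device": EDGE_DEVICES[f.src], "dst": f.dst,
                           "dport": f.dport, "scope": scope, "priority": "high"})
    return alerts
```

On the sample data this flags the router's connection to an unlisted external host and the VPN concentrator's SSH session to an internal server it normally only sends syslog to, while ignoring the same external destination when a non-edge host contacts it.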
