When Silence Stops Being Cheap
The Retooling Tax of Cyber Persistence
Writing on cyber strategy, statecraft, operations, and geopolitics in a personal capacity. Views are my own and do not represent any employer or client. I use modern research and editing tools; analysis and judgement are mine.
In July 2025, Singapore’s Coordinating Minister for National Security, K. Shanmugam, stood up at the Cyber Security Agency’s tenth anniversary dinner and did something Singapore had never done before. He named a threat actor, UNC3886, a China-nexus APT tracked by Mandiant, and said it was going after the country’s critical infrastructure. He didn’t say “China”. But he didn’t need to. Anyone literate in threat intelligence knew exactly what he was saying.
By February 2026, Singapore confirmed UNC3886 had compromised all four of its major telecommunications providers using zero-day exploits, rootkits, and persistent access mechanisms designed to survive detection. Operation Cyber Guardian was deployed to contain it. No customer data was exfiltrated. No services were disrupted. But the access was real, and it had been there for a long time.
That disclosure is worth studying, not because of what Singapore said, but because of what it reveals about how cyber statecraft actually works once the rhetoric is stripped away. We talk about “cyberwar” as if it’s a thing you can win, or deter, or end, but it isn’t.
Instead, what we are dealing with is something far more mundane and exhausting: industrialised state cyber operations. Persistent access, long dwell times and human operators grinding away quietly in the background. No climactic battles, just attrition.
That matters, because it changes what strategy even means.
Here, strategy is not about demonstrating resolve or setting boundaries. It’s about deciding what you’re willing to live with, and what you’re prepared to make expensive for the other side, knowing full well you’ll pay a price too.
For years, public attribution was largely a practice driven by the US and its vendors, and adopted within the Five Eyes. Beyond that perimeter, most states avoided it entirely. It was a values exercise, something you did if you could afford the politics. Safer to stay quiet. That logic is breaking. Not because anyone suddenly got braver, but because silence stopped being cheap.
A quick note on lens
I don’t approach this from the perspective of a single country. I lived in Singapore for fourteen years, I’m married to a Chinese woman, and I’ve worked inside American and British companies; now I sit in Australia in a global role. That doesn’t make me neutral. It makes me allergic to single-lens explanations.
Cyber posture looks very different depending on where you sit — politically, economically, and culturally. So this isn’t a Western argument or an Eastern one. It’s a practical one.
When the grey zone stops being permissive
The “grey zone” once sounded attractive. Low cost. High deniability. Plenty of room to manoeuvre. That worked when operations were smaller and slower. At scale, silence becomes a subsidy.
If an actor sits quietly in your network today, they’re not just stealing information. They’re banking advantage. Mapping dependencies. Improving tradecraft. Preserving options. All without friction. UNC3886 had been active since at least 2021, quietly exploiting zero-days in firewalls and hypervisors using living-off-the-land techniques designed to blend into normal operations: repurposing legitimate admin tools so malicious activity looks like normal system behaviour. Volt Typhoon followed a similar pattern across US critical infrastructure (energy, water, transport, and telecoms), with dwell times stretching into years.
These are not smash-and-grab operations. They are slow, deliberate programmes of strategic pre-positioning. That’s the part people still underplay.
So when you hear terms like “active defence” or “defend forward”, don’t picture cyber punch-ups. What’s actually happening is terrain shaping, making persistence less comfortable, less clean, and less predictable.
The goal is still to make intrusion hard. Reducing probability matters, not least because every breach, even one that never becomes operationally disruptive, imposes its own response tax. Teams spin up. Regulators expect notification. Resources shift from forward work to forensic work. And upon discovery, you rarely know how big is big: scoping a compromise can take weeks or months, during which the organisation is burning capacity on a question it can’t yet answer. So prevention earns its keep. But the strategic point is different: for actors operating at this level, some access will be achieved. The goal is to make that access unrewarding, to deny the conditions under which persistence compounds into strategic advantage.
This is one of the ways digital bifurcation becomes self-reinforcing, what I’ve previously described as one of the Five Forces reshaping the geopolitical cyber order. Each exposure hardens the boundary between trusted and untrusted infrastructure. Every burned operation widens the gap between allied and adversarial digital ecosystems. The retooling tax doesn’t just impose cost; it accelerates structural separation in the digital order.
The retooling tax (and why it’s misunderstood)
Public exposure is still dismissed as “naming and shaming”. That’s a lazy read. In a persistence model, attribution isn’t about morality. It’s about forcing work.
Once an operation becomes legible, infrastructure gets burned. Tooling is shelved. Access paths collapse. People have to rebuild things they thought were settled. Oversight tightens, tempo drops, and mistakes creep in. That’s the retooling tax.
The point isn’t to end persistence. It’s to break the conditions that let persistence compound unchecked.
Inside the adversary’s system, exposure triggers internal review. Resources shift from expansion to damage assessment. The incentives temporarily shift from risk-taking to caution. For programmes built on patience, that friction matters.
But here’s the uncomfortable part: capable adversaries plan for this. At scale, they amortise the cost. Modular tooling. Redundant infrastructure. Parallel accesses. Burning one campaign becomes maintenance, not defeat. The i-Soon leaks in February 2024 confirmed what many suspected — industrial depth matters.
The retooling tax falls unevenly. It genuinely disrupts mid-tier operators. For top-tier actors, it can prune the field and concentrate persistent access among those best equipped to sustain it. So no, this doesn’t stop them.
What it does is change the economics. Persistence still exists, but it becomes slower, noisier, and less reliable. Over time, that compounds.
Transparency is not free — it’s finite
This is where many defenders get sloppy. Disclosure isn’t binary. It’s not silence versus exposure. It’s a finite resource.
Every time you go public, you teach the other side something: what you can see, what you care about, where your telemetry is strong, and where it isn’t. A serious opponent studies your disclosures the same way you study their campaigns.
They don’t fear noise. They curate it. False flags. Proxies. Cheap tooling combined with bespoke access. The aim is simple: raise attribution costs and weaken confidence.
What complicates this further is that states no longer fully control disclosure timing. Vendor reports now drive much of public attribution, sometimes aligned with government objectives, sometimes not. Commercial incentives often lack a clear alignment with operational discipline, potentially leading to premature disclosure of sensitive information.
Yes, noise can deny permissiveness, but unmanaged noise degrades the signal. Transparency without discipline isn’t bold. It’s counter‑productive.
The cost you pay at home
None of this comes for free. Once something goes public, it stops being a technical problem and becomes a political one. Attention spikes. Media flattens nuance. Ministers want certainty that doesn’t exist.
Security teams lose room to manoeuvre. Bureaucracies react to headlines rather than evidence. Over time, the public either panics or tunes out—and institutions themselves can habituate to noise, dulling response when it actually matters.
This friction isn’t a side effect; it’s the price of admission. Only states with strong institutional discipline can absorb that pressure without turning disclosure into theatre. Many can’t. For them, visibility creates more risk than it removes.
Singapore, as an example – not a template
Singapore’s handling of UNC3886 is instructive precisely because of what it didn’t do.
Minister Shanmugam named the threat actor cluster—a Mandiant designation—without saying “China”. The exposure was technical, bounded, and calm. No chest-thumping. No moralising. There was no attempt to publicly corner anyone.
Beijing’s response was equally calibrated. The Chinese Embassy expressed “strong dissatisfaction” via local media while avoiding direct escalation. The unspoken rules of exchange were honoured.
Seen through a Sun Zi lens, the objective was never deterrence of China. It was preservation of operating space under constraint—denying permissive terrain without forcing escalation.
It works because Singapore understands its constraints: economic exposure, regional dynamics, and the need for institutional cohesion. It also quietly reassures investors, insurers, and critical service providers that persistent access is being managed competently rather than denied until failure forces the issue.
When attempted without those conditions, the same approach leads to noise, panic, and poor decisions.
Who this actually works for
This approach isn’t universal. It favours states with strong legal authority, high trust in institutions, and the ability to tolerate ambiguity. It disadvantages those with fragile politics, exposed economies, or a taste for moral theatre.
There’s a further complication. Most corporate risk frameworks are calibrated for criminal operators—ransomware, data theft, business interruption—because those threats produce quantifiable losses that fit neatly into a risk register. The state persistence model described here requires a fundamentally different posture: patience over speed, managed coexistence over rapid eviction, and strategic disclosure over reflexive transparency. Holding both models simultaneously is genuinely difficult, and the insurance and loss-quantification ecosystem keeps pulling boards towards the criminal lens at the expense of the strategic one. That tension doesn’t resolve. It has to be managed.
There are also real tail risks. Get attribution wrong and credibility evaporates, not just for the attributing state, but for the coalitions that rely on shared confidence. Push too hard and partners fracture. Make everything public and intrusion becomes background radiation.
This isn’t deterrence by punishment. It’s attrition by design, and attrition always cuts both ways.
The realist corrective: endurance as strategy
We still look for decisive moments. Cyber doesn’t offer them.
As Cyber Persistence Theory makes clear, there is no final victory here, only a continuous contest for initiative. By choosing to make the silence noisy, states are acknowledging that the grey zone is no longer a place of comfort but a frontline of industrialised attrition.
The retooling tax isn’t a win. It’s a maintenance fee, the price paid to ensure that while adversaries remain persistent, they never remain comfortable.
Silence is no longer cheap. The question now is how deliberately we choose to spend it.
References & Further Reading
Singapore’s UNC3886 Attribution
K. Shanmugam, “CSA 10th Anniversary Dinner — The Next 10 Years: Securing Our Cyberspace and Digital Future,” Ministry of Home Affairs Singapore, 18 July 2025. https://www.mha.gov.sg/mediaroom/speeches/csa-10th-anniversary-dinner-the-next-10-years-securing-our-cyberspace-and-digital-future
Cyber Security Agency of Singapore, Singapore Cyber Landscape 2024/2025, September 2025. https://www.csa.gov.sg/resources/publications/singapore-cyber-landscape-2024-2025/
BleepingComputer, “Chinese Cyberspies Breach Singapore’s Four Largest Telcos,” February 2026. https://www.bleepingcomputer.com/news/security/chinese-cyberspies-breach-singapores-four-largest-telcos/
Louise Marie Hurel, “What Singapore’s First Public Cyber Attribution Tells Us,” Royal United Services Institute, 30 July 2025. https://www.rusi.org/explore-our-research/publications/commentary/what-singapores-first-public-cyber-attribution-tells-us
Volt Typhoon & PRC Cyber Pre-Positioning
CISA, NSA & FBI, “PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure,” Joint Cybersecurity Advisory AA24-038A, February 2024. https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
Ciaran Martin, “Typhoons in Cyberspace,” Royal United Services Institute, 2025. https://www.rusi.org/explore-our-research/publications/commentary/typhoons-cyberspace
Mandiant, “Cloaked and Covert: Uncovering UNC3886 Espionage Operations,” Google Threat Intelligence, 2023. https://cloud.google.com/blog/topics/threat-intelligence/uncovering-unc3886-espionage-operations
i-Soon Leaks
Associated Press, “Leaked Files from Chinese Firm Show Vast International Hacking Effort,” February 2024. https://apnews.com/article/china-cybersecurity-leak-isoon
Cyber Persistence Theory & Strategic Literature
Michael P. Fischerkeller, Emily O. Goldman & Richard J. Harknett, Cyber Persistence Theory: Redefining National Security in Cyberspace, Oxford University Press, 2022.
Jon R. Lindsay, Age of Deception: Intelligence Warfare in the 21st Century, Oxford University Press, 2025.
Attribution as Statecraft
Florian Egloff & Max Smeets, “Publicly Attributing Cyber Attacks: A Framework,” Journal of Strategic Studies, 2022.
Herb Lin, “Attribution of Malicious Cyber Incidents: From Soup to Nuts,” Journal of International Affairs, Columbia University, 2016.
Sun Zi & Calculated Restraint
Sun Tzu, The Art of War, translated by Roger Ames, Ballantine Books, 1993. (Ames translation recommended for its emphasis on strategic context over aphorism.)
For more on the distinction between strategy and activity in cyber, see Cyber Strategy Is Not Activity.


