Disclaimer: The opinions expressed here are solely my own and not those of any employer, client, or affiliated organisation.

Machine overmatch in an age of software-defined war

Ukraine has shown that modern war is increasingly software-defined, data-dependent and commercially entangled. Salt Typhoon reveals what this means in peacetime: adversaries are mapping telecommunications, infrastructure and digital ecosystems long before a crisis begins.

One thing many folks do not know about me is that this whole technology career was not my original plan, it was just a bit of a side quest 🤣. My original plan was a history degree and then a history PhD. But life happens and you go on weird tangents. Recently, I was enrolled in a Master of War Studies at UNSW with the idea of getting back on track with my original plan. But I became very interested in the governance of AI and popped that plan onto the back burner. Anyway, that is kind of a long explainer of the fact that I have long been interested in military history and military strategy. And now AI and cybersecurity are crossing over with that old interest of mine. So I will probably be writing a bit more about the intersections of war, technology, and strategy in future.

War is changing

Machine overmatch is an emerging theory of intelligence advantage in which the side that can collect, integrate, and model data at scale, more quickly and coherently than its adversary, gains a decisive edge in understanding and shaping the battlespace. It builds on the shift that Christian Brose describes in The Kill Chain: away from reliance on exquisite legacy platforms and towards the speed, resilience, and connectivity of kill chains that link sensors, decision-makers, and shooters. It also aligns with the trends Paul Scharre examines in Army of None, where autonomous and semi-autonomous systems increasingly sense, decide, and act under varying degrees of human supervision, making data, algorithms, and decision loops central to future conflict. In this frame, campaigns such as China-linked Salt Typhoon are not merely isolated cyber incidents, but part of a broader contest for persistent access to high-value telecommunications and network infrastructure. Such access can support espionage, situational awareness, and the data advantages on which future military and intelligence systems may depend.

Ukraine rewriting how wars are fought

Ukraine has quietly rewritten the grammar of modern war. We still see tanks, artillery, trenches and shattered cities on our screens. But underneath that familiar imagery is a very different operating model: cheap sensors, commercial satellites, drones, cloud platforms, Starlink terminals, battlefield apps, volunteer intelligence networks and rapid software iteration all stitched together into a faster decision loop.

This is not science fiction. It is the practical machinery of modern war. Ukraine’s Delta situational awareness system, for example, has evolved from a volunteer initiative into a Ministry of Defence platform that draws on drones, satellites, cameras, sensors and reconnaissance units to support battlefield decision-making. GIS Arta and related battlefield tools have similarly shown how phones, tablets, drones, radios and satellite links can be used to connect observers, targets and artillery units more quickly than traditional command processes were designed to manage.

The message for boards, executives and policymakers is clear: war is becoming software-defined, data-dependent and commercially entangled. That matters far beyond the battlefield, because the same digital infrastructure that enables productivity, logistics and social life in peacetime can become a source of intelligence advantage in crisis.

Ashley Ruiz’s recent piece in War on the Rocks on machine overmatch and Salt Typhoon is best read against this backdrop. Ruiz argues that the next decisive intelligence advantage may not come from one exquisite secret or one well-placed source. It may come from the ability to collect widely, analyse quickly and model entire digital ecosystems faster than an adversary can respond.

That is the real significance of Salt Typhoon. Public reporting and allied advisories describe a broad pattern of PRC state-sponsored activity against telecommunications, government, transport, lodging and military infrastructure networks. The activity partially overlaps with industry reporting commonly labelled Salt Typhoon, OPERATOR PANDA, RedMike, UNC5807 and GhostEmperor. For more background, see the material from the Australian Signals Directorate’s Australian Cyber Security Centre on countering Chinese state-sponsored attacks. The point is not the label. The point is the operating model: persistent access to data-rich environments that can reveal communications, movement, organisational relationships and operational dependencies at scale.

From platform-centric war to data-centric war

Traditional US and allied warfighting has been built around high-end platforms: carrier strike groups, stealth aircraft, exquisite intelligence, surveillance and reconnaissance systems, and carefully controlled battle networks. Intelligence advantage in that model looked like a rare satellite pass, a sensitive intercept, or a human source with privileged access.

That model has not disappeared. Platforms still matter. Munitions still matter. Logistics still matter. But Ukraine has shown that the side able to connect sensors, shooters, software and people at speed can create a different kind of advantage. Delta has been described by CSIS as a practical, agile form of battlefield management that resembles the combined joint all-domain command and control concept Western militaries have been trying to build for years.

This is why the US Department of Defense’s interest in attritable autonomous systems, Combined Joint All Domain Command and Control (CJADC2) and faster sensor-to-shooter integration is not a side issue. It reflects the same lesson: the future force is not just a collection of expensive platforms. It is an adaptive network of humans, machines, data, software and decision rights.

China is watching this too. PLA thinking has long emphasised informatised warfare and now increasingly intelligentised warfare, where information dominance, automation and AI-enabled decision support are expected to shape military advantage. RAND’s work on PLA doctrine describes “systems confrontation” as central to how the PLA understands modern warfare, with “system destruction warfare” functioning as a theory of victory aimed at paralysing an adversary’s operational system rather than simply destroying individual units.

Salt Typhoon sits squarely in that context. It is not just “a cyber incident”. It is part of the data plumbing for a future operating model in which intelligence, cyber, electronic warfare, influence and kinetic operations are increasingly fused.

Ecosystem mapping before the crisis

One of Ruiz’s most useful insights is that campaigns like Salt Typhoon are about mapping foreign digital ecosystems before a crisis begins. That should worry us.

The 2025 joint advisory co-sealed by agencies including CISA, NSA, FBI and ASD’s Australian Cyber Security Centre says PRC state-sponsored actors have targeted networks globally, with a focus on major telecommunications backbone routers and provider edge and customer edge routers. It also states that stolen data from telecommunications and ISP intrusions, as well as lodging and transport sector intrusions, can help Chinese intelligence services identify and track targets’ communications and movements around the world.

In plain language, this is about turning digital exhaust into strategic knowledge. Who talks to whom. Which systems depend on which networks. Which suppliers, ports, substations, cloud regions, identity providers and communications channels matter most. Which people are central to decision-making, logistics or operational continuity.

Modern machine learning and graph analytics make that work more scalable. They can infer organisational relationships from communications patterns, identify anomalies in movement or device behaviour, and highlight nodes whose disruption would create disproportionate effects. The models do not need to be perfect to be useful. At scale, even moderately accurate models can reduce the time needed to target, disrupt, influence or coerce.

For a Ukraine-style conflict, pre-built ecosystem maps could be used to identify the communications links that battlefield applications depend on, disrupt the civilian coordination channels that support resilience, or tailor influence operations to particular military, professional or community groups. This is a very different model from trying to build situational awareness only after a crisis has begun.

The strategic advantage comes from doing the slow data work early.

Commercial infrastructure is now part of the battlespace

Ukraine has also made visible a truth that many organisations still prefer not to confront: modern conflict rides on commercial infrastructure. Starlink has provided critical connectivity. Cloud platforms have supported resilience. Commercial drones have become ubiquitous. Civilian reporting tools and open-source intelligence communities have become part of the information environment.

For democracies, this creates a difficult governance problem. We need commercial innovation, private-sector data and civilian infrastructure to support national resilience. But we also have legal obligations, civil liberties, procurement rules, privacy regimes and political norms that constrain how those systems can be used. Those constraints are not a bug; they are part of what differentiates liberal democracies from authoritarian states. But they do introduce friction.

China’s system is structured differently. Its national security and intelligence laws place obligations on organisations and citizens to support state security work, and its military-civil fusion strategy is intended to integrate civilian technology, industry and data into national strategic capability (Ruiz, 2026; US Congress Report, 2024). That does not mean the system is seamless. Large bureaucracies are rarely seamless. But it does mean Beijing can, in principle, reduce the distance between commercial data, state intelligence requirements and military planning.

The result is an asymmetry in integration speed rather than a simple asymmetry in technical capability. The US, Australia and other allies have extraordinary data, technical expertise and intelligence capabilities. But those capabilities are often distributed across agencies, companies, jurisdictions and legal frameworks. China may be able to fuse some categories of data more quickly into operationally useful models.

That is the governance challenge. Not “how do we become like China?” We should not. The question is how democratic systems can move faster while still preserving legality, accountability and trust.

Ukraine as proof of concept, China as systems engineer

Ukraine has built much of its software-defined warfighting model through necessity. It has had to integrate drones, civilian reporting, commercial satellite imagery, battlefield apps, cloud infrastructure and volunteer technical capability while under attack. That is innovation under pressure.

China is approaching the same problem from the other direction. It is trying to design the doctrine, industrial base, cyber operations and data architecture before the crisis. PLA concepts of systems confrontation and information advantage suggest a worldview in which the adversary is not just a set of military units, but a system of systems that can be mapped, shaped and disrupted.

Salt Typhoon is one visible symptom of that worldview. Compromising telecommunications infrastructure, routers and related high-value network environments is not glamorous. It does not look like a decisive battle. But it can create long-term strategic options: surveillance, target development, counterintelligence insight, coercive leverage and potential disruption in a crisis.

This is where the phrase 'machine overmatch' is useful. It shifts the conversation away from whether one side has a better tank, aircraft or satellite. It asks whether one side can use machines, data and models to understand the other side’s society, infrastructure and military system faster than the other side can understand itself.

That is a much more uncomfortable question.

Implications for democracies and Australia

For liberal democracies, the challenge is twofold:

  1. We need to adapt to software-defined, data-centric conflict without eroding the rights and norms we are trying to defend. The debates over surveillance powers, data retention, lawful access, data brokers and cross-border data flows are not just privacy debates. They are now national security debates as well.
  2. We must assume that our digital exhaust is already being harvested, correlated and modelled. The 2025 advisory co-sealed by ASD’s ACSC says this PRC-linked activity has been observed in the United States, Australia, Canada, New Zealand, the United Kingdom and elsewhere. A separate 2024 advisory on Volt Typhoon warned that PRC state-sponsored actors were seeking to pre-position on critical infrastructure networks for potential disruptive or destructive activity in a major crisis, and noted that Australian and New Zealand critical infrastructure could be vulnerable to similar activity.

For Australia, this makes data governance a national security discipline, not just a compliance function. Data brokers, identity providers, telecommunications carriers, cloud platforms, managed service providers and critical infrastructure operators all sit inside the strategic risk picture. Boards should treat high-value data aggregations as both assets and liabilities.

This has practical implications. Organisations need to know what sensitive data they hold, where it flows, who can access it, how long it is retained, and how easily it can be linked to other datasets. They need to threat model metadata, logs, telemetry and identity data with the same seriousness they apply to obvious secrets. They need to ask whether a breach would simply expose records, or whether it would help an adversary build a better model of Australian society, infrastructure and decision-making.

That is the shift. Cybersecurity is no longer only about stopping intrusions. It is about reducing the strategic value of what an adversary can learn if they get in.

From cyber incident to data-risk discipline

The easy mistake is to treat Salt Typhoon as another cyber story. It is more than that. It is a warning about the way intelligence, cyber operations, AI, commercial infrastructure and national power are converging.

Ukraine shows that modern war rewards the rapid integration of data, software, sensors and people. China’s data-centric intelligence strategy shows how an authoritarian state can prepare the information terrain long before a crisis. Democracies need a response that is faster and more integrated, but still lawful and accountable.

For boards and executives, the practical message is simple. Data governance, cyber resilience, third-party risk, critical infrastructure security and AI governance are now part of the same conversation. They cannot be managed as separate compliance streams. They are the operating model for resilience in a world where digital exhaust has strategic value.

The future of war is not only about weapons. It is about who can see, model, decide and adapt fastest. Ukraine has shown what that looks like under battlefield pressure. Salt Typhoon shows what preparation for that world can look like in peacetime.

For Australia and its allies, the question is no longer whether war is changing. Ukraine has answered that. The question is whether our institutions, laws, boards and governance practices can adapt quickly enough to protect democratic societies whose data is already part of the battlespace.

© 2002-2026 Kate Carruthers