Executive Summary
March 2026 in INDOPACOM is defined by sustained PLA military pressure around Taiwan, hardening confrontation between China and the Philippines in the South China Sea [2], and the completion of a large-scale allied exercise (Cobra Gold 2026) designed to bolster multilateral interoperability [1]. For cyber defenders, the combination of elevated gray-zone coercion, a leaked Philippine government strategy document [3], confirmed PRC offensive cyber capability growth, and active PRC-attributed intrusion clusters across telecom and critical infrastructure sectors creates a threat environment where pre-positioning and espionage operations are almost certainly running at high tempo against INDOPACOM networks, allied governments, and defense industrial base entities.
Military and Diplomatic
- Cobra Gold 2026, one of the largest multinational military exercises in the Indo-Pacific, took place in Thailand from late February through early March (February 24–March 6) with participation from Singapore, Indonesia, Japan, South Korea, Malaysia, and numerous additional allied and partner nations — approximately 8,000 troops from 30 countries [1]. The exercise covered combined arms training, humanitarian assistance/disaster relief scenarios, and for the first time included U.S. Space Force participation, with a focus on preparing forces for multiple regional contingencies.
- PLA military activity around Taiwan remained elevated throughout March. Weekly tracking by AEI documented continued PLA air and naval incursions near Taiwan, including aircraft crossings of the Taiwan Strait median line and naval movements in surrounding waters. This represents a sustained coercion campaign rather than a single spike.
- Philippines-China tensions hardened in the South China Sea. Manila publicly rebuffed Beijing's territorial claims in March [2], continuing to assert sovereignty over features within its exclusive economic zone. Multiple claimant states continue to contest overlapping maritime and territorial claims, with militarization of artificial islands and increased naval patrols raising confrontation risk.
- A leaked internal Philippine government letter exposed fault lines in Manila's SCS strategy, revealing divisions among officials on how assertively to confront China [3]. The leak itself raises serious questions about the integrity of Philippine government communications security.
- The Pentagon's 2025 China Military Power Report (released December 2025, with analysis continuing into March 2026) confirmed that PLA modernization is advancing across all domains, including nuclear forces, space, cyber, and AI-enabled capabilities, despite significant anti-corruption purges in the PLA's senior leadership [5]. The Congressional Research Service updated its INDOPACOM defense primer in February 2026, reflecting current force posture and strategic priorities centered on PRC deterrence.
- Regional scope note: Japan and South Korea participated as full partners in Cobra Gold 2026 and remain central to INDOPACOM alliance architecture, but no significant shifts in their bilateral defense postures were captured in this assessment period's source collection. AUKUS developments, Five Eyes intelligence cooperation, and Pacific island strategic competition were not addressed in the current source set and represent coverage gaps for future assessment cycles.
Cyber Operations
- The Pentagon report specifically identifies PRC cyber capabilities as a growing threat, documenting PLA successor organizations to the Strategic Support Force conducting cyber espionage and offensive operations against defense industrial base, critical infrastructure, and government systems.
- Component intelligence indicates multiple PRC-attributed intrusion clusters remain active against Western and regional infrastructure. Salt Typhoon has been reported across telecom networks globally, and other recently disclosed campaigns continue to expand the known attack surface. Note: Specific cluster names, scope figures, and campaign details referenced here derive from component intelligence and threat reporting not included in this assessment's open-source collection; readers should consult technical threat intelligence products for current indicators.
- DPRK cyber threat vectors compressed in March: Treasury sanctioned six individuals and two entities tied to DPRK IT worker fraud schemes generating nearly $800 million in 2024, while the Contagious Interview campaign expanded with 26 new malicious npm packages targeting developer environments. North Korea's 9th Party Congress (February 19–25, 2026) detailed a new long-term national defense plan involving AI-driven unmanned weapons and assets for neutralizing enemy satellites, signaling likely expansion of DPRK advanced military and cyber capabilities.
- The Philippine government document leak [3] may indicate a compromise of government communications systems or an insider threat. Regardless of the vector, the leak demonstrates how adversaries can exploit information operations alongside kinetic pressure.
Economic and Supply Chain
- The USCC published an updated trade and security bulletin in early March tracking U.S.-China economic and security developments, including technology export controls, entity list additions, and semiconductor restrictions [6]. These measures shape the operating environment for U.S. firms with China exposure and create potential retaliatory targeting of U.S. technology companies.
- China's 15th Five-Year Plan, formally adopted at the National People's Congress in March 2026, codifies the state's commitment to technological sovereignty and self-reliance in core technologies including semiconductors, AI, and computing infrastructure. This emphasis on technological self-reliance will likely support continued growth in offensive and defensive cyber capability development. Note: The specific R&D spending targets in the plan require further analysis from the official English translation; the 7% figure previously cited could not be verified and has been removed.
- Semiconductor supply chain risk remains acute. Elevated PLA activity around Taiwan keeps the TSMC fab concentration threat front and center. Any disruption to cross-strait stability would send shockwaves through global chip supply chains, and pre-positioning cyber operations against Taiwan's semiconductor sector are a logical component of PRC contingency planning.
- Breaking Defense's 2026 preview assessed that China will dominate Indo-Pacific security headlines throughout the year, with continued gray-zone operations as the primary driver of regional security dynamics [4]. Gray-zone operations carry an inherent economic coercion dimension, particularly regarding trade with ASEAN states economically dependent on PRC markets.
PRC-DPRK Coordination
- Evidence of collaboration: The baseline assessment notes munitions and technology sharing, joint sanctions evasion, and intelligence cooperation between Beijing and Pyongyang. DPRK conducted multiple ballistic missile tests during the March exercise period while PRC-attributed cyber operations continued at high tempo against overlapping target sets (government, defense, critical infrastructure). DPRK IT worker fraud and cryptocurrency theft operations, generating hundreds of millions of dollars annually, may benefit from tacit PRC tolerance given that some operations are conducted from China-based infrastructure, though direct evidence of PRC facilitation of DPRK cyber operations specifically is limited in open sources.
- Domains: Military (missile launches timed to allied exercises), cyber (overlapping target sets and concurrent operations), economic (sanctions evasion through shared financial networks).
- Implications for INDOPACOM: The combined PRC-DPRK threat surface is larger than either state's individual capability. Defenders face simultaneous campaigns from both actors: PRC-attributed clusters targeting telecom and critical infrastructure, and DPRK operations targeting financial systems and developer supply chains. The timing of DPRK provocations during allied exercises likely serves PRC strategic interests by dividing allied attention.
- Confidence: Moderate. Direct evidence of operational coordination on cyber campaigns is limited in open sources, but the pattern of concurrent activity and baseline intelligence on broader collaboration supports this assessment.
- Sources: [5], component briefing context (China, North Korea)
U.S.-Allied Multilateral Defense Integration
- Evidence of collaboration: Cobra Gold 2026 brought together approximately 8,000 troops from 30 allied and partner nations for combined arms training and C4ISR integration in Thailand [1]. Singapore explicitly characterized its participation as strengthening multilateral defence ties [1]. The CRS INDOPACOM primer reflects updated force posture priorities centered on allied interoperability.
- Domains: Military (exercise integration), cyber (shared coalition communications and intelligence-sharing platforms), diplomatic (alliance management and partner capacity building).
- Implications for INDOPACOM: Multilateral exercises create temporary but high-value target windows. Adversary SIGINT and cyber espionage operations almost certainly increase during exercise periods, targeting joint communications networks, logistics systems, and participating nations' military networks. Smaller allied participants (with varying cyber maturity) represent potential entry points into shared coalition systems.
- Confidence: Moderate. Government primary sources confirm exercise participation and objectives.
- Sources: [1]
Operational Implications
- Philippine government networks are at elevated risk. The leaked SCS strategy letter [3] may indicate an active compromise of government communications. Whether the source is a cyber intrusion or an insider, adversaries now possess detailed knowledge of internal Philippine strategic divisions, which enables more precisely targeted influence and espionage operations. Allied networks that share information with Manila face spillover risk.
Sources: [2], [3]
- Cobra Gold 2026 exercise networks and aftermath data require defensive attention. Large multinational exercises involve extensive C4ISR integration; the post-exercise period is when adversaries typically exploit harvested credentials or implants placed during the exercise window [1]. Although no specific compromise of Cobra Gold 2026 networks has been reported, large multinational exercises historically present elevated targeting opportunities. Participating nations should conduct post-exercise network sweeps and credential rotations.
Sources: [1]
- Taiwan-facing sectors (defense, semiconductors, critical infrastructure, telecommunications) should assume elevated targeting. Sustained PLA military pressure tracked throughout March is historically accompanied by cyber intrusion campaigns. Pre-positioning operations against Taiwan's early warning systems, communications infrastructure, and public information environment are a logical component of the coercion campaign.
- Priority intelligence gap: the operational status of PLA cyber units following leadership purges. The Pentagon report confirms modernization continues despite churn [5], but open sources do not clarify whether specific cyber units were disrupted by purges or whether the reorganization of the Strategic Support Force successors changed tasking or capability. This gap affects threat modeling for the entire theater. In the absence of clarity, defenders should maintain threat models based on peak observed PRC capability rather than assuming degradation. Monitor for changes in PRC cluster TTPs, C2 infrastructure rotation rates, or targeting patterns that might indicate organizational disruption.
Sources: [5]
- DPRK developer supply chain attacks require sector-specific alerting. The Contagious Interview campaign's expansion into enterprise npm packages creates risk for any organization in the INDOPACOM theater with software development operations, particularly defense contractors and technology firms. This threat intersects with DPRK's stated advanced military technology development priorities.
Sources: Component briefing context (North Korea)
Outlook
April 2026 will likely see continued PLA military pressure on Taiwan and further friction between China and the Philippines in the South China Sea, particularly if Manila follows through on more assertive postures previewed in leaked documents [2][3]. The conclusion of Cobra Gold 2026 creates a post-exercise vulnerability window for participating nations' networks [1]. We assess that an escalatory indicator to watch would be any PLA amphibious or joint exercise activity beyond routine patterns around Taiwan, which would signal a shift from coercion to rehearsal. A de-escalatory signal would be renewed diplomatic engagement between Beijing and Manila, or a reduction in PLA median-line crossings in the Taiwan Strait.
Sources: [1], [2], [3], [4]
Red Sheep Assessment
Assessment (Moderate Confidence): The sources, taken together, suggest that the INDOPACOM theater is entering a phase where PRC gray-zone operations are becoming the steady state rather than an escalation. The Pentagon report confirms capability growth despite internal turmoil [5]. PLA activity around Taiwan is tracked weekly as a routine matter. The Philippines leak [3] and SCS confrontation [2] are treated as discrete events, but the pattern is more significant than any single data point: Beijing is likely testing multiple allied seams simultaneously (Taiwan military pressure, Philippine diplomatic coercion, information operations) while maintaining plausible deniability.
The contrarian read: PLA leadership purges may be more disruptive to cyber operations than open sources indicate. If the Strategic Support Force reorganization created command-and-control friction for offensive cyber units, the current high tempo of PRC-attributed campaigns could represent semi-autonomous activity by established intrusion clusters operating on standing orders rather than responsive tasking. This would mean PRC cyber operations are less strategically coordinated with kinetic gray-zone activity than commonly assumed, which changes how defenders should model threat timing and targeting logic.
We lack the evidence to confirm either interpretation from open sources alone. This is a gap that warrants close coordination with technical threat intelligence teams tracking PRC cluster command infrastructure for behavioral changes.
Defender's Checklist
- [ ] Hunt for post-Cobra Gold compromise indicators. If your organization participated in or supported Cobra Gold 2026, conduct a sweep of all systems that touched exercise networks. Rotate credentials for any accounts used in exercise C4ISR environments. Check for anomalous outbound connections established during the exercise window (February 24 through March 6, 2026). Although no specific compromise has been reported, large multinational exercises historically present elevated targeting opportunities.
- [ ] Review Philippine government communication integrations. If your organization shares sensitive data with Philippine government counterparts, assess the confidentiality controls on those channels. Consider compartmenting information flows until the source of the leaked SCS strategy letter [3] is identified and remediated.
- [ ] Increase monitoring on Taiwan-facing supply chains. Organizations with dependencies on TSMC or other Taiwan semiconductor suppliers should verify the integrity of supplier communication channels and watch for anomalous activity in procurement systems. Prioritize detection rules for known PRC-attributed TTPs targeting the semiconductor sector.
- [ ] Alert development teams to expanded DPRK npm supply chain attacks. Push indicators and advisories related to the Contagious Interview campaign's 26 new malicious npm packages to internal developer security teams. Audit npm dependencies in active projects for unexpected or recently added packages. Use tools like npm audit and socket.dev to flag suspicious packages.
- [ ] Baseline and monitor for Salt Typhoon residual access in telecom environments. If your organization operates in or depends on telecom infrastructure in the INDOPACOM theater, confirm that Salt Typhoon remediation actions are complete and validated. Query network telemetry for indicators associated with known Salt Typhoon infrastructure, focusing on management plane access and CDR/metadata exfiltration paths.
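For the npm dependency audit item in the checklist above, the following is an added example (not part of the original assessment or of any tool it names) that compares a package-lock.json against a known-good baseline and flags new packages, new packages with install scripts, non-registry sources, and advisory-listed names. The lockfiles and package names are constructed placeholders, and the expected registry host is an assumption.

```javascript
// Added example: triage a package-lock.json (lockfile v2/v3) against a known-good baseline.
const REGISTRY_HOST = "registry.npmjs.org"; // assumption: only the public registry is expected

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? lockPath : lockPath.slice(i + marker.length);
}

function auditLockfile(current, baseline, advisoryNames = []) {
  const known = new Set(Object.keys(baseline.packages || {}).map(packageName));
  const flagged = new Set(advisoryNames);
  const findings = [];
  for (const [path, meta] of Object.entries(current.packages || {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = packageName(path);
    const reasons = [];
    if (flagged.has(name)) reasons.push("listed-in-advisory");
    if (!known.has(name)) {
      reasons.push("new-since-baseline");
      // Install scripts run code at `npm install` time, before any review of the package.
      if (meta.hasInstallScript) reasons.push("new-with-install-script");
    }
    if (meta.resolved) {
      let host = "";
      try { host = new URL(meta.resolved).hostname; } catch { /* unparseable source */ }
      if (host !== REGISTRY_HOST) reasons.push("non-registry-source");
      if (!meta.integrity) reasons.push("missing-integrity");
    }
    if (reasons.length) findings.push({ name, version: meta.version, reasons });
  }
  // Most reasons first, then by name for stable output.
  return findings.sort((a, b) => b.reasons.length - a.reasons.length || a.name.localeCompare(b.name));
}

// Constructed sample lockfiles; every package name below is a placeholder, not a real indicator.
const REG = "https://registry.npmjs.org/";
const baselineLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/left-helper": { version: "1.2.0", integrity: "sha512-CONSTRUCTED",
    resolved: REG + "left-helper/-/left-helper-1.2.0.tgz" },
} };
const currentLock = { lockfileVersion: 3, packages: {
  ...baselineLock.packages,
  "node_modules/placeholder-logger-utils": { version: "0.0.3", integrity: "sha512-CONSTRUCTED",
    resolved: REG + "placeholder-logger-utils/-/placeholder-logger-utils-0.0.3.tgz",
    hasInstallScript: true },
  "node_modules/left-helper/node_modules/placeholder-fork": { version: "2.0.0",
    resolved: "git+ssh://git@git.example.invalid/x/placeholder-fork.git#0000000" },
} };
const ADVISORY_NAMES = ["placeholder-logger-utils"]; // fill from the advisory you received

for (const f of auditLockfile(currentLock, baselineLock, ADVISORY_NAMES)) {
  console.log(`${f.name}@${f.version}: ${f.reasons.join(", ")}`);
}
```

The baseline should be a lockfile from a commit reviewed before the advisory period, so that anything flagged as new reflects a change made since then.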
Sources
- [1] "SAF Strengthens Multilateral Defence Ties at Exercise Cobra Gold 2026, held in Thailand" - Ministry of Defence Singapore, https://www.mindef.gov.sg/news-and-events/latest-releases/6mar26-nr/
- [2] "Philippines Rebuffs China Claim as South China Sea Tensions Harden" - Modern Diplomacy, https://moderndiplomacy.eu/2026/03/17/philippines-rebuffs-china-claim-as-south-china-sea-tensions-harden/
- [3] "Leaked letter exposes fault lines in Philippines' South China Sea strategy" - South China Morning Post, https://www.scmp.com/week-asia/politics/article/3343226/leaked-letter-exposes-fault-lines-philippines-south-china-sea-strategy
- [4] "China to once again dominate the headlines: 2026 preview for the Indo-Pacific" - Breaking Defense, https://breakingdefense.com/2026/01/china-to-once-again-dominate-the-headlines-2026-preview-for-the-indo-pacific/
- [5] "Latest Pentagon Report: China's Military Advancing Amid Churn" - War on the Rocks, https://warontherocks.com/2026/01/latest-pentagon-report-chinas-military-advancing-amid-churn/
- [6] "China Bulletin: March 4, 2026" - U.S.-China Economic and Security Review Commission, https://www.uscc.gov/trade-bulletins/china-bulletin-march-4-2026