The essence of China’s thinking about cyber warfare is the concept of shi, he says, first introduced in Sun Tzu’s “The Art of War” about 2,500 years ago. The concept’s English translation is debated, but Mr. Thomas subscribes to the rendering of Chinese Gen. Tao Hanzhang, who defines shi as “the strategically advantageous posture before a battle.”

“When I do reconnaissance activities of your [cyber] system,” Mr. Thomas explains of China’s thinking, “I’m looking for your vulnerabilities. I’m establishing a strategic advantage that enables me to ‘win victory before the first battle’ “—another classic concept, this one from the “36 Stratagems” of Chinese lore. “I’ve established the playing field. I have ‘prepped the battlefield,’ to put it in the U.S. lexicon.”…

But what about the argument that the U.S. is shedding crocodile tears? America (and Israel) were almost certainly behind the most successful known cyber attack to date: the Stuxnet virus that impeded Iran’s uranium-enrichment program. There might be some comfort in knowing that the U.S. is doing unto China what China is doing unto the U.S., says Mr. Thomas, but “we don’t seem as intrusive as the other side.” That is illustrated especially, he says, by China’s state-sponsored commercial espionage. He frequently hears complaints from U.S. firms dealing with Chinese counterparts who know their secrets, adding that “I don’t think people really get the security briefing of just how invasive it is.”

Then there’s the argument that all this is overblown because no cyber attack has ever killed anyone. Mr. Thomas responds, somewhat impatiently: “If I had access to your bank account, would you worry? If I had access to your home security system, would you worry? If I have access to the pipes coming into your house? Not just your security system but your gas, your electric—and you’re the Pentagon?”