Technology companies’ reluctance to publicly attribute cyber attacks to China undermines global deterrence, leaves the public insufficiently informed and reduces pressure on governments to address cyber threats, according to a new report released by the Australian Strategic Policy Institute.
The report argued that the absence of clear public attribution weakens diplomatic signalling and limits accountability, allowing alleged state-linked cyber activities to persist without strong international scrutiny. It emphasised that transparency in identifying cyber threats plays a critical role in informing citizens, shaping policy responses and constraining plausible deniability by state actors.
The think tank criticised Palo Alto Networks Inc. for not publicly attributing a cyber espionage campaign to China, suggesting that concerns about potential retaliation against the company or its clients may have influenced the decision. The report stated that commercial considerations, including fears over market access and possible reprisals, often discourage firms from naming China directly.
It contrasted approaches among firms based in the United States, highlighting differences between companies that issue general threat alerts and those that openly identify the alleged source of cyber operations. According to the report, such divergence reflects broader industry caution shaped by geopolitical and commercial sensitivities.
The report cited assessments from Google’s Threat Intelligence Group, which publicly stated that China leads cyber threat campaigns by volume. These operations reportedly include activities targeting defence suppliers and emerging technologies such as drones and uncrewed systems. The think tank said public acknowledgement of such trends strengthens awareness and supports policy formulation.
It argued that closer cooperation between governments and industry is necessary to counter cyber threats effectively. Without what it described as a stronger partnership, governments and companies may continue treating economic ties with China as “too big to fail,” leading to tolerance of security risks due to financial considerations.
The report maintained that caution and diplomacy should not translate into silence about alleged cyber activities by authoritarian states. Public attribution, it said, clarifies threats rather than escalating tensions and contributes to informed debate and strategic responses.
To encourage transparency, the think tank suggested governments could reduce incentives for corporate silence while rewarding companies that demonstrate openness. Proposed incentives include enhancing reputational credibility and granting privileged access to certain markets for firms that support evidence-based attribution.
As a policy example, the report referred to the AUKUS security partnership, suggesting that its three member nations could adopt measures preventing companies with operations in China from participating in sensitive advanced-capabilities projects under Pillar Two. Such steps, it argued, could reinforce supply-chain security and reduce political exposure.
The report also called for governments to work with industry to scrutinise supply chains more closely. It said identifying political vulnerabilities within supply networks would strengthen resilience against cyber and strategic risks.
Emphasising the broader implications, the think tank concluded that public identification of malicious state activity informs citizens, shapes diplomatic messaging and limits plausible deniability. Greater transparency, it argued, would help strengthen deterrence while ensuring governments and industries remain accountable in addressing evolving cyber security threats.
