If we can’t name China’s cyberattacks, we lose trust in ourselves
16 Feb 2026|ASPI staff

In the space of just a few days, two big US tech companies took different approaches to China’s cyberattacks. Palo Alto Networks generically referred to a global cyber espionage operation by unnamed actors while Google specifically named China as the globe’s leading cyber security threat.

That inconsistency hurts everyone but China.

A refusal to name and shame China incentivises Beijing to carry on, leaves our public underinformed, and places little pressure on governments to tackle the problem.

The West won Cold War competition against the Soviet Union through the combined power of government policy and private sector innovation. Today, China has taken the upper hand because we do not have that same alignment.

It is true that the defence industry never relied on Moscow’s money the way tech companies rely on China’s now. But we need industry to find its national interest, not just its financial one.

Without a patriotic partnership between Western governments and industry, both sectors will continue treating their relationships with China as too big to fail, forcing them to tolerate security threats for fear of financial insecurity.

Reporting suggests that Palo Alto’s decision not to publicly attribute the cyber campaign to China was due to concerns about potential retaliation against the firm or its clients.

Meanwhile, Google’s Threat Intelligence Group publicly assessed that China conducts more cyber threat campaigns by volume than any other country, including operations targeting defence suppliers and next-generation technologies such as drones and uncrewed systems.

The contrast is instructive. One firm reportedly avoided specific attribution due to geopolitical risk. The other named the actor and placed the activity within a broader strategic pattern.

This is not a morality play. Big tech companies operate globally, face regulatory exposure and owe duties to shareholders and clients. Attribution is in the public interest.

Prudence is of course legitimate. Market access, staff safety and client protection matter, particularly in jurisdictions willing to weaponise regulation. Such due diligence is akin to governments being diplomatic. But prudence and diplomacy cannot mean authoritarian states—in this case China—can do whatever they like while we suffer in resigned silence.

And hypocrisy is to be avoided. All nations spy. But it is China that has fused its public, private, civil and military sectors and continues to steal intellectual property and secrets for commercial gain.

China’s use of economic leverage and cyberspace as instruments of statecraft is well documented. What is increasingly visible is the chilling effect: firms whose mandate is to expose malicious activity, and whose value rests on independent analysis and the willingness to state what the evidence supports, may calibrate public language according to foreign political risk.

The structural question, therefore, is whether commercial caution will set the outer limits of public truth in cyberspace.

That should concern policymakers and industry leaders alike.

If attribution becomes contingent on geopolitical exposure, public understanding narrows and trust thins. Governments and companies might privately argue that they are well aware of the threat from China, but democratic societies rely on shared situational awareness. This doesn’t exist if strategically significant threats are described obliquely, while less contentious risks are detailed openly. Public debate cannot function on partial disclosure.

For more than a decade, Australia and its partners have treated public attribution as a pillar of cyber strategy. Naming malicious state activity is not escalation; it is clarification. It informs citizens, shapes diplomatic signalling and constrains plausible deniability.

Clear-eyed assessment is not belligerence, but rather a prerequisite for informed consent. We already keep the public informed of the terror threat, including by naming the actors that threaten us. We must do the same in cyberspace.

It is tempting to assume that caution preserves commercial position. And it may do that in a market wherein the only competition is between individual companies. But just as alliances have been crucial for nations to maintain comparative advantage over adversaries, industry must work together against the common challenge of China, neither feeling alone in Beijing’s sights nor abandoning others in the hope your turn will never come.

Governments should work with industry to scrutinise supply chains for political exposure. Firms should be rewarded for demonstrating consistent transparency and defending evidence-based attribution through accumulation of both reputational capital and exclusive access to markets. For example, the three AUKUS nations should make it a public policy that, while companies can set up operations in China, those that do so cannot be involved in Pillar Two’s advanced-capabilities work.

In that environment, a principles-based differential—systematically embedded—can become a source of resilience.

Experience clearly matters. Google’s own history illustrates the tension. Its abandoned Project Dragonfly initiative—a proposed search engine that was designed to censor content considered sensitive to the Chinese Communist Party and that would have enabled monitoring of citizens—exposed strain between market ambition and corporate values. Internal protest and public scrutiny saw it shelved in 2018. Now Google continues to publicly attribute and detail China-linked cyber campaigns. Other companies should join.

In the same way, other nations should join Tokyo, learning from Japan’s experiences that show facing China head-on is in the national interest. From 2010 to 2014, in response to a dispute over the Senkaku Islands, China attempted economic coercion by withholding rare-earth exports to Japan. Tokyo both won a World Trade Organization case and reduced its dependence on China. In fact, it was this episode that helped secure the future of Australia’s rare-earths company, Lynas.

Ten years on, in late 2025, Beijing repeated its aggression in response to Japanese Prime Minister Sanae Takaichi stating that Japan would be affected by China invading Taiwan. By naming the threat for what it was, Takaichi gained public trust, and her decision took her to a resounding election win on 8 February.

The lesson is that calling out China’s malign activity will change Beijing’s calculus, might change its behaviour and, even where it doesn’t, ensures public awareness of the threat. Collective attribution is even more effective. Tech giants should of course compete with each other, as should nations, but not when it comes to protecting themselves, their customers and the public from China.

In practice, this means that when credible evidence points to state-linked coercion, companies should name it and countries should back them in.

Author

Justin Bassi is ASPI’s executive director.

 

Image: traffic_analyzer/Getty Images.

 

AI contributed no ideas to this article—Justin Bassi.

Tags
Share

The Strategist — The Australian Strategic Policy Institute Blog. Copyright © 2026