Not theft. Not disruption. Sometimes cyber activity is just quiet observation
10 Feb 2026

Chinese state-linked cyber activity is most often discussed as espionage: the theft of secrets for political, military or technological advantage. Increasingly it is also framed as preparation for sabotage—positioning for future disruption of critical infrastructure in a crisis.

Both framings are accurate, but incomplete. They miss a central function of cyber operations for China and others that matters just as much: reducing uncertainty, shaping strategic judgement and improving bargaining position long before any crisis occurs.

Australian security and intelligence agencies have repeatedly warned of persistent state-linked cyber activity targeting Defence, other parts of the government, and critical infrastructure. These advisories are commonly interpreted as evidence of attempted data theft or latent sabotage risk. When neither dramatic theft nor visible disruption occurs, activity is often described as inconclusive, unfinished or merely preparatory.

But not all cyber operations are designed to steal data or break systems. Many are designed to observe them. Persistent, low-impact access offers something strategically valuable: real-time visibility into how systems actually function, rather than how they are supposed to function on paper.

By observing these systems in normal operation, a foreign state can see how organisations behave in practice, including decision-making processes, escalation pathways and response times. This reveals how anomalies are detected, how quickly problems are escalated, where responsibility sits, and how resilient—or brittle—systems are in practice.

Crucially, disruption is not required for this access to be useful. In many cases, disruption would undermine the objective. For states that prioritise long-term planning, uncertainty reduction becomes an end in itself.

Chinese cyber activity in Africa illustrates this. Over two decades, China has embedded itself deeply into African economies through state-backed investment: iron ore in Liberia, copper and cobalt in the Democratic Republic of the Congo and Zambia and logistics infrastructure such as the Port of Mombasa. Much of this has been framed under the Belt and Road Initiative, through the underlying strategy predates the branding.

These investments underpin sectors critical to China’s manufacturing base, electrification efforts and defence-relevant industries. As a result, Beijing’s relationship with African infrastructure is one of interdependency.

This perhaps explains why public reporting has struggled to fully interpret Chinese state-linked cyber activity across African government networks, telecommunications providers and infrastructure-adjacent organisations. Much of this activity has featured long dwell times, minimal disruption and no obvious financial payoff. Interpreted narrowly, it looks unfinished. Interpreted differently, it looks complete.

Overseas resource extraction and logistics systems are inherently exposed to political instability, corruption, labour unrest and infrastructure failure. Relying solely on diplomatic reporting, corporate disclosures, or host-nation assurances introduces uncertainty—and uncertainty weakens bargaining power.

In this context, persistent cyber access functions for Beijing as continuous verification. It provides insight into what is happening across production, logistics and supporting services, rather than what is reported through political or commercial filters.

This is often assumed to be espionage in progress, activity waiting to be exploited later. That assumption is shaped by earlier campaigns focused on intellectual property theft. While that history certainly matters, it should not exclude the possibility of a broader objective. After all, two things can be true at once. What if the absence of theft or disruption is not a failure, but the objective?

Cyber operations may operate differently, but the logic is similar.

If cyber activity is understood as enabling strategic sensing as much as sabotage, then prevailing risk models need adjustment. A key question then becomes not only whether the data is being stolen or systems are being prepared for attack but what understanding is being gained—and how that understanding might shape future strategic choices.

For Australia, this means recognising that economic engagement, foreign ownership and critical infrastructure exposure shape cyber collection incentives long before any crisis. The task is not to assume malign intent everywhere, but to understand how uncertainty reduction, system observation and strategic positioning also fit within broader patterns of state behaviour.

For the Australian government, the value lies not in treating such activity as immediately actionable but in using it to better understand adversary priorities, dependencies, and intelligence gaps. That understanding can then inform how Australia anticipates behaviour, and calibrates its own responses in future crises.

Cyber operations that quietly observe may be less visible than disruptive attacks—but they can be no less consequential.