The public revelation this month that the Pacific Islands Forum (PIF) Secretariat had been hacked has exposed significant cybersecurity vulnerabilities in the region.
This breach, which possibly went undetected for months, has again thrust the Pacific islands into the middle of a cyber blame game between China and Australia. Australian government cyber experts believe, according to media reports, that the attack was the work of a hacker group linked to China—though China has denied any such claim, dismissing the allegations as disinformation.
The incident underscores an urgent need for the Pacific nations to invest in cyber defences and capacity-building efforts to defend against and deter future actions.
The timeline of the attack—it was discovered in February 2024 but only revealed publicly after the PIF Leaders Meeting in September—shows how easily malicious actors can infiltrate the networks of vulnerable states and regional organisations. Classified as an advanced persistent threat (APT), it granted the perpetrators long-term, unauthorised access to the secretariat’s communications, enabling them to quietly monitor, steal and manipulate sensitive information.
Given the geopolitical importance of Pacific nations and their strategic partnerships with major powers, they are increasingly becoming targets of cyber espionage.
What is particularly troubling is the complexity of attribution in this case. Australia reportedly identified the group behind the attack, but China’s swift denial and accusation of ‘fake news’ have muddied the waters of responsibility. The Chinese embassy in Fiji called the accusation a ‘purely made-up story’ and warned against spreading disinformation. China’s rebuttal was quickly picked up by Pacific media, as China sought to reframe the incident as part of the broader competition between China and the West.
This divide puts Pacific leaders in a difficult position. While they value Australia’s cybersecurity expertise and support, they must also navigate the political sensitivities of China, a major power. China’s deep involvement in economic projects in the region gives it significant diplomatic weight. For many countries, calling out China would risk alienating a crucial partner, while staying silent could undermine the region’s growing commitment to transparency and democratic governance.
If the PIF had more robust cyber capacities, it could have responded differently. It is important to note that Australia and New Zealand are also members of the PIF, and have contributed expertise, skills and funds through initiatives like the Pacific Cyber Security Operational Network.
However, due to limited resources, it remains challenging for Pacific nations to achieve self-reliance in this domain. Maintaining strong collaborations, not only with regional powers such as Australia and New Zealand, but also with major tech companies, such as Microsoft’s Digital Crimes Unit, is therefore crucial for strengthening the region’s cyber defences.
The PIF secretariat hack is not an isolated incident, either. Earlier this year, Palau accused China of stealing more than 20,000 documents related to its relations with the US, Japan and Taiwan. Although less evidence was provided in Palau’s case, the region’s increasing cyber vulnerabilities are well-documented.
These cyberattacks are more than data theft. They reflect broader strategies aimed at weakening regional cohesion, manipulating political processes and disrupting alliances via hybrid tactics. The Pacific islands are becoming increasingly entangled in this web of great power competition, and without the means to defend themselves, Pacific nations risk becoming coerced pawns in a larger geopolitical game.
While Australia’s conclusion that China was responsible for the PIF hack may be correct, a more transparent and collaborative approach to cyber intelligence sharing would benefit all parties involved, as would the creation of local capacities to deter, detect and attribute attacks in quick order. It would also allow Pacific nations to achieve full digital sovereignty and minimise their own future vulnerabilities.
Building cyber capacity in the Pacific is no simple task, given the region’s economies, cultures and levels of digital infrastructure. Any capacity-building effort must be multifaceted and adaptable. The PIF can pursue several approaches, including cybersecurity partnerships with extra-regional countries, such as Japan and India, and engagement with international organisations to provide long-term funding, technical expertise and training. The International Telecommunication Union, for example, provides assistance to small developing island states. Additionally, existing mechanisms like the Pacific Fusion Centre could host technical experts to upskill local professionals.
Establishing cybersecurity policy and governance is also crucial. The PIF could support its members in drafting comprehensive national cybersecurity strategies, outlining legal frameworks and emergency response protocols. These policies should include clear guidelines for cooperation with partners and pathways to attribution in a transparent, multilateral manner.
As the technical investigation into the PIF hack continues, Pacific leaders will carefully assess the findings. While this cautious approach reflects the delicate geopolitical balance in the region, the resulting inaction reinforces the Pacific’s vulnerabilities. By investing in cyber capacity now, Pacific nations can ensure that the next time a breach occurs, they will be ready to respond.
- This report has been slightly amended to clarify that the Australian government has not formally attributed the hacking attack to a Chinese state-backed group.