Making Sense of ‘Cyber-Restraint’: The Australia-China Case

Recent Features

Flashpoints | Security | Oceania

Making Sense of ‘Cyber-Restraint’: The Australia-China Case

Why did Australia react to an apparent Chinese hack the way it did?

Making Sense of ‘Cyber-Restraint’: The Australia-China Case
Credit: Illustration by Catherine Putz

News emerged recently that Australian intelligence has concluded that the Chinese government was directly responsible for a cyber-attack before last May’s general election. Instead of calling China out, the Australian government determined to keep news of the attack quiet. For its part, China has denied the allegations.

The outcome is in line with what some observers have come to describe as “cyber-restraint.” Faced even with clear evidence of a cyber-attack, many decision-makers seem to prefer to respond with deescalation, rather than with cyber-attacks of their own. Indeed, it is not uncommon for the victims of cyber-attacks to play down the extent and hide evidence of the attacks. Such decisions may stem from concern over attribution, linkage with other issues, or worries about audience costs; Australians might demand a more aggressive response that the government was capable of or willing to offer. Openly calling China out could result in the exposure of research methods, and could make clear that Australia was simply incapable of either defending itself, or responding in kind. It could reduce the confidence of the Australian public in the security of the Australian electoral system, and consequently of the results of the election. In Australia’s case, the decision seems to have been out of concern that exposing the cyber-attacks would require escalation in other parts of the relationship with China, most notably in the domains of trade and finance.

We know that in certain cases states prefer ambiguous attribution even when the attacks happened in the physical realm. Cyber-attacks do not, apparently, generate audience costs in the same ways that other forms of statecraft can, and so are even less likely to result in escalation spirals. In systemic terms, this may simply mean that concerns over the extent to which cyber-conflict could escalate into destructive “tit for tat” exchange cycles are overblown. As many have noted, the U.S. response to Russian cyber-attacks against intelligence and electoral infrastructure has been somewhat muted, despite strong rhetoric from the intelligence community and the Democratic Party.

That said, even if Australia had responded in some fashion, audiences might never hear about it. Of course, the fact that the Australian intelligence community leaked news of the attack seems to indicate some discontent with the lack of governmental response. However, the fact that the public response in Australia has been relatively muted (little coverage has appeared in Australian news sources), may suggest that the Australian public mood in generally in accord with the governmental response, and thus that audience costs are not really an issue.