Australia’s silence on the attribution of cyberattacks and intellectual property theft emanating from China is representative of a broader silence on irritants and fundamental differences in the bilateral relationship. This silence does not serve Australia’s national interest. Worse, it doesn’t actually work.
Australian industry seeks a stable relationship that facilitates the free flow of goods and services. Universities want stronger and deeper collaboration as China and its institutions prioritise cutting-edge science and technology. In a perfect world, these groups would benefit from a relationship that leveraged complementary skills and expertise and was free of quarrels, tensions and the winds of global politics. This would be—to borrow Chinese Communist Party talking points—a ‘win–win’ for Australia’s economy and our research sector.
But such a relationship is difficult to achieve at a time when, as our economic and research interests converge, the gap between Australian and Chinese societal values, strategic interests and commitment to a rules-based international order continues to widen. And unfortunately, the differences are only becoming starker as Beijing uses its growing power.
Despite our own obvious political challenges, the Australian government exists to empower individuals and is bettered by being transparent, accountable, and committed to values like multiculturalism and a free and inquisitive media. These values aren’t shared by all of our international partners, the CCP included, but they must remain non-negotiable.
There is a lot at stake in the China–Australia relationship and, as we attempt to balance these economic and security interests, there is an element of schizophrenia to our attempts to ‘get the China relationship right’. It’s a deeply important relationship but it’s also incredibly complicated and it’s only going to get more so. There is no right path forward that will please everyone.
But there is a wrong path, and we are in danger of taking it.
In what look like anxious efforts to ‘manage’ all aspects of the China relationship and deny the existence of key differences, what has become starkly apparent is what’s not being said, even in an environment where the government has made some tough and important decisions, including on the exclusion of ‘high-risk vendors’ from the 5G network and the passing of legislation on foreign interference.
In fact, listening to the thunderous silence that now so often accompanies international policy developments has become as important as taking note of what is said. Over the years, a new international and security policy norm has emerged.
To maintain what we believe are good bilateral relations and in an effort to prevent strident objections from the CCP, its state-owned media and occasionally our own companies, we say less—with very few exceptions—even though there is more to say than ever before.
In a bipartisan phenomenon, we have examined our relationship with China and decided, in contrast to all others, to walk on eggshells and handle it with kid gloves. In so doing, we allow the Chinese state to set new precedents without being challenged—on cyberattacks and economic espionage, on political interference and coercion, and on human rights (notwithstanding Foreign Minister Marise Payne’s recent comments on human rights abuses in Xinjiang).
Left unaddressed, these emerging norms and precedents will take us further and further away from Australia’s values and interests and contribute to a further degradation of the international rules-based order that has so beautifully and conveniently ensured Australia’s security and prosperity to date.
This silence can be clearly seen in the Australian government’s (and other Western governments’) consistent failure to publicly attribute malicious cyber behaviour targeting Australian citizens, businesses and government bodies to the Chinese state—while being comfortable calling out examples of Russian cyber intrusion occurring far from our shores.
In early 2017 Australia and China agreed ‘not to conduct or support cyber-enabled theft of intellectual property, trade secrets or confidential business information with the intent of obtaining competitive advantage’. While this may have led to a short-term improvement in behaviour, in June this year we learned from media reporting that China-based hackers had ‘utterly compromised’ the Australian National University’s computer network. One intelligence official told the Nine Network’s Chris Uhlmann that ‘China probably knows more about the ANU’s computer system than it does.’
Last week, Fairfax Media reported that China’s Ministry of State Security had ‘directed a surge in cyber attacks on Australian companies over the past year’. Soon after, and once again through the media, we learned of reports of alleged targeted data theft enabled by state-owned enterprise China Telecom, which is reported to have diverted internet traffic destined for Australia via mainland China, logging this diversion as a ‘routing error’.
In contrast to our silence on Chinese cyber behaviour, over the past year and through a string of different ministers and departments, the Australian government publicly attributed malicious cyber behaviour to Russia, Iran and North Korea. Last month, Australia even attributed the 2015 hacking of a small UK TV station’s email accounts to the Russian military. That’s strange, given that we’re yet to name the offender(s) behind many costly attacks against Australian targets.
Of course, the naming-and-shaming approach doesn’t always work—it’s unlikely to dissuade the ‘hermit kingdom’ of North Korea, for example. But there are other approaches we should also be exploring to better deter such behaviour. The US Department of Justice has attempted to do so by increasingly using indictments and charging Chinese, Russian and Iranian military or state-supported hackers believed to have crossed from intelligence gathering into criminal activity.
Avoiding talking about the complicated aspects of our relationship with the Chinese state is deeply problematic for a range of reasons. First, it doesn’t work. There is no proof that adherence to the CCP’s long-standing demand that criticism and tensions be raised only behind closed doors has actually resulted in any long-term changes in behaviour. Not only is this approach in stark contrast to China’s own actions, but when it comes to malicious behaviour in cyberspace, for example, research from ASPI’s International Cyber Policy Centre and reporting from Fairfax show us that there’s actually proof to the contrary.
Second, in treating the bilateral relationship with China differently, strategic and policy decision-making has become clouded. This process has become characterised by self-censorship and groupthink that indicates a belief that acting in Australia’s interests will result in unnecessary damage to the broader diplomatic relationship. In fact, we should probably take comfort in China’s pragmatism. Despite a degree of hysteria before key policy announcements, the main reaction we have seen to recent decisions to implement foreign interference laws and reject Chinese investment in critical infrastructure is one of business as usual.
Third, treating China differently fosters an environment characterised by pre-emptive decision-making and, again, self-censorship. The narrative that ‘there is a broader diplomatic relationship to consider here’ leaves little space for a contest of policy ideas in a relationship that needs and deserves a constant injection of creative thinking.
Finally, and most importantly, public attribution and indictments are far more than diplomatic tools. The real issue is that in trying to protect the relationship with Beijing, the government is not being open with the Australian public, who have the right to be informed about new and emerging risks to their businesses, intellectual property and online safety. Regardless of where these threats emanate from, they must be discussed, understood and dealt with. Not doing so is doing a disservice to the public and sends the wrong message to industry and civil society, which are also navigating their own China relationships.
Why, for example, should universities be more open and forthright about their experiences with Chinese hacking in the absence of federal government leadership? We need our universities and businesses to be open about all of the serious cybersecurity threats they face, rather than, as Cyber Security Cooperative Research Centre CEO Rachael Falk has written, continue with the common narrative that they didn’t know about a cyber breach or that no data was stolen.
But the government can only hold others to a standard that it is also prepared to sign up to and it must lead by example. Some government departments are becoming more active in raising such threats with industry at senior levels. This is a welcome step but should be expanded.
To borrow the Australian bureaucracy’s own talking points, the government should take a ‘country agnostic’ approach to cyber attribution and the indictment of hackers. Tough decisions made on foreign interference or critical infrastructure should be publicly explained more often and more clearly. Leading by example starts at the top and must involve both politicians (who come and go) and the senior bureaucracy (which is often the only constant in our relationship with China).
It’s time to stop avoiding, and instead start normalising, talking about the problems in Australia’s increasingly vital but increasingly complicated relationship with China.