Why cyber indictments and sanctions matter
27 Mar 2024|

On 25 March, the US and Britain attributed malicious cyber activity to a China-based hacking group backed by the Chinese government. They issued indictments and sanctions.

The hacking was aimed at influencing opinion, at suppressing criticism of China and at stealing intellectual property. China also sought to strike at the heart of liberal democracies by attacking electoral processes, democratic institutions and political officials. In the attack on Britain, China stole the names and addresses of 40 million voters. 

The British and US responses are weak, in the sense that the consequences for China are virtually nil. Britain sanctioned two people and one front company, while the US charged seven individual hackers. The UK attacks were in 2021, and critics have complained about the lack of urgency. The US attacks took place over the past 14 years. 

Are these reprisals too little, too late? It might be easy to think so, but it must be acknowledged that attributing an attack to a particular country is bureaucratically and technically difficult and politically hazardous. Sanctions and indictments add more layers of complexity. Some countries are still developing the processes and legislative tools required. New Zealand, for example, has yet to develop an autonomous sanctions regime.  

Cyber attributions, sanctions and indictments are largely strategic communication exercises—but can shift actors’ behaviour in the right circumstances. We must maximise the power of these communications by choosing the right message, at the right time, augmented by the right partners. China is conducting hundreds of cyber attacks against Australia, the US, Britain and likeminded Asian partners like Japan every day. Putting out hundreds of attributions would only dilute the strength of our statements. We must pick our moments. 

The US and Britain have taken steps in the right direction. And despite the challenges, Australia and its partners are getting better and faster at these attributions and associated punitive measures, such as sanctions. Supportive statements have come from Australian Foreign Affairs Minister Penny Wong and Home Affairs Minister Clare O’Neil. And New Zealand is accusing China of cyber hacks against its parliament in 2021. 

There is a growing appetite for calling out China, Russia and others for their bad behaviour. In 2018, the US indicted 12 Russians for interference in the 2016 US elections. There was a series of major joint attributions by the Five Eyes and others in 2023, including of Chinese cyber campaign Volt Typhoon and the Russian snake malware. In January this year, Australia sanctioned Russian citizen Aleksandr Ermakov over a 2022 cyber attack on the Medibank health fund. Australia was soon joined by the US and Britain with their own additional sanctions.  

To repay the favour and show solidarity, Australia should now join the US and Britain in sanctioning Chinese hackers. 

Further action should also include the US, Britain, Australia and its partners sanctioning the Chinese government decisionmakers authorising these cyber operations. In the most recent case, we should target Tu Hongjian, the director of the Hubei State Security Department, who probably authorised the hacking activity. 

Democracies should signal that if China’s cyber operations continue then the sanctions regime will escalate to target CCP elites, such as Chen Yixin, China’s minister of state security, or Chen Wenqing, the secretary of the Chinese Communist Party’s Central Political and Legal Affairs Commission, who oversees China’s state security system. 

The cyber attacks described by the US and Britain did not impact Australia, but they represent a trend in Chinese cyber activity of increasingly targeting democratic institutions, social cohesion and critical infrastructure. At the same time, China continues to target Australia with cyber espionage and as part of the global effort that ASIO director Mike Burgess called in October last year “the largest theft of intellectual property in human history”. 

Australia should expect greater interference with our next elections, especially with generative AI and deepfakes. A fake, AI-generated voice from President Joe Biden has already targeted US voters this year.  

The rapid growth of generative AI capabilities will make this even easier and cheaper for any malicious actor. That’s why there have been major international efforts to combat this, including the Tech Accord to Combat Deceptive Use of AI in 2024 Elections, announced at the Munich Security Conference in February this year and signed by 20 major tech companies. 

AI-augmented information operations will be aimed at producing wide-scale fear, uncertainty and doubt about elections, along with hyper-targeting of individuals with sophisticated fake media. Australia needs to understand that this is a threat to our way of life. We can’t allow this to become normalised. It is not normal. 

Democracies run on trusted information. China’s targeting of our electoral systems are attempts to poison the well and create distrust and chaos, weakening our social cohesion. These grey zone cyber attacks may fall short of outright conflict, but they are pushing close up against it. Targeting electoral systems strikes at the heart of our liberal democratic societies, and we cannot stand idly by. 

So how can we respond? Ignoring China’s current reality won’t help. Australia, alongside its partners, needs a clear-eyed strategy. We face a China in 2024 defined by its authoritarian rule, territorial ambitions and sophisticated, industrial-scale foreign interference tactics. This China bullies both weak and strong nations, aiming to reshape the global order in its favour. 

Australia should maintain a focus on cyber sanctions and indictments, enhance international cooperation across public and private sectors and build strong coalitions to counter China’s cyber and information operations, especially those aimed at our electoral systems and social cohesion. When electoral systems are targeted, Australia has a moral imperative to respond. This approach should be deployed in the context of increasing our national cyber resilience, a never-ending job that includes better technical shields and more informed human behaviour.  

We are not at war with China, but we are not really at peace, either. These grey zone activities fall short of conventional conflict but we must take them for what they are: state-on-state attacks.