Technology Analysis

Why is there so little diplomatic action on Chinese state-sponsored hacking?

Western governments now openly attribute cyber operations to China. (Julio Lopez | Pexels)

Cyber espionage sits in a zone where power politics override norms, economic dependence limits enforcement, and international law has failed to keep pace with technology, writes Paul Budde.

NEARLY EVERY OTHER DAY, another report appears describing how Chinese state-sponsored actors have hacked a government agency, infiltrated a software supply chain, or quietly embedded themselves inside critical digital infrastructure. Sometimes it is a defence contractor, sometimes a university, sometimes a health provider, a port operator, or a telecommunications system.

The pattern is now so familiar that it barely causes alarm.

What is far more striking is this: if governments are confident enough to publicly name Chinese state-linked actors, why is there so little sustained diplomatic pressure on the Chinese government to stop sponsoring them?

This question goes well beyond cybersecurity. It cuts to the heart of how diplomacy functions, or increasingly fails, in the digital age.

Australia is not a bystander. Australian universities have been repeatedly targeted for research theft. Government departments, defence-linked contractors and critical infrastructure operators have all been warned of persistent cyber intrusions. In 2020, a major cyber campaign against Australian institutions was formally attributed to a “sophisticated state-based actor”, widely understood to mean China.

More recently, attention has shifted to supply-chain compromises. Rather than dramatic attacks, these involve quietly infiltrating widely used software products, updates, and cloud services, providing long-term access that may remain undetected for years. These intrusions are strategically far more valuable and far harder to counter.

Yet beyond carefully worded statements, diplomatic responses remain muted.

Western governments now openly attribute cyber operations to China. Joint statements by the United States, the European Union, NATO and partners such as Australia routinely identify Chinese state-linked groups. Indictments are announced. Sanctions are occasionally imposed.

But behaviour does not change.

The core problem is that attribution has become cheap, while enforcement remains weak. Cyber espionage occupies a grey zone. It is hostile but not war. Intrusive but not clearly illegal under international law. Highly damaging but often invisible to the public.

There is no global cyber equivalent of the International Atomic Energy Agency (IAEA), which monitors nuclear activity through inspections and enforceable rules. In cyberspace, there is no binding treaty with verification powers, no inspection regime, and no neutral authority capable of compelling state behaviour. Attribution is political, not judicial, and China simply denies responsibility and moves on.

From Beijing’s perspective, cyber espionage is not criminal behaviour but normal statecraft. All major powers conduct cyber operations. The United States’ global surveillance programs, revealed by Edward Snowden, remain a convenient counterargument whenever China is accused of wrongdoing. In that context, Chinese officials see Western complaints not as principled objections but as selective outrage.

China also draws a clear distinction between cyber espionage and cyber warfare. Intelligence gathering, even at a massive scale, is considered legitimate. There is no international legal framework that clearly prohibits it, and certainly none with teeth for enforcement. As long as cyber operations remain below the threshold of kinetic conflict, Beijing calculates, correctly, that diplomatic protests will remain largely symbolic.

There is another constraint governments are reluctant to admit: economic dependence. Australia’s experience should have dispelled any remaining illusions. Beijing has demonstrated its willingness to use trade as a political weapon. That reality shapes every diplomatic calculation. Public attribution is one thing. Sustained pressure that risks economic retaliation is another.

The result is a familiar pattern: strong language, limited action, and a rapid return to business as usual.

Governments, therefore, emphasise defence. Systems are hardened. Networks segmented. Detection improved. This is necessary, but it is also fundamentally limited. Against well-resourced state-sponsored actors, no system can be secured indefinitely. Given enough time, funding and access to supply chains, defences will be bypassed.

Hardening does not stop attackers; it changes the economics of attack. It raises costs, slows progress and limits damage. It buys time. But it cannot deliver permanent exclusion. Treating cybersecurity as a purely technical problem creates a dangerous illusion of control.

This asymmetry favours the attacker. One attacker can probe thousands of systems; defenders must secure everything. Attackers choose the time and method; defenders react. For state actors, success does not require total compromise. Persistent access, optionality and future leverage are enough.

Another uncomfortable truth further weakens diplomatic resolve: China is not alone. Russia, Iran, North Korea, Israel and the United States all conduct cyber operations. What distinguishes China is scale, persistence and alignment with national industrial strategy, not moral uniqueness. No state is eager to legitimise retaliation against practices it quietly relies on itself.

In practice, governments have accepted that cyber espionage cannot be diplomatically stopped. The response has shifted toward hardening critical infrastructure, reducing supply chain exposure, and improving intelligence sharing. This is not diplomacy; it is damage control.

For Australia, this leads to a deeper question. As I mentioned before, how can a country claim digital sovereignty when it has almost no control over its data infrastructure, cloud platforms, software supply chains or identity systems? Europe has at least begun grappling with this through regulatory frameworks such as the Digital Services Act. Australia largely has not.

So why is there so little diplomatic action on Chinese state-sponsored hacking? Because cyber espionage sits in a zone where power politics override norms, economic dependence limits enforcement, and international law has failed to keep pace with technology.

Hardening defences is necessary, but it is not decisive. Until cyber operations carry real diplomatic, economic or strategic costs, state-sponsored hacking will continue.

The real question for Australia is not why diplomacy fails, but whether we are prepared to rethink sovereignty itself in a permanently contested digital world.

Paul Budde is an IA columnist and managing director of independent telecommunications research and consultancy, Paul Budde Consulting. You can follow Paul on Twitter @PaulBudde.
