Palo Alto sets a dangerous precedent: are we now so scared of China?

Some are calling out cowardice, others say it’s all very pathetic. One thing is clear, though: Palo Alto’s decision not to tie Beijing to a hacking campaign for fear of retaliation shows how firm China’s grip is. Is the West now so scared of angering the Chinese government?
When Reuters reported last week that Palo Alto’s Unit 42 chose to blame a “state-aligned group that operates out of Asia,” rather than China, in its report on a new cyberespionage campaign, the cybersecurity community was shocked.
Indeed, a draft version of the report by Unit 42, Palo Alto’s threat intelligence arm, said that the prolific hackers – dubbed “TGR-STA-1030” – were connected to Beijing, two Reuters sources said.
But the finished report, posted on Unit 42’s website, instead describes the hacking group more vaguely as a “state-aligned group that operates out of Asia.”
Name and shame? A rarer game
The change, the sources said, was ordered by Palo Alto executives because they feared drawing retaliation from Chinese authorities, either against the company’s personnel in China or its clients elsewhere.
In a way, Palo Alto’s decision wasn’t surprising. The firm was one of about 15 American and Israeli cybersecurity companies whose software had been banned by Chinese authorities on national security grounds in January.
Besides, perhaps as a sort of compromise, Unit 42’s report includes quite a few clues pointing to Beijing’s involvement in “The Shadow Campaigns.”
The researchers, for instance, said that the hackers work in the GMT+8 time zone, which includes China. They also said that the hackers attacked Czechia after its president met with the Dalai Lama, Tibet’s spiritual leader, who is despised by Beijing.
But to Palo Alto’s critics, its decision not to name and shame China in the report still seems confusing, especially since Unit 42 has previously attributed hacks to China.
By contrast, Google wasn’t shy about directly blaming China for state-sponsored cyberattacks worldwide in a recent report.
“In the last several years, China has run more campaigns by volume than any other country or category of threat actors,” an analysis released by Google Threat Intelligence Group said last week.
“One firm reportedly avoided specific attribution due to geopolitical risk. The other named the actor and placed the activity within a broader strategic pattern,” said Justin Bassi, the executive director of the Australian Strategic Policy Institute.
“This is not a morality play. Big tech companies operate globally, face regulatory exposure, and owe duties to shareholders and clients. Attribution is in the public interest.”
Retaliatory whack-a-mole
Google, however, is a tech giant far larger than Palo Alto: it is simply too big to worry much about the Chinese market or potential retaliation.
Smaller companies in the West, on the other hand, do rely on the Chinese market and money. It seems that they (or, at least, Palo Alto) are now tolerating security threats for fear of financial insecurity, since Beijing’s response can be swift and painful.
In January, China banned the use of cybersecurity software from a host of major US and Israeli firms. Some companies such as CrowdStrike simply shrugged and said they weren’t doing business in China, anyway.
There are thousands of high-tech and cybersecurity companies in China. Frankly, Beijing probably doesn’t even need foreign vendors to maintain its tech ecosystem.
But while most of the blacklisted firms do not have significant Chinese clients, some have offices in mainland China, including Shanghai, and in Hong Kong. The shares of Broadcom and Fortinet immediately fell by 4% and more than 2% respectively.
Trade-offs will certainly be considered. On the one hand, exposing foreign spies can draw industry plaudits and positive publicity. On the other hand, tangling with a foreign intelligence service can trigger reprisals.
This is already happening, and not only in the realm of cybersecurity.
But since most Chinese tech firms have, to varying degrees, a connection to the government, a growing number of Western countries have been banning or restricting the use of Chinese equipment.
Beijing, naturally keen to see Chinese exports flourish, has usually reacted swiftly and furiously, mostly by restricting imports from countries that act against its interests.
For example, China has blacklisted numerous US, Canadian, and other foreign companies, adding them to the Unreliable Entity List and thus restricting their ability to work in the country.
In response to Trumpian trade manoeuvres, Beijing also imposed huge tariffs on US goods. China also likes to launch anti-dumping and antitrust investigations into foreign products.
“Shared situational awareness”
The Chinese market is huge and tempting, of course. Palo Alto, with five offices and more than 70 employees across China, is no exception, and to some, its choice to avoid further conflict with Beijing is quite reasonable.
“People have always taken risks by naming names,” Thomas Rid, a professor at Johns Hopkins University who has studied the history of cyber attribution, told Reuters.
“It was always unpleasant, and if you have people on the ground, as large companies do, that’s an additional consideration. Are you putting your own people – your local staff – at risk?”
Bassi, though, is adamant that Palo Alto’s decision was wrong and should concern policymakers and industry leaders alike.
“If attribution becomes contingent on geopolitical exposure, public understanding narrows and trust thins. Governments and companies might privately argue that they are well aware of the threat from China, but democratic societies rely on shared situational awareness,” wrote Bassi.
“This doesn’t exist if strategically significant threats are described obliquely, while less contentious risks are detailed openly. Public debate cannot function on partial disclosure.”