Punctuated Diffusion: How Chinese Cyber Operations Drive Security Policy Convergence in the Quad (2015-2025)

This paper introduces a "punctuated diffusion" framework to explain how authoritarian cyber threats catalyze policy convergence among democracies. Unlike gradual policy learning models, punctuated diffusion posits that major cyber attacks by strategic competitors create critical junctures that accelerate the adoption and spread of cybersecurity policies across allied nations. Focusing on the Quad partnership (US, Japan, India, Australia) from 2015 to 2025, I employ intensive process tracing of four to six major Chinese state-sponsored cyber campaigns, including attacks on Indian critical infrastructure (2020 to 2021), the Microsoft Exchange Server compromise (2021), targeting of Australian political institutions (2019), Japanese defense contractors (2021 to 2023), and Volt Typhoon operations (2023 to 2024), to trace causal mechanisms from attack attribution through policy entrepreneurship to cross-national adoption. Complementing this with systematic policy content analysis, I code cybersecurity legislation across supply chain security, critical infrastructure protection, data sovereignty, and information sharing frameworks to measure textual similarity and temporal clustering of policy adoption. This paper aims to reveal that Chinese cyber operations function as exogenous shocks that create policy windows, enabling transnational norm entrepreneurs to overcome domestic veto players and accelerate coordinated responses. Through process tracing, I expect to demonstrate how attacks trigger sequential policy adoption, typically US or Australia first, followed by Japan, then India, with substantial textual convergence in policies adopted within 24 months of punctuating events. This illuminates a distinct dimension of so-called digital authoritarianism: how external cyber operations by major powers can paradoxically strengthen democratic cyber resilience through crisis-driven policy coordination. The paper contributes theoretically by synthesizing punctuated equilibrium (PET) with policy diffusion literature, and empirically by providing systematic documentation of Quad cybersecurity convergence patterns driven by geopolitical cyber competition.