If they simply implicated an "APT" in wrongdoing, they would have released it, as it would have been unremarkable and fit neatly within the Overton window of hissing-Chinese spies justifying an even more expansive national security apparatus and general anti-Sino sentiments among the ruling class in Washington.

This leads me to two possible, non-exclusive outcomes: the links to China are tenuous, and the attribution is flimsy (e.g., they accessed a machine at 9 am Beijing time!); or the report implicates the system itself as unauditable by design, which was bound to happen given the design of the intercept tools.

These reports would be useful for any other attacker interested in their infra; it’s obvious why the companies wouldn’t want to release them in this manner.

If they can't provide it to us for national security purposes, certainly they could to the appropriate congressional subcommittee.

Yes, most organizations are shy to release reports that make them look incompetent or highlight systemic problems. That's why we have laws that now require disclosure of incidents that may have exposed customer data.

>That's why we have laws that now require disclosure of incidents that may have exposed customer data.

I don't think there's any jurisdiction that requires public disclosure at this level of detail. It's really an extraordinary ask. How many of these reports have you seen?