
Let’s face it: Australia is seen as a soft target for cybercriminals. Its fragmented cybercrime response makes both individuals and institutions more vulnerable.
Australia’s cybercrime framework must be informed by diverse perspectives, and it must focus on victims as much as on perpetrators. This means dismantling outdated binaries between ‘technical’ and ‘non-technical’, challenging the militaristic culture of cybersecurity and building a workforce that reflects the public it serves.
Between 2020 and 2022, scam syndicates across Southeast Asia and Africa targeted thousands of new Australian victims monthly, while intentionally avoiding targets in the United States. In an interview, one of the hackers behind the 2022 Medibank breach reportedly said that ‘Australians are the most stupidest humans alive… they have a lot of money and no sense at all.’ While offensive, the comment points to a broader perception among cybercriminals: Australia is lucrative and underprepared.
Part of this weakness stems from outdated frameworks. A long-standing distinction divides ‘cyber-enabled’ crimes—traditional crimes such as fraud, scams, or sextortion committed via technology—from ‘cyber-dependent’ ones, such as hacking and ransomware, which rely entirely on digital systems. This distinction was helpful when internet access was limited. Now, it merely obscures the complexity of cyber threats.
Our perceptions haven’t caught up either. The stereotype persists of the cybercriminal as a male hacker in a hoodie working in a dark room. But this figure is largely mythical. Research shows that cybercriminals come from varied backgrounds, have diverse motivations—including financial gain and thrill-seeking—and have no consistent links to traditional forms of crime. What they do tend to have in common is gender: most are men.
The archetype of the hacker aligns with the model of ‘nerd masculinity’. In this model, once-ridiculed characteristics such as technical expertise and social awkwardness have become assets in the digital era. Such traits are associated with status and control, particularly in cybersecurity and hacking cultures.
This evolution has consequences. As cybersecurity increasingly mirrors military structures, technical skills become a form of power. The hacker, rebranded as a kind of digital warrior, reflects and reinforces dominant masculine norms. Cybercrime is thus framed as a battleground—a contest of skill, prestige and conquest.
Existing frameworks reduce cybercrime to a technical problem requiring technical solutions, obscuring the human and societal costs, particularly for victims of scams, abuse or online stalking. This also fuels a culture of exclusion in the cybersecurity workforce, where hypermasculine norms marginalise women and other diverse voices.
Feminist criminology—which focuses on women offenders, women victims and women in the criminal justice system—is an important yet underused lens for understanding cybercrime. One useful theory is Raewyn Connell’s ‘hegemonic masculinity’, which argues that culturally idealised masculine traits, such as dominance, control and emotional detachment, are rewarded and reinforced. Offline, these traits underpin acts of violence and coercion. Online, they shape how cybercrime is both perpetrated and policed.
Indeed, research shows that men often view cybersecurity as the protection of systems and infrastructure, while women more commonly emphasise cyber safety or the protection of people from digital harms. Both are important. But Australia’s current policy response, including the establishment of a ‘hack the hackers’ taskforce after the Medibank breach, leans heavily toward the former. This retaliatory, militaristic posture positions cybercrime as a battlefield for elite operatives, not a public safety issue.
The impact is felt in the data. Australians lost over $3.1 billion to cyber fraud in 2022 alone, though the figure is likely much higher due to underreporting. Only one in four victims report these crimes, partly due to a culture of victim-blaming that casts them as careless or gullible. This mindset is another byproduct of the hegemonic, technicist model: it prioritises system protection over human wellbeing.
In October 2023, the Joint Committee on Law Enforcement launched an inquiry into how well law enforcement is equipped to respond to cybercrime. The hearings included testimony from government, industry and community stakeholders. The inquiry exposed a systemic lack of support for victims of cyber-enabled crimes and identified widespread gaps in cybersecurity awareness among frontline responders. Yet despite its potential to spark meaningful reform, the inquiry lapsed in early 2024. It was an opportunity lost. Meanwhile, Australia’s cybersecurity strategy and funding priorities continue to centre on data breaches and ransomware, leaving broader systemic issues unaddressed.
A critical first step for the new government should be to revive the inquiry, confront persistent stereotypes and publicly release the findings. As for us, we’ll keep pushing for change and shedding light on the issue.
To respond effectively, we need to move beyond yesterday’s logic. Cybersecurity must be inclusive, not exclusive, to be effective. If nothing changes, Australia will remain vulnerable, not only to overseas hackers, but to the blind spots in our own thinking.