
Australia is in a race against time. Cyber adversaries are exploiting vulnerabilities faster than we can identify and patch them. Both national security and economic considerations demand policy action.
According to IBM’s Data Breach Report, the average cost of a data breach in Australia reached a record $4.26 million in 2024. By contrast, identifying vulnerabilities through ethical hackers costs on average $1670, according to HackerOne’s annual security report.
The equation is simple: preventing breaches through the disclosure of vulnerabilities is far cheaper than dealing with the fallout of a successful attack.
While vulnerability disclosure programs are mandatory for Australian government entities under the Protective Security Policy Framework, they are not required for other organisations. Any organisation can start such a program without significant outlay, though some use rewards to incentivise testing.
Certainly, the Australian government has made progress. Amendments to the Security of Critical Infrastructure Act imposed stronger cybersecurity obligations. The Cybersecurity Act, passed in November 2024, also lays a foundation for addressing cyber risks. One promising element of the act is the development of a security standard for connected devices, which will require manufacturers to provide structured channels for ethical hackers to report vulnerabilities.
This measure should be an early step toward a national coordinated vulnerability disclosure policy. Such disclosure, often including a public-facing vulnerability disclosure program, is a cybersecurity best practice that provides clear guidelines for ethical hackers to report vulnerabilities to organisations before malicious actors can exploit them. Coordinated vulnerability disclosure may also encompass vulnerability rewards programs, also known as bug bounty programs, that, through reward, incentivise ethical hackers to responsibly disclose vulnerabilities.
In addition to the rising costs of breaches, our cyber adversaries are pushing ahead with the exploitation of existing bugs and hoovering up new ones.
The widely reported Volt Typhoon operation offers an insight into the national security threat. Since at least mid-2021, state-backed Chinese hackers strategically pre-positioned themselves within critical systems in the United States.
The 2024 Annual Threat Assessment from the US Office of the Director of National Intelligence underscores the intent behind such operations:
If Beijing believed that a major conflict with the United States were imminent, it would consider aggressive cyber operations against U.S. critical infrastructure and military assets. Such a strike would be designed to deter U.S. military action by impeding U.S. decision-making, inducing societal panic, and interfering with the deployment of U.S. forces.
Cooperation with Five Eyes partners has led to joint advisories and critical network threat-hunting efforts, but the Volt Typhoon operation underscores that unmitigated vulnerabilities pose a strategic risk for Australia.
China has taken deliberate steps to make operations using unmitigated vulnerabilities not only viable but the new normal. To get to this operational footing, China integrated vulnerability reporting into its national cybersecurity framework. Under China’s 2021 National Security Law, all cybersecurity vulnerabilities, particularly those in critical infrastructure, must be reported to authorities regardless of mitigation status. By all accounts, China has done a remarkable job of setting up a framework to industrialise vulnerability disclosure to further its strategic objectives.
Australia is making progress, but not quickly enough to keep pace. Other states’ vulnerability collection and exploitation efforts are advancing much more quickly. China’s strategic use of zero-day exploits demonstrates how adversaries can rapidly identify, collect and weaponise vulnerabilities, gaining a significant tactical advantage.
As the Australian government moves into Horizon Two of the National Cyber Security Strategy 2023–2030, it must prioritise addressing long-term vulnerabilities and increasing resilience. The next phase of the strategy should include the formalisation of a national coordinated vulnerability disclosure policy, including the strong endorsement of vulnerability disclosure programs to encourage an economy-wide ‘see something, say something’ approach to cybersecurity.
One important element of that policy could be federal funding of bug bounty programs across the federal government. This would bring Australia in line with the US and Britain, which have embraced these programs to identify and report vulnerabilities in their defence portfolios. At a time when the security of the AUKUS program is paramount, any gap that leaves Australia’s defence systems vulnerable to undetected exploits could jeopardise national security and undermine our allies’ confidence in Australian information security.
In an era of evolving cyber threats, Australia’s national security and economic future depend on the resilience of its digital infrastructure. A national coordinated vulnerability disclosure policy is essential for addressing vulnerabilities before they are exploited. With cyber adversaries such as China shifting their cyber doctrine to exploit vulnerabilities, the time to act is now.