Building the human firewall: Australia’s next layer of cyber resilience
1 Oct 2025

Australia’s security risks are sharpest where people and technology meet. This is the space where data flows, disinformation spreads and innovation thrives—and where defences can be breached.

Australia’s Cyber Security Strategy recognises that lasting protection depends on behavioural change: building trust, awareness and capability before introducing binding requirements as the system matures. This graduated model works because it recognises that evolution is continuous. If resilience stalls, adversaries and malign actors should be expected to exploit gaps between voluntary cooperation and enforceable standards, turning good practice into weak protection and exposing national institutions, communities and innovation systems to escalating harm.

Espionage and foreign interference are escalating at unprecedented levels. Australia’s Director-General of Security, Mike Burgess, has warned of record activity, and the Australian Institute of Criminology has estimated that espionage cost more than $12 billion in just one year. Arrests by the Australian Federal Police this year have shown that these threats are no longer abstract; they penetrate communities, universities, businesses and media. As previously written, espionage and foreign interference—including state-linked cyberattacks on government and critical infrastructure, and information operations that manipulate opinion and corrode institutional trust—form distinct but connected parts of a covert, persistent effort to steal secrets, siphon intellectual property and shape Australia’s decisions.

Sectors appearing safe today may become tomorrow’s targets, and arrangements therefore need to evolve persistently. This means that technical standards, awareness and cultural change should be interdependent rather than siloed. By co-designing solutions, raising awareness, training institutions and embedding best practice—not just implementing technical controls—we build shared ownership of change.

This principle underpins the government’s approach. As recent analysis notes, we’ve seen this with the National Cyber Security Coordinator’s ‘limited-use’ information-sharing protections, which let companies alert government early without fear that what they share will lead to penalties or be used to inform regulation. The results are clear: before the reforms, the Australian Signals Directorate issued 620 notifications a year with a 55 percent business response rate; after, notifications jumped to 1,700 and the response rate to 75 percent. This is proof that legal safeguards and cultural trust can dramatically strengthen engagement, improve visibility of threats and enhance the nation’s capacity to respond.

Against this strategic backdrop, Home Affairs Minister Tony Burke used his keynote speech at the 17 September Australian Financial Review CyberCX Summit to mark a decisive shift in Australia’s cyber strategy: the move from Horizon 1—which focused on assuring strong foundations for national cybersecurity resilience and risk-management posture, and is on track for completion by year’s end—to Horizon 2. Now under consultation, Horizon 2 is about embedding strong cyber standards and practices; empowering businesses and citizens to protect themselves; and enhancing frameworks, workforce and ecosystems to drive nationwide cyber resilience. The shift makes clear that the era of quick defences is giving way to one of cultural and systemic resilience, where prevention begins well before technical standards are set.

Burke stressed that laws and technology, while essential, are not enough. The human dimension—employees, staff behaviour and awareness—is the decisive factor. His own encounter with a scam call showed how easily trust can be exploited, which is why the government’s core practices—multi-factor authentication, prompt updates and strong passphrases—now have a fourth element: ‘Stop. Check. Protect.’ The advice is simple not because rules require it, but because survival increasingly depends on it.

The evolving threat and response landscape underscores why the Technology Foreign Interference Taskforce (TechFIT) matters. Established in the 2024–25 Budget, TechFIT builds on the earlier University Foreign Interference Taskforce, which provided a model of sustained engagement with universities and produced practical guidelines that heightened awareness of foreign-interference risks. TechFIT represents the natural next step, broadening that foundation across the entire innovation ecosystem, from start-ups and research institutes to small businesses and civil-society organisations that face the same vulnerabilities.

TechFIT sits within the Department of Home Affairs, giving it natural links to national security agencies and the broader Countering Foreign Interference framework while also supporting national productivity. Home Affairs manages the flows of goods, people, data and ideas that underpin the economy. It sees how foreign interference corrodes economic confidence, disrupts supply chains and stifles innovation—making it the right home for a program that must blend security and prosperity.

But TechFIT works because it operates in close partnership with others. The Department of Industry, Science and Resources offers expertise in commercialisation and advanced technologies, ensuring security measures support innovation and growth. The National Intelligence Community adds intelligence insights and early warning to sharpen risk assessments, while the Department of Education links the program to universities and critical talent pipelines. The Department of Prime Minister and Cabinet provides whole-of-government coordination and keeps the effort aligned with national priorities.

TechFIT’s current focus—appropriately for its early stage—is cultural uplift and government guidance. As the threat landscape evolves and the scheme matures, two aspects merit attention.

—Statutory authority and technical controls. Over time, the government should consider shifting TechFIT from an advisory role to a legislated power with clear mandates that enable continuous risk assessment and provide the legal basis for implementing technical safeguards. This should include mandatory reporting, data-sharing requirements and enforceable compliance standards.

—Transparent performance metrics. Because TechFIT was only established in the 2024–25 Budget, it has not yet been included in the department’s performance framework, which currently reports broad measures of foreign-interference resilience. As TechFIT matures, the government should consider discrete metrics or key performance indicators—ideally published periodically with clear baselines and targets—to track progress and capability uplift across the entire economy, not just within government.

Burke’s speech underscores a foundational aspect of the government’s approach: Australia is entering a new era in cyber strategy where the human firewall is as important as the technical. Horizon 2 goes beyond securing networks to securing institutions, protecting communities, preserving trust and defending the nation’s prosperity. Early results show that legal safeguards and cultural change can markedly lift response and capability. This is a welcome government push that stresses that lasting security requires shared risk, continuous adaptation and participation from every sector.