Australia’s 2026 National Defence Strategy (NDS) and Integrated Investment Program (IIP) demonstrate a stronger commitment to cyber defence and capability. They reinforce that cyber for Defence is not just about securing networks but also about projecting power.

Offensive capacity has expanded, threat framing has shifted from prospective warning to present-tense alarm, and artificial intelligence is now explicitly identified as a core enabler. Compared with the 2024 strategy, coverage on cyber is more mature and better aligned with the urgency of the threat environment, pairing rhetoric with resources.

Cyber and space still represent two of the five domains under Australia’s strategy of denial. The 2026 IIP describes them as domains that ‘connect people, platforms and systems and shape the modern battlespace in real time’ pointing to an environment where cyber is contested, continuous and central to competition. The language in the NDS reinforces this shift: while the 2024 document framed cyber threats cautiously, noting that state and non-state actors were ‘multiplying’ capabilities, the 2026 version adopts a more urgent tone. Espionage and foreign interference are already at ‘extreme levels’, and authoritarian regimes are increasingly willing and able to disrupt critical infrastructure. The framing has moved decisively from warning to alarm, reflecting a threat environment that has already deteriorated.

This is backed by resource allocation. Between A$27 billion and A$38 billion will be directed to cyber, space and electronic warfare over the decade. This is broadly consistent with 2024 allocations, but the composition has shifted. Investment in offensive and intelligence-led cyber capabilities – particularly work under Redspice, Australia’s signals intelligence and cyber uplift program – has roughly doubled, rising from between A$6.4 billion and A$8.4 billion to between A$10 billion and A$15 billion. By contrast, funding for hardening Defence’s own network infrastructure has halved, possibly signalling a pivot away from passive resilience towards active use of cyber power.

The technical specificity has also matured. The IIP explicitly names advanced encryption and zero-trust architecture, which works on the basis that entities are untrustworthy by default and should always be verified, as the approach for protecting Defence’s networks. This language was entirely absent from 2024 documents. Perimeter-based models, which assume that systems can be secured by defending a clearly defined network boundary and trusting users and devices inside that boundary, are increasingly inadequate against adversaries capable of automating the discovery of vulnerabilities in their targets’ systems. Adopting a zero-trust posture signals a move from acknowledging the problem to committing to a specific architectural response.

The recognition of AI’s role has similarly shifted from implicit to explicit. In 2024, Redspice’s AI component was a background element. In 2026, it is the vehicle for processing increasing data volumes and enabling both offensive and defensive cyber capabilities. The program itself has moved from promise to delivery, with Defence and the Australian Signals Directorate reporting significant progress. However, these claims rely largely on ASD’s own reporting, with limited publicly verifiable evidence of capability or clear metrics.

The strategy is also explicit that this is not a mission Australia can pursue alone. Continued engagement with Southeast Asian partners is identified as a priority, with cyber security named alongside regional and maritime security as a shared challenge. Cyber threats do not respect borders, and Australian companies have suffered major data breaches because of third-party failures overseas. Working with regional partners is therefore important for Australia’s cyber resilience. Information-sharing, confidence-building measures, and capacity-building with Australia’s neighbours will extend the reach of Australia’s own capabilities, multiplying their effect without requiring proportional increases in spending. The regional dimension of the strategy deserves as much attention as the domestic investment figures.

For all its maturation, the strategy faces a challenge it cannot fully address through posture alone. Australia’s defence logistics, command-and-control architecture, and classified communications infrastructure contain substantial legacy components – software designed for threat environments that predate contemporary attack models. These components are difficult to patch without operational disruption and are increasingly visible to adversaries with AI-enabled discovery tools. AI-enabled cyber tools can now systematically map legacy exposure at machine speed across entire attack surfaces.

The post-quantum transition compounds this. The model of harvesting now and decrypting later means encrypted data collected today becomes readable once quantum capability matures. The ASD has set sensible timelines for its transition to quantum-resistant cryptography, aiming for full completion by 2030. But progress among Defence-adjacent entities and critical infrastructure operators remains uneven.

These are real limitations, but they should be kept in perspective. Every defence strategy inherits problems it did not create and operates within constraints no document can dissolve. What the NDS demonstrates is that Defence is asking the right questions, funding the right programs and being honest about the environment it faces.

The next question is what follows. If the strategy is to move beyond signalling, Defence will need to translate intent into demonstrable outcomes. That likely means more concrete guidance on zero-trust implementation across Defence and its supply chain and greater transparency on progress in the post-quantum transition. Just as importantly, Australia will need to show how offensive cyber capabilities are integrated into broader military operations and alliance frameworks without increasing escalation risks. Getting the strategy right is the necessary first step. Demonstrating that it is working will be harder.