- The Strategist - https://www.aspistrategist.org.au -

Preparing for cyberattacks is good; preventing them is better

Posted By on November 3, 2025 @ 15:30

While the government’s new Australian Cyber Response Plan is a significant step towards preparing for a crisis, we need to be more proactive in improving cyber resilience so that the plan need never be activated.

The Australian Cyber Response Plan, released in June 2025, addresses cyber incidents classified as crises under the Australian Government Crisis Management Framework. A significant update was the addition of a fourth tier, called ‘Coordination for a Nationally Catastrophic Incident’, which covers events with extreme impact and complexity.

While the government is to be congratulated on this plan, it is only the start of preparing for a nationally catastrophic incident and building national cyber resilience. Ultimately, Australia needs to be proactive in improving cyber resilience. This must be achieved by conducting a threat assessment of the risk and likelihood of nationally catastrophic cyber incidents, and by developing national cyber preparedness plans to meet those identified threats.

According to the plan, tier 4 incidents are expected to be highly complex, causing widespread and severe consequences across multiple jurisdictions, critical infrastructure, government assets and data. These events are likely to overwhelm Australia’s systems and resources, requiring involvement from nearly all government portfolios.

A sophisticated cyber attack targeting Australia’s energy grid is among the most alarming threats, since any country relies heavily on the energy supply to support all other critical infrastructure sectors and its economy generally. The energy grid—comprising power generation plants, distribution networks and transport systems—forms the backbone of all essential services. If disrupted, the consequences would be severe: heating, refrigeration, water supply, manufacturing, financial services, retail, entertainment and more could be crippled. Such an attack could paralyse the economy for more than a year, as rebuilding critical infrastructure systems would be a significant undertaking. Moreover, a well-crafted attack could not only bring down the entire system but also anticipate and undermine response efforts.

Underlining the concern that led to the inclusion of the fourth tier were comments by Lieutenant General Michelle McGuinness at the AusCERT Cyber Security Conference in May that the nation needs to prepare for a catastrophic cyber incident that could cripple the nation and have long-lasting effects. This suggests that preparedness plans are being developed.

However, before such plans are matured, a Nationally Catastrophic Cyber Incident Threat Assessment is essential in ensuring that the plans are focused on the most pressing cyber threats.

This assessment should inform government entities, the corporate sector and the public about risks to public safety and national security. It should synthesise threat assessments from government and corporate agencies, including intelligence and operational elements related to public safety, border protection, critical infrastructure and economic security.

With a robust threat assessment, Australia can then identify and assess risks. It can determine required capabilities and activities, build and sustain those capabilities, develop preparedness plans, and conduct exercises and simulations to identify gaps. It can also regularly review and update plans and resources.

Illustrative planning scenarios can be used to model plausible future cyber catastrophes, supporting the threat assessment and guiding preparedness and response planning.

Australia’s preparedness plans should aim to prevent, protect against, mitigate, respond to, and recover from the most significant cyber threats. Preparedness planning would involve:

—Identifying and assessing risk: gather data on existing and emerging cyber threats;

—Estimating capability requirements: determine the specific capabilities needed to address identified risks;

—Building and sustaining capabilities: allocate resources to develop and maintain these capabilities, prioritising the highest risks;

—Planning to deliver capabilities: coordinate plans across all relevant organisations to ensure a unified national approach;

—Validating capabilities: test plans and capabilities through exercises and simulations to identify and address gaps;

—Reviewing and updating: regularly update all plans and resources to keep pace with evolving threats and requirements.

As part of identifying and assessing risk, the government should also identify and map network interdependencies so that harmful cascading effects among systems can be prevented or at least ameliorated.

The ultimate goal of threat assessment and preparedness planning is to build cyber resilience—the capacity to respond effectively to unforeseen or rapidly evolving situations. Rather than simply aiming to avoid or prevent disruptions, resilience is about developing the strength and flexibility needed to adapt, recover and thrive during and after a crisis. For example, regular cyber exercises not only test preparedness plans but also build the adaptive capacity required for true resilience.

The Australian Cyber Response Plan, especially with the new fourth tier for nationally catastrophic incidents, marks a positive step towards strengthening the nation’s cyber resilience. However, it is only an initial measure. It provides a useful way to respond, but ultimately Australia must more proactively improve cyber resilience, by assessing the risk and likelihood of nationally catastrophic cyber incidents and establishing a National Cyber Preparedness Planning System.




URL to article: https://www.aspistrategist.org.au/preparing-for-cyberattacks-is-good-preventing-them-is-better/
