
Each major cyberattack is treated as a wake-up call. But by now, we shouldn’t be surprised. Last week’s Qantas data leak and September’s Collins Aerospace breach have revealed a pattern of tightly interconnected systems with weak collective accountability. Airlines, airports and their web of contractors are so closely linked that one breach can ripple through the entire network.
This isn’t about assigning blame or calling for more regulation. The aviation breaches reveal a broader structural risk: corporate risk planning hasn’t kept pace with digital interdependence. The same connections that make modern economies efficient also make them fragile, threatening aviation, energy, logistics, health and finance.
Much of the public focus has understandably been on the personal data lost—names, addresses, contact details—but that’s only one layer of risk. In aviation, personal data systems (used for bookings, loyalty programs and payments) are distinct from operational systems (which manage air traffic, ground handling, fuel delivery and logistics). Leaking personal data exposes individuals; breaching operational systems can immobilise an entire industry.
That’s why Australia’s Security of Critical Infrastructure Act 2018 designates civil aviation as critical infrastructure. This subjects the industry to risk management programs and cyber incident reporting, and allows the government to intervene where a system’s compromise could threaten national security or public safety.
But the Qantas and Collins Aerospace incidents expose a broader structural weakness that is less discussed. Each airline, airport and technology provider is now part of a broader national ecosystem where a single weak link can cascade through supply chains. Compliance frameworks provide important guardrails, but they can’t anticipate every interdependency. The Australian Cyber Security Centre’s Essential Eight—comprising eight baseline cyber mitigation strategies—should be the floor, not the ceiling.
Cyberattacks no longer just cause isolated breaches but can also lead to major systemic disruptions—indeed, this is also one of the key observations in the Australian Signals Directorate’s 2024–2025 Cyber Threat report.
The challenge for boards across sectors is therefore to move from compliance to a new concept of extended assurance: continuous, collective and practical collaboration on cyber resilience across supply chains. Extended assurance means working across corporate boundaries in the same way Australia and other countries now work across borders in the Indo-Pacific through initiatives including joint cyber exercises with partners such as the United States, Singapore and Japan.
But unlike states, many companies still see cyber resilience as a zero-sum pursuit: internal defences are strengthened while suppliers and partners are left to fend for themselves. This insularity creates an illusion of safety. A well-protected company can still be paralysed if a vendor’s system is breached or if data it depends on is compromised upstream.
Effective corporate leadership will increasingly require looking beyond corporate perimeters. Just as the Australian government and its partners work to build regional cyber capacity among less-resourced states, businesses need to identify and address the less mature links in their own ecosystems. That could mean co-funding joint security audits or rehearsing coordinated response plans. The point is not to dominate or compensate for partners but to pressure-test and validate interdependencies and intersections. In a connected economy, one firm’s weakness becomes everyone’s exposure.
Companies need to shift from self-protection to system stewardship. Boards that focus only on compliance within their own organisations may meet regulatory expectations but still fail collectively. The stronger measure of resilience is how well an entire ecosystem can anticipate, absorb and recover from disruption. Real cyber maturity will increasingly come when companies see themselves not as isolated fortresses but as co-guardians of a shared, networked future.
That requires a greater focus on supply-chain governance. Contracts should embed security-by-design principles, require regular penetration testing and enforce strict breach-notification timelines. Liability clauses should link security outcomes to commercial consequences, making cyber negligence as serious as financial mismanagement.
But even with the best defences, failures will occur. So critical sectors such as aviation should also rehearse for cyber disruption with the same seriousness as they prepare for fire or terrorism. Regular red-team exercises and cyber-physical wargames involving internal stakeholders as well as third-party suppliers and government agencies are increasingly vital to uncover hidden dependencies and weak contingency plans. This isn’t simply about adding regulation or stacking new mandates; it’s about embedding realistic manual fallback procedures.
When Collins Aerospace systems went down, airports reverted to paper boarding passes and handwritten baggage tags. It kept operations limping along, but only just. The objective should be graceful degradation, not collapse.
The Collins Aerospace outage also underscores the role of Australia’s National Cyber Security Coordinator as a convenor and enabler of cross-sector resilience. The coordinator’s mandate is statutory, but it deliberately doesn’t hold coercive powers. Rather, it is designed to weave together government, industry and regulators in crisis planning and response. Its value lies in leading national risk planning and preparedness: running scenario exercises and building resilience with industry, stress-testing infrastructure and supply chains, and ensuring that responses are rehearsed and fast.
In an age where one supplier’s misstep can expose millions of customers or ground flights across continents, narrow compliance is no longer enough. Aviation, and indeed every sector across the economy, needs a new operating model built on extended assurance, shared responsibility and resilience beyond corporate boundaries. The lesson from Qantas and Collins Aerospace is that cyber resilience is not an IT issue; it’s a leadership imperative. Cyber resilience is leadership, not compliance.