- The Strategist - https://www.aspistrategist.org.au -

Shared risks, shared advantage: collaborating for collective cyber resilience

Posted By on November 17, 2025 @ 09:00

This is the edited text of a speech to the Public Sector Networks’ Government Cyber Security Showcase Federal on 12 November 2025.

 

It’s an honour to speak with you at a time when the foundations of our digital world are being stress-tested like never before.

The same connectivity that powers our prosperity, and which has driven innovation and growth, has also created shared vulnerabilities and structural fragilities.

We are increasingly seeing how a single weak link, often in a third-party provider, can cascade across industries, economies and borders.

We know adversaries are embedding persistence across a range of critical systems—seeking not just to steal data or intellectual property but to pre-position access that can be weaponised later in crisis.

It’s clear that cyber security is no longer just a technical function limited to chief information security officers. It’s more and more the pressure test of national resilience.

It’s precisely this context that demands of us a shift in mindset—from self-protection to systems stewardship; from compliance to resilience; and from government being central defender to instead being ecosystem enabler.

Why? Because the line between company safety, economic stability and national security is now almost indistinguishable.

Evolving threat landscape

Too often, we still treat every major cyber breach as a wake-up call. But after a decade of alarms perhaps we should already be awake.

What we’re experiencing are no longer isolated failures but are instead structural fragilities that are being surfaced.

As societies we’ve built technological ecosystems that are hyper-interdependent—a web of supply chains, cloud services and shared platforms that connect us, but also bind us.

At the same time, the threats confronting these ecosystems are becoming systemic, strategic and sustained—designed to undermine trust, disable infrastructure and erode confidence in institutions.

Nation-state actors are mapping interdependencies, testing responses and preparing to replicate disruptions at scale.

Criminal syndicates, now operating with state-level capability, are exploiting the same pathways. These malign actors are watching and learning. Studying how outages unfold, and preparing to replicate them at scale.

New technologies—like AI, automation and quantum computing—are amplifying speed and scale.

Each event experienced is a stress test, exposing where resilience ends and fragility begins. Recent incidents—from the Qantas data leak to the Collins Aerospace breach, and even the Amazon Web Services outage in October and the Azure outage only days later (two hyper-scalers in just a week)—offer reminders of this reality.

In this environment, every network is a potential vector, and every dependency a potential vulnerability. A disruption in one node, even when it isn’t of your own making, now ripples across sectors and even nations.

This means resilience cannot be built in isolation. It needs to be co-produced.

It also means resilience is not a fixed state but an iterative and persistent endeavour, one that needs to evolve as fast as the threats that challenge it.

I suggest our shared task is—to borrow from American cyber expert Jason Healey’s framing in a slightly broader way than Healey might have intended—to ‘shift advantage from offence to defence’. It is to do this not by fighting each incident, but by designing a systems approach focussed on interdependencies and scaling resilience.

From compliance to collective resilience

This means resilience cannot be reduced to compliance checklists. Compliance frameworks provide structure, but they often measure preparedness against static standards rather than dynamic threats.

Instead, resilience demands adaptive capacity.

Why? Because corporate risk management has in many ways become a national security function. The director-general of security, Mike Burgess, captured this dynamic in his Sydney Town Hall lecture last week when he said, ‘Your business might not be in national security but that doesn’t mean national security is not your business.’

Resilience is more and more dependent on the private sector’s ability to anticipate, absorb and recover from disruption.

This requires us to move toward concepts of ‘extended assurance’ grounded in continuous, collaborative and cross-sector engagement—working with partners and third-party suppliers across supply chains, across boards and across borders in ways nations now work with allies and partners.

This becomes less about self-protection and more about systems stewardship.

In this context, leaders need to understand and stress-test interdependencies, validate assumptions and ensure that automation is backed by credible manual fallbacks.

This recognises that resilience is not achieved by the strength of individual defences but instead by the adaptability of an ecosystem or set of ecosystems.

When Collins Aerospace systems went down, airports reverted to paper boarding passes and handwritten baggage tags. While not sophisticated, this kept operations running.

When disruptions occur, the goal needs to be graceful degradation, not collapse. That requires leaders to ask not just ‘are we compliant?’ but ‘are we collectively resilient?’

Government as architect and convenor

Governance frameworks like the Security of Critical Infrastructure Act provide essential guardrails. But, as ASPI’s analysis [1] of the Qantas hack reminded us, there are limits to what government can and should do.

With data breaches increasingly a new normal, the scale of the threats that confront us means we need to reconsider where government’s focus is best directed.

This forces us to question the necessity of a triaged model, one that concentrates state effort on the threats that matter most and the consequences that cut deepest, while paving the way for sectors and individuals to strengthen their own defences for what remains.

This reconsideration is urgent because, at the same time as such data breaches are the new normal, sophisticated actors such as China and North Korea are intensifying their digital infiltration of critical infrastructure—communications, energy and transport networks—as part of broader strategies to apply pressure and constrain freedom of action.

Put simply, governments can’t be in all places all at once. But if the state reserves direct intervention for systemic or high-impact incidents, then how do we address the rest? This is where the private sector comes into play.

Ownership and operation of most of Australia’s digital infrastructure by industry means industry is uniquely positioned to lead in safeguarding the infrastructure, bringing the agility, innovation and operational expertise that embodies the private sector to strengthen national resilience.

This approach conceives of the government’s role as more the architect and convenor of a resilient ecosystem—one that empowers, coordinates and catalyses. Think of it—again, to borrow from Jason Healey—as Enable, Engage, Enforce:

—Enable those who want to act but lack capacity, by sharing intelligence, funding uplift programs and developing toolkits;

—Engage those with capability but limited will, through incentives, partnerships and co-funded exercises; and

—Enforce where neither capacity nor will exists, using regulation sparingly but decisively when systemic risk threatens national resilience.

This is what fellow US cyber policy expert Robert Knake separately calls the Home Depot approach to cybersecurity: you can do it; we can help.

Clarifying government’s role—from central defender to ecosystem enabler—is necessary. It builds trust, sets realistic expectations and ensures resilience is co-produced, not commanded.

When we extend this model to the Indo-Pacific, the same logic still holds.

The Australian government’s role—both at home and abroad—should be seen as creating the architecture, setting the standards and catalysing cooperation, not fighting every battle.

By enabling those willing to act; engaging those able but hesitant; and enforcing where necessary, we shift advantage from offence to defence by distributing resilience more evenly.

Collaboration as shared advantage

As recently as this year, Jaguar Land Rover was crippled by a devastating cyberattack that cascaded through its supply chain.

This forced production shutdowns and prompted a £1.5 billion emergency loan from the British government to keep operations afloat.

It was a stark reminder that even the most advanced manufacturers remain exposed.

It was also a stark reminder that collaboration needs to be not rhetorical but practical and continuous. This means:

—First, moving beyond coordination to co-creation, not just sharing information but building shared capabilities and shared accountabilities; and

—Second, shifting from individual afterthought to shared foresight, looking not just at what should already be happening, but also at what adaptations should come next.

How do we give effect to this in practice? I’d suggest the following, which builds on the robust cyber security foundations we already have.

—First, real-time threat intelligence, not retrospective reporting.

Building federated, cross-sector platforms where anonymised telemetry and compromise indicators are exchanged at machine speed.

This helps ensure detection in one network instantly strengthens another.

—Second, continuous joint exercises, not occasional simulations.

Moving from annual red-team events to persistent live-fire ranges—safe, isolated environments where real attacks and defences are practised on realistic systems—that link government, industry and academia.

This allows for dynamic stress-testing of supply chains, and validation of response plans under realistic pressure.

—Third, crafting response architectures, not ad hoc playbooks.

Establishing interoperable national and regional crisis frameworks that integrate sovereign authorities, critical-infrastructure operators, insurers and vendors.

This helps ensure command clarity, pre-negotiated data-sharing protocols, and decision authority before—not after—a breach.

—Fourth, hard governance, not soft awareness.

Treat cyber negligence as a fiduciary breach.

This embeds minimum resilience standards into corporate law, procurement rules and director duties.

And so it makes boards accountable for measurable cyber performance in the same way they are for financial solvency.

—And finally, shared innovation pipelines.

Co-fund open-source security tools, joint R&D for supply-chain assurance, and sovereign testbeds for high-risk technologies.

This helps ensure resilience becomes a competitive export, not just a defensive posture.

The Japanese automotive sector provides a compelling example of how to achieve such a structural shift.

After a wave of cyber incidents that disrupted production at Nissan, Honda and Toyota, and exposed vulnerabilities across the supply chain, Japan’s leading manufacturers realised that piecemeal efforts were no longer enough.

In response, the Japan Automobile Manufacturers Association (JAMA) established a Cybersecurity Working Group under its Electronic Information Exchange Committee in 2019.

It brought together representatives from industry, government and the expert community to coordinate threat intelligence, establish shared standards, and strengthen collaboration across Japan’s automotive ecosystem.

The driving motivation was not charity: as vehicles became more connected, as supply chains became more digital, and as the industry moved toward autonomous and software-defined vehicles, cybersecurity had become not just a technical concern but an existential business issue.

The working group developed national cybersecurity guidelines, improved supplier maturity across thousands of SMEs and created a trusted channel between manufacturers and government for incident reporting and coordinated response.

In effect, Japan’s automotive giants learned what many sectors are now discovering: collaboration is not a substitute for leadership; it is leadership.

Shared stewardship transforms cybersecurity from a cost centre into a competitive advantage. It protects intellectual property, strengthens brand trust, reduces downtime and ensures continuity in an industry that underpins national prosperity.

It’s an investment in operational continuity, reputational capital and strategic influence.

Adaptive collaboration

Ultimately, collaboration needs to evolve as fast as the threats that challenge it.

Static resilience is always going to fail in a dynamic threat environment.

The pace of technological change, from AI-enabled attacks to the growing weaponisation of data, means resilience built today can quickly be obsolete tomorrow. In addition, given malign actors are sophisticated and learning, we should assume that the next crisis won’t look like the last one.

And so, our challenge is to measure our maturity not by whether we prevent disruption entirely, but by how effectively we adapt, recover and strengthen in the aftermath.

This challenges us to conceive and commit to collaboration that is adaptive by design. This can mean a range of things, but at its core I’d suggest it means:

—Embedding joint cyber exercises—both anticipated and unanticipated—into operational planning;

—Integrating resilience metrics into procurement, governance and performance frameworks, and building a maturing pathway that supports and rewards improvement over time;

—Treating capacity building as a standing investment, not an emergency response triggered by crisis; and

—Maintaining agile, transparent partnerships across sectors and borders to sustain shared awareness and coordinated action.

Shared responsibility, shared strength

With interdependence set to deepen, not diminish, effective resilience can no longer be treated as a solo effort—it’s a collective discipline, built and sustained together.

We are increasingly being challenged to see Australia’s strength—or for that matter, the strength of any individual commercial enterprise or the Indo-Pacific region more broadly—not in isolation.

If we align around a shared purpose—across government, industry and our regional partners—to counter threats together, to build shared capacity responsibly, and to adapt persistently—then we give ourselves the best chance to shift the balance of advantage in our collective favour.

In the days ahead I’d suggest leadership on cyber resilience will mean shaping, securing and stewarding the ecosystems that connect us all—not just the ones we control.



URL to article: https://www.aspistrategist.org.au/shared-risks-shared-advantage-collaborating-for-collective-cyber-resilience/

URLs in this post:

[1] analysis: https://www.aspistrategist.org.au/qantas-hack-limits-to-the-governments-reach/
