We’re there now
"We're there now":
What business leaders need to know from ASIO's cyber warnings
I’ve been following closely as he has spoken with escalating urgency over the year. His messages deserve attention because they’re backed by intelligence and national security rather than commercial interest. The arc of his warnings tells a story about where Australia stands.
From dark outlook to
"we're there now"
In February, Burgess delivered ASIO’s Annual Threat Assessment, taking the approach of declassifying parts of ASIO’s assessment for the future, warning of “an unprecedented number of challenges and an unprecedented cumulative level of potential harm” through to 2030.
By November 2025, speaking at an ASIC forum in Melbourne, his language had shifted to the present tense. On the threshold for high-impact sabotage, Burgess was blunt:
He identified specific threats – including Chinese hacking groups Salt Typhoon and Volt Typhoon – which have targeted telecommunications networks in Australia and the United States.
As Burgess also noted at the Lowy Lecture, “they actively and aggressively map your systems, and seek to maintain persistent undetected access that enables them to conduct sabotage at a time and moment of their choosing.” The impacts are significant:
- Espionage cost the Australian economy an estimated $12.5 billion in 2023-24.
- Modelling suggests sabotage of critical infrastructure would cost $1.1 billion per incident.
- A week-long, economy-wide disruption would cost $6 billion.
The risks are manageable:
Taking reasonable steps
At the ASIC forum, Burgess posed a question for every board director:
At CSO Group, we focus on the most empowering part of that message, which often gets lost in the doom and gloom: the risks are manageable. His framework offers a practical way to think about what Australian government and business leaders face.
The foreseeable threat:
Increasingly sophisticated
Chinese state-backed hackers are probing water, transport, telecommunications and energy networks across Australia and Five Eyes countries. Burgess described these attempts as “highly sophisticated” and designed to gain persistent, undetected access.
He asked business leaders to imagine the implications of a nation-state taking down all telco networks, turning off the power during a heatwave, polluting drinking water or devastating the financial system. State actors are actively exploring sabotage options to steal intellectual property, undermine companies for strategic advantage or hinder Australia’s ability to support allies in conflict scenarios.
Burgess warned that Australians may not yet grasp the scale.
Consider what happened during a relatively short outage unrelated to sabotage. Families couldn’t communicate, people couldn’t call triple-zero and businesses couldn’t process transactions. That was one phone network for less than one day.
The knowable vulnerabilities:
The signs are there
While threats escalate, investment lags. Government cybersecurity spending faces pressure and business investment hasn’t kept pace with the sophistication of attacks. The gap is widening right when it should be closing in the evolving geo-strategic environment.
The vulnerabilities Burgess highlights are present in your supply chains, third-party vendors and critical infrastructure dependencies. When hackers probe telecommunications or energy networks, they’re mapping pathways into every organisation that depends on those services.
Burgess noted that 99% of security incidents involve a known vulnerability with a known fix. Almost always, he observed, a supervisor says they’re shocked but not surprised. This reflects the Australian complacency Burgess warns against – the assumption that major incidents happen elsewhere.
Supply chain weaknesses create cascading risks. Your security posture matters less if your logistics partner, payment processor or cloud provider has exploitable gaps.
As Rear Admiral (Ret.) Jaimie Hatcher noted at CSO Group’s Executive Leadership Forum:
Many organisations wrongly believe they’re not targets because they don’t believe they hold sensitive data or operate critical systems. However, attackers use AI to identify and exploit these vulnerabilities at scale, turning seemingly insignificant third-party vendors into entry points for critical infrastructure. If your business is in any supply chain connected to critical infrastructure, you’re a potential weak link in Australia’s national security.
This isn’t due to lack of trying. Many organisations pour money into security tools, but the result is multiple tools operating in isolation, less effective, creating inefficiencies rather than coordinated action. We refer to it as the integration trap – tools that talk but don’t listen. Without centralised orchestration, these gaps become vulnerabilities that attackers exploit.
The risks are manageable:
Protected, not paralysed
Threats can be managed. The plots Burgess described in his speeches were stopped, disrupted or pieced together by ASIO and partners. What matters is whether your organisation is also taking reasonable precautions.
Cyber-mature organisations focus on visibility across systems, coordinated response capabilities and partnerships with security experts who can bring together best-of-breed solutions. They move beyond treating cybersecurity as a compliance checkbox and embed it in business operations.
They ask revealing questions: Do we know what data we hold and why? Can we respond to an incident across multiple systems? Are our security investments delivering coordinated outcomes or just more dashboards? Have we assessed our supply chain vulnerabilities beyond our perimeter? How quickly can we respond and recover a minimum viable business, especially if we operate critical infrastructure or contribute to its supply chain?
Strong cybersecurity foundations become a competitive advantage. Organisations with mature security capabilities can innovate faster and move with confidence because they’re protected rather than paralysed by uncertainty.
You’re in the
security business
The threats he describes are active, escalating and targeting Australian enterprises and critical infrastructure now, and will continue to do so. The vulnerabilities sit in fragmented security tools, untested incident responses and supply chain dependencies that remain unmapped.
The manageable risks require action. That means asking whether your organisation is taking reasonable security steps to make cybersecurity central to business strategy.
When the Director-General of Security escalates warnings over the course of a year, from a “dark outlook” to “we’re there now,” the signal is clear. Are governments and businesses listening?
Subscribe
for updates
for expert insights on cybersecurity strategy, trends, and implementation.