Prologue
In October and November 2025, the heads of Australia’s two most significant strategic intelligence assessment agencies made public their views on the geostrategic threats confronting Australia today. In those remarks, both leaders set out some of the threats and explored some of the consequences that could be inflicted upon Australia, including Australia’s critical infrastructure assets, if action is not taken now to detect, deter, and defend against these threats to Australia’s national security.
Australia has been warned for years by its intelligence agencies, and by its allies, of the threats to our critical infrastructure by threat actors including hostile nation states, organised crime, and issue-motivated groups and individuals. Have Australian governments, private sector entities, or citizens responded in any meaningful way to these warnings, or have we been party to a slow-motion car crash, which we belatedly realise we are in the drivers’ seat for?
Introduction
In October 2025, the Director-General of the Office of National Intelligence, Andrew Shearer, at the 62nd Annual Australia-Japan Joint Business Conference, said that Australia today faces a moment of profound complexity, fluidity and disruption in global affairs. Shearer observed that the certainties of the post-World War II era that delivered remarkable stability and prosperity to Australia and its near region are eroding, with a very different future now in view.
In November 2025, the Director-General of Security, from the Australian Security Intelligence Organisation (ASIO), Mike Burgess, made two speeches: the 2025 Lowy Lecture, and at the Australian Securities and Investment Commission’s (ASIC) annual forum. In the Lowy speech, Burgess stated that security threats are damaging Australia’s social cohesion, and thus amplifying overall security risk to Australia. In the ASIC speech, Burgess warned that ASIO assessed that a number of nation states, especially China, have already infiltrated Australian critical infrastructure networks and will continue to attack these for the purpose of disrupting Australia’s critical infrastructure operations at a time of their choosing to achieve the strategic objectives they seek.
Key issues set out by Shearer and Burgess
Both observed, from different vantage points, that the future Australia has now entered is more fragmented, having moved from bipolar (Cold War) to a multipolar geopolitical system which is more dynamically contested and less predictable than has been the norm since 1945. This change is no longer poised at a distant frontier. It has arrived and affects all aspects of Australia’s being – people, society, government, business, national security, defence, and economy. And it all happens now at the speed of light with low barriers to entry to global messaging and communication, platforms Australia’s adversaries are using effectively to inflict harms.
On geopolitics, Shearer recounted that Australia’s national intelligence community has warned for years that Australia’s strategic environment is deteriorating rapidly. Shearer said, “If we paint a word picture of the world today, some words come up time and time again: disruption; contestation; fragmentation; deterioration; and acceleration.” With the rules that have governed global relations since the late 1940s, generating the greatest levels of prosperity that humans have ever known, coming to an end. Seamless globalisation is now history.
Shearer further observed:
- Conflicts are proliferating and intensifying, crises are more frequent, and both malign state and non-state actors are more willing to test boundaries.
- The military balance is shifting against the West and deterrence is eroding.
- We are entering a world of competing technological ecosystems, splintered supply chains and rival economic spheres.
- Some states are increasing their challenge to the post-1945 rules-based order, often acting by proxies including national and international organised crime, front companies, or armed groups.
- Australia and like democracies are uniquely exposed when it comes to economic security risks. Hyper-digitisation and interconnected infrastructure, from grids and ports to undersea cables, satellites, data centres and consumer devices, create almost infinite opportunities for attack. Public reporting and allied intelligence assessments indicate that China has deployed offensive software in the form of SALT TYPHOON to infiltrate and attack telecommunications, transport, and energy networks for the purpose of disrupting them.
- For Australia’s adversaries, our open society, media, and economy provide access and leverage to infiltrate and disrupt. Our way of life leaves us vulnerable to malign and antagonistic influence. The attributes we value as a society are weaponised against Australia’s people and national interest.
Burgess, at the Lowy lecture, explained that the threats to Australia from adversary nation states are real.
He cited a recent example involving a foreign intelligence service trying to cultivate and recruit several Australians. The foreign intelligence service arranged for an Australian to travel by plane and then boat to a third country for a face-to-face meeting. The foreign spies wanted to provide a list of intelligence requirements which included confidential information on Australia’s economy, critical minerals and AUKUS. ASIO worked with a partner intelligence service to deliver an unwelcome surprise to the intelligence officers when they arrived at the meeting: they were not met by their target but by an ASIO officer.
Burgess said that Russia has always been a significant espionage threat but the ongoing war with Ukraine added urgency to its intelligence gathering.
In 2024, two Russian-born Australian citizens were arrested and charged with an espionage-related offence in Australia.
Russia’s brazen acts of sabotage in Europe demonstrated its willingness to use a wider range of tools and tactics to coerce, intimidate and damage perceived adversaries. Australia is not immune from Russian acts of espionage and disruption.
Russian operatives are covertly stoking and amplifying division in Australia. ASIO recently uncovered links between pro-Russian influencers in Australia and an offshore media organisation that almost certainly receives direction from Russian intelligence. The Australians publish extreme online narratives justifying the invasion of Ukraine and condemning Australia’s support for Ukraine. Deliberately hiding their connection to Moscow, the propagandists try to hijack and inflame legitimate debate using social media to spread polarising commentary on anti-immigration protests and pro-Palestinian marches.
Great Power competition in Australia’s region is contributing to multiple territorial disputes including in the South China Sea, Kashmir, the Taiwan Strait and the Korean peninsula. This competition drives a relentless hunger for strategic advantage and an insatiable appetite for inside information. ASIO assesses that Great Power competition is driving an unprecedented increase in the targeting of Australians for espionage and foreign interference.
Burgess opined that all these international drivers of threat are being accelerated by rapid advances in technology. In terms of social cohesion, the internet is the greatest incubator of grievance narratives and conspiracy theories with social media accelerating and spreading these. And while the internet incubates and social media accelerates, artificial intelligence (AI) exacerbates. ASIO is very concerned about the potential for AI to take online radicalisation and disinformation to entirely new levels with ever more harmful consequences.
The result of these compounding dynamics is a domestic security environment with an unprecedented number of challenges, and an unprecedented cumulative level of potential harm. Burgess said that Australia has never faced so many different threats … at scale … at once.
Australia’s social fabric is fraying due to actors within Australia and from outside it. Adversary nation states are deliberately trying to set the fabric alight and fan the flames in a manner not seen before in Australia.
Regimes are operating in a security ‘grey zone’… using non-traditional tools to interfere in decision-making, promote discord, amplify distrust and spread false narratives in Western democracies, including Australia. Authoritarian regimes exploit fault lines in countries they consider hostile.
Burgess said this is a newer and more disturbing dynamic, and the reason he said the threats facing our social cohesion are unprecedented.
In his speech to ASIC’s annual forum, delivered to an audience of private sector entities subject to ASIC regulation, Burgess made the following key points.
The threats facing Australia are significant, they are not insurmountable.
Foreign intelligence services are targeting businesses’ people, networks, secrets and enterprises. However, there are steps that can and should be taken to protect them.
For boards, directors, and senior executives they have advice from ASIO about foreign threats: the threats are foreseeable, vulnerabilities are knowable, risks are manageable.
Burgess made the larger point that while your business isn’t national security, national security is your business.
Australia has entered a period of strategic surprise and security fragility. We are facing multifaceted, merging, intersecting and cascading threats. Major geopolitical, economic, social and security challenges of the 1930s, 70s and 90s have converged.
What does this mean for Australia’s corporate sector?
Burgess said that Great Power competition is driving unprecedented levels of espionage. A range of countries – some we consider friendly – have a relentless hunger for strategic advantage and an insatiable appetite for inside information. Most commonly, that manifests in the theft of privileged information about government decision-making, defence capabilities, and intellectual property or cutting-edge research, particularly if it has both military and civilian applications.
Increasingly, foreign intelligence services are broadening their collection requirements. They are increasingly targeting private sector projects, negotiations and investments that might give foreign companies a commercial advantage.
Consistent with criminal tradecraft, they have been aggressively targeting customer data.
Foreign companies connected to intelligence services have sought to buy access to sensitive personal data sets; attempted to acquire land near sensitive military sites; and pursued collaboration with researchers developing sensitive technologies.
On the topic of sabotage, ASIO expects sabotage, in particular that cyber-enabled sabotage will pose an increasing threat over the next five years, reflecting both growing adversary capability and adversary intent.
Advances in technology – including artificial intelligence – and a proliferation of capabilities for sale or hire online are making it easier for adversaries to obtain the tools and capabilities to conduct sabotage.
At the same time, Australia’s critical infrastructure networks are increasingly interconnected and interdependent, which expands the vulnerabilities and potential access points. The security of internet-facing systems is only as strong as its weakest password, insecure configuration, unpatched system or careless operator.
Burgess said that these technological developments are radically improving the capabilities of foreign regimes and their intelligence agencies. But more concerning, he said, is the evolution in their intent.
Having previously said that Australia was getting closer to the threshold for high-impact sabotage, ASIO’s assessment is that Australia has reached that threshold. ASIO assesses that the threat of sabotage is now present. Nation states have been building capability for decades, but their intent has been to commit espionage and foreign interference – to steal and meddle. With global tensions rising, some are more likely to move ‘up the scale’ towards higher-harm activities, including sabotage.
Burgess said: “I cannot be clearer, if the risks are foreseeable and the vulnerabilities are knowable, there is no excuse for not taking all reasonable steps.”
What steps can be taken to protect critical infrastructure assets and operations?
Pentagram offers the following advice to critical infrastructure entities, informed by the public threat assessments offered by Shearer and Burgess as leaders and the public voices of the Australian national intelligence and security agencies they lead.
1. Noting that threat is a product of the adversary’s intent and capability, and reflecting on assessments outlined by Shearer and Burgess, critical infrastructure companies should understand adversary intent and capability relevant to Australia today:
- the threat from foreign intelligence services is real,
- the threat from domestic and foreign organised crime is real and,
- the threat from issue-motivated groups is real.
2. Acknowledge that any or all these threat sources may be acting now, or may act in the future, to harm organisational assets and operations.
3. Threats are constantly changing, and responses need to change accordingly. Good security cannot be a point in time; it is an enduring responsibility. Establish credible and effective sources of threat information, both within the enterprise and externally.
4. Resolve at Board and ‘C-suite’ level to undertake a security risk assessment to identify key assets, likely threats, vulnerabilities, and effective risk mitigation.
- All critical infrastructure entities should have undertaken a security risk assessment by August 2023 to ensure a defensible understanding of likely threats to their assets and operations.
5. Effective defence against the threats of espionage and sabotage shares many characteristics with the management of other foreseeable corporate risks, such as theft, fraud, workplace accidents, and equipment failures. The function of security risk mitigation is akin to existing functions in the enterprise, so commit to incorporating security into everyday operations across the enterprise to become business as usual.
6. ASIO has noted that over 90% of security incidents involve a known vulnerability with a known fix that was not addressed. Almost always, a supervisor says they are shocked but not surprised. The signs were there but, again, the vulnerability was not addressed so the risk was realised.
7. Understand that all risks are manageable, but not all risks can be eliminated. Have a plan to act if a risk is realised, preferably developed through scenario workshops, and a plan to communicate with all stakeholders as necessary.
- For critical infrastructure entities, Pentagram’s CIRMP Security Maturity Assessment and Evaluation Model will provide a defensible account of risk-based decision-making in any post-event examination.
8. Manage risk in a coherent and connected way spanning the enterprise, avoiding silos. For critical infrastructure entities, the CIRMP enables and promotes governance and risk management across the enterprise, enmeshing all human and non-human threat sources into a unified operating domain.
Conclusion
Boards and executives of critical infrastructure entities have been warned across the last decade, but especially over the last five years, of the growing and increasingly tangible threats to critical infrastructure assets and operations by hostile nation states, organised crime, and issue-motivated groups and individuals. The commentary in this article, drawn from speeches made in late 2025 by the leaders of Australia’s two most significant intelligence assessment agencies, makes clear the intent and capability of Australia’s adversaries.
Foreseeable security risks abound which directors and executives are obliged to recognise and take reasonable steps to mitigate. For critical infrastructure entities, the CIRMP provides a robust framework for managing security risks and integrating security risk management into the fabric of everyday operations.
Pentagram contends that we are now participating in that slow-motion car crash, realising too late that we are in the drivers’ seat, and could see the oncoming car, but have failed to take effective evasive action.
