
Foreign interference: an identified and recognised threat
Australia’s intelligence and security community has delivered an unequivocal warning. In the 2024 Annual Threat Assessment, ASIO Director-General Mike Burgess stated that espionage and foreign interference sit at CERTAIN – the highest level on the scale. By 2025, ASIO assessed that hostile regimes were increasingly willing to disrupt or destroy critical infrastructure to impede decision-making, damage national capability, and sow discord. Cyber units from at least one state actor were already mapping networks and laying the groundwork for potential sabotage.
The Critical Infrastructure Annual Risk Review 2024, conducted by the Critical Infrastructure Security Centre, added a regulatory perspective to ASIO’s comments, highlighting foreign interference, insider threat, and personnel vulnerabilities as principal security concerns. It emphasised that national security risks are also business risks, with incidents capable of inflicting reputational damage, eroding trust, and triggering cascading disruption across interconnected critical infrastructure sectors.
The Department of Home Affairs’ 2024 publication Countering Foreign Interference in Australia reinforced this assessment. It identified critical infrastructure as a priority target for hostile states, alongside emerging technologies and critical minerals. Methods of foreign interference included joint ventures with hidden affiliations, acquisitions aimed at accessing intellectual property, and manipulation of supply chains to undermine Australian competitiveness.
This assessment is echoed in the August 2025 joint cybersecurity advisory led by the Australian Signals Directorate. It confirmed that Chinese state-sponsored actors are compromising networks globally, including telecommunications, transport, and government systems, to sustain long-term espionage operations. These actors have been observed in Australia as well as allied nations, modifying routers and exploiting trusted connections to maintain persistent access.
For directors, executives, managers, employees, and vendors of critical infrastructure entities, the message is clear: people are both the first line of defence – and the most attractive target – in the contest against foreign interference.
We need to understand that the threat is real.
From warning to solution: Insider Threat Programs under PSPF Section 7 and Requirement 51
The Australian Government has not confined itself to warnings. It has translated the threat of foreign interference into mandatory protective security policy through the Protective Security Policy Framework (PSPF) – Release 2025.
Section 7 of the PSPF, Countering Foreign Interference and Espionage, establishes the outcome that entities must apply due diligence and manage foreign interference risks across governance, personnel, information, technology, and physical security. At its core, this means addressing the risk of insider threat. In this context, it is important to define key terms.
Insider: any current or former employee, contractor, secondee, or other trusted individual who has, or has previously had, legitimate or indirect access to an organisation’s people, information, processes, technologies, or resources.
Insider threat: the risk that an insider, deliberately or inadvertently, uses their access to harm, compromise, or negatively affect an organisation, its people, operations, assets, or reputation.
Section 7 stresses that insider threat programs must be proactive and prevention-focused to protect people and assets, prevent data loss, and avoid reputational damage.
Requirement 51 of the PSPF operationalises this policy. It obliges entities that manage personnel holding security clearances (from Baseline through Positive Vetting) to implement insider threat programs.
The operative word is manage. If a security-cleared individual is employed, contracted, or seconded into your environment and you direct their work, your organisation is considered to be managing that clearance holder, regardless of who sponsors their clearance.
The PSPF makes a critical distinction here. Sponsorship is a formal role: only authorised Commonwealth entities, and in some cases state, territory, or approved non-government organisations, may sponsor a clearance. But management applies far more broadly.
In practice, if the Department of Home Affairs sponsors the clearance of a Chief Security Officer or engineer working inside a critical-infrastructure organisation, the organisation itself is the managing entity and is responsible for implementing an insider threat program under Requirement 51. Day-to-day protective security responsibilities rest with the organisation’s governance structures for everyone working in or for the entity, including contractors and service providers.
Beyond Requirement 51, the PSPF also prescribes obligations for sponsoring entities and clearance holders. Sponsors must initiate and maintain clearances, monitor ongoing suitability, and act if a clearance holder no longer meets requirements. Clearance holders themselves are obliged to comply with security policies, report relevant changes of circumstance, and maintain their suitability throughout the life of the clearance.
For organisations that manage security-cleared staff, insider threat programs can support employees in meeting these obligations by providing structured monitoring, reporting channels, and wellbeing support — even where the organisation is not the formal sponsor.
For entities that do not employ or manage clearance holders, the PSPF still provides a valuable ‘best practice’ framework. As Australia’s protective security policy framework, the PSPF has shaped wider regulatory approaches, including the Security of Critical Infrastructure Act 2018 (SOCI Act) and subordinate rules, which reflect PSPF principles. Also, the PSPF is the foundation for the Defence Industry Security Program (DISP).
Adopting PSPF Section 7 as a guide allows critical infrastructure entities to strengthen personnel security measures, align with the Critical Infrastructure Risk Management Program (CIRMP) obligations, and demonstrate organisational maturity and resilience to regulators, partners, and stakeholders.
Why an Insider Threat Program matters beyond compliance
An insider threat program enables organisations to identify and manage insider risk in a holistic and coordinated way. An effective program protects critical resources, counters both unintentional and intentional (malicious) incidents, prevents data loss, and shields organisational reputation. To be effective, these programs must be proactive, prevention-focused, and embedded across governance, personnel, cyber security, and organisational culture.
The benefits of insider threat programs include:
- Countering foreign interference: Detecting and mitigating coercion, recruitment, or deception of insiders is the frontline defence against espionage and sabotage.
- Protecting clearance holders: Continuous suitability monitoring supports employees and reduces risks of clearance suspension or withdrawal.
- Regulatory alignment: An insider threat program demonstrates proactive compliance with both PSPF and SOCI personnel-hazard obligations.
- Early detection: Monitoring behavioural and technical indicators allows organisations to address risks before they escalate.
- Cultural uplift: Security awareness becomes embedded across the workforce, making protective security a shared responsibility.
- Trust and credibility: An insider threat program demonstrates to customers, investors, and international partners that the organisation prioritises resilience and integrity.
International experience underscores these lessons. The U.S. National Counterintelligence and Security Center, in the 2024 Insider Threat Mitigation for U.S. Critical Infrastructure Entities: Guidelines from an Intelligence Perspective, highlights that insider threats are a human challenge requiring human solutions, and that effective programs focus on recognising anomalous behaviours, supporting at-risk individuals, and preventing incidents before they escalate.
Conclusion
Foreign interference is no longer a distant or abstract risk; it is recognised at the highest levels of Australia’s national security community as certain and ongoing. The Australian Government has responded through the PSPF, reinforcing the need for proactive insider threat programs that protect people, assets, and national capability.
For critical infrastructure entities, the message is clear: insider threat programs are not optional extras or compliance exercises. They are strategic safeguards that build resilience, uphold trust, and align organisational practices with the direction of government policy. Whether managing clearance holders or adopting PSPF principles as best practice, organisations that act now position themselves not only to meet regulatory expectations but to withstand the most persistent national security challenge of our time, one that will continue into the foreseeable future.

