• Posted on 20 Aug 2025

This article appeared in The Strategist on August 20 2025.

Leading insurance giant Munich Re called for better economic modelling of cyber catastrophe in late July. Australia is only just beginning this journey but in doing so needs a national plan covering preparation for and responses to catastrophic cyber incidents and mitigation of their non-cyber impacts.

In June, the Australian government categorised cyber catastrophe as a new category of emergency requiring detailed and comprehensive preparedness. Such planning should be based on lessons from the inquiry into Australia’s response to the Covid-19 pandemic. But 2025 has also revealed important shortcomings in cyber systems through a complete blackout of the Iberian Peninsula in April and Ukraine’s shutdown and destruction of data belonging to Russia’s Aeroflot in July.

The government needs to develop and issue preparedness plans for a catastrophic cyber incident, including roadmaps for technical responses to cyberattacks and action plans to manage the consequences in key economic sectors, continue delivery of essential services and mobilise all Australians as part of a national response.

Key areas that need attention include emergency law enforcement, crisis communications, regulatory responses for businesses, international cooperation and identification of perpetrators. Prior preparation means these systems can be activated when needed.

While preparedness involves getting ready for crises, resilience is the capability to mitigate and recover from them. Both are essential and mutually reinforcing, and community participation is crucial. The prominence of cyberattacks in global conflicts underscores the urgency of improving Australia’s cyber preparedness.

A national plan would necessitate prioritising cyber civil preparedness and resilience alongside military defence and diplomacy in national security policy. It would also require consequential changes in the machinery of government. This would include a national preparedness plan to set the framework for response, and a national cyber resilience strategy to manage the consequences of catastrophic cyber emergencies.

The importance and vulnerability of critical infrastructure and data sit at the heart of our concerns and we offer a new paradigm for bringing cyber resilience, cyber security and cyber risk management together as a fundamental part of addressing cyber preparedness.

While cyber resilience is important, it tends to address post-incident actions and focus on recovery. That is not sufficient; pre-incident economic and social preparation must also be addressed. This preparedness involves readiness—the ability to respond in a timely and effective fashion—and sustainability—the ability to maintain that timely and effective response for as long as needed. The nation needs to be better prepared, not simply resilient, for disruptions to national critical infrastructure, which is inevitably underpinned by cyber technologies.

Furthermore, while national resilience may be sufficient in peacetime, it will not suffice in wartime. At ASPI’s Defence Conference in June, the Chief of the Defence Force said that Australia needed to plan to operate warlike operations from home soil. This underscores the need to re-focus not only military preparedness but civil preparedness as well. This civil preparedness should also be related to national resilience. A national crisis for Australia will most likely start in the cyber realm.

We recommend that the federal government begin conducting national assessments of cyber civil preparedness and resilience, submitting them to parliament every three years. It should set up a dedicated office of cyber threat intelligence focused on the economy and society.

In addition, Australia needs a national cyber readiness framework and new doctrine and legal authorities for programs in national civil preparedness and national cyber resilience.

So much good work has been done recently in terms of crisis and disaster response, cyber security, cyber resilience, and critical infrastructure protection and resilience. However, the lack of a coherent cyber risk assessment and cyber resilience strategy in Australia cries out for a national integrated approach, which needs to be advanced in parallel with a national preparedness plan.

AUTHOR

Greg Austin

Adjunct Professor, Australia-China Relations Institute | China cyber and strategic policy expert

Gary Waters

Distinguished Fellow, Social Cyber Institute
