12 November 2025
Director-General of Security, Mike Burgess AM
National security is your business
Thanks Joe, and no pressure. Good morning everyone, it’s great to be here.
I thought I’d start by introducing you to Australia’s security service. We were formed in 1949 off the back of discovering that Australia was penetrated by Soviet spies. We were named the Australian Security Intelligence Organisation some 4 months after we started because, unfortunately, for the first four months we were known as Australia's Security Service and that acronym would not survive in the modern world. So, I would be here today as the Director-General of ASS.
ASIC and ASIO have more in common than you might think.
A—S—I—C and A—S—I—O are separated by a single letter.
ASIC is a watchdog. Hope you don’t mind me describing you by that, Joe.
ASIO is a guard dog.
We are both proudly independent. We make decisions that can impact on lives and livelihoods.
There’s at least one more similarity. Joe, I suspect you might be like me: no one smiles when we walk into a room! People always assume I’m bearing bad news.
Unusually though for a spy chief, I’m an optimist. I don’t think it’s good enough for someone in my position to talk about threats without also talking about solutions.
So, this morning I want to focus on a more positive message than you might have expected: while our security environment is degrading, you do not need to be insecure about your security.
While the threats facing Australia are significant, they are not insurmountable.
While foreign intelligence services are targeting your people, your networks, your secrets and your enterprises, there are steps you can take to protect them.
The threats are foreseeable.
The vulnerabilities are knowable.
The risks are manageable.
And while your business isn’t national security, national security is your business.
Threat Environment
First, the bad news. Australia has entered a period of strategic surprise and security fragility.
We are facing multifaceted, merging, intersecting and cascading threats. Major geopolitical, economic, social and security challenges of the 1930s, 70s and 90s have converged.
As one of my analysts put it with an uncharacteristic nod to popular culture: everything, everywhere, all at once.
So, what does this mean for Australia’s corporate sector?
Most obviously, great power competition is driving unprecedented levels of espionage.
A range of countries – some we consider friendly – have a relentless hunger for strategic advantage and an insatiable appetite for inside information.
Most commonly, that manifests in the theft of privileged information about government decision-making, defence capabilities, and intellectual property or cutting-edge research, particularly if it has both military and civilian applications.
Increasingly, though, foreign intelligence services are broadening their collection requirements. They are aggressively targeting private sector projects, negotiations and investments that might give foreign companies a commercial advantage.
And like criminals, they have been aggressively targeting customer data.
ASIO has investigated countless Australian cases.
Nation-state hackers compromised the computer network of a major Australian exporter, making off with commercially sensitive information. The theft gave the foreign country a significant advantage in subsequent contract negotiations.
In another case, they stole the blueprints of an Australian innovation and mass-produced cheap knock-offs that nearly bankrupted the innovator.
Foreign companies connected to intelligence services have sought to buy access to sensitive personal data sets; sought to buy land near sensitive military sites; and sought to collaborate with researchers developing sensitive technologies.
A visiting academic with links to a foreign government broke into a restricted technology laboratory and filmed its contents.
Earlier this year, ASIO partnered with the Australian Institute of Criminology to calculate what espionage costs the Australian economy.
The conservative estimate is that espionage cost Australia $12.5 billion in 2023-24. The figure includes an estimated two billion dollars of trade secrets and intellectual property stolen from Australian companies and businesses by cyber spies in one year.
Of course, if organisations such as yours are unable to deliver the service or function your customers pay for and depend upon, the scale of that damage will be catastrophically worse. And worse still if there was something practical you could have done to prevent it.
I’ll circle back to this later.
Espionage and foreign interference are not our only security concerns.
Growing levels of grievance, conspiracy and anti-authority beliefs are driving spikes in politically motivated violence and making acts of terrorism more likely.
I spoke about this dynamic last week in the Lowy Lecture.
Of particular interest to the business community, we are now tracking a troubling increase in anarchist and revolutionary extremism, often targeting industry.
Since October ’23, anti-Israel activists have increasingly used disruptive tactics such as arson, vandalism, and violent protests targeting companies accused of providing weapon components.
Rapid advances in technology are incubating and accelerating these security concerns.
As a result of both global and domestic drivers, over the next five years, ASIO expects a complex, challenging and changing security environment will become more dynamic, more diverse, and more degraded.
Dynamic, because Australia has never faced so many threats… at scale… at once – and I note the title of this conference.
Diverse, because threats are intersecting and boundaries are blurring. Foreign spies are increasingly using criminal cut-outs to do their dirty work.
And degraded, because of the depths authoritarian regimes are more willing to go to. They are behaving more aggressively, more recklessly, more dangerously. More willing to engage in what we call ‘high harm’ activities.
Sabotage
Given the title of this conference, I’d like to dive a little deeper into one of those high-harm activities: sabotage.
We expect sabotage, particularly cyber-enabled sabotage, to pose an increasing threat in the next five years – both in terms of adversary capability and adversary intent.
Advances in technology – including artificial intelligence – and a proliferation of capabilities for sale or hire online are making it easier for regimes to obtain the tools and weapons they need to conduct sabotage.
At the same time, our critical infrastructure networks are increasingly interconnected and interdependent, which expands the vulnerabilities and potential access points.
The internet-of-things is only as strong as its weakest password, insecure configuration, unpatched system or careless operator.
These developments are radically improving the capabilities of foreign regimes and their intelligence agencies. But more concerning from my point of view is the evolution in their intent.
I have previously said we’re getting closer to the threshold for high-impact sabotage.
Well, I regret to inform you – we’re there now.
Nation states have been building capability for decades, but their intent has been to commit espionage and foreign interference – to steal and meddle.
With global tensions rising, some are more likely to pull the trigger on the higher-harm activities.
Authoritarian regimes are growing more willing to disrupt or destroy critical infrastructure to impede decision-making, damage the economy, undermine war-fighting capability and sow social discord.
They see sabotage as a tool of coercion, disruption, distraction, and retaliation to test national resolve, readiness, and responses.
Russia’s reckless campaign with incendiary devices in Europe is a potent example. And while Russia’s actions demonstrate that physical sabotage remains a threat, it is cyber-enabled sabotage that presents a more acute concern for Australia.
Cyber is the most immediate vector for sabotage.
It’s an attractive option for foreign regimes because it is a low-cost but potentially high-impact vector, as well as being deniable and scalable.
How real is this threat?
ASIO is aware of one nation state – no prizes for guessing which one – conducting multiple attempts to scan and penetrate critical infrastructure in Australia and other Five Eyes countries, targeting water, transport, telecommunications, and energy networks.
The reconnaissance is highly sophisticated, using top-notch tradecraft to find your networks, test for vulnerabilities, knock on digital doors and check the digital locks.
And when they have penetrated your networks, they actively and aggressively map your systems, and seek to maintain persistent undetected access that enables them to conduct sabotage at a time and moment of their choosing.
You may have heard about the oddly named Salt Typhoon and Volt Typhoon hacking groups.
I know many people are confounded by the silly nicknames – so let me decode these further.
These groups are hackers working for Chinese Government intelligence and their military.
Both groups were involved in the theft of sensitive information, but the real danger was the threat of sabotage - disruption to critical infrastructure.
And while these Chinese hacking groups have similar codenames, they are profoundly different.
Salt Typhoon’s intent was espionage – they penetrated the United States’ telecommunications system to gain access to the nation’s communications through a strategic spying operation.
And they have been probing our telecommunication networks here in Australia too.
In contrast, Volt Typhoon’s intent was disruptive.
The hackers compromised American critical infrastructure networks to pre-position for potential sabotage. The penetrations gave China the ability to turn off telecommunications and other critical infrastructure.
And yes, we have seen Chinese hackers probing our critical infrastructure as well.
And once access is gained – the network is penetrated – what happens next is a matter of intent not capability.
I do not think we – and I mean all of us – truly appreciate how disruptive, how devastating, this could be.
I spend a lot of time thinking about the CIA.
Confidentiality, integrity and availability.
Not the Central Intelligence Agency.
Let’s be honest, there is plenty of evidence that companies continue with our struggle to keep data safe. Confidentiality.
Companies that fail to protect their data from theft, have little or no chance of protecting their critical systems or services from disruption.
The question of availability keeps me awake at night.
The loss of availability in any part of our critical infrastructure can be devastating.
Devastating for the company, devastating for consumers and devastating for the nation.
Consider what’s happened when we’ve experienced relatively short and isolated outages in the telecommunications sector, unrelated to sabotage.
The cascading effects were more significant and widespread than most people expected.
There were social impacts when families could not communicate, critical medical impacts when the sick could not call triple-zero, financial impacts when businesses could not process transactions and transport impacts when a vehicle charging system went down. Services that people take for granted proved uncomfortably fragile.
That’s one phone network not working for less than one day.
Imagine the implications if a nation state took down all the networks? Or turned off the power during a heatwave? Or polluted our drinking water? Or crippled our financial system?
I assure you; these are not hypotheticals – foreign governments have elite teams investigating these possibilities right now.
There are multiple scenarios where a nation state’s intent could shift from stealing and meddling to disruption and damage.
To cripple an Australian company as a trade competitor.
To cause disruption or panic during a critical decision here in Australia, like an election or a negotiation.
Or to deter or even prevent Australia from being able to defend its national interests in a peacekeeping or conflict scenario overseas.
Some of the scenarios the Australian Institute of Criminology modelled for our Cost of Espionage report were eye-opening and eye-watering.
The cyber-enabled sabotage of critical infrastructure will cost the economy $1.1 billion dollars per incident.
An economy-wide, week-long disruption will cost six billion dollars.
In its report, the Institute stressed that these are extremely conservative calculations and the real-world impacts could be significantly higher.
The impacts of the successful sabotage of critical infrastructure could extend well beyond the financial.
So, What Can You Do?
So, what can you do?
I’m always loath to be too prescriptive about how organisations should respond to these threats.
ASIO is your security service, not your security manager.
We are not a regulator like ASIC. (That’s probably a good thing – I doubt I’d be a benign regulator!)
As a rule, an effective defence against potential espionage and sabotage shares a lot of DNA with an effective defence against other foreseeable corporate challenges – like criminal theft, fraud, workplace accidents and equipment failures.
So why are boards and leadership teams surprised when they are faced with an outage or compromise?
And why do they struggle?
I fear I’m starting to sound like a regulator – or worse, like a lecturer! – but it’s something I am passionate about.
99% of security incidents involve a known vulnerability with a known fix – it just wasn’t addressed. Almost always, a supervisor says they’re shocked but not surprised. The signs were there but, again, the vulnerability wasn’t addressed.
I appreciate there is no such thing as 100 per cent security.
Yes, nation states can deploy zero-day attacks on IT systems and can successfully recruit people inside an organisation who display no behavioural concerns. But these are edge cases.
I think we – all of us – need to do better. Much better.
Failures to maintain the confidentiality and integrity of data occur literally daily in this country.
We cannot assume we’re doing a better job protecting the availability of our critical infrastructure.
This is concerning because the threat is foreseeable. Nation states are already mapping our networks.
The vulnerabilities are knowable.
Again, almost every security incident involves a known problem with a known fix and/or a manager who is shocked but not surprised.
And the risks are manageable.
There are simple things you can do to protect your networks.
Start by understanding what is valuable and what is vulnerable in your business.
What data, systems, services and people are particularly important to you and your customers?
What data, systems, services and people are at risk?
Where are things stored? Who has access? How well are they protected?
Once you understand all that, manage the risk in a coherent and connected way.
Look across your whole enterprise, recognising that good security is a connected web, not silos of excellence with chasms in between.
Threats are constantly changing, and responses need to change accordingly.
Good security cannot be a point in time; it’s an enduring responsibility.
And as a leader or as a board, ask yourself this question.
If these threats are foreseeable, and our vulnerabilities are knowable, what are we doing to manage this risk – both at the operational and governance level?
Boards need to be curious and discerning about the information provided to them. You can’t PowerPoint your way out of this risk. Don’t let management do that to you.
The best advice I’ve received about a leader’s responsibilities in this space came from the late Margaret Stone.
Margaret was the Inspector-General of Intelligence and Security (the closest thing we have to a spy regulator). As a former Federal Court judge, Margaret understood things will inevitably go wrong, mistakes will be made – but she always distinguished between a verdict and a sentence.
Margaret made the point that we can’t prevent all bad things from happening. However, if you are found guilty but took all reasonable steps to prevent the foreseeable harm from happening, that will be considered and reflected in your sentence.
I cannot be clearer, if the risks are foreseeable and the vulnerabilities are knowable, there is no excuse for not taking all reasonable steps.
Complexity is not an excuse; it must be dealt with.
By doing that you protect yourself against uncertainty and adverse findings if a bad event does happen.
Joe, I note you made an eerily similar observation in 2023 when you said, and I quote, “if things go wrong, ASIC will be looking for the right case where company directors and boards failed to take reasonable steps.”
In Margaret Stone’s words… they were foreseeable harms.
And to continue Margaret’s formulation… leaders have a responsibility to take reasonable steps to prevent and mitigate them.
Conclusion
Everyone in this room is a successful leader, managing significant risks within finite resources to deliver an important service for Australia and Australians.
If your business is worthwhile, it’s also worthwhile for a foreign competitor to steal from it, mess with it or turn it off.
So, the question I have for you today is this: if the threat is foreseeable, the vulnerabilities are knowable, and the risks are manageable… are you taking reasonable steps to manage the risk effectively?
Reasonable steps to prepare for and prevent a compromise or disruption?
And reasonable steps to respond to a compromise or disruption?
Espionage, including cyber espionage or compromised networks are more than foreseeable, they are inevitable, literally happening every day.
And as I said earlier, we have now reached the threshold for high-impact sabotage.
Once someone has access to your network, what they do next is a matter of intent not capability.
What you do in response to all this is up to you.
But you can take steps right now to prepare for this dynamic, diverse and degraded future, to protect your people, your business, your customers and the national interest.
Good security doesn’t happen by accident.
This means reflecting on what I have outlined today.
The threat of sabotage is foreseeable.
The vulnerabilities are knowable, and
Your risks are manageable.
You can’t PowerPoint pack your way out of this risk.
Your business may not be national security, but national security is your business.
Thank you.
Director-General's ASIC Annual Forum 2025