
Red Teaming Australia's National Cyber Strategy (2025)
07 Sep 2025

Imagine you are part of a cybercriminal gang, deciding which region of the world to target next. Australia has always been lucrative, but now there’s talk of a new national cybersecurity strategy. Could this change the game? You start digging. The documents are public, so you read them closely, asking: does this strategy raise the risks for us, push us elsewhere, or reassure us that Australia is still open for business?
This is the approach I took to respond to Home Affairs’ consultation on developing Horizon 2 of the 2023-2030 Australian Cyber Security Strategy.
I built a threat actor profile and examined every intervention from Horizon 1 and every proposed action area in Horizon 2 through the perspective of this adversary.
My objective was to surface the deep assumptions and blind spots embedded in Australia’s Cyber Security Strategy 2023-2030.
Meet Policy Ghost
This is the cyber adversary that I designed:
Key Findings
I reviewed every intervention listed in Appendix B, “Status of Horizon 1 Initiatives”, as well as each proposed Action Area for Horizon 2.
For each item, I asked: “Would this intervention/action deter, detect, delay, or defend against Policy Ghost?” Each was assigned one of four ratings: Low Impact, High Impact, Monitor (relevant but insufficient information available), or Not Applicable.
In Horizon 1, 21 of the 60 interventions reviewed (35%) showed some relevance to impacting a cyber adversary such as Policy Ghost. In Horizon 2, 9 of the 23 action areas (39%) were assessed as relevant.
Both horizons include items relevant to adversaries like Policy Ghost, but none qualify as “High Impact” due to:
- Weak Causal Linkages: The link between many interventions and actual disruption of the cybercrime model is unclear. For instance, it is not evident how participation in the International Counter Ransomware Task Force (ICRTF) would measurably affect a group like Policy Ghost. Rhetoric is not enough; impact must be demonstrated with data to justify a “high impact” classification. Otherwise, it should be considered low.
- Insufficient Information: Several interventions that appeared potentially relevant lacked adequate publicly available information to enable a robust evaluation of their effectiveness.
Analysis
Applying an adversarial methodology to the Australian Cyber Security Strategy enabled a systematic review of every intervention in Horizon 1 and every action area in Horizon 2, assessing their potential effectiveness against a defined threat actor.
This process led me to identify what I believe are fundamental weaknesses in the current Cyber Security Strategy:
- The “cyber shields” lack measurability. Without defined criteria, they cannot function strategically. What is needed are clear, evidence-based strategic priorities that can be tracked and evaluated.
- While the documents mention metrics, none are actually provided. Home Affairs already has access to a wealth of data that could be used. Publishing these metrics would not only strengthen accountability but also enable independent review by the wider industry.
- The causal links between interventions and goals are often tenuous or undefined. In some cases, the goals themselves may be unattainable (e.g., “Break the ransomware model”). A rigorous and complete systems view, grounded in scientific method, is essential before interventions are designed and implemented.
- Finally, interventions should be explicitly mapped to risk scenarios. This would clarify which threats you intend to mitigate, which adversaries you are prioritising, and how success will be measured. Such mapping would align strategic intent with operational reality and invite meaningful collaboration with industry.
Rethinking the Strategy’s Model
Below is an example of how Home Affairs could rethink its model in accordance with the rubric proposed in the previous section:
- The guiding North Star is to strengthen Australia’s resilience against cyber attacks. Progress toward this goal need not be speculative: it can be measured using data already available from the OAIC, the Australian Signals Directorate, and industry reports that track the average cost of a breach within Australia.
- Australia’s resilience to cyber attacks will improve as organisations invest more substantially in cybersecurity. This investment can be measured in absolute dollars or as a percentage of the IT budget allocated to security. Such data could be captured under the SOCI Act, and complemented by industry surveys that already track expenditure of this kind.
- Finally, with regard to interventions: I have outlined some examples, but ultimately it is for you to determine which measures will most effectively increase investment in cybersecurity. Whatever course you select, the interventions must once again be framed in ways that are independently measurable.
Mapping Interventions to Risk Scenarios and Threat Actors
Not every intervention in the Cyber Strategy is meant to reduce risk scenarios or counter threat actors. But where that is the intent, the mapping must be explicit.
When an intervention is described, it should state plainly: which risk is being reduced, which threat actor it addresses, and what metrics will be used to measure its effect.
Without this, Home Affairs cannot know whether an intervention is working. Nor can those tasked with improving it, since the aims and measures are left unclear.
Conclusion
While the approach used to analyse the strategy has limitations, it rendered the strategy both quantifiable and measurable, and it is replicable by any subject matter expert seeking to “soft test” the strategy against adversaries they regard as priority targets.
The analysis revealed two key findings:
- First, just over one-third of the strategy’s measures appear directly relevant to impacting threat actors (this is not necessarily a problem).
- Second, many interventions are articulated only at a high level, with insufficient data to verify their likely effectiveness; this should be addressed.
This creates an opportunity for Home Affairs, working together with industry and subject matter experts, to sharpen strategic goals, ensure interventions are measurable, strengthen causal links, use scientific methods, and align all actions with reducing the risks posed by specific scenarios and threat actors.
For more information read the full paper.