The worst-case cyber scenario: A call to action for Australian organisations

A recent headline about a cyber breach caught my eye. It suggested that the disclosure of personal information is the “worst case scenario” when a cyber breach occurs. While such incidents spark significant public concern, I don’t think this is in fact “The Worst-Case Cyber Scenario” as it was made out to be. This article isn’t about any specific breach, but rather takes a deeper look into what that “Worst-Case Cyber Scenario” could truly be for Australia.

For years, I’ve maintained that if, by the end of the decade, the worst cyber impacts are limited to ransomware and personal data leaks, it would be a win for the cyber industry and society. Perhaps I’m desensitised by supporting numerous organisations through their breaches, but hear me out.

The global geopolitical landscape heavily influences cyber threats. As U.S. Defence Secretary Pete Hegseth stated at the Shangri-La Dialogue in May 2025, Beijing is “…credibly preparing to potentially use military force to alter the balance of power in the Indo-Pacific. We know. It’s public that Xi has ordered his military to be capable of invading Taiwan by 2027. The PLA is building the military needed to do it. Training for it every day. And rehearsing for the real deal.” While opinions on the likelihood of conflict in the South China Sea vary, the risk of escalation is undeniably high. Offensive cyber operations will be a compelling tool for all involved. From Australia’s perspective, assuming we support the U.S. at least in principle if not militarily, it’s highly probable that our interests would be targeted to distract, demotivate, and degrade our ability to respond, with national paralysis as the aim.

Russia’s invasion of Ukraine offered crucial lessons in cyber doctrine supporting military objectives. Initially, the focus was on intelligence and pre-positioning, followed by propaganda and degrading emergency services, aligned with an assumed swift decapitation of Ukrainian leadership. When this failed, objectives shifted to intelligence gathering and supporting kinetic warfare, and surprisingly, kinetic warfare supporting cyber objectives, aiming to sap Ukraine’s will to fight through attacks on critical infrastructure.

However, we also learned that prior preparations make a difference. Russian cyber forces were pre-positioned for months, even years. This pre-positioning reveals targeting specifics and adversary priorities, which, when uncovered through advanced threat hunting, allows defenders to prioritise resources effectively, increasing the likelihood of successful defence.

Our potential adversaries have also learned from Russia’s limitations, particularly the need for tighter coherence between strategic and tactical cyber and military goals. We must defend where the enemy attacks this time, not where they attacked last time.

In a sustained cyber campaign by a sophisticated, well-resourced adversary with access to undisclosed vulnerabilities and the capacity for multiple global operations, logical Australian targets could include:

  1. Economic Pain Points: Coordinated targeting of banks, financial exchanges, and superannuation providers to impact access to funds and liquidity at all societal levels. The mere fear of such an impact could be profound.
  2. Critical Infrastructure: Coordinated targeting of high-impact providers like water, electricity, and telecommunications to distract and degrade our national functioning. Telecommunications providers are also valuable espionage targets.
  3. Government Departments: Coordinated targeting of defence, national security, law enforcement, and emergency services to degrade the government’s ability to respond to regional military crises and support the broader Australian community and economy.
  4. Defence Contractors: Coordinated targeting of those providing warfighting or critical support functions to Defence, further degrading our response capabilities.
  5. Information Operations: Leveraging automated systems and Large Language Models (LLMs) to flood the Australian information sphere with propaganda in the form of localised misinformation and deepfakes via both traditional and non-traditional media. Responsible vendors are constantly improving how they manage this issue; however, there are many vendors outside the control or influence of Australia and her allies, with differing approaches to LLM alignment and differing national goals. Furthermore, the technical barriers to running LLMs locally are now so low that small open source LLMs running on commodity hardware can already generate realistic content with virtually no limitations.

The key takeaway is that a “Worst-Case Cyber Scenario” will deliberately exploit our most sensitive vulnerabilities to keep us compliant, distracted, and fearful, while limiting our ability to respond directly to a crisis. These scenarios are not exhaustive, and indeed, we may find our adversary seeking to overwhelm us by broadly targeting multiple pressure points at the same time.

Tough decisions will be necessary regarding cyber-defence resource prioritisation. The potential impact of a worst-case scenario far exceeds the capacity of any single organisation. While the Government will play a vital coordinating role and provide bespoke technical capabilities, they cannot assist the potentially dozens or hundreds of large organisations that will need to respond quickly and effectively.

Similar to “Victory Gardens” during World War II, self-sufficiency will be critical. Many organisations will need to recover and self-sustain after such impacts. This scenario is a sobering reminder of what’s at stake and what a plausible “worst-case scenario” looks like in the current geopolitical climate.

My advice to all Australian organisations providing critical products and services is:

  1. Implement an ongoing threat hunting program now. While well-tuned alerts have their place, advanced threat actors are highly capable and will invest significant time and effort to bypass common defences. Proactively rooting them out is the goal, and must be a priority for the foreseeable future.
  2. Reduce technical debt and offload workloads to the cloud where possible. Ukraine’s “sovereign first” policy disintegrated at the war’s outset. Cloud vendors offer greater resilience, and policy controls are easier to deploy at scale than legacy configuration controls. Ukraine significantly increased its resilience to Russian cyber aggression by moving workloads to the cloud.
  3. Proactively validate the security of your IT footprint and cyber defences across people, process, and technology now. A major campaign will still be painful, but the impacts will be far less for organisations with enhanced preparations.
  4. Ensure your incident response plan is resilient in the context of a widespread regional campaign. Discuss with your retainer provider how they scale during major campaigns. Prudent planning may suggest that more than one retainer may be required. 

Disclaimer by Dynamic Business: This article is presented by Mandiant, part of Google Cloud. Organisations may consider implementing these practices and assessing solutions that best fit their context.


David Shields

David Shields has been supporting the Australian Government for his entire working life, including as a soldier in the Australian Army and within the Australian National Intelligence Community working on our nation’s biggest cyber security challenges. He is currently the ANZ Government Consulting Lead for Mandiant (part of Google Cloud) where he focuses on cyber resilience for the Australian and New Zealand Government, State Owned Enterprises and Critical Infrastructure.
