Cyber Civil Preparedness and Resilience: Twin Strategic Imperatives

On June 1, 2025, the Australian Government released a national cyber response plan that emphasised, more than before, the importance of preparedness. The new focus on preparedness in this cyber plan marks a significant step forward. The plan introduces a four-tier classification of cyber incidents, with "nationally catastrophic" being the most severe. The idea is that the country needs to be ready to address country-wide cascading non-cyber effects arising from such an incident. While Australia is well placed to address a range of cyber emergencies, it is not sufficiently prepared for one that reaches the level of a national catastrophe. According to the plan, the agency responsible for leading the response to a cyber catastrophe is the National Emergency Management Agency (NEMA), established in 2022. It would be supported by the National Office of Cyber Security (NOCS), set up in 2023. NOCS takes the lead on lower-severity cyber incidents. Yet the NEMA and NOCS websites offer no substantive public discussion of how to prepare for a catastrophic cyber incident.

We would expect the government to produce further analysis in the near future of what these preparedness plans might look like. They would need to include not only roadmaps for technical responses inside cyber systems to the catastrophic incident but also action plans for consequence management in key economic sectors, the delivery of essential services and mobilisation of the citizenry behind inevitably unpopular government decisions. Preparedness also encompasses emergency law enforcement authorities, regulatory responses for business, crisis communications, and geopolitical attribution—each of which falls well outside the current scope of the Department of Home Affairs and/or the Department of Defence. Also in June 2025, Admiral Johnston, Chief of Australia's Defence Force, emphasised the need for a change in national resilience and preparedness across military and civil sectors due to emerging threats.

Preparedness involves preparing for crises, while resilience is the capacity to mitigate and recover from them. Both are essential and mutually reinforcing, with community participation being crucial. The prominence of cyber-attacks in recent global conflicts underscores the urgency of improving Australia's cyber preparedness for extreme crises. This 2025 paper outlines considerations to support Australian stakeholders in developing this new paradigm, both for cyber response and for mitigating non-cyber impacts in the event of a national cyber catastrophe. We argue for placing cyber civil preparedness and resilience alongside military defence and diplomacy at the top of national security policy, and for making consequential changes to the machinery of government. This would include a national cyber resilience strategy to manage the consequences of catastrophic cyber emergencies.