Government Isn’t the ‘Fun Police’ Anymore. Australia’s Cyber Agencies are Rewriting the Rules
Posted: Saturday, May 09
Karissa Breen, more commonly known as KB, is crowned a LinkedIn ‘Top Voice in Technology’, and widely recognised across the global cybersecurity industry. A serial entrepreneur, she is the co-founder of the TMFE Group, a portfolio of cybersecurity-focused businesses spanning an industry-leading media platform, a specialist marketing agency, a content production studio, and the executive headhunting firm, MercSec. Now based in the United States, KB oversees US editorial operations and leads the expansion of the group’s media footprint across North America, while maintaining a strong presence in Australia, and the broader global market. She is the former Producer and Host of the streaming show 2Fa.tv, and currently sits at the helm of journalism for the group’s flagship arm, KBI.Media, the independent cybersecurity media company. As a cybersecurity investigative journalist, KB hosts her globally-renowned podcast, KBKast, where she interviews leading cybersecurity practitioners, CISOs, government officials including heads-of-state, and industry pioneers from around the world. The podcast has been downloaded in over 65 countries with more than 400,000 global downloads, influencing billions of dollars in cybersecurity budgets. KB is known for asking the hard questions and extracting real, commercially relevant insights. Her approach provides an uncoloured, strategic lens on the evolving cybersecurity landscape, demystifying complex security issues and translating them into practical intelligence for executives navigating risk, regulation, and rapid technological change.


Across Australia and New Zealand, cybersecurity leaders are warning that collaboration between government and industry is no longer optional; it’s becoming critical to survival.

Recently at Atmos Sphere 2026 in Sydney, government and industry representatives said Australia is undergoing a major change in how cyber incidents are handled, with agencies incrementally working alongside businesses during crises rather than operating purely as ‘regulators’.

Michael Boyd, Director at the Australian Signals Directorate, more commonly known as ASD, said organisations have historically hesitated to engage with government during breaches due to fears around scrutiny, compliance consequences and overall reputational damage.

“I guess historically we’ve always seen government as the fun police,” Boyd said.
“But I think more and more now we’re seeing everyone’s getting out there, everybody, like cyber security is becoming norm. Right. Breaches are becoming a norm nowadays. You see them in the news every other week, every other day.”

Boyd said government agencies are now actively positioning themselves as more of a recovery partner during incidents, helping businesses coordinate responses, recover operations and access intelligence that may otherwise not be available internally.

“The government can help everybody to recover from an incident through either providing tailored advice and assistance to fill in some gaps that they might have,” Boyd said.

He said the National Office of Cyber Security is also helping organisations manage multiple layers of government during incidents.

“We have our National Office of Cyber Security who can help coordinate across all the government for when there’s responsibilities there that you might need to achieve,” he said.

According to Boyd, businesses that engage early with agencies often recover significantly faster.

“We’ve found that engagement with a lot of the arms of government, not just the regulatory arms, but the parts of government that do want to help you recover from those incidents has shown great benefits,” he added.

“Quicker times to recovery for people.”

James Blakely, Head of Government Relations at Atmos, said Australia is now leading globally when it comes to cyber incident coordination between government and industry.

“Australia’s leading the rest of the world in that coordination role that they provide,” Blakely said.

Blakely explained that during major breaches, businesses are often overwhelmed by competing demands from regulators, law enforcement, government agencies and stakeholders all seeking information simultaneously.

“It’s incredibly noisy when you’re working through an incident,” he said.
“When you’ve got 50, 60, 70, 80 of those questions coming in, it just makes a lot of noise for the response.”

He said the role played by the Department of Home Affairs and the National Office of Cyber Security in consolidating requests into a single communication channel is significantly improving operational response efforts.

“With the Department of Home Affairs, with the National Office of Cyber Security coming in and buffering those agencies that are needing information, but consolidating that and bringing that down through one pipeline to the business to consider and then provide advice to is a massive help,” Blakely said.

Another collective thought was around trust, particularly around whether organisations feel safe sharing sensitive cyber intelligence with government agencies.

One of the major changes helping drive that trust, according to the cybersecurity leaders, is the introduction of ‘limited use’ disclosure protections, designed to ensure information voluntarily shared with government during an incident cannot later be used for punitive or regulatory action.

Boyd described one incident where an organisation was initially reluctant to engage with authorities before changing its position entirely after those protections were explained.

“We sat down and explained what limited use would be, protections that provide what the information could be used for,” Boyd said.
“And after we did that, you could actually physically see them, like relieved that they were talking to someone who was going to protect their information, not use it for punitive measures.”

Boyd said once trust was established, the organisation disclosed far more information than expected, ultimately helping ASD identify the issue and assist with recovery efforts.

“They actually shared a lot more than we thought they would,” he said. “And they actually recovered.”

From a New Zealand perspective, Anthony Cooke, Partner at Atmos New Zealand, warned that the absence of similar protections across the Tasman is creating major barriers to collaboration.

“When an organisation shares intelligence, there’s no protections in relation to that information being used against that organisation,” Cooke said.

Cooke said this creates difficult legal dynamics for organisations considering whether to share sensitive incident data.

“As a lawyer makes it tricky. Right. Because I can’t give them any comfort around assurance or confidentiality,” he said.

Mr Cooke described a ransomware case involving a trans-Tasman business where the Australian side of the organisation fully disclosed details to authorities, including ransom information and indicators of compromise, while the New Zealand side withheld details due to legal uncertainty.

“The Australian arm of the business, they reported the ransom, told them the amount, gave them all the details and also the IOCs, because they had that comfort in place,” Cooke said.

Supply chain risk, offshore technology dependence and cyber standards across smaller businesses are also growing concerns.

Cooke warned organisations can no longer outsource accountability simply because third-party providers suffer breaches.

“We need to shift the conversation where they need to take ownership of using those suppliers in the first place,” he said.

He argued that without stronger minimum standards, businesses will continue choosing low cost providers with weaker security controls.

“It’s a race to the bottom of pricing because you’re just going to go for the quickest option, least security controls,” Cooke said.

Blakely said Australia’s upcoming Horizon 2 reforms (the 2026–2028 phase of the Australian Cyber Security Strategy) could help strengthen resilience across supply chains and smaller organisations, which he described as the ‘underbelly’ of many larger enterprises.

“There’s going to have a tangible uplift and bring along the people in the supply chain,” Blakely said.

He also floated the idea of introducing mandatory baseline cyber controls for certain businesses, comparing the concept to Australia’s vehicle registration system.

“It’d be amazing if we could have a green slip, pink slip for businesses like what we do for motor vehicles here in Australia,” added Blakely.

Under that model, businesses operating critical infrastructure or handling large volumes of personal information would need to demonstrate ‘minimum cyber controls’ before being allowed to operate.

Another observation was around the complexity and sluggish pace of privacy reform efforts, particularly in Australia.

Cooke described parts of Australia’s privacy regime as outdated and inconsistent with global markets.

“The small business exemption and things like that is just so off market and so off brand compared to the rest of the world and compared to Australia’s trading partners,” he noted.

Australia is beginning to move in the right direction when it comes to cyber maturity and collaboration.

“A key takeaway for me is in Australia. I think you should be really proud of the initiatives that are being made,” Cooke said.

“Not everything’s perfect, of course, but you’re moving in the right direction.”

Watch the full interview here: https://kbi.media/interview/james-blakely-anthony-cooke-and-michael-boyd/
