The selection of Abigail Bradshaw as the new head of Australia's cyber spy agency, the Australian Signals Directorate (ASD), sends a strong message.
It confirms the government's increasing intelligence focus on domestic cybersecurity, both to disrupt foreign influence operations and to promote better protection of our national cyber systems.
The ASD is so far succeeding in its monitoring of foreign influence operations, but struggling when it comes to domestic cybersecurity.
ASD's evolving mission
The initial remit of the ASD's predecessor agencies was to operate as an arm of the Department of Defence by collecting intelligence through the interception of international communications (or "signals" in traditional military parlance).
The aim was to collect information relevant to the national defence of Australia, its diplomacy and foreign military activities.
As early as 2010, however, the distinction between the agency's foreign and domestic operations started to blur.
Today, foreign intelligence collection and support of the armed forces are only two of ASD's five missions. Domestic cybersecurity is now a chief priority - and a starkly ambitious one at that. As the agency frames it in its strategic objectives:
Make Australia the safest place to connect to the online world. Foster national cybersecurity resilience.
This is a substantial mission for the ASD, and in large part justifies the massive new spending for the agency announced by the Coalition government in March 2022 under Project Redspice - an additional A$10 billion over ten years. The government described it as the biggest investment plan for the agency in its history.
The agency also has two other domestic missions oriented towards threats inside Australia - countering cyber-enabled crime (including terrorist use of the internet) and supporting law enforcement.
Home Affairs Minister Clare O'Neil made clear this new focus on domestic threats during a speech in parliament in June 2023:
About a year before our election, our national security agencies informed the Australian people that, for the first time, the biggest national security challenges that we face as a country are espionage and foreign interference.
It is largely for this reason that when Labor came into power in 2022, O'Neil, the new home affairs minister, was given a secondary role as a sworn minister for defence. This practice has continued with the ministerial reshuffle last month when Tony Burke was named the new minister for home affairs and cybersecurity - and sworn in as a minister for defence.
Bradshaw's domestic security background
Like her predecessors, Rachel Noble and Mike Burgess, Bradshaw brings a more diverse range of domestic security experience outside the defence world than would have been the case for a leader of the ASD a decade or two ago.
She previously served as the deputy commander of the Maritime Border Command, deputy coordinator of the National Bushfire Recovery Agency, and head of the ASD's domestically focused Australian Cyber Security Centre (ACSC). She held the role as deputy director of the ASD itself beginning in 2020.
Bradshaw's fellow deputy director appointed to ASD at the time was the government's former counter-terrorism coordinator, Linda Geddes. These two appointments confirmed the direction the agency was moving, with a very strong emphasis on domestic security.
Challenges ahead
Recent speeches by Burgess, now director-general of ASIO, confirm that both ASIO and ASD have largely succeeded in their domestic and international monitoring of foreign influence operations in recent years.
However, improving our domestic cybersecurity presents a much bigger challenge.
Australia is arguably one of the ten safest countries when it comes to cybersecurity. And as a cyber power, the International Institute for Strategic Studies assessed that Australia sits in the same tier as the United Kingdom, France, Canada, Israel, China and Russia - behind the United States, and ahead of Japan and India.
On the other hand, there has been a string of sensational cyber breaches in the country since 2022 in which the personal details of millions of Australians have been revealed. This includes the attacks on Medibank Private, Optus and Latitude.
Australia is only gradually expanding its cybersecurity workforce and bringing private sector firms and even its own government departments into conformity with modest, mid-level indicators of security readiness. The new investments under Project Redspice will improve this.
But Bradshaw will have to be even more enterprising than her predecessors to bring Australia close to being the most cyber-secure country in the world - and the most resilient.