Qantas hack: limits to the government’s reach

A cyberattack on a Qantas call centre, revealed last week, put cyber risk back in the headlines, as did similar attacks on Medibank and Optus. But these are not one-off shocks: they represent a new normal. Australia cannot afford to treat these threats as episodic. They are persistent and demand constant, adaptive attention.

Given the scale of the threats that confront us, we should consider whether the government can respond on its own. A triage process may allow the government to focus on the threats that matter most and the consequences that cut deepest while enabling specific sectors and individuals to step up their cybersecurity efforts.

Today’s cyber campaigns are multi-vector and highly coordinated. They target critical infrastructure, siphon intellectual property and personal data, and aim to erode trust in democratic institutions. Campaigns have grown increasingly sophisticated, driven by AI, a fractured digital ecosystem and sharper geostrategic competition. Governments, businesses and individuals are all in the blast radius.

Over two decades, big data has shifted from being a prized asset—fuel for marketing and operational optimisation—to a growing liability. Privacy risks, regulatory pressures and escalating cyberattacks have changed the calculus. But high-quality, well-governed data is indispensable: it powers AI systems that drive automation, productivity and national advantage. This tension between opportunity and risk will only intensify.

The Qantas breach, discovered on 30 June, was the result of an attack on third-party software used by the airline’s Manila-based call centre. Hackers gained access to the personal information of as many as 6 million Qantas customers.

This incident shows us what’s at stake. Vast amounts of personal data are stored in interconnected commercial cloud platforms. These systems offer efficiency, but create high-consequence single points of failure.

Malicious states and cybercriminals exploit the seams: misconfigurations, stolen credentials and weak segmentation. They operate at scale, often using automation to accelerate reconnaissance and breach. Once inside, they extract data and assemble it into coherent profiles, ready for identity theft, fraud or foreign targeting.

As cloud adoption grows and AI is integrated across sectors, the attack surface will expand. As data becomes more valuable, it will become riskier to hold. We should expect breaches to become more frequent, more damaging and harder to contain.

Meanwhile, actors such as China and North Korea are intensifying their digital infiltration of critical infrastructure—communications, energy and transport networks—as part of broader strategies to apply pressure and limit freedom of action.

This forces a rethink of what qualifies as critical infrastructure, extending beyond physical networks to cloud storage, data brokerage and software supply chains. These are tightly interwoven into the delivery of essential services and the machinery of government. A failure in one can cascade across many.

That expansion brings pressure. Governments, including Australia’s, are spending more on cyber defence. That should remain a priority. But if the government is expected to defend an ever-growing set of targets, is it also the right actor to respond to every commercial data breach?

Large-scale hacks of commercial providers are troubling, but not every breach is equal. This may require the government to triage its efforts, reserving direct intervention for systemic or high-impact incidents and setting firmer expectations for industry to lead in cases where the risk is more contained. If the government is to focus on defending the most critical systems, this will require others to step forward.

In an environment where personal data is the payload, individuals are no longer just passive victims; they are active participants in the broader system of defence. Small actions—such as using multi-factor authentication, adopting password managers and staying alert to phishing campaigns—won’t preclude large data hacks but can significantly reduce the effect of these breaches when they occur.

But behavioural change cannot be left to individuals alone. Platforms should be required to make secure settings the default, not the exception. Governments could consider mechanisms to reward secure behaviour through awareness campaigns, subsidies or even linking security practices to insurance or identity protections. This could reframe the problem of large data hacks, shifting the focus from defending to building resilience.

Government efforts have rightly focused on raising public awareness and improving the security baseline. Measures such as mandating minimum hygiene standards and requiring breach disclosure were necessary. But in this area, it may be time to view the government less as a coordinator and more as an enabler.

In this way, the government would maintain its focus on sharing threat intelligence, technical tools and policy incentives to harden defences, but invest further in scalable, sector-specific toolkits and expanding trusted threat intelligence exchanges. When needed, it would still act as enforcer, using regulatory powers (strengthened where necessary) to compel uplift where voluntary compliance fails.

This approach could help bridge the growing gap between attacker sophistication and defender readiness, without distracting the government from its core mission of protecting systems of national significance.

The aim is not to eliminate all breaches. Unfortunately, that’s no longer realistic. Instead, it’s to limit their consequences. That shift will be critical as the threat environment becomes more complex and challenging.