Australia's next Budget must treat cyber resilience as essential infrastructure

Australia is approaching a defining budget moment. The federal government is rightly investing in AI, digital service delivery and modern public infrastructure. But there is a hard truth policymakers should confront: none of those investments will deliver their promise if they are not resilient by design. In today’s environment, cyber resilience is not a technical nice-to-have or a compliance line item. It is the operating condition that determines whether digital government works, whether essential services stay available, and whether AI adoption strengthens the economy or widens its exposure to disruption.

The latest market evidence is unambiguous. The Team8 2025 CISO Village Survey found that one in four CISOs experienced an AI-generated attack in the past 12 months. At the same time, 67% of enterprises are deploying AI agents in 2025, while 37% say more than 40% of critical vulnerabilities remain unpatched beyond SLA. Add to that the finding that 68% of breaches are still caused by human actions, and the message is clear: the attack surface is expanding faster than most organisations can govern it. AI is accelerating automation for defenders, yes, but it is also accelerating automation for attackers across impersonation, bots, credential abuse and application-layer attacks.

This matters enormously for Australia’s public sector and for the broader economy. The government has already committed $225.2 million over four years for the APS AI Plan, including $166.4 million to expand GovAI and pilot a secure AI assistant, plus $29.8 million for the AI Safety Institute. It has also articulated expectations for data centres and AI infrastructure developers around national interest, data sovereignty, cybersecurity, clean energy, workforce capability and research access. These are sensible moves. But if the coming federal Budget stops at enablement without materially strengthening resilience, Australia risks building a faster, smarter and more connected digital estate that is also more fragile.

The scale of digitisation already under way should remove any doubt about the stakes. The Major Digital Projects Report 2026 shows $1.3 billion across 14 active projects in the government sector, $2.2 billion across 16 projects in health care and aged care, and $1.8 billion across 12 projects focused on the safety of Australians.

These programs are modernising legacy systems, improving identity protection, reducing fraud and expanding digital access to essential services. That is precisely why the Budget must elevate cyber resilience now. The more Australia relies on APIs, cloud platforms, real-time data and automated workflows, the more damaging application abuse, bot attacks, DDoS events and service degradation become. Resilience has to sit alongside innovation from the beginning, not get bolted on after the next incident.

This is not an abstract policy debate: it is what modern defenders are dealing with every day. Security teams are being asked to protect sprawling estates of applications, APIs and microservices while keeping digital experiences fast, safe, engaging. Traditional perimeter thinking is no longer enough. Security has to operate where the modern internet operates: at the edge, in real time, close to the user and before malicious traffic reaches the origin infrastructure. Resilience today depends on securing the application layer with the same seriousness governments once reserved for networks and endpoints.

This is also why the budget conversation should move beyond generic digital transformation and focus on resilient digital transformation. The Tech Council of Australia’s 2026 survey found that 49% of leaders want tech adoption or investment incentives and 90% believe Australia is not doing enough on productivity. Industry is not asking Canberra to spend blindly. It is asking the government to invest where technology produces durable economic value. That means funding and procurement settings that reward secure-by-design architectures, strong API visibility, bot and DDoS protections, modern application security, and deployment models that reduce recovery times when incidents occur. It also means recognising that resilience extends beyond departments to suppliers, SMEs and the broader ecosystem that public services depend on.

The call to action for the next federal Budget is straightforward. Australia should make cyber resilience a core investment priority across AI deployment, digital government, critical service delivery and public procurement. Specifically, the Budget should expand support for modern app and API protection, strengthen cyber uplift for essential digital services and supply chains, embed resilience requirements into funded transformation programs, and back practical measures that reduce attacker advantage at scale. If Canberra wants a technology agenda that lifts productivity, protects trust and keeps services running under pressure, resilience cannot be the afterthought. It must be the architecture. That is the opportunity in this Budget: not simply to build more digital capability, but to build a digital Australia that can withstand what is coming next.

Image credit: iStock.com/BlackJack3D