Cyber agency sets business deadline to prepare for post-quantum world hacks — Capital Brief

The news: Australia’s cyber intelligence agency warns quantum computing could render existing cyber defences redundant within years, setting businesses a 2030 deadline to prepare for the threat.

The Australian Signals Directorate’s (ASD) annual cyber threat report has warned that malicious actors — including state actors — are increasingly targeting Australia’s critical infrastructure.

The context: The report revealed two “extensive compromises” of either federal government, government shared devices, or critical infrastructure in 2024-25, compared to one such incident the year before. Details of the incidents have not been publicly released.

ASD director-general Abigail Bradshaw warned that geopolitical tensions are playing out in cyberspace, with “malicious actors leveraging cyber to conduct espionage and target the networks of Australian government critical infrastructure and business to disrupt and degrade”.

The report laid bare an increased overall number in reports of malicious cyber activity, with businesses paying more after every breach.

While artificial intelligence is turbocharging hackers’ ability to break cyber defences, the imminent arrival of quantum computing is causing particular concern.

Experts fear cryptographically relevant quantum computers, powerful enough to break existing public-key encryption systems, would render existing protections obsolete.

While the full ability of the technology remains unknown, it is likely to include the ability to break into stolen data which is currently encrypted.

The ASD’s report urges businesses to prepare for a “post-quantum world”, which the agency warned last month could begin within years.

That includes shifting away from existing algorithms to ASD-approved algorithms which can mitigate the emerging threat of quantum.

“This planning must start now,” the report warned.

Many private sector businesses have already begun the transition, particularly in high-risk sectors like banking and payment transfer.

And while businesses will incur costs, there is a belief that can be mitigated by staggering the transition over the next few years.

The numbers: The report revealed that the ASD responded to over 1200 cyber security incidents in 2024-25 (an increase of 11%), while its ReportCyber online portal received 84,700 cyber crime reports — roughly the same as the year prior.

The report highlighted an 111% increase in malicious cyber activity impacting critical infrastructure networks over the past year. That is at least partly driven by new mandatory reporting laws and additional funding for the ASD to counter the issue.

Incidents of potentially malicious cyber activity jumped by 83% compared to 2023-34. The average self-reported cost of cybercrime per report for a medium business was $97,200 this year (up 55%) and $202,700 for a large business (up 219%).

What they said: “The report makes clear that malicious actors have been working unseen to steal data and demand ransom payments from Australian victims, or to target our most critical networks for disruptive attacks,” Defence Minister Richard Marles said.

“ASD’s annual assessment again shows the urgency of industry and government working collaboratively to raise our collective cyber defences and protect the digital arteries so essential to the nation and our economy.”

The source: ASD cyber threat report 2024-25