‘High-impact sabotage’: spy chief issues grave warning about espionage and sabotage threat
- Written by The Conversation
The Australian Security Intelligence Organisation (ASIO) has given a dramatic warning that sophisticated hackers backed by foreign governments are increasingly targeting Australian infrastructure such as telecommunications and airports.
ASIO chief Mike Burgess warned we are now at “the threshold for high-impact sabotage”.
He said authoritarian regimes are more willing to disrupt or destroy critical infrastructure to damage the economy, undermine Australia’s war-fighting capability, and sow social discord:
“Imagine the implications if a nation state took down all the [telecommunications] networks? Or turned off the power during a heatwave? Or polluted our drinking water? Or crippled our financial system? I assure you; these are not hypotheticals – foreign governments have elite teams investigating these possibilities right now.”
Burgess also said foreign spies are increasingly targeting the private sector to steal trade secrets to give foreign companies a commercial advantage.
So what exactly is the nature of this serious threat? And what can Australian companies, businesses and their leaders do to protect themselves from it?
State-backed hackers targeting companies
Burgess has previously warned of the “unprecedented” threat of espionage and foreign interference.
At a conference on Wednesday, he ramped up that warning. He said although foreign spies usually target government information, they are now increasingly targeting the private sector, including customer data.
In one example given by the spy boss, nation-state hackers compromised the computer network of a major Australian exporter and stole commercially sensitive information. This gave the foreign country a significant advantage in contract negotiations.
In another case, they stole the blueprints of an Australian innovation and mass-produced cheap knock-offs that nearly bankrupted the innovator.
Foreign companies connected to intelligence services have also sought to buy access to sensitive personal data sets and collaborate with university researchers developing sensitive technologies.
These threats are significant – an estimated A$2 billion of trade secrets and intellectual property are stolen from Australian companies by cyber spies each year.
The risks of high-impact sabotage
Burgess said authoritarian regimes are now willing to go even further and act dangerously by engaging in “high harm” activities, such as sabotage.
Advances in technology are making it easier for foreign countries to obtain what they need to conduct sabotage. Sabotage, and particularly cyber-enabled sabotage, is low-cost and deniable, but potentially high-impact.
Burgess revealed authoritarian states are attempting to penetrate Australia’s critical infrastructure, including water, transport, telecommunications and energy networks. The attempts are “highly sophisticated” and are testing for vulnerabilities in networks.
Once they have penetrated networks, they are “actively and aggressively” mapping systems, seeking to maintain undetected access that enables them to conduct sabotage at any time.
Burgess provided a very real example involving Chinese hackers known as Salt Typhoon and Volt Typhoon. While Salt Typhoon penetrated the telecommunications system in the United States, Volt Typhoon compromised US critical infrastructure to “pre-position” for potential sabotage.
“And yes, we have seen Chinese hackers probing our critical infrastructure, as well,” he said.
To understand how devastating such an attack would be here, Burgess pointed to the recent Optus outage that lasted less than a day and affected calls to Triple Zero.
The Australian Institute of Criminology has estimated cyber-enabled sabotage of critical infrastructure would cost the economy A$1.1 billion per incident.
On Thursday, a Chinese Foreign Ministry spokesman said China had lodged a protest with the Australian government about the ASIO chief’s comments.
What does the law say?
Espionage, foreign interference and sabotage are all crimes in Australia. While our laws are broad enough to capture the kinds of conduct described by Burgess, we cannot rely on criminal prosecutions to address this problem.
This is because of the practicalities of enforcing laws against offenders who may not be identifiable or may be located overseas.
Instead of relying on the criminal law, we all need to be aware of the risks and take a proactive approach to security.
So what should you do?
According to Burgess, Australian companies, businesses and their leaders can do several things to protect their networks from espionage and sabotage:
- understand what is valuable and what is vulnerable
- consider what data, systems, services and people are important to your business and your customers
- consider what data, systems, services and people are at risk
- think about where things are stored, who has access and how well they are protected.
He advises the threats are constantly changing, and responses need to keep up and keep changing, too.
Burgess encouraged leaders and boards to ask:
If these threats are foreseeable, and our vulnerabilities are knowable, what are we doing to manage this risk – both at the operational and governance level?
Are you taking reasonable steps to manage the risk effectively and to prepare for, prevent and respond to a disruption?














