Public sector organizations face unprecedented cybersecurity challenges as artificial intelligence reshapes how adversaries launch attacks. Threat actors now use AI to execute large-scale, highly personalized phishing campaigns, automate the discovery of vulnerabilities, and evade detection faster than traditional defenses can respond. These developments demand an equally rapid evolution in government cybersecurity strategies, particularly as critical infrastructure and sensitive citizen data remain prime targets.

Cyberattack Rates Continue to Climb

Australian government agencies continue to report an alarming volume of cyber incidents, with malicious activity now the primary driver of breaches. Businesses and government agencies reported 1,113 data breaches to the Office of the Australian Information Commissioner in 2024, a 25 percent increase from 2023 and the highest annual total since mandatory reporting began in 2018.

However, these figures do not reflect the full scope of the threat, as key public sector entities, including federal political parties and members of parliament, remain exempt from reporting obligations. This uneven application of standards across jurisdictions creates critical blind spots in government security postures that are increasingly exploited by state-sponsored actors and ransomware groups. This regulatory fragmentation undermines national cyber resilience commitments and signals to attackers that some parts of government remain soft targets.

Slow Detection Rates

Data from the OAIC in 2024 showed that 87 percent of the public sector had breaches with a Mean Time to Detection (MTTD) of 30 days, and 78 percent were reported late. These delays in detection and disclosure heighten the risk of prolonged damage and erode public trust in the government’s ability to secure personal data.

Downstream impacts can include compromised services, weakened incident response, and long-term reputational damage when major breaches go unreported or are significantly delayed in their disclosure.

An Unfair Balance in Compliance

The lack of a level playing field continues to create confusion and inconsistency in breach management, with some agencies facing financial penalties for non-compliance while others are exempt altogether.

The absence of cohesive rules sends the wrong message to both attackers and the public. For adversaries, it highlights vulnerabilities within the system where oversight is limited. For citizens, it raises questions about which breaches are disclosed, how quickly, and what accountability mechanisms are in place. Public confidence in data governance remains fragile without a consistent national framework, and opportunities to learn from cyber incidents are lost.

AI Cyber Defenses Must Not Lag Behind

Government defenses must evolve alongside attackers, especially when AI is being used to identify and exploit technical vulnerabilities at speed. AI facilitates increasingly sophisticated forms of intrusion, from manipulating cloud configurations to mimicking legitimate users. These risks are exacerbated by the persistence of legacy systems across agencies, which offer minimal resistance to modern attack methods and expose entire networks to avoidable compromise.

Understanding AI Attack Vectors

AI’s role in accelerating and refining attack vectors means that even minor weaknesses in infrastructure or process can be rapidly scaled into major breaches. Public sector systems built on outdated software or lacking in basic identity verification controls are especially vulnerable. Threat actors no longer need weeks or months to gain entry and escalate privileges; they can now do so in near real-time, using AI to bypass traditional safeguards with ease.

State-sponsored attackers and ransomware operators are adapting their playbooks accordingly. These groups have moved beyond simple disruption or data theft and are now leveraging AI to increase the accuracy, impact, and frequency of their campaigns. Probing for inconsistencies in government defenses and jurisdictional loopholes lets attackers exploit the very fragmentation that hampers Australia’s coordinated response.

Governments must shift from reactive, compliance-based approaches to proactive cyber readiness as threats evolve. This requires government agencies to assess existing defenses through the lens of AI-enhanced threat capabilities. Legacy infrastructure must be modernized, identity verification strengthened, and incident response frameworks re-engineered to accommodate faster, more adaptive attack timelines. Crucially, the public sector must invest in threat intelligence that factors in AI’s role in shaping attack vectors.

Consistent breach reporting is another foundational step. A unified national framework that establishes consistent consequences for non-compliance would address the current jurisdictional inconsistencies that hinder transparency and responsiveness. Without this, attackers will continue to exploit regulatory gaps, and accountability will remain elusive when data is lost or compromised.

Taking Security Beyond Bits and Bytes

The impact of data breaches goes beyond operational disruption; it damages public confidence in government institutions. Citizens expect their data to be handled responsibly and securely, and it erodes trust when breaches occur and reporting is delayed or inconsistent.

Cybersecurity is no longer just a technical challenge. It must become a core component of public sector service delivery, and the public sector should treat cyber readiness with the same rigor as any CI investment. It is possible for governments to shift the advantage back in their favor by anticipating how AI may be used offensively and building systems resilient to its speed and scale.

The gap between attacker capability and public sector defense will only widen without immediate, coordinated action. AI is rewriting the rules of engagement in cyber warfare, and to keep pace, governments must rewrite the rules of accountability, coordination, and capability development before the next breach becomes a national crisis.

A version of this article originally appeared in Government News.