Australia is considering a significant shift in how cyberattacks on essential services are reported to the public. Home Affairs is consulting on proposed changes to critical infrastructure laws that would allow temporary delays in disclosing serious breaches affecting electricity grids, water systems, telecommunications networks and other vital assets.

The tension underlying the proposal is genuine. Companies listed on the Australian Securities Exchange face continuous disclosure obligations that require them to immediately notify investors of material events. Yet when a cyberattack on critical infrastructure is still unfolding, immediate public disclosure could expose vulnerabilities, hamper response efforts, or create systemic economic risks. Under current rules, critical infrastructure operators must report incidents to the Australian Cyber Security Centre within 12 hours, but this does not address the separate question of public transparency.
According to the consultation paper released by the Department of Home Affairs, a delay mechanism would be "temporary" in nature, with a hypothetical window of around 30 days for entities to contain an incident, patch systems, and coordinate with government agencies before the breach becomes public knowledge. The government's reasoning emphasises that disclosure rules designed to protect markets can inadvertently harm national security. As the department argues, immediate disclosure "in rare, high-risk cyber incidents may inadvertently undermine coordinated responses, reveal vulnerabilities, or heighten systemic risks."
The rationale deserves serious consideration. A coordinated cyber response requires time. Attackers often maintain access to compromised systems long after initial detection, and disclosing vulnerabilities before they are patched gives threat actors additional opportunity to expand their foothold. In critical infrastructure, cascading failures across interconnected systems pose economic and safety hazards that demand careful, methodical remediation.
However, the tension between transparency and security cannot be resolved by simply privileging one over the other. Markets function on information, and investors in critical infrastructure rely on material risk disclosure. A 30-day silence on a serious breach affecting water supplies or power networks could itself create moral hazard, as operators face reduced incentive to invest in preventative security if breaches can be temporarily hidden from shareholder scrutiny. The government's assurance that the intent is not to "shield entities from commercial impacts" requires regulatory teeth to be credible.
The second major proposal addresses an equally practical problem. The government currently blocks particular vendors only on a company-by-company basis, using the Protective Security Policy Framework. This approach proved cumbersome during Australia's 2025 ban on Kaspersky Lab products across federal agencies, with the Department of Home Affairs noting that government entities face "unacceptable security risks from threats of foreign interference, espionage and sabotage" associated with the software.
Where a single vendor or technology poses a systemic risk across multiple operators or entire sectors, case-by-case restrictions become unwieldy. The government is proposing a new "vendor-risk direction power" that would allow coordinated action across an asset class. This would address supply chain vulnerabilities more efficiently, ensuring all operators of electricity networks, for example, receive the same instruction to cease using a compromised product simultaneously.
This proposal has clearer merit. Supply chain risks are explicitly identified in Australia's critical infrastructure risk management framework, and the current patchwork approach creates its own security gaps: some operators might comply while others delay, leaving a window in which attackers can exploit inconsistent defences across the sector.
The balance between security and transparency remains unresolved, and the government's consultation process offers an opportunity for industry and civil society to air these concerns. The key measure of success will be whether any disclosure delay mechanism includes hard safeguards: automatic expiry dates, exemptions for life-safety incidents, and clear triggers for public notification based on how fast remediation proceeds. A temporary embargo on news is defensible only if the word "temporary" has meaning.