Shared Risks, Shared Advantage: Collaborating for Collective Cyber Resilience

In this environment, every network is a potential vector, and every dependency a potential vulnerability. A disruption in one node, even when it isn’t of your own making, now ripples across sectors and even nations.

This means resilience cannot be built in isolation. It needs to be co-produced.

It also means resilience is not a fixed state but an iterative and persistent endeavor, one that needs to evolve as fast as the threats that challenge it.

I suggest our shared task is—to borrow from American cyber expert Jason Healey’s framing in a slightly broader way than Healey might have intended—to ‘shift advantage from offence to defense’. It is to do this not by fighting each incident, but by designing a systems approach focused on interdependencies and scaling resilience.

From Compliance to Collective Resilience
This means resilience cannot be reduced to compliance checklists. Compliance frameworks provide structure, but they often measure preparedness against static standards rather than dynamic threats.

Instead, resilience demands adaptive capacity.

Why? Because corporate risk management has in many ways become a national security function. The director-general of security, Mike Burgess, captured this dynamic in his Sydney Town Hall lecture last week when he said, ‘Your business might not be in national security but that doesn’t mean national security is not your business.’

Resilience is more and more dependent on the private sector’s ability to anticipate, absorb and recover from disruption.

This requires us to move toward concepts of ‘extended assurance’ grounded in continuous, collaborative and cross-sector engagement—working with partners and third-party suppliers across supply chains, across boards and across borders in ways nations now work with allies and partners.

This becomes less about self-protection and more about systems stewardship.

In this context, leaders need to understand and stress-test interdependencies, validate assumptions and ensure that automation is backed by credible manual fallbacks.

This recognises that resilience is not achieved by the strength of individual defenses but instead by the adaptability of an ecosystem or set of ecosystems.

When Collins Aerospace systems went down, airports reverted to paper boarding passes and handwritten baggage tags. While not sophisticated, this kept operations running.

When disruptions occur, the goal needs to be graceful degradation, not collapse. That requires leaders to ask not just ‘are we compliant?’ but ‘are we collectively resilient?’

Government as Architect and Convenor
Governance frameworks like the Security of Critical Infrastructure Act provide essential guardrails. But, as ASPI’s analysis of the Qantas hack reminded us, there are limits to what government can and should do.

With data breaches increasingly a new normal, the scale of the threats that confront us means we need to reconsider where government’s focus is best directed.

This forces us to question the necessity of a triaged model, one that concentrates state effort on the threats that matter most and the consequences that cut deepest, while paving the way for sectors and individuals to strengthen their own defenses for what remains.

This reconsideration is urgent because, at the same time that such data breaches are the new normal, sophisticated actors such as China and North Korea are intensifying their digital infiltration of critical infrastructure—communications, energy and transport networks—as part of broader strategies to apply pressure and constrain freedom of action.

Put simply, governments can’t be in all places all at once. But if the state reserves direct intervention for systemic or high-impact incidents, then how do we address the rest? This is where the private sector comes into play.

Ownership and operation of most of Australia’s digital infrastructure by industry means industry is uniquely positioned to lead in safeguarding the infrastructure, bringing the agility, innovation and operational expertise that embodies the private sector to strengthen national resilience.

This approach conceives of the government’s role as more the architect and convenor of a resilient ecosystem—one that empowers, coordinates and catalyzes. Think of it—again, to borrow from Jason Healey—as Enable, Engage, Enforce:

—Enable those who want to act but lack capacity, by sharing intelligence, funding uplift programs and developing toolkits;

—Engage those with capability but limited will, through incentives, partnerships and co-funded exercises; and

—Enforce where neither capacity nor will exists, using regulation sparingly but decisively when systemic risk threatens national resilience.

This is what fellow US cyber policy expert Robert Knake separately calls the Home Depot approach to cybersecurity: you can do it; we can help.

Clarifying government’s role—from central defender to ecosystem enabler—is necessary. It builds trust, sets realistic expectations and ensures resilience is co-produced, not commanded.

When we extend this model to the Indo-Pacific, the same logic still holds.

The Australian government’s role—both at home and abroad—should be seen as creating the architecture, setting the standards and catalyzing cooperation, not fighting every battle.

By enabling those willing to act; engaging those able but hesitant; and enforcing where necessary, we shift advantage from offence to defence by distributing resilience more evenly.

Collaboration as Shared Advantage
As recently as this year, Jaguar Land Rover was crippled by a devastating cyberattack that cascaded through its supply chain.

This forced production shutdowns and prompted a £1.5 billion emergency loan from the British government to keep operations afloat.

It was a stark reminder that even the most advanced manufacturers remain exposed.

It was also a stark reminder that collaboration needs to be not rhetorical but practical and continuous. This means:

—First, moving beyond coordination to co-creation, not just sharing information but building shared capabilities and shared accountabilities; and

—Second, shifting from individual afterthought to shared foresight, looking not just at what should already be happening, but also at what adaptations should come next.

How do we give effect to this in practice? I’d suggest the following, which builds on the robust cyber security foundations we already have.

—First, real-time threat intelligence, not retrospective reporting.

Building federated, cross-sector platforms where anonymized telemetry and compromise indicators are exchanged at machine speed.

This helps ensure detection in one network instantly strengthens another.

—Second, continuous joint exercises, not occasional simulations.

Moving from annual red-team events to persistent live-fire ranges—safe, isolated environments where real attacks and defenses are practiced on realistic systems—that link government, industry and academia.

This allows for dynamic stress-testing of supply chains, and validation of response plans under realistic pressure.

—Third, crafting response architectures, not ad hoc playbooks.

Establishing interoperable national and regional crisis frameworks that integrate sovereign authorities, critical-infrastructure operators, insurers and vendors.

This helps ensure command clarity, pre-negotiated data-sharing protocols, and decision authority before—not after—a breach.

—Fourth, hard governance, not soft awareness.

Treat cyber negligence as a fiduciary breach.

This embeds minimum resilience standards into corporate law, procurement rules and director duties.

And so it makes boards accountable for measurable cyber performance in the same way they are for financial solvency.

—And finally, shared innovation pipelines.

Co-fund open-source security tools, joint R&D for supply-chain assurance, and sovereign testbeds for high-risk technologies.

This helps ensure resilience becomes a competitive export, not just a defensive posture.

The Japanese automotive sector provides a compelling example of how to achieve such a structural shift.

After a wave of cyber incidents that disrupted production at Nissan, Honda and Toyota, and exposed vulnerabilities across the supply chain, Japan’s leading manufacturers realized that piecemeal efforts were no longer enough.

In response, the Japan Automobile Manufacturers Association (JAMA) established a Cybersecurity Working Group under its Electronic Information Exchange Committee in 2019.

It brought together representatives from industry, government and the expert community to coordinate threat intelligence, establish shared standards, and strengthen collaboration across Japan’s automotive ecosystem.

The driving motivation was not charity: as vehicles became more connected, as supply chains became more digital, and as the industry moved toward autonomous and software-defined vehicles, cybersecurity had become not just a technical concern but an existential business issue.

The working group developed national cybersecurity guidelines, improved supplier maturity across thousands of SMEs and created a trusted channel between manufacturers and government for incident reporting and coordinated response.

In effect, Japan’s automotive giants learned what many sectors are now discovering: collaboration is not a substitute for leadership; it is leadership.

Shared stewardship transforms cybersecurity from a cost center into a competitive advantage. It protects intellectual property, strengthens brand trust, reduces downtime and ensures continuity in an industry that underpins national prosperity.

It’s an investment in operational continuity, reputational capital and strategic influence.

Adaptive Collaboration
Ultimately, collaboration needs to evolve as fast as the threats that challenge it.

Static resilience is always going to fail in a dynamic threat environment.

The pace of technological change, from AI-enabled attacks to the growing weaponization of data, means resilience built today can quickly be obsolete tomorrow. In addition, given that malign actors are sophisticated and learning, we should assume that the next crisis won’t look like the last one.

And so, our challenge is to measure our maturity not by whether we prevent disruption entirely, but by how effectively we adapt, recover and strengthen in the aftermath.

This challenges us to conceive and commit to collaboration that is adaptive by design. This can mean a range of things, but at its core I’d suggest it means:

—Embedding joint cyber exercises—both anticipated and unanticipated—into operational planning;

—Integrating resilience metrics into procurement, governance and performance frameworks, and building a maturing pathway that supports and rewards improvement over time;

—Treating capacity building as a standing investment, not an emergency response triggered by crisis; and

—Maintaining agile, transparent partnerships across sectors and borders to sustain shared awareness and coordinated action.

Shared Responsibility, Shared Strength
With interdependence set to deepen, not diminish, effective resilience can no longer be treated as a solo effort—it’s a collective discipline, built and sustained together.

We are increasingly being challenged to see Australia’s strength—or for that matter, the strength of any individual commercial enterprise or the Indo-Pacific region more broadly—not in isolation.

If we align around a shared purpose—across government, industry and our regional partners—to counter threats together, to build shared capacity responsibly, and to adapt persistently—then we give ourselves the best chance to shift the balance of advantage in our collective favor.

In the days ahead I’d suggest leadership on cyber resilience will mean shaping, securing and stewarding the ecosystems that connect us all—not just the ones we control.

James Corera is director of ASPI’s Cyber, Technology and Security program. This article is published courtesy of the Australian Strategic Policy Institute (ASPI).