Russell Buzby

The 2026 National Defence Strategy roughly doubles REDSPICE investment. Spending on Australia’s offensive and intelligence-led cyber programme rises from A$6.4–8.4 billion to A$10–15 billion across the decade. The total cyber envelope (defensive plus offensive, including REDSPICE) sits at A$15–21 billion. Add the parallel allocations for space and electronic warfare and the combined envelope reaches A$27–38 billion (Department of Defence, 2026; Government of Australia, 2026). The dollar figures are large. The more interesting story is what they are being spent on, and what the spending implies about how Defence now thinks about cyber.

Gatra Priyandita’s ASPI Strategist piece on 12 May 2026 made the point cleanly. The NDS treats cyber as integral to operational readiness across the five domains of denial, and pulls it out of the network security adjunct it has historically occupied (Priyandita, 2026). Cyber moves out of the protective function and into the warfighting force itself, a fifth operational domain rather than a support service. The framing is doctrinal, with consequences that travel well past the cyber budget line. The NDS pivot reaches into the workforce, the agencies, and the consulting market that serves both.

Australia is not the first to make this move. The United Kingdom confirmed its National Cyber Force in November 2020, a joint Ministry of Defence and GCHQ unit dedicated to offensive cyber operations and to integrating cyber as a warfighting capability within UK Strategic Command. The United States went earlier and harder: US Cyber Command was elevated from a sub-unified command to a unified combatant command on 4 May 2018, a structural change that gave it the same standing as Central Command or Indo-Pacific Command. Australia’s 2026 reframing is the same direction of travel, six years behind the UK and eight behind the US. The lateness is not the interesting part. The interesting part is that the workforce machinery built for the older posture is still in place, and now has to deliver a different output.

That workforce problem is the bottleneck most consultants underestimate. Defence has, for years, recruited and trained for cyber defenders: network security analysts, incident responders, hardening specialists. The pipelines feeding those roles (UNSW Canberra cyber programs, ADFA, lateral entry from industry) are calibrated for defence-of-network work. Cyber operators are a different occupation, with different skill profiles, different selection criteria, and different career arcs. The clearance bottleneck compounds the problem. The Australian Government Security Vetting Agency has been carrying a backlog for years (Australian National Audit Office, 2023), and operator-grade clearances sit at the top of the queue. If cyber is now operational, the throughput problem is not an administrative inconvenience. It is a force-generation constraint.

The reservist piece is the other half of the workforce design question. The Defence Force Reserves model assumes a citizen who deploys forward and returns to a civilian job. A cyber operator reservist may never leave a console, may need persistent access to operational systems, and may be doing the same work in uniform and out. The current reserve framework was written for a different shape of soldier. Article 18 in this series traced the broader doctrinal shift from rules-based language to balance-of-power language across the NDS; the cyber-as-operational move is one specific consequence of that shift, and the workforce frame is where the rhetoric meets the establishment file.

Then there is the ASD question. The Australian Signals Directorate carries a dual remit: offensive cyber capability for Defence, and through the Australian Cyber Security Centre, defensive support for critical infrastructure and the whole economy. If offensive cyber sits squarely inside the warfighting force, the dual remit becomes harder to manage at the seams. ACSC’s customer base, the banks, telcos, hospitals, water utilities, energy networks, expects ASD to behave like a defensive partner. The operational force expects it to behave like a combatant capability. Both are real; the tension is now structural rather than accidental.

Critical infrastructure protection is the other downstream pressure. The 2022 amendments to the Security of Critical Infrastructure Act brought a wider set of registered entities into regulatory scope (Department of Home Affairs, 2022). Those entities are accustomed to a regulator-operator relationship calibrated to network resilience and incident reporting. If Defence now treats cyber as an operational domain, the regulator’s benchmark shifts from resilience toward operational readiness. Article 24 in this series argued that the whole-of-society dimension of the NDS reaches well beyond Defence; cyber-as-operational-domain is the cleanest example, because the standard that applies to a Defence network increasingly applies, by inference, to anything Defence relies on.

For consultants, the advisory market this opens up is wider than the cyber capability category alone. Capability definition work, workforce design across the operator pipeline, procurement reform to accelerate cyber tool acquisition cycles, industry engagement to grow the Australian operator base. The work sits between three current providers: the Big Four for workforce and governance, specialist cyber firms for the technical layer, and the Defence primes for capability development. None of them currently own operational cyber advisory at scale. Most consulting capability statements have not yet caught up with what the strategy actually says. The firms that translate the cyber-as-operational pivot into workforce and governance models earliest will set the language the rest of the market then uses.

The dollar figures will not be the thing the next five years are judged on. The judgement will rest on whether the cyber operator workforce can be stood up at scale, whether the agencies can hold their dual remits together under cyber operational pressure, and whether the supply chain can deliver cyber tools at the tempo a warfighting domain demands. The cyber doctrine is the easy part. The establishment file is where the cyber strategy lives or dies.

References

Australian National Audit Office. (2023). Administration of the Australian Government Security Vetting Agency. Commonwealth of Australia. https://www.anao.gov.au

Department of Defence. (2026). 2026 National Defence Strategy. Commonwealth of Australia. https://www.defence.gov.au

Department of Home Affairs. (2022). Security of Critical Infrastructure Act 2018 (as amended 2022). Commonwealth of Australia. https://www.homeaffairs.gov.au

Government of Australia. (2026). 2026 Integrated Investment Program. Commonwealth of Australia. https://www.defence.gov.au

Jeffrey, H. (2026, May 11). NDS 2026 – More resourcing for a complex cyber threat environment. The Strategist, Australian Strategic Policy Institute. https://www.aspistrategist.org.au