Board Briefing: Cyber Governance Insights

Thugs, Thieves & Other Threats: How what we need to worry about in cyberspace is changing


Published by Ciaran Martin, CyberCX UK Chair and Global Advisory Board member on 16 September 2025


Australian Financial Review Cyber Summit 2025 keynote

It is terrific to be back once again in Australia, and especially in Sydney.

I’ve been back and forth to this part of the world for more than twenty years. In the early years of the century, when most of my young adult friends were coming here to get bar jobs at Bondi Beach to go surfing, I was the junior bag carrier to a Treasury delegation who came to Canberra to study how you do tax administration. Most Australians I know laugh incredulously when I tell them we came here to copy your tax system.

Maybe the grass is always greener on the other side.

More seriously, suspend your disbelief: modern Britain admires a great deal of what Australia does and how you do it. Even tax.

As I later moved into security work, I continued to visit Canberra and various other outposts, most notably the huge and brilliant Five Eyes facility at Pine Gap near Alice Springs.

So until I joined CyberCX, when I’d meet the many Australians who live in London they’d often ask me if I’d been to their great country. I’d say yes: to Canberra, and Alice Springs. Don’t get me wrong – I loved those trips. But many of my Aussie interlocutors would look at me quizzically.

It wasn’t until I joined CyberCX as a global adviser and UK chair, courtesy of John Paitaridis and my old friend and opposite number Alastair MacGibbon, that I was finally allowed to enjoy the jewels that are Australia’s major cities, including, of course, the magnificence of Sydney.

But when I first came to Australia on behalf of CyberCX in November 2022, I didn’t have much time to enjoy the marvels of Sydney.

That’s because I landed in the middle of the biggest cyber crisis in Australian history.

Now there was, to the best of my knowledge, no causality between my arrival and the biggest ever cyber crisis in Australia’s history.

But it was certainly an instructive time to be in Australia as a cyber security specialist.

Shortly before I took off, I had been discussing with my colleagues how to talk about a clear and present threat to Australians, given the country had yet to experience the sort of cyber disasters many similar wealthy market democracies had endured.

I even had a narrative – maybe the lucky country was lucky in cyberspace too.

But the problem with luck is that it tends to run out. So by the time I landed the Optus and Medibank breaches had happened in quick succession – with nearly ten million records in each breach.

Australia was experiencing what Alastair MacGibbon memorably called “Australia’s cyber reckoning”. Medibank in particular, with its extensive, terrifying trove of personal medical records, and the targeted release of the most sensitive files, was one of the most traumatic episodes of data loss I’ve ever seen anywhere in the world.

Indeed, I think Australia collectively – company, media, government, society – deserves immense credit for holding your nerve during one of the most morally abhorrent cyber incidents of all time.

You did not reward the criminals. You did not pay.

That holding of nerve had global resonance: incidents of payments of ransom for data extortion continue to fall.

That’s enough optimism for now I’m afraid: because I’ve just left a country facing its own cyber reckoning of a different kind.

The lessons from Britain’s experience over the past fifteen months about the changing nature of harm in cyberspace are stark.

Last June, cyber criminals attacked a supplier to some of London’s major hospitals, causing huge disruption to medical treatment. As a result, researchers in King’s College London have made the first proven link between a cyber attack and the death of a human being in the United Kingdom.

Four months ago, attacks on Marks and Spencer and the Coop saw empty shelves in these iconic supermarkets. For rural communities in parts of the Scottish Highlands, where quite literally the Coop is the only shop in town, this was a disaster. For M&S, who couldn’t sell anything online for two months, the initial estimated cost of the fiasco has been put at £300 million.

And as I speak Jaguar Land Rover, the world famous car maker, is haemorrhaging tens of millions, unable to open fully its four factories in England and others in Slovakia, Brazil, India and China. Media leaks talk of government bailouts. Small suppliers are collapsing.

In the last two years, similar disruptive cyber attacks have hit the west hard: a Belgian brewer, a US steelmaking giant, a French electronics company, and many others.

So today I want to draw out some lessons from these and other recent experiences in cyber security from around the world.

The title of my talk today is “Thugs, Thieves and Other Threats – Why what we need to worry about in cyberspace is changing”.

You’ll notice that in the three horrible cases I’ve mentioned from the UK, I haven’t said anything at all about data breaches.

And that’s because the most important point I hope you might remember from this talk is that although we’re programmed to think first and foremost about data breaches, we need to worry more and more about disruptive attacks – hacks that literally stop us from being able to operate at all.

We need to worry about the thugs even more than we’re currently worrying about the thieves.

Let me put this in terms of a simple analogy: that of everyday human physical security.

Here are two horrible scenarios.

In the first one, you come home and you discover your padlocked filing cabinet with all your sensitive hard copy personal information is open.

The files are still there.

Your medical records, mortgage details, birth certificates, and all that.

But someone you don’t know has broken in, and seems to have copied them.

That’s going to be deeply unsettling. You’ll brace yourself for a higher risk of fraud, for leaks of sensitive information, or other badness.

You might need to call those close to you, whose records you also hold, to warn them, and apologise for the breach of confidentiality.

You will be shaken, and scared.

But physically, you’ll be fine.

You can go about your business more or less as normal, vigilant for what someone will do with the stolen information.

This is what a data breach looks and feels like. That’s cyber thievery.

In the second scenario, and I am sorry to put it so brutally, someone attacks you, punches you repeatedly in the face and breaks one each of your arms and legs, rendering you in severe pain and discomfort and unable to work fully for several months.

You are absolutely not physically fine at all, and you can’t go on as normal.

That, in essence, is what happens in a disruptive attack. It is what a thug does in cyberspace.

No one in this room wants either of these things to happen to them. And I am not asking you to choose.

But my point is that both these things can and do happen, and they are very different in how they affect you, the victim.

Protecting yourself from both thugs and thieves might have some features in common, but also some differences.

How you plan to recover from them will be entirely different.

Unhelpfully, however, when it comes to corporate technological security, we call the equivalent of these two very different crimes the same thing: cyber attacks.

My worry is that we have built so much of our cyber defence framework – our defences, our policies, our legal and governance frameworks, our media discourse – around data breaches and data breaches alone.

Jaguar Land Rover is a case in point. If the British media is to be believed, it is in deep operational trouble.

Yet look at the initial coverage of the incident. It’s all about: “has JLR lost data”?

JLR is not Medibank. Medibank, as Australians know, holds very sensitive medical records.

All JLR’s personal datasets tell you is who has bought their cars. It’s a glorified subsection of what those of us of a certain age used to call the telephone directory, plus an email address.

Disruption is the story.

Disruption is often uglier than data breaches. Thugs are often much worse than thieves.

And they are becoming ever more prevalent.

Disruptive cyber attacks are killing human beings through messing with hospital systems.

Disruptive cyber attacks are emptying shelves of food.

Disruptive cyber attacks are causing fuel shortages.

Disruptive cyber attacks are closing factories and forcing companies out of business.

Ask any CEO who has experienced both a disruptive cyber attack and a data breach which is worse to experience. I will place a small wager a significant majority will say it was the disruption, even if it was losing data that got them into legal trouble.

Why this matters to a company, its CEO, senior executives, boards and shareholders and so on, is obvious.

But I think it is also increasingly a matter of national security.

The attacks I’ve mentioned so far have all been criminal. But last month Norway’s intelligence services very publicly accused the Russian state of causing physical damage to a water processing facility in the country via cyber attack. If they’re right, this is the first of what experts would call ‘cyber-kinetic’ Russian state operations outside of Ukraine.

Russia’s pioneering of cyber disruption of ordinary private sector companies is almost two decades old, having been debuted in Estonia as far back as 2007. What if President Putin decided to coopt his ransomware thugs, who operate under his protection, to deter Europeans and other allies from more fully supporting Ukraine in whatever follows the current conflict?

Now consider the warnings about China.

Over the past two years the Five Eyes intelligence partnership – that cornerstone of western security that includes our two great countries along with the US, New Zealand and Canada – has warned of a new cyber campaign by the Chinese military.

Unfortunately, this cyber campaign has been given the appallingly inaccessible and confusing codename of Volt Typhoon.

So let me translate Volt Typhoon into reality, and its connection to today’s discussion of thugs and thieves in cyberspace.

For nearly three decades, the Chinese state has been the Internet’s most capable and prolific thief. It has stolen state secrets and intellectual property at a scale hitherto unknown in human history. But it’s never been a thug: it has no history of disruptive cyber operations.

Volt Typhoon upends that understanding. It is, in the words of Admiral Mike Rogers, the former head of the US’s National Security Agency and the other half of CyberCX’s Global Advisory Board, a set of digital booby traps underneath America’s critical infrastructure, and that of its allies.

It’s not for use today.

But it is for use in the event of a major escalation of tensions between China and the West.

The way to think of Volt Typhoon is to think about all the big disruptive cyber attacks I’ve already spoken about. Retailers. Manufacturers. Educational institutions. Government payment systems. Tech companies. Ports – remember the chaos in Australia when DP Ports was forced to take itself offline due to a major cyber attack to prevent further damage.

Now think of them happening all at the same time. Now imagine dozens, even hundreds more, all at the same time.

That’s what Volt Typhoon would feel like.

And think of it happening in a country like Australia, well known for market concentration in key sectors of the economy with two major retailers, four major airlines, four major media outlets, and so on.

How many companies would a determined attacker have to take out to cause national level serious disruption to this wonderful country?

None of the attacks need be particularly sophisticated. They wouldn’t likely be lethal. But collectively, they’d gum up our economies and strain our public services with the aim of draining our will to stand up to them.

The criminal thugs are already a serious enough problem for us to worry about the thugs just as much, if not more, than the thieves.

But worse, the thugs have shown Russia, China and others what can be done against western economies.

That’s why thuggery in cyberspace is not just a matter of corporate security, but national security too.

This is the pre-eminent cyber security risk of our time. So how do we fight back?

Many of the different aspects of our vital fightback feature later in today’s superb conference.

So I am not going to talk about skills, or governance, or some of the latest approaches to cyber defence.

Instead, I am going to talk briefly about two critically important aspects of our defence which don’t feature so much in today’s agenda: supplier security, and innovation.

First, supplier security.

Although details of the major recent cases in Britain are still emerging, each one appears to have a supplier or third party partner of some sort at the heart of the story.

And not one of those partners is what we now call, somewhat euphemistically, a ‘high risk vendor’.

Now that I’m out of government, I can translate the governmental language of ‘high risk vendor’ into English. It means, more often than not, a Chinese company.

To illustrate the point, here’s a story from the United States. And, confusingly, it involves another typhoon.

Salt Typhoon is the codename for the most effective espionage campaign against the West we’ve ever seen. It has, by Washington’s own admission, seen the Chinese intelligence services comprehensively penetrate the communications of millions of Americans, including some top decision takers.

Understandably, there has been deep disquiet in Washington over this and a bipartisan law was passed, accelerating funding of some $363 billion US to remove the remaining Chinese infrastructure from American networks.

There’s only one problem with this – the hackers behind Salt Typhoon hacked entirely Western kit.

Had this Congressional package been implemented before the hack, it would have made no difference at all.

This speaks to a crucial point: for much of the past decade or so, the supply chain discussion has been dominated by where something is coming from, be that a piece of hardware or a service provider.

Don’t get me wrong: that matters.

If a piece of kit is coming from China, for example, there are no real assurances you can properly give about its security: the best you can do is limit what it does so it can’t do any real harm. So Western Governments have either excluded or limited Chinese kit.

The problem has been that in too many cases that’s where policy has stopped.

To put it crudely, ‘Ban China’ has been the alpha and omega of a fair amount of recent western cyber policy.

‘Ban China’ may be necessary. But what we’ve learned is that it’s not sufficient. Whether it’s our contracted-out helpdesks being deceived (the purported cause of the Marks and Spencer fiasco) or out-of-date telephonic hardware, we have to pay far more attention to our own supplies wherever they come from.

Part of the real problem here is one of market incentives.

Too often a hack happens at the top of the tech stack and thousands of innocent organisations that rely on those major companies suffer as a result.

To give just one of many examples: the huge data breach in 2023, affecting over one thousand major companies – the BBC, Boots and British Airways in the UK; major mining companies here in Australia – because they all used the same company to move datasets around the Internet.

So in the short term, we must push for better understanding and security practices at those companies on whom we depend, whether large or small, or based here, or abroad.

But in the longer term we must keep up the push for technology that is more secure by design. I endorse the efforts of both the UK and Australian governments in this area.

We must bring about the same transformation in technological security that was achieved in automobile safety half a century ago, when societies stopped just accepting huge collateral harm and started making the cars we drive safer.

And that’s where innovation comes in, particularly as we march ahead into the age of AI.

Famously, or infamously, the Internet was built without security in mind.

That has caused us all sorts of problems, many of which we are discussing today.

But somehow, we have managed to keep ourselves in some sort of uneasy equilibrium. We’ve suffered all sorts of digital harm.

But, thankfully, we have not suffered a cyber apocalypse.

I think there are three reasons for this uneasy equilibrium.

The first is that – quite sensibly – we’ve not entrusted our physical safety entirely to computers. When I get my flight back to London, if the computer fails, I may end up late or in the wrong place. But I’ll be fine, because of the way the multiple alternate ways of landing a plane work. That’s what happened when the British national air traffic control system comprehensively failed in August 2023.

The second reason is that, until now, to be very menacing in cyberspace takes a lot of time, money, skill and organisation. That means only a small number of actors can be very, very threatening. So lots of people can harm us. But only a few can do really serious harm.

Finally, there is an arms race between good and bad in cyberspace.

What we call cyber attacks are ultimately just code: maths and engineering.

Code has no morals.

What can be used for bad can be used for good.

And despite all the concern about adversarial capability, the baddies have never completely outpaced the goodies.

Does this equilibrium hold in the future, as we move into the age of AI? Let’s look at each of its aspects in turn.

The first part of the equilibrium should hold. We would be mad to fully subcontract our safety to machines.

It’s a choice and we should make the right choices. The care we are taking over, for example, the safety model for driverless cars is, to my mind, a good sign.

I worry about the second part of the equilibrium. AI makes it cheaper and easier to do more harm in cyberspace. So proliferation is a worry.

That’s why it’s more important than ever that the third part of the equilibrium holds: that the techniques we have for cyber defence are better than those the baddies, the adversaries, the hackers, have at their disposal.

And this is about innovation.

My first visit to Australia in this role was amidst the horrors of the Optus and Medibank breaches.

But on a later visit I was dazzled by the simplicity of the Optus and Westpac SafeCaller initiative – a counter-scam capability that verifies a call from the financial institution as genuine, making it far less likely an innocent customer will fall victim to identity abuse. I know other financial institutions like Commonwealth Bank are doing great work with authenticating accounts.

More of this please.

More use of automated defence capabilities to detect rogue presences on the networks or hijacked accounts doing weird things at weird times in our infrastructure.

More using large scale analytics to secure our code and our foundational technology.

We can do this.

Countries like Australia and the UK can lead the way. We can thwart the thieves, and defeat the thugs.

And I finish by repeating my plea to step up protection against those disruptive thugs who have shown themselves willing to wreck our critical services.

Australia has seen what happens to peer countries.

Let’s protect our communities by inoculating our critical services from the sort of major disruption seen elsewhere.

And let’s do it before it’s too late.

Thank you.
