Introduction
Geopolitical instability is reshaping cyber risk. As the global order fragments, geopolitical tensions increasingly determine where data resides, how systems are accessed, and which organisations become targets. This is no longer abstract context; it is a reality boards must account for when making cyber security decisions. This has made threat actors more persistent and more willing to target organisations that were once seen as peripheral. As global power realigns, so too does the list of organisations exposed to these consequences.
Why Nations Target Private Organisations
Recent incidents demonstrate the spectrum of nation‑state motives. The 2025 compromise of F5 Networks’ source code, attributed to a Chinese-backed actor, illustrated how targeting a private vendor can grant access to government systems that are dependent on it. Similar incidents show a threat landscape where private organisations are not incidental targets but deliberate ones.
Nation-states increasingly target private companies abroad to gain competitive advantage in innovation, pathways into government networks, and economic or strategic leverage.
Where The Exposure Sits
Organisations should ask what makes them relevant to foreign state interests. Organisations developing advanced technologies and software, or operating in specific sectors such as Australian ports, are obvious candidates. Here, relevance is often defined less by industry label and more by the data, influence, or access an organisation holds.
Cyber risk is thus evolving from a purely technological risk to a strategic risk. Mapping the relevance of your organisation to the nation-state threat helps identify which assets are worthy of protection. This requires moving beyond technical inventories and instead identifying Crown Jewels by asking questions like: What information, if leaked, would hurt us most?
When these risks are visible, they can be managed sufficiently to conduct business safely and in Australia’s interests. Put simply, we can define three primary areas where this exposure sits.
1. Jurisdiction
Offshore hosting creates a gap between where data resides and where Australian law can protect it. Data stored in foreign jurisdictions is subject to local laws, such as the US CLOUD Act or GDPR, meaning hosting decisions now carry legal and geopolitical consequences beyond cost or efficiency. US authorities can lawfully compel US‑based cloud providers to provide access to data stored offshore, including in Australia. China’s Multi-Level Protection Scheme (MLPS) 2.0 has similar policy controls in place that enable the State to use technology providers to their strategic advantage.
2. Supply Chain
Supply chains create asymmetric risk because hidden dependencies in software, infrastructure, and contractors are deliberately exploited by threat actors. The SolarWinds compromise demonstrated nation‑state espionage, where a foreign intelligence service infiltrated a private vendor to gain covert access to government networks. By contrast, the MOVEit incident showed how opportunistic actors can exploit a trusted third‑party service to extract sensitive data at scale. Together, these cases illustrate how reliance on shared vendors creates exposure largely outside an organisation’s direct control.
3. Trust Boundaries
Trust boundaries are an often overlooked source of exposure. Extending access to cloud providers, managed service partners, and contractors—particularly outside Australian jurisdiction—reduces an organisation’s ability to assert control. A 2026 Queensland Audit Office report found third‑party accounts could bypass controls and access data beyond their authorised scope. Similar patterns were evident in the MOVEit incident, where broad third‑party access enabled large‑scale data extraction through legitimate access paths.
What Good Governance Looks Like
Governance is the answer to a geopolitical threat landscape, but it means something specific. It is not having a CISO, running an annual penetration test, or staying current with Essential Eight and SOCI compliance. Governance means the board has defined its risk appetite for cyber exposure, understands the geopolitical context shaping that exposure, and holds structured accountability for the decisions that follow.
The pace of geopolitical change means organisations can no longer afford to be reactive. Resilience requires anticipating disruption, not responding to it — and that depends on giving the right people the authority and resources to act before an incident forces the issue.
For asset owners and operators, this also means understanding the role the Australian government plays in this space and engaging with relevant agencies as a matter of course rather than crisis. In practice, that means considering diversification across cloud and on-premises environments, zero trust approaches, proactive planning, and closer collaboration with relevant agencies to support national safety.
Questions Every Board Should Be Asking
As geopolitical conditions shape the cyber threat landscape, the following questions provide a good starting point for boards and executive oversight:
- Have we identified our critical assets in terms of operational and strategic impact, not just IT classification?
- Do we have visibility into geopolitical exposure within our supply chain, including foreign-government influence on third-party vendors?
- Do we have a documented cyber risk appetite, and does it reflect the current threat landscape?
The right answers will differ for each organisation, but the process is the same. Cyber concerns should be governed, not delegated.
Where To Start?
Division 5 runs a half-day session with boards and executive teams to map geopolitical cyber risk against operational reality — identifying critical assets, jurisdictional exposure, and supply-chain dependencies that warrant board-level attention.
If that’s a conversation worth having at your next board meeting, get in touch.