News
AI SHIFT:

Australia tells agencies to fix security basics before buying into frontier AI

Newsroom brief

The Department of Home Affairs has warned agencies that frontier AI could shrink cyber attack timelines from days to hours. A mandatory PSPF advisory says entities do not need the most advanced AI models to stay protected. Agencies are being directed first to Essential Eight and Information Security Manual controls before wider AI use in cyber defence.

Verified against source materialEdited by SendTech Times Cybersecurity Desk
Australia tells agencies to fix security basics before buying into frontier AI
Image source: itnews.com.au

The federal government has told agencies to prioritise long-neglected cyber security fundamentals before turning to frontier artificial intelligence for defence against faster attacks.

The direction is set out in the Department of Home Affairs' Protective Security Policy Framework advisory 001-2026, which warns of an expected "vulnerability storm" as AI is used by adversaries and security researchers to find flaws at machine speed.

Fundamentals before frontier models

The PSPF advisory says frontier AI could compress the time between vulnerability discovery and active exploitation from days to hours, increasing pressure on patching and response teams.

But the advisory also states that buying access to the most advanced models, including Anthropic Claude Mythos, is not required for effective protection.

"Australian government entities do not need access to the most advanced frontier AI models to stay protected," the PSPF advisory said.

Instead, agencies are being pointed to the Australian Signals Directorate's Essential Eight framework and Information Security Manual.

The PSPF requires government entities to reach Essential Eight Maturity Level Two for user application hardening and patching of user applications.

The Australian National Audit Office has previously faulted agencies on those areas in reviews.

The advisory is mandatory for government entities and defines frontier AI technologies as the most cutting edge in the field.

It describes frontier AI as an expected step change in capability, with more powerful automation, reasoning and decision-making than earlier generations of AI.

AI use is not ruled out

The compliance obligations do not amount to an official blanket ban on using advanced AI for cyber defence.

Companion guidance from ASD's Australian Cyber Security Centre says AI can help reduce manual workloads, improve threat prioritisation, and accelerate detection and response.

However, the official advice places AI adoption on a medium-term horizon, after short-term controls are in place.

A six-step maturity model attached to the advisory describes a future state where "artificial intelligence is used for cyber defence and is secure, controllable, human-supervised and used in an ethical and accountable manner".

Legacy debt remains a blocker

That future stage would come only after agencies have locked down configuration baselines, reduced attack surfaces, and addressed legacy system debt.

The ACSC also warns that poorly implemented AI could add security risk rather than reduce it.

The PSPF's central message is that agencies facing faster AI-driven exploitation should first improve patching, hardening and core control maturity before relying on frontier tools.

Share this article
inXf

Related articles

More
ABS runs six-month IT hardening program before 2026 Census
Cloud & Data Centers

ABS runs six-month IT hardening program before 2026 Census

The Australian Bureau of Statistics has brought in outside cyber security support to harden its wider ICT environment ahead of the 2026 Census. An audit found the work is being delivered in three consecutive two-month tranches after risks were identified beyond census-specific systems. The census main event is scheduled for August 11 and will run on AWS cloud services.

UAE Sets a Social Media Age Gate. Enforcement Is the Hard Part.
Cybersecurity

UAE Sets a Social Media Age Gate. Enforcement Is the Hard Part.

The UAE Cabinet has barred children under 15 from social media accounts and full platform features. The rule puts age verification, child privacy, parental controls and platform compliance on a 12-month operating clock.

IPA Translation Turns CISA Security Goals Into A Japan Infrastructure Baseline
Cybersecurity

IPA Translation Turns CISA Security Goals Into A Japan Infrastructure Baseline

Japan’s Information-technology Promotion Agency published a Japanese translation of CISA’s Cross-Sector Cybersecurity Performance Goals Version 2.0 for domestic critical infrastructure operators. The guidance covers IT and operational technology, maps goals to NIST CSF 2.0, and frames the controls as minimum practices rather than a full cybersecurity program. The practical question is whether asset owners use the worksheet to rank gaps by cost, complexity and impact, then review progress after 12 months.

UAE Crypto Discovery Tool Turns Post-Quantum Security Into an Inventory Test
Cybersecurity

UAE Crypto Discovery Tool Turns Post-Quantum Security Into an Inventory Test

The UAE launched a national Crypto Discovery Tool to help organisations identify and manage cryptographic systems before post-quantum migration. The platform was developed by the UAE Cyber Security Council and Abu Dhabi-based QuantumGate as part of the National Post-Quantum Migration Programme. The practical question is whether public- and private-sector organisations use the tool to build a reliable inventory of cryptographic exposure.

NFSP Ransomware Attack Turns Supplier Email Pause Into a Security-Control Test
Cybersecurity

NFSP Ransomware Attack Turns Supplier Email Pause Into a Security-Control Test

The National Federation of Subpostmasters was hit by ransomware after a cPanel-related hosting software bug was exploited. The NFSP was targeted on 30 April, and the Post Office paused some email interactions with the federation while saying branch operations were not affected. The immediate test is whether trusted communications can resume without pushing subpostmasters toward insecure workaround channels.

CISA Android and Linux Warnings Put Patch Timing Back on the Security Agenda
Cybersecurity

CISA Android and Linux Warnings Put Patch Timing Back on the Security Agenda

CISA added exploited Android and Linux vulnerabilities to its Known Exploited Vulnerabilities catalog. The Android flaw affects Android 14 through 16, while the Linux issue centers on older kernel branches and cgroups v1 container environments. The immediate test is whether agencies and infrastructure operators apply vendor updates or mitigations by CISA's June 5 deadline.

Keep Reading

More Stories

Latest
New York Blocks New 50 MW Data Centre Permits For Up To A YearCloud & Data CentersJul 14, 2026New York Blocks New 50 MW Data Centre Permits For Up To A YearThe Verge reported that New York Governor Kathy Hochul signed an order blocking new environmental permits for hyperscale data centres over 50 megawatts for up to a year. The outlet said a separate 20 megawatt bill still awaits her signature, and affected proposals were not identified.UMC Starts Singapore Silicon Photonics Production For AI NetworksChips & SemiconductorsJul 14, 2026UMC Starts Singapore Silicon Photonics Production For AI NetworksCNBC reported that United Microelectronics Corporation has started mass production of silicon photonics wafers in Singapore with SILITH Technology after an 18-month development push. The company plans a 12-inch platform for customer product development by 2027, while the report did not name first customers or supply commitments.Swiss Regulator Opens Google Android Choice-Screen ProbeCapital & PolicyJul 14, 2026Swiss Regulator Opens Google Android Choice-Screen ProbeTNW reported that Switzerland’s Competition Commission opened a preliminary investigation after Google removed the Android search-engine choice screen from Swiss phones while keeping it in the European Economic Area. COMCO said the change could affect rival search and digital-service providers, while Google has not published a rationale for the Swiss withdrawal.Anthropic Tokenizer Can Add Up To 73 Percent More Claude TokensAIJul 14, 2026Anthropic Tokenizer Can Add Up To 73 Percent More Claude TokensThe Register reported that Playcode found Anthropic's newer Claude tokenizer can emit up to 73 percent more tokens than OpenAI's GPT-5.x family on a TypeScript file. The same report said Anthropic's introductory Sonnet pricing runs through August 31, 2026, while independent customer-bill and task-completion evidence remains absent.NestAI Joins Finland-Estonia Defence AI Framework Without Budget CommitmentAIJul 14, 2026NestAI Joins Finland-Estonia Defence AI Framework Without Budget CommitmentTNW reported that Finland’s Ministry of Defence, the Estonian Defence Forces and Helsinki-based NestAI signed an artificial intelligence cooperation letter with no financial commitment. The framework covers joint development, training and technical cooperation, but it does not name procurement contracts, budgets or deployment dates.Meta Says Hyperion AI Campus Will Reach 5 GW In LouisianaCloud & Data CentersJul 14, 2026Meta Says Hyperion AI Campus Will Reach 5 GW In LouisianaData Center Knowledge reported that Meta's Hyperion AI campus in Louisiana is being expanded to 5 GW and more than $50 billion of investment, with Entergy filings listing 1,500 MW of new solar and hybrid resources and customer-funded transmission for the expansion.Cloudflare Precursor Scores Browser Sessions As Bot Traffic Hits 57 PercentCybersecurityJul 14, 2026Cloudflare Precursor Scores Browser Sessions As Bot Traffic Hits 57 PercentCloudflare made Precursor generally available to score visitor behaviour across full browser sessions rather than one arrival check. The public record still lacks pricing, customer adoption figures and customer false-positive rates for the session-scoring product.Apple Complaint Alleges OpenAI Coached Staff Around Exit ChecksCapital & PolicyJul 14, 2026Apple Complaint Alleges OpenAI Coached Staff Around Exit ChecksApple’s 41-page trade-secret complaint alleges OpenAI coordinated recruitment of Apple employees and coached candidates around exit procedures, TechCrunch reported. OpenAI’s cited statement said it has no interest in other companies’ trade secrets, and the court record cited by the outlet does not include a ruling on Apple’s claims.Intel Lists Starfire Space AI Chip At 75 TOPS As Radiation Data Stays PendingChips & SemiconductorsJul 14, 2026Intel Lists Starfire Space AI Chip At 75 TOPS As Radiation Data Stays PendingTom's Hardware reported that Intel has listed Starfire, a space-grade system-on-chip for the U.S. government, with up to 75 TOPS and Intel 18A CPU and NPU tiles. The sell sheet says samples are planned for Q3 2026, while radiation qualification data and final specifications remain pending.PixVerse Raises $439 Million As Video AI Valuation Tops $2 BillionAIJul 14, 2026PixVerse Raises $439 Million As Video AI Valuation Tops $2 BillionSingapore-based PixVerse has raised $439 million across a Series C extension and earlier funding, pushing its valuation above $2 billion, according to TechCrunch. The video-generation startup lists more than 150 million registered users and 15 million monthly active users, while paying-user totals, enterprise revenue and independent benchmark results remain outside the public record.Intel Commits 5 Billion Euros To Irish Fab 34 ExpansionChips & SemiconductorsJul 14, 2026Intel Commits 5 Billion Euros To Irish Fab 34 ExpansionA 5 billion euro Leixlip investment puts Fab 34 back at the centre of Intel's European manufacturing plan for AI and high-performance computing processors. Most of the spending is due by the end of 2027, while a large external foundry customer for the Irish capacity remains unnamed, according to TNW.Nadella Warns Enterprises Pay Twice For Proprietary AI ModelsAIJul 14, 2026Nadella Warns Enterprises Pay Twice For Proprietary AI ModelsMicrosoft CEO Satya Nadella warned companies using proprietary AI models may pay with both tokens and internal knowledge, according to TechCrunch. Solo.io, Vercel and OpenRouter supplied evidence of interest in on-premise and open models, while customer-level cost savings and security outcomes remain undisclosed.