In late 2023 and into January 2024 several high-profile intrusions exposed a blunt truth: sensitive government and defence-related intelligence is increasingly stored and moved outside the hardened perimeter of single agencies. The hack of the Australian law firm HWL Ebsworth in April 2023 resulted in millions of stolen documents and ultimately placed data from dozens of Commonwealth agencies at risk, with the government confirming a broad list of affected entities that included the Defence portfolio and other national security bodies.
That incident is not an isolated example of downstream compromise. In December 2023 a ransomware intrusion against Austal USA, a shipbuilder that services US and allied defence programs, demonstrated how a supplier in the defence industrial base can be targeted and used as an intelligence vector—even when the attacker’s stated motivation is financial.
The Australian Government’s response to other large breaches in 2022 and 2023, including sanctions tied to the Medibank compromise, underlines how criminal and state‑linked actors exploit commercial and service relationships to access sensitive records and to exert pressure on victims and their partners. Those responses also highlight a strategic reality: attribution and penalty are important but slow, whereas a single supplier compromise can immediately erode trust across multiple agencies and partners.
Why these events matter for defence intelligence sharing
Modern intelligence sharing depends on a distributed ecosystem: external counsel, specialised consultancies, managed service providers, industrial contractors, cloud and SaaS vendors, and multinational partners. Each node that legitimately handles or touches intelligence creates a potential pathway for exfiltration or manipulation. A single successful compromise of a law firm, systems integrator, or shipbuilder can expose legal advice, technical plans, personnel data, or operational details that were never intended to be widely disseminated. The HWL Ebsworth case and the Austal incident both illustrate different faces of the same supply chain risk: data concentration at third parties and privileged access by vendors multiply the blast radius of any breach.
Common vectors and systemic weaknesses
- Privileged credential compromise and phishing remain the primary initial access methods. Where a supplier retains long-lived credentials or broad privileges across client environments, those credentials become a single point of failure.
- Overreliance on standard commercial collaboration tools and email for circulating sensitive or legally privileged material increases risk. Many organisations lack strict controls on where sensitive files may be uploaded and who can download them.
- Insufficient third‑party risk management. Surveys and regulatory reviews in Australia have repeatedly shown that a large share of organisations do not adequately manage vendor risk or require security standards in procurement.
- Complex multi‑tier supply chains make it difficult to know where sensitive data actually resides, or which sub‑suppliers have access to it. Attackers exploit that opacity.
Practical mitigation steps for immediate implementation
1) Treat any external organisation that handles government or defence information as part of your attack surface. Apply the same baseline controls to supplier accounts and systems as you do to internal ones: multi‑factor authentication, privileged access management, and endpoint detection and response. Segregate supplier networks and limit the scope of vendor credentials.
2) Apply strong data minimisation and handling rules. Classify and label defence and intelligence documents. Restrict distribution to need‑to‑know, and prohibit the use of unmanaged email or consumer cloud storage for any sensitive material. Move privileged collaboration to vetted, enterprise solutions that support strong encryption and audit trails.
3) Contractual and procurement hardening. Require security baselines in contracts: incident notification timelines, right to audit, secure configuration standards, and supply chain transparency. Tie a portion of supplier evaluation to demonstrable security posture and recent third‑party assessments. Regulators and auditors can reinforce these expectations through procurement standards.
4) Network and access segmentation for shared projects. Where suppliers need access to classified or sensitive environments, use strong segmentation, ephemeral credentials, just‑in‑time privilege elevation, and short-lived certificates. Log and monitor all supplier actions centrally and integrate vendor telemetry into agency SOCs for continuous oversight.
5) Exercise and integrate incident response across the ecosystem. Run tabletop exercises that include law firms, integrators, and contractors. Define clear escalation paths so that a supplier compromise triggers coordinated containment, forensic, and notification actions across affected agencies and partners. Establish trusted channels for rapid intelligence sharing about indicators of compromise.
6) Reduce single points of concentration. Avoid storing bulk, long‑term copies of sensitive exhibits, privileged legal material, or design blueprints on third‑party servers unless absolutely necessary. Where storage is unavoidable, enforce encryption at rest, permit supplier‑managed keys only under strict conditions, and prefer architectures where keys remain under client control.
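As an added illustration of steps 1, 4 and 6 (example code written for this page, not from the article or any of the organisations it names), the following detection pass runs over constructed supplier-access audit records and flags the three conditions those steps warn about: supplier credentials that outlive a just-in-time window, access outside a supplier's approved project scope, and bulk downloads that indicate data concentration at a third party. The log format, account names, project names and policy thresholds are all hypothetical.

```python
"""Added example: detection logic over constructed supplier audit records."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical policy values chosen for illustration only.
MAX_CREDENTIAL_AGE = timedelta(hours=8)   # just-in-time / ephemeral window
BULK_DOWNLOAD_THRESHOLD = 500             # documents in a single record

# Constructed approved scope: supplier account -> projects it may touch.
APPROVED_SCOPE = {
    "vendor-lawfirm-01": {"litigation-hold"},
    "vendor-shipbuilder-02": {"hull-design", "propulsion"},
}

# Constructed sample log (hypothetical format: timestamp account key=value...).
SAMPLE_LOG = """\
2024-01-10T02:15:00Z vendor-lawfirm-01 cred_issued=2024-01-09T23:00:00Z project=litigation-hold action=download count=12
2024-01-10T03:40:00Z vendor-lawfirm-01 cred_issued=2023-11-01T08:00:00Z project=litigation-hold action=download count=1800
2024-01-10T04:05:00Z vendor-shipbuilder-02 cred_issued=2024-01-10T01:00:00Z project=personnel-records action=read count=3
"""
NOW = datetime(2024, 1, 10, 5, 0, tzinfo=timezone.utc)  # evaluation time for the sample

@dataclass
class Finding:
    account: str
    rule: str
    detail: str

def parse_line(line):
    """Split one record into (timestamp, account, {key: value})."""
    ts, account, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return ts, account, fields

def detect(log_text, now):
    """Return one Finding per policy violation found in the log text."""
    findings = []
    for line in log_text.splitlines():
        _, account, f = parse_line(line)
        issued = datetime.fromisoformat(f["cred_issued"].replace("Z", "+00:00"))
        if now - issued > MAX_CREDENTIAL_AGE:          # step 4: credentials must be ephemeral
            findings.append(Finding(account, "long-lived-credential", f"issued {f['cred_issued']}"))
        if f["project"] not in APPROVED_SCOPE.get(account, set()):  # step 1: limit vendor scope
            findings.append(Finding(account, "out-of-scope-access", f["project"]))
        if f["action"] == "download" and int(f["count"]) >= BULK_DOWNLOAD_THRESHOLD:  # step 6
            findings.append(Finding(account, "bulk-download", f"{f['count']} documents"))
    return findings

def run_sample():
    """Evaluate the constructed log at the constructed time NOW."""
    return detect(SAMPLE_LOG, NOW)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The second record trips both the credential-age and bulk-download rules, and the third trips the scope rule, which is the kind of correlated signal an agency SOC would want raised from vendor telemetry.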
Policy and strategic measures
Technical controls are necessary but not sufficient. Government must update procurement policy, accreditation, and oversight to reflect the reality of modern supply chains. That includes: mandatory third‑party risk assessment for vendors handling classified or sensitive information; minimum security standards for firms that contract with multiple agencies; clear liability and reporting expectations; and incentives for vendors to adopt strong cyber hygiene. Regulators and procurement authorities should consider security maturity as a gating factor in awarding contracts that touch defence or intelligence material. Evidence from recent breaches suggests that the status quo for vetting and oversight is inadequate.
What allies and intelligence partners should expect
Intelligence sharing is built on trust. When that trust is eroded by avoidable supply chain failures, it creates operational friction and strategic risk. Allies will increasingly demand demonstrable supply chain assurance from partners and contractors before sharing high value material. Agencies must therefore be ready to show not just internal protections but the end‑to‑end controls that govern how their external partners handle shared intelligence. These expectations will become part of bilateral and multilateral arrangements and should be negotiated proactively.
A cautionary closing
The technical fixes exist. What often stalls is implementation: procurement that rewards price over security, legacy contracts that grant broad access, and the cultural tendency to prioritise rapid sharing over rigorous controls. The stolen Australian government documents uncovered through supply chain compromises are a clear warning. Defence and intelligence organisations must treat their supply chains as an integral part of their defensive posture. If they do not, the next compromise will be measured not only in lost data but in damaged partnerships and reduced operational freedom. The time to act is now.