Espionage has become one of the most significant national security threats to Australia, impacting government, businesses and the university sector. The highly secretive nature of espionage makes it extremely difficult to measure. In this study we estimated, for the first time, the actual and prevented costs of espionage. Building on the Australian Institute of Criminology’s method for measuring the costs of serious and organised crime, we estimated the mitigation and response costs and the direct costs of espionage impacting Australia. We also estimated the preventable costs associated with a number of possible scenarios. The numbers are conservative and an underestimate of the true cost, given the challenges in identifying and measuring espionage activity and its consequences.
In 2023–24, espionage cost Australia at least $12.5 billion. This includes the direct costs of the consequences of known or probable espionage activity – primarily losses due to state or state-sponsored cyber attacks, insider threats and intellectual property theft – as well as the public and private sector response, remediation and mitigation costs. There are also tens of billions in additional costs that Australia may have prevented by countering potential espionage. For example, in just one week, a single incident of espionage-enabled sabotage from a large-scale cyber attack could cost the Australian economy nearly $6 billion. These prevented costs are significant, and highlight the importance and benefit of investing in efforts to reduce the threat of espionage and minimise the harm in high-risk settings.
The report states
The threat of espionage – the state or state-sponsored theft of Australian information or capabilities – is now at extreme levels, posing an enormous risk to Australia’s national security. This threat is expected to worsen in future. Understanding the real and potential harm from espionage to the government, private and university sectors, and to the wider community is an important step in ensuring that appropriate action is taken to build our resilience to the threat posed by state and state-sponsored actors. We relied on a review of known cases, published and unpublished research, and data on espionage and espionage-related harms, along with input from subject matter experts, to estimate the mitigation and response costs, direct costs of espionage, and the prevented costs of espionage. We limited our analysis of direct, mitigation and response costs to the 2023–24 financial year. Some calculations of espionage-related expenditure were based on sensitive and classified data, and therefore these costings are not itemised in this report.
It is important to note at the outset that these numbers, while significant, underestimate the true cost of espionage in Australia. Espionage, by definition, is difficult to detect, and many of its most serious impacts cannot be assigned a dollar value. We have chosen to be conservative in our calculations.
This is an important first attempt to measure the range of costs from known and suspected incidents of espionage, using a methodology that has been applied to other areas of national security. While this report highlights the importance of taking action to prevent espionage to protect Australia’s national interests, it also draws attention to the need for further work to help us better understand the impact that espionage has on government, businesses, universities and the wider community.
Actual costs from espionage Our estimate of the actual costs from espionage includes both the direct costs of known or suspected espionage activity, and the mitigation and response costs to government, businesses and universities.
Direct costs of known or suspected espionage activity
We estimated the actual cost of state or state-sponsored cyber espionage, insider threats and intellectual property (IP) theft through a range of methods including:
„ Cyber security incidents impacting Australian medium and large businesses were estimated to cost up to $1,193.8 million.
„ Cyber security incidents impacting Australian public universities were estimated to cost up to $14.5 million.
„ Insider threats involving state or state-sponsored actors impacting Australian businesses were estimated to cost up to $324.8 million.
„ Cyber security incidents involving state or state-sponsored actors impacting federal government agencies (not itemised here).
„ Insider threats involving state or state-sponsored actors impacting Australian public universities were estimated to cost up to $25.0 million.
„ Cyber-enabled theft of IP and trade secrets from businesses was estimated to cost up to $1,901.0 million.
„ IP theft from government, the not-for-profit sector and universities was estimated to cost up to $628.0 million in 2023–24.
These costs were incurred in a single financial year (2023–24). These represent a significant underestimate of the true cost of espionage, given the challenges in identifying, quantifying and valuing some of the consequences.
Mitigation and response costs
Significant resources are invested in the public and private sectors to mitigate and respond to espionage. These include the cost to federal government agencies entities related to the identification, investigation, disruption and prosecution of espionage incidents in Australia, as well as the development and enactment of policy and legislation regarding espionage in Australia. Other costs of mitigation include those associated with implementing and maintaining security measures, community outreach, and education and awareness raising. Many of these mitigation measures (particularly legislation) have been introduced in response to previous incidents of espionage or foreign interference, and thus can be considered long-term costs of espionage in Australia. We used a combination of top-down and bottom-up approaches to estimate these costs, relying on data on the operating expenditure of each agency and expert input from senior representatives from these agencies and other stakeholders.
We also estimated the cost of cyber security to state, territory and local government agencies, businesses and universities. We determined the operating expenditure of each sector and relied on industry estimates of the proportion of total expenditure that is spent on information and communications technology (ICT) and, of that, the proportion spent on cyber security. We then estimated the proportion of these cyber security costs associated with espionage. There are also costs to businesses associated with personnel security and vetting, as well as the costs associated with applying for commercial foreign investments to the Foreign Investment Review Board (which assesses, among other things, risks to national security).
Critical infrastructure is a major target for foreign actors seeking to undermine Australia’s national security and, in addition to the costs to the Australian Government, there have been costs to industry associated with several major reforms to the regulation of critical infrastructure to reduce the risk of espionage. Universities also incur costs associated with due diligence activity, including vetting of international students and assessing the risks associated with partnerships with foreign institutions. We used a range of methods and data sources to estimate these costs. These mitigation and response costs have not been itemised, and the full detail regarding our costing methodology has not been provided because it relies on sensitive and classified data. The mitigation and response costs are included in the total cost estimate. Several additional costs are incurred as a consequence of the action taken by government, businesses and the university sector to mitigate the risk of espionage.
Among these are:
„ the costs of having to use more expensive technology, or technology that is less than optimal, rather than technology that may be available from a foreign adversary
„ the costs incurred by government suppliers in certain high-risk sectors in order to meet security requirements
„ declines in potential foreign investment due to our current national security posture „ missed opportunities for international research collaborations with leading academics and organisations.
Although these costs are likely to be significant, they have not been estimated in the current research due to a lack of sufficient data.
Prevented costs from espionage
We estimate the counter-espionage efforts of governments, businesses and universities may have prevented tens of billions of dollars of additional costs to the Australian economy. While there have been many examples of espionage impacting Australia and our international partners, other harms have been avoided.
We modelled a range of scenarios to estimate the potential costs that may have – to the best of our knowledge – been prevented, but which would be incurred in the future if efforts to prevent espionage were not successful.
„ Sabotage of critical infrastructure enabled by espionage could cost up to $1,161.2 million per incident.
„ An economy-wide, week-long disruption to digital technology-intensive industries, enabled by sabotage, could cost the Australian economy $5,930.4 million.
„ Theft of trade secrets from a large, publicly listed Australian company could result in share market losses of up to $887.2 million per incident.
„ Cyber espionage attacks targeting a large, publicly listed Australian company could result in share market losses of up to $439.6 million per incident.
„ Diminishing trust in government security due to espionage activity could result in an annual decrease in foreign direct investment inflows of up to $10,291.2 million.
„ The potential annual losses from a decline in international student revenue because of a need to tighten controls following major espionage activity could be up to $890.7 million.
„ A 10% decrease in annual US funding for research following espionage activity impacting Australian and US relationships could lead to potential same-year economic losses of up to $376.7 million.
Many of these costs relate to, or would result from, single incidents of espionage. The cost from multiple repeated attacks targeting government, businesses and university sectors would be significantly higher. As such, the total prevented costs depend on the nature and scale of future espionage activity impacting Australia but are estimated to be tens of billions of dollars.
Total actual and prevented costs from espionage
When we combine the mitigation and response costs and the direct costs of espionage that could be measured, the total known cost to government, businesses, universities and the broader community in 2023–24 is estimated to be at least $12.5 billion. We estimate that tens of billions further in espionage costs may have been prevented through effective mitigation and counter-espionage activity. These costs are preventable – but only if appropriate action is taken to address the threat from those who seek to harm Australia’s national interests.
Total actual costs: $12.5B Direct costs of known or suspected espionage Public and private sector mitigation and response costs
Prevented costs: Tens of billions of dollars
