It is a national security transformation that reaches from shipyards and advanced engineering firms to small local suppliers, legal practices, cloud providers and the cyber controls that underpin them.

The scale of that transformation is especially evident as the trilateral AUKUS relationship matures. Visits like that of HMS Anson to HMAS Stirling are highly visible milestones, but the harder work of securing the industrial base that supports those vessels over decades unfolds well away from parades and handshakes.

Yet Australia’s journey towards operating and sustaining a fleet of nuclear-powered submarines is often told through images of shipyards, steel hulls and visiting allied vessels.

The reality unfolding behind the scenes is far more complex. Beneath the surface of the submarine program sits a vast ecosystem of workers, companies, data systems and security frameworks that must be built, secured and integrated not only within Australia but across the trilateral partnership of AUKUS. The scale of that transformation becomes clear when listening to the practitioners working at the coalface of the defence industrial base.

Among them is James Rabey, principal consultant at Macquarie Government, whose work places him directly at the intersection of national security policy, industrial capability and cyber defence.

From Rabey’s vantage point, the challenge is not merely technological – it is structural, human and systemic.

A supply chain far larger than expected

When people think about defence industry, they typically imagine major primes, advanced weapons systems and highly specialised engineers. Yet the reality of the submarine industrial base is far broader.

As Rabey explains: “I work with a lot of government agencies and some of the supply chain as well on helping them actually meet the cyber security standards for classified data … ensuring the integrity and the safety of the data that the government or the Commonwealth handles on behalf of citizens.”

That supply chain extends far beyond the obvious defence contractors. The industrial ecosystem behind the submarine program includes engineering consultancies, construction firms, professional services companies and a wide array of small and medium enterprises that may not have previously considered themselves part of the defence sector at all.

“What we’re seeing is not necessarily really exciting quantum and your other sort of buzzword bingo, but more of the prosaic stuff,” Rabey says. “If you think about our defence forces and what they consume, there’s a massive supply chain out there.”

This reality creates both an opportunity and a challenge.

On one hand, AUKUS is opening the door for thousands of Australian businesses to enter the defence ecosystem. On the other, many of those businesses are encountering national-security requirements they have never previously faced.

“What they’re realising fairly quickly is that there’s this DISP entry criteria and a lot of them don’t know where to start, let alone how to actually get there,” Rabey says.

In other words, the industrial base supporting Australia’s submarine capability includes everything from highly specialised engineering firms to everyday service providers.

Uniform suppliers, technology vendors, infrastructure contractors and professional advisers all form part of the broader network required to sustain defence operations.

The security gateway to the defence supply chain

The principal mechanism governing entry into Australia’s defence industrial ecosystem is the Defence Industry Security Program, or DISP.

DISP establishes security standards across three major areas: personnel, facilities and cyber security.

According to Rabey, many organisations entering the defence sector are encountering these requirements for the first time.

“There’s three main components that you need to bring up to speed,” he says. “First of all, personnel … at a minimum, you need to have two people go through government security clearance and have specific roles in the oversight or the operations of their cyber security.”

The second element concerns physical infrastructure.

“You need to actually get those physical facilities, offices, storerooms, warehouses and the like up to a certain level as well.”

The third pillar, and the area where Rabey spends much of his time, is cyber security.

For companies that have never handled classified information before, these requirements represent a significant step change in capability and mindset.

Many organisations, he says, initially encounter the DISP requirements and simply ask: “Where do we begin?”

“They’ll look at that and go, ‘OK, this is a lot. Where do I start?’”

The weakest link

The reason these standards exist is straightforward. Defence supply chains are only as secure as their weakest participant.

“If you think about the security that is required to maintain the safety and the integrity of the data that defence has … you need to have consistent level of security across the entire supply chain,” Rabey says.

“Think of it as a chain. When we talk about supply chain, you don’t want to be the weak link in the chain.”

That concept is especially important in an era of persistent cyber intrusion attempts from both criminal groups and nation-state actors.

The adversaries targeting defence systems are rarely seeking the most heavily defended networks first. Instead, they look for vulnerabilities in smaller organisations connected to the broader ecosystem.

Often, that vulnerability lies not in the technology itself, but in human behaviour.

The human element: Wetware

Cyber security professionals often talk about hardware and software as the primary components of digital systems. But Rabey points to a third, often overlooked factor.

“You can patch hardware, you can patch software, but sometimes wetware, human beings are the difficult, the more complex one to maintain.”

Human error has historically been responsible for some of the most serious information breaches in defence and government systems.

In such cases, cyber defences are designed not just to stop sophisticated hackers but to prevent ordinary mistakes from becoming catastrophic.

“One of the reasons you have these cyber security controls in place … is to mitigate against those understandable mistakes,” he says.

Even simple behaviours such as storing sensitive information incorrectly or falling for phishing emails can create vulnerabilities within otherwise secure systems.

And adversaries understand this.

“They’ll often go for the human first,” Rabey says.

Understanding the scale of the cyber threat

The scale of the digital threat environment facing defence industry is difficult to comprehend without real numbers.

Rabey provides a glimpse of that scale through the work his organisation performs monitoring and defending networks.

“On average for our customers, we block about a million attacks a day.”

Behind that figure lies an enormous volume of data and activity.

“We collect about 20 billion [security events] a day,” he says.

Many of those attempts are unsophisticated automated scans looking for open ports or outdated systems. But others are far more subtle.

Increasingly, adversaries operate slowly and quietly inside networks, sometimes remaining undetected for extended periods.

“What we’re seeing now is very low, slow attacks, longer dwell time, very sophisticated,” Rabey says.

Rather than launching obvious disruptive attacks, sophisticated actors may simply position themselves inside systems and wait.

“They’re not just in there for a quick buck anymore … they’re either state sponsored or they are part of the state apparatus.”

For a defence ecosystem handling sensitive technology and operational information, this reality underscores the importance of rigorous security practices across the entire industrial base.

Hard decisions for business

For companies entering the defence sector, meeting these standards involves strategic decisions that can reshape their entire organisation.

One of the most difficult questions businesses must answer is whether to transform their entire enterprise to defence-grade security standards or isolate a smaller portion of their operations.

“Am I doing this for my whole business … or am I doing it for part of my business?” Rabey says.

For firms where defence work represents only a small share of revenue, upgrading their entire organisation may be prohibitively expensive.

Instead, many companies choose to create secure “enclaves” within their business.

These enclaves isolate the part of the organisation handling defence work from the rest of the company’s operations.

“While creating the enclave is probably the simplest and therefore cheapest … starting it isn’t necessarily that simple,” Rabey says.

But even this solution involves significant investment, training and compliance requirements.

Security upgrades must not only be implemented – they must also be maintained indefinitely.

“There’s a cost to get there and it’s a cost to sustain.”

A workforce bottleneck

As with every aspect of the AUKUS program, Australia faces a complex and often overlapping ecosystem of workforce challenges.

Beyond technology and infrastructure lies another critical challenge: people.

Australia’s submarine enterprise will require a large workforce with specialised skills and security clearances.

Yet obtaining those clearances is itself a complex process.

“The clearance process is quite strenuous,” Rabey says.

Even preparing the documentation required for basic vetting can be time-consuming.

“Even prepping for baseline … being able to get your marriage certificate if you’ve been married for decades … tracking that down … takes time.”

As the defence workforce expands, this process may become a bottleneck.

“There is going to be a need, an increasing need for cleared personnel.”

For businesses seeking to participate in the defence supply chain, Rabey offers simple advice.

“Work out who those people are and get them to start to prep for that clearance process.”

Security as capability, not merely compliance

Perhaps the most important insight Rabey offers is that cyber security should not be viewed simply as a regulatory burden.

“Don’t look at those cyber security controls like Essential Eight as compliance,” he says.

“They are real practical controls to mitigate not only the risk against the Commonwealth, but the risk against your own business from cyber security threats.”

In fact, businesses that adopt strong cyber practices often see immediate commercial benefits.

According to Rabey, some organisations that implemented higher cyber security standards saw dramatic reductions in insurance costs.

“Reaching maturity level two of Essential Eight has reduced their cyber insurance by six figures.”

Security therefore becomes both a national obligation and a commercial advantage.

A national capability challenge

Ultimately, the development of Australia’s nuclear submarine enterprise is not simply a defence procurement project. It is a national capability challenge.

The submarines themselves may be the most visible element, but the success of the program depends on something far larger: a secure, resilient industrial base supported by skilled people and trusted systems.

From construction yards and engineering firms to technology providers and professional services companies, thousands of organisations will become part of the ecosystem that sustains Australia’s future submarine fleet.

Each must operate at security standards that match the sensitivity of the mission.

And each forms part of a chain where the strength of the whole depends on the resilience of every individual link. In this environment, the true significance of AUKUS becomes clear. It is not merely about acquiring submarines. It is about transforming Australia’s industrial and technological foundations so they can support a new era of strategic capability.

As Rabey notes, the journey may be demanding, but it is necessary.

“If you’re going to take part in the defence of Australia, you need to actually uplift your cyber security and your other security as well to meet that.”

In other words, the submarines may sail beneath the waves, but the real work of securing them begins on land, across an industrial ecosystem that must be as resilient and secure as the vessels themselves.