Replacing vulnerable but nationally critical information-technology systems takes too long. Australia should follow the United States and subsidise their replacement.
While old systems of national significance (SoNS) remain in place, they’re magnets for foreign powers that want to cause damage. US experience has shown that policy, funding, deadlines and reporting can overcome the reluctance to replace systems that need replacing, but that still technically work and are expensive and risky to change.
SoNS sit in parts of the economy we cannot afford to lose: government, telecommunications, energy, ports, transport, health, banking and the data services that connect them. Operators need to keep services running and costs down. Major refreshes are disruptive and expensive.
That is why legacy technology survives well past its use-by date. It may be out of vendor support, full of known flaws or held together by specialist knowledge that is about to retire. Yet it stays because replacement competes with every other operational priority.
Foreign intelligence services do not need a single perfect vulnerability. They look for weak links that persist for years, then chain them into an attack path. The risk is not one flaw, but rather a toxic combination.
Two recent attacks show what this looks like. In 2023, the China-linked Storm-0558 campaign accessed emails at several organisations, including government agencies, by forging cloud authentication tokens. This was a result of a combination of identity and control-plane failures, not a single compromised server. In late 2025, Shai-Hulud malware attacks on supply chains showed how stolen developer credentials and poisoned packages could propagate on a global scale. These were different incidents, but they resulted in the same lesson: small trust failures compound into high-impact outcomes.
Legacy systems make these chains easier to execute. Older components are harder to monitor and patch, increasing dwell time and detection lag as well as worsening the economic effect when something goes wrong.
In Australia, the weakest links often sit in plain sight. In SoNS sectors—particularly government, health and environments involving operational technology—end-of-support servers, ageing network appliances and brittle vendor platforms remain common because replacement is expensive and risky. They don’t explain every breach, but they widen the window for adversaries to hide and pivot into higher-value identity, cloud and supply-chain pathways.
Shifting to cloud doesn’t automatically reduce systemic risk; it often reshapes it. Australia’s cloud-first push has spread critical functions across more services, identities and suppliers. Done fast, it can leave old and new technology side by side, connected by a maze of dependencies. Australia’s November 2025 warning about China-linked probing of telecommunications and critical infrastructure reminds us that serious actors are looking for seams.
The Australian Cyber Security Centre’s modern defensible architecture approach is a sensible answer to this reality. It has three core pillars: layered architecture clearly linked to business objectives; zero-trust principles, which encourage organisations to assume breaches and verify explicitly; and secure-by-design procurement and development. These aim to make complex environments defensible, but they are hardest to implement where risk is highest: on top of brittle, out-of-support components.
The US Federal Communications Commission (FCC) faced a similar trap in telecommunications. Smaller carriers had equipment from the Chinese companies Huawei and ZTE embedded in their networks. Replacing it was expensive and operationally difficult, but in the geopolitical context, reducing dependence on high-risk vendors was in the national interest. So Congress directed the FCC to run a reimbursement program, with completion timeframes and periodic progress reporting, to help eligible providers remove and replace high-risk telecom and networking equipment and services.
An Australian program along these lines would be broader than the FCC’s telecom-focused approach, so it should be tightly targeted and time-limited. As a ballpark, it could be less than A$10 billion over a decade for priority-driven upgrades. This is small compared with the cascading cost of a major SoNS disruption.
To limit cost and reduce free-riding, subsidies should look like co-investments, not blank cheques. They should involve eligibility gates, data comparisons to verify claimed progress, and reimbursement only after verified milestones are reached. Priority should go to end-of-support or unsupported components; products with repeated high-severity vulnerability trends; and systems embedded in high-impact pathways such as remote access, identity and management networks. Funding should come with assurance checks and deadlines, so that uplift actually happens rather than being endlessly planned.
This won’t fix everything. It won’t remove the need for better cloud governance or stronger security engineering. But it would shrink the pool of weak links that foreign powers can exploit, and it would make modern defensible architecture easier to implement in practice. When hostile states are probing critical systems, persisting with the oldest and weakest technology isn’t inertia; it’s policy. Australia can make a different choice.
