Outdated computer networks across federal departments leave Australia's essential public services open to a rapidly accelerating wave of next-generation hacker threats.
This structural weakness triggered urgent warnings from leading cyber security experts. They warned although replacing these legacy systems was entirely possible, the transition required immediate attention and funding.
Australian Information Security Association (AISA) board member Scarlett McDermott used a simple analogy to describe the huge technology gap facing these systems.
"Trying to perform modern security processes on a legacy system is kind of like trying to plug your 1992 Volvo into an electric car charger, sometimes they're just not compatible," Mrs McDermott said.
Old networks became so tangled up in daily office tasks over the years that replacing them required a significant shift in how the government operates every day, she said.
The 2025 Commonwealth Cyber Security Posture showed 59 per cent of agencies attributed the stalled rollout of essential security defences to their reliance on outdated technology, which lacked funding for a viable replacement.
A joint Mandala and Microsoft report found retiring the federal government's outdated technology could save Australia about $1.4 billion annually.
The technological upkeep made up to 40 per cent of their tech budgets to keep the systems alive, ignoring modern alternatives that cost about a quarter less to run.
AISA director Dr Rajiv Shah said the vulnerability of government agencies to future high-tech disruptions stemmed from unmaintained, homemade software.
Many departments ran programs that changed hands so many times over the years that "almost no one really knows how they work", he said.
Dr Shah, a quantum physics expert, said the original developers and designers of these systems "probably retired 10 years ago", leaving behind poor instructions and very limited internal understanding of how the systems actually ran.
Leaving these crumbling systems unaddressed created a major baseline danger regardless of any future technology shifts, he said.
This fragile set-up must now face the future threat of quantum computing.
Dr Shah said a quantum computer was a fundamentally different type of machine from standard computers, comparing the technology to giving a caveman a speedboat.
Although a speedboat would not help a caveman hunt or forage on land, it completely changed what was possible when they needed to cross a deep river to reach a brand-new island, he said.
He said quantum computing was not a magic wand that would make everything faster, but a specialised tool that would be powerful for certain types of problems that were very hard or effectively impossible for today's machines.
In a cyber security context, Dr Shah said the most important risk was that quantum computers could potentially break some of the encryption now used to protect web traffic and sensitive data.
A powerful, mature quantum computer could undermine some of the cryptographic protections that online banking, data transfers and government systems rely on today, he said.
To get ahead of the danger, the Australian Cyber Security Centre (ACSC) required government agencies to draw up a plan to find their weakest links by the end of 2026.
Under the security centre's guidelines, departments also had to calculate the total lifetime costs of any new technology, including budgeting for the skilled staff and security controls needed as the systems aged.
The Digital Transformation Agency's (DTA) Cloud Policy taking effect on July 1, 2026, established a unified framework to shift departments off these crumbling set-ups.
DTA deputy chief executive Lucy Poole said that the policy ensured agencies had the "direction, guardrails and technical foundations needed to move off legacy systems".
Dr Shah said he felt confident this deadline was entirely doable in a few weeks or months of focused work, as long as senior executives in those agencies actively supported the necessary staff and funding.
Even though agencies faced severe staff shortages, Dr Shah said they should hire specialists temporarily to train their own workers rather than completely handing over their security to consultants or external contractors.
Despite the scale of the challenge, Dr Shah warned against apocalyptic narratives about quantum computing.
It would not melt down the world, but Australia needed to start planning now so its infrastructure was ready for a quantum future, Dr Shah said.
In the meantime, immediate digital threats are growing just as fast.
ACSC head Stephanie Crowe said artificial intelligence tools completely changed and sped up the world of online attacks.
"The threat environment is changing in terms of the rate, scale and speed with which AI will enable malicious cyber adversaries to conduct activities against our networks and systems," Ms Crowe said.
Ms Crowe said that the best defences to protect government systems still came down to basic digital hygiene.
Using the government's basic security rules, like updating software quickly to fix known flaws, separating network systems and using a zero-trust set-up, remained the single most effective way to keep hackers out, she said.
To fight these double threats, Mrs McDermott said the federal government had to wield its significant financial power to force tech companies to build secure software from the ground up.
"The government spends over $20 billion in technology contracts on an annual basis, that's a huge amount of marketplace power," she said.
