Despite the hoopla of the Government’s Cyber Security strategy announced in May for the next four years, the Government has expressed little interest in resourcing it effectively. ADM's Cyber Summit looked at some of the issues facing this sector.
John Hilvert | Canberra
The Strategy was unveiled in early May under five ambitious themes for action over the next four years to 2020:
- A national cyber partnership (annual cyber security meetings with Government and business leaders)
- Strong cyber defences (Operate Cyber Threat Sharing Centres and establish a portal)
- Global responsibility and influence (Globally champion open, free and secure cyberspace)
- Growth and innovation (Promote cyber security businesses and research)
- A cyber smart nation (Capacity building in cyber security skills and national awareness programs)
But without adequate resourcing, the strategy is little more than a series of disparate initiatives with little coherence or appreciation that adversaries, state or criminal, have been strengthening their own resources with increasingly sophisticated and effective attacks.
These sentiments, echoing a lack of direction and resolve, were highlighted at ADM’s Cyber Security Summit by two representatives from the Australian Centre for Cyber Security at ADFA (UNSW), who criticised the Government’s poor grasp of the Strategy’s requirements.
Professor Greg Austin said that, looking toward the year 2030 and beyond, the Australian Government should plan for cyber-enabled attacks on its sector, ranging from Darwin to Adelaide to Hobart to Brisbane to Toowoomba, RAAF Amberley and RAAF Richmond bases.
“It will not always succeed against every possible vector, … a cyber enabled war will not be sequential but be an avalanche,” he said.
Prof Austin identified defending critical infrastructure as the major gap in the Government’s policy on cyber security.
“We are not far behind the Brits. We are a long way behind the Americans. The US research community has a highly developed approach to the challenges of protecting its critical infrastructure in cyber space.”
He said it was tough enough to defend infrastructure in peace time.
“What would happen under more war-like environments?” he asked.
His colleague Professor Jill Slay pointed to the continued vagueness of how the strategy will be implemented and its lack of investment in academic centres of excellence.
“There are at least two agendas at play when academics and industry and policy makers come together and consider the issue of cyber security,” she said.
“One is driven by the needs of academics to publish, win grants and maintain their hold on niche research areas; the other is driven by our need for cyber warriors in industry and Defence.”
The educational policy vacuum in cyber security had been apparent since 2001, she said.
Yet there was no progress being made to develop Centres of Academic Excellence (developed in the US 20 years ago) or Academic Centres of Excellence (developed more recently in the UK).
There had been several failed attempts to establish a CRC on Cyber Security, she added. These had failed largely because there was no common view on the scope and extent of the issues to be researched.
The resourcing issue was also raised by Australian Information Industry Association (AIIA) CEO Rob Fitzpatrick when he challenged First Assistant Secretary, Cyber Policy and Intelligence Division, Lynwen Connick about its unusually meagre earmarked budget of $233.1 million over the next four years.
In comparison with the overseas initiatives of Australia’s partners, Fitzpatrick observed that some $5 billion was spent by the US and that the UK is spending 1.9 billion pounds.
“Is there a sense that the scale we are investing right now could be stepped up either further?” Fitzpatrick asked.
Connick responded that the $233.1 million was complemented by the Defence White Paper’s $400 million over 10 years to improve Defence’s cyber capabilities.
“It is building on a very strong base,” she said. “We invested early in cyber security capability in Australia. We have world class capability already.”
In fact, a re-reading of the Budget indicates that the sum of $233 million was based on Defence footing at least half of the bill by reallocating funds out of the Department of Defence's budget.
Budget papers reveal over $122 million of the $230 million plan will come out of existing Defence coffers. The funding reallocation is rationalised as complementing the initiatives of the 2016 Defence white paper to enhance Australia's cyber capabilities and increase the cyber workforce.
Of the strategy's remaining $233 million-odd price tag, $38 million had already been committed out of the government's national innovation and science agenda. The rest will be paid for variously by the nine portfolios with a role to play in its implementation.
Some $82.3 million of former Defence funding will be handed over to the Attorney-General's Department to pay for the establishment of joint cyber threat centres, the expansion of the Computer Emergency Response Team (CERT), a cyber security awareness campaign, and the development of best practice cyber security guidance.
Defence is also expected to absorb $51.1 million, which comprises the cost of: relocating the Australian Cyber Security Centre; conducting ‘cyber security assessments for Commonwealth entities’; and identifying ‘cyber vulnerabilities in the Commonwealth systems’.
There is no new cyber security funding for the Department of the Prime Minister and Cabinet, the Department of Communications and the Arts, or the Department of Foreign Affairs and Trade (DFAT) – for example, the cost of creating the Cyber Ambassador role will be absorbed by DFAT’s existing budget.
The consequences of inadequate funding for cyber security programs are that the strategy is effectively symbolic and unlikely to accomplish its worthy objectives.
Government's departmental systems are not as well protected as they should be, and we can anticipate resources will be wasted as each agency independently devises measures to protect itself once the so-called ASD top 4 initiatives are complied with.
Moreover, industry and academics will draw their own conclusions on the priority the strategy is being given in funding terms.