Everyone agrees that government and industry collaboration is key for effective cybersecurity, but exactly what this looks like, how it is to be achieved and when it will happen has taken a while to take shape.
In 2016 the Commonwealth issued a new cyber security strategy paper, which committed the government to enabling innovation, growth and prosperity for all Australians through strong cyber security.
One of the five key themes established as a result was “a national cyber partnership of governments, businesses and the research community.” Whilst arguably long overdue, the strategy was broadly welcomed by industry, especially as the words were backed up by significant funding of $230 million over five years, in addition to cyber defence funding of $400 million already included in the earlier Defence White Paper that same year.
To make best use of these resources, industry and government will work together in complementary ways and minimise overlap, but initially there was slow progress in defining how this would work. In the early days after the strategy was published many of the initial spending announcements seemed to focus on increasing headcount in the public service. Given the well-understood skills shortages in the cyber security industry, it was clear that approach would not be sustainable.
The last year or so has seen a welcome change in the right direction. This has been helped by organisational change – following the 2017 Independent Intelligence Review, the role of the Australian Signals Directorate (ASD) has been elevated to a separate statutory agency, the Australian Cyber Security Centre (ACSC) is now part of ASD, and both ASD and ACSC have strong leadership teams in place.
ACSC has made approaches to market for capabilities such as threat intelligence sharing platforms and secure DNS implementation. These are good examples of areas where there are mature commercial capabilities, and it is refreshing to see government looking to find the best solution available from industry rather than trying to build a bespoke capability of its own.
To build a truly effective engagement model, the next step is to set out a technical capability strategy to define the different engagement models depending on the complexity and sensitivity of the capability. For example, there will always be some capabilities that are the “crown jewels” of an agency such as ASD, which they will want to ensure are developed and controlled in-house. At the other extreme, there are capabilities with a broad range of commercial off-the-shelf solutions for which government just needs to be an intelligent purchaser.
But what about the various grey areas in between? These need to be categorised and different industry-government engagement models defined accordingly. In parallel with the above developments in cyber security policy, the government has also been progressing its Defence Industry policy, including last year identifying sovereign industrial capability priorities (including cyber). Plans are now being developed for these priority areas and may provide a route to set out this type of framework.
For more on this topic, see the May edition of ADM.
Note: Rajiv Shah is the Australian Country Director at Net Consulting.