The process of developing a national cybersecurity capability requires a complete overhaul of technology and R&D processes that will take 10 to 20 years to complete, according to a government-security academic who warns that it will be “problematic” if Australia fails to retain a leadership role in the fast-evolving transformation.
Australia has always been “a little bit backward” in general ICT posture and military planning around cybersecurity, Dr Greg Austin, a visiting professor at the UNSW-ADFA joint venture Australian Centre for Cyber Security (ACCS), told CSO Australia in the wake of a recent conference exploring forward requirements for Australia's cybersecurity capability.
Improving that capability would require the kind of candid public discussions that the government had historically shied away from in the name of security, Austin said, noting “reluctance in the highest levels to embrace these ideals publicly.”
Growing concern over cybersecurity – and an ever-growing hit list of successfully hacked organisations – had increasingly led to demand for “a clear public strategy from the government”, Austin said, so that the academic and research community “can do all that we have to in terms of public research, mobilising the industry, and mobilising the population in terms of having people knowing what we're doing and training up for it.”
Investments in skills and R&D would have a direct impact on the ability of Australia's military complex to adapt to the rapidly evolving cybersecurity theatre – where the development of new methods of cyberwarfare was a high priority that “is as big a change for most militaries as was the introduction of the air force,” Austin said.
“It's a whole new way of fighting and thinking, and a whole new set of technologies. It's a process that will take 10 to 20 years to put in place – and if Australia is not a technology leader in that it will be even more problematic.”
The ACCS and UNSW this week opened enrolment to a Master in Cyber Security, Strategy and Diplomacy course that will begin in February and complements the existing Master in Cyber Security and Master in Cyber Security Operations degrees.
Australia's academic community would need to bring sets of skills to the government's military mission, Austin warned, with students enticed to embark on cybersecurity-related careers and government recruitment and training policies key to bolstering what he said is a quite sub-standard R&D community at present.
“The bad news for Australia and the ICT sector is that we're performing quite badly” in cybersecurity research, he warned. “It's one of the few research fields where Australia is below the world average in terms of citations for research.”
“There is a high degree of disaffection with the way we teach IT,” he said. “We're such a dumbed-down country when it comes to innovation and we've been falling behind. Giving a much higher priority to innovation across the country, and innovation for defence in the ICT sector, would help enliven that educational experience for people.”
Systemic inadequacies in cybersecurity training have long been a sticking point across the security industry, with skilled professionals in such demand that even an academic centre of excellence like ACCS has struggled to get all the skilled staff it wants. Security-industry organisations have been vocal on the issue, with the likes of Cisco Systems, Earthwave, and Securus Global warning of the need for change and recent surveys showing that cybersecurity is not attracting the necessary salary premiums and that it has a serious brand-recognition problem amongst young Australians.
Cybersecurity skills development policy needed to not only focus on attracting students when they are young, Austin said, but also to focus on building bridges between public and private-sector organisations so that the government can call on private-sector skills when they are needed urgently.
This meant that Defence and other departments faced a decision “about what parts we can import and what parts we need to produce ourselves,” he said. “There are a lot of Australians working overseas for these high powered companies.”
“If only we knew where they were, we could call on them at times of crisis – but we don't have a clue where they are. We're contributing to the global stock of knowledge in areas of interest, but we don't have any mechanisms for calling on them if we get into a conflict.”
Building those pipelines would take time and cultural change, Austin said, but in the short term government agencies needed to accept the need for “fresh thinking” around Australia's cybersecurity policy – and to be prepared to stump up the funding it requires to execute on this planning.
“It is a matter of urgency,” he said. “There's arguably a premium you have to pay for readiness that you don't normally have to pay in respect of preparing conventional armed forces, but if we're prepared to spend $1b on a submarine maybe it's time we consider the same for cyber defence. Hopefully, as we move forward in the cyber defence and cybersecurity sector, we'll play a part in what will hopefully be a rethink of Australian innovation.”