
Australia must take cyber security opportunity

Australia may never be able to create an IT industry like that in the US, but it can lead in cyber security

This article can also be found in the Premium Editorial Download: CW ANZ: Using gamification to build cyber security skills

Australia has a once-in-a-generation opportunity to develop a strong and internationally competitive cyber security sector.

Speaking at the inaugural SINET61 Summit in Sydney – which brought together industry, academics, policy makers and corporate users – Alastair MacGibbon, special advisor to the prime minister on cyber security, acknowledged that Australia can't create a Silicon Valley, so should instead focus on creating “boomerang businesses” which go offshore to build scale and experience, but with solid local foundations to ensure that they return.

To that end Data61, which is the combination of the National ICT Australia body and the ICT arm of the Commonwealth Scientific and Industrial Research Organisation (CSIRO), is spearheading the Cyber Security Industry Growth Centre. Funded to the tune of AUD30m through to 2019-20, the Cyber Growth Centre is intended to bring together researchers, the government and industry to build businesses able to tap into the international cyber security market, which it estimates is worth $71bn a year and growing 8% annually.

Adrian Turner, CEO of Data61 and joint chair of the Cyber Growth Centre, told delegates at SINET61 that the organisation had completed industry consultation and submitted its business plan to the government. He expects to formally kick off operations in the next few weeks, with the intent to become the peak industry-led body for cyber security in the country.

Turner said that the intent of the centre was to help keep Australia “cyber-safe” while creating a vibrant domestic – but globally competitive – industry. “Cyber is a tech issue but it's a business continuity issue first, as every part of economy becomes data driven,” he said.

SINET61 is the Australian chapter of the emerging global SINET community which receives support from the US Department of Homeland Security. The community, which is also active in Europe, is intended to spur innovation and support global collaboration between both public and private sectors to defeat cyber security threats.

Risk-averse culture

The organisation’s founder and chairman, Robert Rodriguez, travelled to Australia for the summit in Sydney and a related cyber security investment conference in Melbourne. While optimistic about Australia’s progress with cyber security, he warned that to his eyes Australia “seems to be a very risk-averse culture, and that will suffocate innovation”.

Rodriguez said that in the US, government policy had made a major contribution to innovation over many years and that initiatives such as a reduction in capital gains tax and relaxation of rules surrounding pension fund investments had been instrumental in creating the Silicon Valley innovation environment.


Developing a strong local cyber security sector is nevertheless the first of the 33 initiatives detailed in the Federal Government’s AUD230m cyber security strategy unveiled earlier in 2016. The strategy is intended to deal with what MacGibbon described as “complex threats and complex challenges”.

He has, however, been sidelined for the past month as part of the team investigating the failure of the online Census system. MacGibbon confirmed there had been a number of small distributed denial-of-service (DDoS) attacks launched against the Census site, which had triggered the decision to shut down the system to protect data.

He noted that the “impact in terms of trust and confidence will last a significant period”, and that the “comparatively small DDoS will have lasting impact on government and shows there is a lot to learn for the business community”.

Under attack like never before

If the business community isn’t already aware of the cyber challenges ahead, it was forcefully reminded by Dawn Meyerriecks, deputy director of the CIA’s Directorate of Science and Technology. She warned delegates at the conference that “the things we hold dear are under attack today in a way like never before”, adding that “this is an existential threat we must deal with collectively”.

Meyerriecks said that earlier approaches of security through hardened perimeters were no longer possible, as globalisation challenged the very basis for thinking isolationism could still be a successful strategy. She encouraged organisations to focus increasingly on resilience rather than slavishly seeking protection, ensuring that even if attacked they could respond and regroup quickly.

Other speakers also outlined the need for continuous assurance testing – to make sure an organisation’s infrastructure was as well protected as possible, that it had trained people and optimised processes, and maintained a practiced response plan.

Meyerriecks said the world’s major datacentres and cloud computing providers protected themselves by changing their configuration every 20 days or so to alter the attack surface, but she acknowledged that was possibly beyond the capabilities of most enterprise IT organisations.

Knowledge gaps remain

While the importance of cyber security is better understood by corporate Australia than in the past, there are still knowledge gaps, according to Australian Securities and Investments Commission (Asic) commissioner Cathie Armour. She said: “I would encourage board members to lift their basic capabilities – we don't expect everyone on the board to be at an audit standard, but there is a level of education incumbent on directors.”

Armour added that Asic would increasingly test the companies it regulated, and had already probed the cyber resilience of both the Australian Securities Exchange (ASX) and Chi-X markets.

Amanda Harkness, group general counsel and company secretary of the ASX (which passed the resilience test), said that the organisation trained both directors and staff on cyber risks, had implemented the Australian Signals Directorate’s top-ranking security recommendations, and also tracked response times to real security incidents.

Westpac group chief information security officer (Ciso) Richard Johnson also stressed the importance of greater collaboration regarding cyber security. “The key principle is that against a common enemy a co-ordinated response is the only sensible approach. It has got to be national, international and an ecosystem that needs to work together.”

While this had happened at a relationship level with bank Cisos sharing operational threat intelligence, for example, he said that such was the pace of attack there was now a need to institutionalise cyber information sharing using automated tools such as Stix (Structured Threat Information eXpression) and Taxii (Trusted Automated eXchange of Indicator Information).

Speakers at the summit also called on the government and industry to work together to support more specialist cyber skills development. Estimates were that at least four times the number of cyber skills would be needed over the next three years.

Johnson said that a career as a cyber specialist was an exciting one, and that those who pursued it could be guaranteed never to be bored. “White-knuckle scared, but never bored,” he quipped.
