ARN

Government's $156M cybersecurity pledge a 'drop in the bucket': White hat hacker

Cyber resilience and workforce package isn't adequate
Michael Connory

Michael Connory

The Morrison government's election promise to spend $156 million to bolster Australia's cyber defences is a start but more like a “drop in a bucket," says Security in Depth's Michael Connory.

The “cyber resilience and workforce package” will include $50 million to hire more staff under a workforce expansion program; $40 million for a 'countering foreign cyber criminals' capacity within the existing Australian Cyber Security Centre (ACSC); and $26 million for ACSC to expand its assistance to the community.

Michael Connory, security advisor at Security in Depth told CIO Australia the fund is “nowhere near adequate” to help deal with the cyber threats facing Australian businesses and citizens.

“It’s significantly better than the other political parties are pledging, but it’s still not close to enough,” he said.

“$40 million focused on placing 230+ new cyber experienced staff for military cyber operations – while this is absolutely necessary, the figure probably needs to be doubled.”

Connory said at this time Australia "immediately" needs an additional 2,300 individuals to manage the $500 million cost of cybercrime that Australians lost last year.

“Also take into account the Australian Cyber Security Centre states that we as a country are losing an additional $400 million in lost revenue and wages [so] $50 million isn’t going to scratch the surface.

“If you then realise that by 2026 we will need an additional 18,000 cyber experts in Australia, we will in fact fall behind the rest of the world in how we protect our personal information as well as businesses protecting their assets – this could be anything from customer information, business IP, money,” he said.

Connory said that cybercrime is now considered one of the most significant global threats, according to a 2019 World Economic Forum report.

“This will start the process but it’s only a drop in the bucket. The government is putting away $40 million to hire 230 staff – that number of jobs is only 1.3 per cent of jobs needed," he said.

Connory said 18,000 cybersecurity staff at a cost of $2,778 per individual is not nearly enough. This works out to be about $40 million for 1.3 per cent and $50 million for the other 98.7 per cent (although government isn’t expected to pay wages for everyone), he said.

“The funding for training is exceptional, the funding to increase the capabilities of the ACSC is also needed -- again $40 million to increase capabilities of ACSC which will employ hundreds of staff and $50 million to help create 18,000 highly trained and experienced cyber professionals – is not enough,” Connory said.

“The money also isn’t addressing other serious requirements such as money to support Australian cybersecurity firms, more money for cyber security research, essentially improve the cyber security ecosystem.” 

Daniel Lai, chief executive officer at Canberra-based cybersecurity organisation, archTIS agrees that the government's latest monetary pledge isn't enough. Lai said it does little to directly improve the protection of government agencies from the growing risk of cyber attacks and breaches.

"This announcement does little to directly improve the protection of government agencies, industry or small business from the real and present danger that exists from malicious cyber actors. There is no preventative aspect to the announcement to deal with the threat today," said Lai.

"While it is needed, it is another ‘finger in the dike’ fix. Until there is a proper strategy to appropriately fund and address the enormity of the problem and introduce preventive measures for Government, industry and small business we will continue to see Australian national secrets and intellectual property stolen."

Australian Computer Society president Yohan Ramasundara told CIO the program shouldn’t be a standalone. 

"The Government should have a well rounded approach and be an enabler in stimulating and encouraging the development of cyber capabilities working in collaboration with other key stakeholders," he said.

He said Australia’s has a critical shortage of cyber security professionals and the government should be addressing this as an issue of priority. 

"According to ACS’ Australia’s Digital Pulse, Australia will need an additional 11,000 technical cyber security workers over the next decade," he said. "We need to develop a sustainable pipeline of cyber-related skills to facilitate future growth as a matter of course, not as something dependent on the result of an election."

Ramasundara said more investment in this critical area is needed now from increasing school students’ participation and performance in STEM subjects as well as earlier development of logic and critical-thinking skills -- through to offering and improving courses in cyber security in the tertiary and vocational education sectors and also attracting non-traditional tech professionals to undertake studies in cyber security.