Oz infosec boffins call for mature threat debate
The University of NSW / Australian Defence Force Academy-run Australian Centre for Cybersecurity reckons the government needs to tip AU$1 billion annually into cyber-security.
The centre reckons the AU$230 million the government intends to spend isn’t enough.
The reasoning is that our allies, such as the US and the UK, are more willing to pour money into the infosec-industrial complex. The paper states America’s spending (US$19 billion) is 400 times Australia’s (although US GDP is ten times Australia’s), while the UK spends £1.9 billion, ten times Australia’s cybersecurity spend, out of a GDP 60 per cent larger than Australia’s.
The paper (PDF), authored by professors Greg Austin and Jill Slay, also asserts Australia’s threat assessment is inadequate. For example, “the scale of threat as perceived in the United States is equally demonstrated by the declaration of a national emergency in cyber space two years running in April 2015 and 2016”.
Australia’s stance, as put forward by the Australian Cyber Security Centre (the ACSC), is far too sanguine, apparently: “The ACSC seems to be saying that since Australia has not been attacked, the country can be confident that it is secure in cyber space … Australia has probably been attacked and does not know it and it is no more secure, probably less so, than the United States from imminent and longer term future threats.”
So there’s a likely spat on the horizon between groups of infosec bods: those who think the budget is sufficient, and those who don’t.
+Comment: Vulture South can’t help but endorse the recommendation that the government has “an open and candid conversation in public with key stakeholders about the sort of threat scenarios we face, from military operations to privacy, from cyber crime to extreme cyber emergencies”.
At the moment, the maturity in the debate can be seen in the government’s cyber-security strategy, released early this year, which gives the possible damage to Australia from cyber-threats as being between $1 billion and $17 billion (page 15 of this PDF).
Error bars like that are nothing more than hand-waving.
The authors of the new paper also lament the state of cyber-security education, with nothing available in the TAFE sector. The paper recommends that a National Cyber Security College be established to produce 10,000 new professionals over “the next few years”, covering both TAFE and university-level training.