The lack of focus on the local industry in the government’s $1.7 billion cybersecurity strategy is “frustrating” and a “wasted opportunity”, according to CyRise chief executive Scott Handsaker.
The strategy was finally launched late last week with a focus on protecting the nation’s essential infrastructure from cyber-attacks, handing additional powers to police to fight crime on the “dark web” and efforts to improve the cyber resilience of small businesses.
The vast majority of funding for the strategy had already been announced and is re-appropriated from the Defence budget. The funding is spread across the next decade.
The strategy received a lukewarm reaction from the cybersecurity industry, with concerns over a lack of detail, set timeframes and deliverables.
The strategy pays no attention to growing the local cybersecurity sector and does not include any efforts or incentives for startups and tech companies.
This is frustrating and discouraging for the local sector, Mr Handsaker said.
“There is very little focus on the importance of startups or innovation in this document. This must be discouraging to all those homegrown founders working hard to grow new businesses and who have the hunger and ambition to compete globally,” Mr Handsaker told InnovationAus.
“The government does at least recognise that cybersecurity is critical to the economic future of Australia. But either they don’t think that a local ecosystem of companies is critical, or they don’t think it is necessary for the government to assist. I couldn’t disagree with them more.”
While the 2020 strategy focuses on Australia’s offensive and defensive cyber posturing, the previous iteration from 2016 looked more at how to nurture the local sector. Mr Handsaker said the cybersecurity industry has a lot of potential but needs support from the government.
“Our local founders are at the very beginning of building what will hopefully turn into a sizable and important sector for the country, providing high-paying jobs for tens of thousands of Australians for years to come. But we cannot do it alone, and we cannot do it with policy that ignores how important sovereign capability is to the success of a nation,” he said.
“The government is missing the opportunity for us to be smart and agile, to better use and support local innovation to grow our sovereign capabilities. This is not an approach that will date. Sooner or later they’ll need to adopt it, so their hesitancy to bring it into focus is to the detriment of the strategy as a whole.”
There is a range of areas and a number of potential policies the government should be looking at to encourage the growth of the local cybersecurity sector, he said.
“They could have pulled any number of government levers on procurement, investment, grants, tax breaks, or incentives in order to help grow the entrepreneurial ecosystem for cyber security founders in Australia. That they chose to do almost nothing is a wasted opportunity,” Mr Handsaker said.
“If Australia really wants to fulfil its ambition to be a global player in the cybersecurity space, then the industry deserves better. We need to do more than defend and protect. We should also have the confidence to innovate and lead.”
Labor has also raised concerns that the strategy doesn’t include any policies or blueprint for growing the local cybersecurity sector, with shadow assistant minister for cybersecurity Tim Watts saying it’s a surprising omission that shows a “lack of vision”.
The funding provided in the strategy is not enough to protect Australians from the growing threat of cyber-attacks, especially in light of the COVID-19 pandemic, according to the Australian Information Security Association chair Damien Manuel.
“Four years ago one in four Australians were impacted by cyber-attacks, in the last 12 months prior to COVID-19 it was one in three. Considering the gravity of the situation the funding commitment isn’t enough to adequately protect Australians,” Mr Manuel told InnovationAus.
“I do understand the cash-poor environment due to COVID-19, but under the current conditions we can expect far more attacks on Australians and Australian businesses. The recently released Interpol report highlights a significant increase in attacks. Online scams and phishing have increased, disruptive malware, data harvesting and misinformation have all dramatically increased.”
To help guide the implementation of the strategy, the industry advisory committee will be made permanent. The members of this panel are yet to be selected, and Mr Manuel said it’s important that it actually reflect the local cybersecurity industry.
“The committee needs to be diverse and focused on the greater good of protecting Australians and Australian businesses rather than selling or implementing new technology solutions,” he said.
“My concern is that the same group of people will continue to guide the strategy, thereby missing the diversity needed from various sectors. I also don’t want to see vendors on the advisory committee.”
The strategy also flags that there will be “clear professional standards for practitioners”, and Mr Manuel said this risks becoming a money-making scheme.
“Cyber professionals, regardless of background, work experience, education or industry accreditation or certifications, will need to be accredited under some type of framework in Australia. Will this be done at cost to ensure it doesn’t become a money-making exercise and to ensure the integrity of the accreditation program?” Mr Manuel said.