Australia could see the formation of a cyber security alumni network that would bring the country’s best and brightest digital security brains into play to combat a national cyber emergency.
The idea of a cyber alumni network was floated by Sandra Ragg, the Assistant Secretary Cyber Policy at the Department of the Prime Minister and Cabinet. Ms Ragg was speaking at the Cyber Security Leadership Imperative 2017 event in Sydney this week.
“What we are interested in is how do you bring skills that exist across Australia to national level problems,” said Ms Ragg.
“This is a capacity to potentially access a ‘surge capability’ in the event of a major cyber security incident and tackle significant threats to the nation. It would also give us the capacity to crowd source new ideas for us as a community in a trusted network.”
While Australia has cyber information sharing and response mechanisms in place such as CERT Australia and other organisations, there was a need for a more over-arching structure that could draw on a wide range of expertise to handle major national threats.
“None of these things really scale for us,” Ms Ragg said.
“We are thinking about a concept like cyber alumni as a way we can scale that transfer of skills between the public and private sector and build the capability and trust between organisations.”
There are already cyber reserve units established in other countries, usually under military command, and such forces have been talked about here.
But Ms Ragg believes we need a more encompassing structure. “Our view is it should be broader than a defence concept. What we are looking at is something that works for us as a national capability.
“It’s about allowing government and employers staying connected with former employees and their expertise. We could create a flow of experts to operate between different sectors.”
The cyber alumni network idea was part of a wider challenge in ratcheting up the country’s cyber security skills.
“Our capacity to address the skills challenge is the key to our success as a nation,” said Ms Ragg.
“We need people who can adapt to a fast-paced environment: expert developers, testers, incident responders, product innovators. People who understand how technology intersects with business investment and business risk. That’s the really critical piece.
“We also need to have the capacity to think about cyber risk in a range of different roles such as mine as a policy expert, legal advisors, our diplomats, business risk advisors, trade negotiators – the list goes on.”
Ms Ragg said the Federal Government’s new $47 million Joint Cyber Security Centres program would help the intersection of industry, government and law enforcement in tackling cyber security problems. The first centre opened in Brisbane in February as a pilot, with others to follow in Sydney, Melbourne, Adelaide and Perth.
The cyber alumni idea would help accelerate the flow of information through the Joint Cyber Security Centres.
Craig Davies, one-time head of security for Atlassian and now CEO of the Australian Cybersecurity Growth Network, told the Cyber Security Leadership Imperative 2017 event that Australian boards needed to sharpen their cyber game.
“In Australia over the last 12 months we have started the movement of the conversation around cyber from it should be done by the guy in the corner wearing a hoodie to a conversation in the boardroom,” said Mr Davies.
He said cyber risk complacency was a problem for Australian organisations.
“We still live in a culture here which says it should be OK I’ll just go and buy a cyber something. There’s always someone who wants to sell you one, usually in a range of colours and then six months later the company is still no stronger than it was and opportunities have been lost.”
Part of the problem here is that while board level understanding of traditional risk areas is solid, boards have yet to properly grapple with cyber security issues.
“To really take advantage of those opportunities we need to make sure the conversations around cyber are in the board room and treated in the same degree of importance as the ones we are having around finance, law, HR and occupational health and safety.”
Mr Davies’ baby, the ACGN, is part of the answer, he maintains.
“The Growth Network was created with really one clear mission – to create a vibrant cyber industry in Australia.”
“We are not just about startups, we are about finding those pearlers of companies that are around and looking for the opportunities to grow a native capability that is aligned to the needs of our nation.”
There is a new legislative stick prodding boards into action: the mandatory data breach legislation, which passed through parliament in February and becomes active in February 2018.
Under the legislation, organisations and Commonwealth Government agencies must notify the Australian Privacy Commissioner as well as affected individuals at risk from a breach.
Civil penalties for not complying range up to $360,000 for individuals and $1.8 million for bodies corporate.
The advent of the legislation has already caused a major uptick in cyber risk insurance, which has become the fastest-growing commercial segment of the Australian market, according to the Insurance Council of Australia.