Procurement power and cybersecurity capability

Denham Sadler
National Affairs Editor

The federal government should use its significant procurement powers to improve cybersecurity across the economy and stimulate innovation, according to a new report from the Australian Strategic Policy Institute.

The report, penned by Australian Strategic Policy Institute (ASPI) fellow Rajiv Shah, found that the Commonwealth could better harness its large spending to improve its own cybersecurity and that of the wider economy. He says the government should look to establish a single set of expectations for suppliers, incentives for bidders and establish a sovereign capability framework.

Federal ICT procurement rose from $5.9 billion in 2012-13 to almost $10 billion currently, and this power should be used to facilitate and uplift in cybersecurity in companies across industries to address the current issue where suppliers aren’t incentivised to provide strong security.

cybersecurity electronics
Buying power: Using procurement to build Australian capability and security

“Its position as a major buyer potentially provides significant market power that could be used to address some of these challenges. In an environment in which resources for cybersecurity are very limited, this could have the advantage of leveraging other existing budgets for ICT procurement,” Mr Shah said in the report.

“With the right approach, there’s a real opportunity to stimulate innovation and new developments. If government can define the security outcomes required, that can encourage suppliers to compete to develop the most effective and value-for-money approaches to delivery.

“The most innovative approaches can then provide a market differentiator for the supplier that helps them to build business in the private sector, the export market, or both.”

The current procurement approach is fragmented and does not adequately emphasise sovereign capability or innovation, the report found.

“Government has limited human and financial resources and so needs to use them as effectively as possible. The significant overall ICT procurement spend by government represents an opportunity to do so but is currently hampered by a fragmented approach, differing standards and regulations, and procurement approaches that don’t facilitate value being attached to innovation security approaches and sovereign capability,” it said.

Procurement was only mentioned once in the federal government’s recently released 2020 Cyber Security Strategy, which signalled the creation of new supply chain principles for decision-makers and suppliers which would “encourage security-by-design, transparency, and autonomy and integrity in investment, procurement and security”.

The report made a number of recommendations to government, including the introduction of a single set of standards to assess the cybersecurity of suppliers to be used across government procurement.

It said this needs to be more than just a tick-box exercise and should not be a pass or fail grade but include a number of graduated levels. There also needs to be an independent test to determine whether a supplier is compliant, and an evaluation facility.

The government should also make it mandatory for suppliers to have cybersecurity insurance, Mr Shah said.

“For all government procurements of IT products and services, suppliers should be mandated to have appropriate cybersecurity insurance cover, thereby ensuring that there’s a price signal for risk,” he said.

The government should also look to establish a sovereign capability framework, the report found, which would identify which technologies are strategically important to develop locally and use that to guide its procurement and investments.

This would ensure there are market opportunities for local companies of all sizes, and for local capability to be established in sensitive sectors, the report said.

A secure cloud-based environment should also be launched for contractors working on government jobs, the report said.

“This would allow companies to process, use and generate data using suitable technologies to assure separation from the host systems of the supplier,” it said.

“This approach should not only provide better assurance of data privacy and integrity, but, by reducing the overheads of individual businesses implementing their own controls, should reduce the costs effectively charged by suppliers to government for compliance.”

Do you know more? Contact James Riley via Email.

Leave a Comment

Related stories