The Australian government's new cyber security strategy does not go far enough in either scope or spending to address the "pace and scale" of emerging threats to the country, according to two University of NSW cyber security professors.
Professors Greg Austin and Jill Slay today published a discussion paper outlining a proposed policy agenda for the next federal government in dealing with cyber security, in response to the new national strategy released in late April.
The paper argues that Australian allies like the US and UK consider cyber security to be among their highest national priorities, but Australia does not.
The UNSW professors categorised Australia's cyber posture as "lagging" in terms of policies to counter cyber crime, protect critical infrastructure, and provide world-class research and education.
"Immediate" action is needed to better protect Australians from cyber criminals, Austin and Slay wrote.
They criticised Prime Minister Malcolm Turnbull's preface to the cyber security strategy as "lacking contours and baselines".
In the preface, Turnbull labels the scale and reach of malicious cyber activity as "unprecedented" and notes increasing and evolving threats, warning Australians to be prepared for an undisclosed "significant cyber event".
"The strategy’s commitment, one of five major undertakings, to ensure 'Australia’s networks and systems are hard to compromise and resilient to cyber attacks' is one that will not be achievable for a decade at least because of the threat trends and the low level of global preparedness attested by leading international authorities and Australia’s own ASIO, various Defence Department reports and independent assessments of them," Austin and Slay wrote.
While the strategy is "ambitious" and "mature and nuanced", the professors wrote, it is not matched by adequate spending to deal with the issues detailed in the document.
The government has allocated $230 million to the strategy, with more than $122 million shifted out from the Department of Defence.
Conversely, US President Barack Obama has proposed a US$5 billion (A$6.62 billion) hike in cyber security funding for the fiscal 2017 budget to US$19 billion, while the UK government last year announced plans for a £1.9 billion (A$3.5 billion) investment in cyber security.
The UNSW professors, however, applauded the government for measures like joint threat-sharing centres, the creation of high-level cyber positions within the government and public sector, and commitments to expand the resources of the Australian Signals Directorate.
But many of the strategy's commitments are "fairly generalised and lack granularity", the professors wrote, such as vague promises to increase the number of cyber security graduates and women in the industry.
"The strategy gives no strong sense of when we might expect to see impacts from the measures announced on the security in cyber space of Australian citizens and enterprises," Austin and Slay wrote.
They said the strategy could not be considered mature until the government openly discusses the threat scenarios the country currently faces and has developed responses to such situations, or until it establishes a civil defence strategy to respond to an "extreme cyber emergency".
The professors made seven recommendations for the government to improve Australia's cyber security posture.
It should develop a cyber defence league similar to that seen in Estonia to address awareness and capability deficiencies; Australia should either join NATO's cyber centre of excellence or build its own version in APAC; and the states and Commonwealth should honour a 2010 commitment to provide comprehensive statistics on cyber crime investigations and prosecutions.
A national cyber crime fighting unit should be created and funded with at least $20 million per year to help capture and convict more cyber criminals, Austin and Slay said.
And a cyber advisory board should be established to communicate future threats and advise on responses; a private-public working group should be set up to create a strategy for handling critical infrastructure; and a national cyber security college should be established to deal with cyber skills issues, they wrote.