Local cyber industry stakeholders have welcomed the focus on sovereign capability in the federal government’s 2023-2030 Cybersecurity Strategy, but there are differing views on the how effective the government’s new plan and relatively low funding will be.
The government will attempt to build sovereign capability through a Cyber Challenge through the Department of Industry, Science, and Resources-run Business Research and Innovation Initiative (BRII), as part of a sovereign capability ‘shield’ in the national cyber strategy released Wednesday.
The established BRII program awards competitive grants to startups and small to medium sized businesses for the development of innovative prototype designed to tackle a challenge proposed by government. Following completion of the program, the government has the option to procure the solution.
Tech Council of Australia chief executive Kate Pounder said the program provides an opportunity for businesses developing novel capabilities “to trial them in partnership with agencies”, which conventional procurement programs that target of “well-established products” under set milestones do not provide.
The BRII program will also support early-stage cybersecurity companies by helping them find their first customer in government, which Ms Pounder said is an ongoing gap in other procurement and grants program landscape.
“I think the Industry Growth Program doesn’t give them a customer, it gives them a grant,” Ms Pounder said. Then the National Reconstruction Fund is really designed, obviously, for more established businesses with a proven product,” Ms Pounder said.
“[The BRII Cyber Challenge] is a really nice idea to provide an avenue for an Aussie business with a great idea who’s just looking for that first customer to come and trial it with [government agencies].”
Sydney-based cyber governance platform provider Averto’s chief executive Ian Yip said he was “pleasantly surprised” to see the new cyber challenge included in the strategy, which puts a bit more attention on “our ability to solve problems through innovative solutions”.
However, he criticised the government’s approach to industry development policy, arguing that “it seems the only way the Australian Government knows how to dish out money is via grants”. He also said he is concerned that the BRII could devolve “into a way for professional services firms to build bespoke solutions for agencies that cannot scale beyond that organisation”.
Tesserent chief executive Kurt Hansen said it is a good start that the BRII is “embedded in the strategy” but the commitment to its sovereign capability ‘shield’ of $8.6 million over four years “seems a little low”.
“There will probably be more funding available over time. The government has launched a strategy from now to 2030 so it’s not like everything has to occur in the next one year,” Mr Hansen said.
CyberCX industry director for health and former Australian Capital Territory minister for Health Meegan Fitzharris said supporting sovereign cybersecurity capability is a “tide that lifts all boats”.
She also welcomed the commitment to implementing mandatory standards for consumer grade internet-of-things devices along with a voluntary labelling scheme. However, she noted that “a lot of industries have industrial operating technology”, which was not explicitly addressed in the strategy.
“In the health sector, the next frontier is around medical devices…it’s critical that we take a really good hard look at medical device technology and ensuring security around the operations and the data that is processed through these medical devices,” Ms Fitzharris said.
She also welcomed the commitment to launch a pilot threat sharing platform for the health industry. Stephen Beaumont, the chair of not-for-profit intelligence sharing platform Critical Infrastructure Information Sharing and Analysis Centre (CI-ISAC), said there is “little need for pilots”, noting that they have existed in the United States since the early 1990s.
“The two founders of CI-ISAC had been intimately involved in the operations of the US-based, Financial Services ISAC before establishing CI-ISAC, with one of them involved in the original design of the ASD-led CTIS program. We know how ISACs work in theory and practice,” Mr Beaumont said.
Mr Beaumont also cautioned against “the idea of having multiple, single-sector information sharing and analysis centres (ISAC)”.
“While single sector ISACs work in the US and globally due to scale, the relatively small size of Australia’s industry sectors will make single-sector ISACs less impactful…Having multiple, small, single-sector ISACs will mean duplication of functions, workforce and costs and, ultimately, reduced intelligence sharing,” Mr Beaumont said.
Australian National University Tech Policy Design Centre head Professor Johanna Weaver said Cybersecurity minister Clare O’Neil and the Albanese government should be commended for developing such a comprehensive national cyber strategy that covers all levels of the economy as well as acknowledging the “government needing to get its own house in order”.
“I think it’s really positive stuff. Of course, the biggest challenge with a strategy that is as broad as this is going to be its implementation,” Professor Weaver said.
“I’d normally say the devil was in the detail. In this case I think the devil is definitely going to be in implementation.”
She reiterated her Centre’s call for greater coordination across ministerial portfolios and across regulators. She also noted that several initiatives highlighted in the strategy are already ongoing as a part of the privacy review, digital identity reforms, and digital verification reforms.
“At all three of those levels, it remains to be seen whether [coordination] is happening in practice and implementation. I guess the proof will be in the pudding when we see how these are being led,” Professor Weaver added.
Financial Data and Technology Association interim regional council chair for Australia and New Zealand Mathew Mytka also noted that the strategy is “impressive with its breadth and depth, reflecting a commendable proactive stance by the Government”.
However, he said that it missed the opportunity to call for the decentralisation of data storage. Mr Mytka argues this “enhances security by dispersing data points [and] reducing attack surfaces”.
He also highlighted that the strategy did not consider the environmental impact of cybersecurity and argued that it could “greatly benefit from incorporating principles of sustainable technology use…to lessen the environmental footprint of our digital infrastructure”.
