Australian Government Cyber Security Review
At the request of the Department of Prime Minister and Cabinet, on 1 May 2015 the NSC hosted the second and final workshop for the Australian Government’s Cyber Security Review. Entitled ‘Research and Development in Cyber Security: Academia, Innovation and Policy’, the consultation brought together academics from multiple disciplines, as well as professionals from industry and policymakers from government, to discuss the challenges to Australian research and development in cyber security.
In March 2015 the NSC held a roundtable to discuss cyber security policy issues. Read the roundtable’s discussion paper here.
NSC Workshop Discussion Paper
Research and Development in Cyber Security: Academia, Innovation and Policy
In this paper we set out the topics and themes to be examined at the workshop. We hope these themes provoke discussion on policy recommendations that split across the roles and responsibilities of government, industry and academe. The three main topics are:
- Australia’s role in cyber research and development.
- Skills, education and knowledge.
- Fostering Australian innovation.
More generally, the questions that this workshop seeks to answer are:
- Could Australia’s research and development efforts for cyber security be better coordinated? Are there gaps in the current arrangement and what role does the Australian Government have in addressing them?
- How can the Australian Government better support thought leadership on cybersecurity to drive innovation? What are the linkages between innovation in cyberspace and the Australian economy?
Through these topics, themes and questions, we hope to encourage participants to consider the future challenges facing cybersecurity. The Review will examine potential cyber security policies for the next five years. In light of this, effective cybersecurity policy needs to be formulated today to address tomorrow’s complex problems before they emerge.
Cybersecurity is a top-tier national security priority. It poses both a risk and opportunity to business, government and the community in Australia. Online fraud is estimated to costs Australians $52.2 million a year (1). The global cyber security market is currently valued at between $75.4 and $100 billion; however we do not know the true value of the local cyber security market, but it must be large, given our post-modern services oriented economy (2).
For Australia to achieve the economic benefits of cyberspace, we need to reduce the costs of online crime. However, these threats are continually evolving. Online crime changes to try and overcome our current capabilities and take advantage of new technologies. To stay ahead, Australia and its international partners must support cyber security skills, education and knowledge in our broader workforce. Australia must also nurture a spirit of indigenous innovation, to broaden economic benefits of cyberspace.
FUTURE DEVELOPMENTS IN CYBERSPACE
Technological change is continually presenting opportunities and challenges that Australia must consider. Developments such as the Internet of Things (IoT), advances in computing power and distributed energy generation can either be disruptive events or enhance our collective prosperity and national security. While it is difficult to accurately predict where technology will go ten years from now there are several developments that are on the cusp of commercialisation that may serve as a guide to future opportunities and challenges.
We are racing towards a global interconnectedness through the Internet of Things (IoT). By creating a networked connection between and among people, processes, data and things, we will integrate our lives with technology in profoundly new ways. Internet-enabled devices can be embedded into everyday items like watches, bags, shoes and jackets, but it is the potential connections between our cars, thermostats, 3D printers and house-batteries that could revolutionise the way we produce and consume.
In 2013, it was estimated that by 2030 there will be more than 100 trillion sensors connecting the human and natural environment in a globally distributed intelligent network (3). Moreover, it has been suggested that IoT could generate $4.6 trillion in cost savings and revenue for the public sector and $14.4 trillion for the private sector between 2014 and 2024 (4). It has been noted that the upsides include enhancements to health, convenience, productivity, safety and vast amounts of useful information for people and organisations (5). Yet, some of the downsides include challenges to personal privacy, over-hyped expectations and technological complexity.
Perhaps the largest implication from the perspective of national security is the broadening risk surface of insecure IoT systems as these systems age. In order for Australians to feel the economic benefits of IoT, cybersecurity policy needs to evaluate how best to support education to drive innovation, research and development for internet-enabled devices.
There is a compelling argument to be made about the nexus between the growth of IoT, advances in renewable energy, and the distributed manufacturing of goods. These three features — communication, energy, and the transportation of goods have been described as “The Third Industrial Revolution”. Global society is now at a tipping point and about to shift to a new industrial era (6).
The precursor to the Third Industrial Revolution is the sharing economy that has allowed a generation of digital natives to produce and share music, videos, pictures, blog posts, free e-books and other virtual goods at near-zero marginal cost. Smart apps like AirBnB, Lyft, and EatWith allow participants in the sharing economy to carpool, or rent out their apartment, or cook an extra meal at dinnertime (with a small and nonnegotiable “suggested donation” of course) with almost limited marginal cost to the producer. Participation in the sharing economy blurs the traditional distinction between producers and consumers because:
- social capital is as important as financial capital
- access is as important as ownership
- sustainability supersedes consumerism, and
- cooperation is as crucial as competition.
The transition from the Second to the Third Industrial Revolution may be a gradual process that will take place over 30 to 40 years, but others think it may peak by 2035. Although it is a long time horizon, we need start planning now for the changes ahead.
Technological innovation has the propensity to feed off itself, compelling further change, which prompts the question: how do we, as Australians, manage the aftershocks of disruptive technologies? And what policy responses, in government, industry and the academy will best harness these historical processes of ‘creative destruction’? These questions frame the discussion around Australian research, innovation and education in cybersecurity.
EDUCATION, SKILLS AND KNOWLEDGE
An educated, skilled and knowledgeable Australian workforce is vital to supporting cutting edge research and development. Even modest amounts of training in cyber literacy can mitigate 85% of cybersecurity threats (7). There are a number of existing issues in cyber education, skills and knowledge. The challenges in the cyber skills workforce are broad enough that tackling them in two parts – domestic and international – is warranted.
We should consider the issues concerning the Australian domestic skills and education market:
- Consider how Australia could engage its schools, universities and research-intensive institutions to educate people on how to be secure in cyberspace.
- What does Australian need to do to meet the growing need for cybersecurity professional now and into the future, given that cybersecurity has political, economic, and strategic issues that place it outside of the traditional realms of IT and computer science?
- Ask how to leverage industry in the effort to support education and a highly skilled workforce, including support for cybersecurity competitions, conferences and hackathons.
Following this, we need to consider how Australia can compete in the international market for skills and education:
- Education providers supply highly skilled individuals to the Australian market, yet such individuals are in high demand abroad where lucrative positions draw them offshore.
- We need to test the assumptions that make this a supply- or demand-side problem. What policy levers are available to stymie the flight of Australia’s top talent?
CYBER RESEARCH AND DEVELOPMENT: Australia’s strategic advantage
A technically skilled workforce, supported by cutting-edge research and development, is fundamental to Australia’s ability to innovatively respond to emerging cyber security challenges. However there are impediments to creating a world-class cyber workforce. The cybersecurity workforce operates in a global market and in this market Australia has been traditionally a ‘price taker’ not a ‘price setter’. This high global price for skilled labour may act as a disincentive to domestic organisations investing in a broad cyber security research and development capability.
In the Australia context, we need a robust appraisal of our local cybersecurity research and development. Australia’s geography means that it can ‘follow the sun’ with partners in the Americas and Europe. This kind of thinking leverages Australia collaborative nature to build a continual research capability. However, it places Australia in direct competition with other countries in the region that have similar education and research capabilities. What actions can government, industry and academia do to maintain our comparative and absolute advantage in this space?
Some of the key questions for any appraisal therefore need to include:
- How does Australian research and development lead to technological advantage against competitors in cyberspace? What are the top investment priorities for cybersecurity to enhance Australia’s national interest?
- How can Australia better measure, count and quantify the economic potential of the cybersecurity sector? How can we capture a short-term market snapshot whilst considering the medium- to long-term issues of growth, encouraging investment and attracting the right people?
- What are some strategies for encouraging business leaders in Australia — especially entrepreneurs and venture capitalists — to grow a culture of accepting risk and failure, which is so vital to innovation? How can this domestic drive for innovation compete against international partners who have greater capital to invest in new ideas?
FOSTERING AUSTRALIAN INNOVATION
Labelling Australia an ‘innovation nation’ or ‘clever country’ might be a stretch, although innovation in Australia has an intermittent history of success. From the design of polymer banknotes to the research and development of WiFi, Australians have designed innovative solutions to real-world problems. Despite a patchy history of innovation, there should be no reason that Australia cannot shape the environment of cyberspace to its strategic priorities. We need to examine the barriers to investment in the next generation of innovation in cybersecurity and the thought leaders that create them.
To this end, the most pressing questions are:
- How can the Australian Government encourage businesses to innovate and take advantage of emerging technologies? What mechanisms mitigate the negative effects of ‘creative destruction’ and support investment in new technologies?
- Investment in research and development often represents an opportunity cost to organisations. How can we shift the perception of innovation so it is viewed as a driver of efficiencies, a finder of new markets and giving a tangible return on investment?
- What does cybersecurity innovation in Australia look like? Is it widespread and best served through a system of business incubators and start-up accelerators located throughout Australia?
- With the most recent National Security Science and Innovation Strategy delivered in 2009, how can Australia effectively allocate resources towards national security objectives and priorities?
We invite participants to express their recommendations throughout the workshop and highlight any areas that might not have been directly covered in general discussion time. Participants are welcome to offer at least one direct recommendation to the Review at the conclusion of the workshop.
2. ASDReports, “Cyber Security Market 2015-2025,” February 2015, https://www.asdreports.com/market-research-report-184370/cyber-security-market.; ZeroDayLab, “The Value of the Global Cyber Security Market by 2017” (ZeroDayLab Limited, United Kingdom, n.d.), http://www.zerodaylab.com/pdf/Value%20of%20Global%20Cyber%20Security.pdf.
3. TSensors Summit, Need For Trillion Sensor Roadmap (San Francisco: Stanford University, 2013), http://www.tsensorssummit.org/Resources/TSensors%20Roadmap%20v1.pdf.
4. Bradley Joseph et al., “Internet of Everything: A $4.6 Trillion Public-Sector Opportunity” (Cisco Systems, 2013), http://internetofeverything.cisco.com/sites/default/files/docs/en/ioe_public_sector_vas_white%20paper_121913final.pdf.
5. Janna Anderson and Lee Rainie, “The Internet of Things Will Thrive by 2025” (Pew Research Center, 2014), http://www.pewinternet.org/files/2014/05/PIP_Internet-of-things_0514142.pdf.
6. Jeremy Rifkin, The Third Industrial Revolution: How Lateral Power Is Transforming Energy, the Economy, and the World (Macmillan, 2011).
7. Australian Signals Directorate, “Strategies to Mitigate Targeted Cyber Intrusions: Australian Signals Directorate (ASD),” n.d., http://www.asd.gov.au/infosec/mitigationstrategies.htm.