The government has announced it will spend $233.1 million over 4 years as part of its new Cyber Security Strategy.[1] About $190 million was new money, with the remaining funds being previously allocated as part of the Innovation and Science Agenda. [2] This previous allocation included the funding for the Cyber Security Growth Centre, plus $7.5 million for Data61 (part of CSIRO). So, where is the rest of the money going?

The government has announced it will spend $233.1 million over 4 years as part of its new Cyber Security Strategy.[1]  About $190 million was new money, with the remaining funds being previously allocated as part of the Innovation and Science Agenda. [2] This previous allocation included the funding for the Cyber Security Growth Centre, plus $7.5 million for Data61 (part of CSIRO). 

So, where is the rest of the money going?

 

The government is the biggest winner in the new Australian Cyber Security Strategy 2016.

 

 

The strategy is built on ‘five pillars’ or goals and lists a total of 33 actions in support of the achieving those goals.[3]  The following table itemises the number of actions per ‘pillar’, the number of actions that are funded and the amount of funding identified for each funded action, based on the government’s published Cyber Security Strategy Funding resource.[4] From this it is clear that not all of 33 actions are funded. 

5 Pillars of Australia’s Cyber Security Strategy

Actions included in Strategy

Actions funded

Total funding

($ million)

1.      A national cyber partnership

4

1

$38.8m

2.      Strong cyber defences

17

9

$136.1m

3.      Global responsibility and influence

5

1

$6.7m

4.      Growth and Innovation

4

2

$38m*

5.      A cyber smart nation

3

2

$13.5m

TOTAL

33

15

$233.1m

 

* Previously announced funding.

As most of the actions (17 in total) come under the second pillar of establishing strong cyber defences, it is not surprising that the bulk of the $190 million of new money, a total of over $136 million, will go towards actions supporting this outcome. 

The Australian Cyber Security Centre (ACSC) seems to be the biggest winner, nabbing over half the new money.  In addition to $38.8 million to go towards the ACSC moving from its current location in the ASIO building to new facilities, a total of $70.2 million goes towards increasing the capabilities of the ASD, CERT Australia, the Australian Crime Commission and the AFP (all of which are part of the ACSC).

It is disappointing that a strategy called ‘enabling innovation, growth and prosperity’ and which talks about promoting an improved institutional cyber culture and supporting home-grown cyber security capabilities[5] allocates relatively small amounts to achieving those outcomes.  $13.5 million over 4 years is dedicated to achieving a cyber smart nation, with $3.5 million going to new academic centres of cyber security excellence, and increasing numbers of cyber security professionals in Australia.  It is not clear how much of the $3.5m is meant to cover additional sub-activities listed in this part of the strategy such as improving the cyber skills of technical college students, increasing the number of school children studying subjects that will equip them for cyber security careers and encouraging more women and people with a diverse background to take up or change to a career in cyber security.[6] Given the expressed concern about the worsening position in regard to the availability of cyber security skills in Australia,[7] one might have expected a larger piece of the pie to be directed towards solving that issue and more generally meeting the aspirations of the 5th pillar of the strategy that Australia be a cyber smart nation. 

It is possible that $15 million allocated to small business grants for improved cyber security as part of the ‘strong cyber defences’ initiative may be an opportunity to leverage innovative cyber security solutions for small businesses in Australia. It seems more likely however that that funding will be used to support small businesses to have their cyber security tested by CREST ANZ accredited providers, which is the more specific action included in the strategy.[8]

Other actions from the strategy that do not seem to be funded include:

  • Sponsoring research to better understand the cost of malicious cyber activity to the Australian economy;[9]
  • Co-designing voluntary cyber security health checks for ASX100 listed businesses;[10]
  • Supporting CREST ANZ to expand its range of cyber security services (although this may occur as a natural outcome of the $15m possibly allocated to CREST testing of SMEs);[11] and
  • Promoting Australian cyber security products and services for development and export (though this could be covered within the remit of the Cyber Security Growth Centre).[12]

Of course, strengthening our cyber defences is linked to innovation, growth and prosperity. As Lynwen Connick, first assistant secretary, cyber policy and intelligence, at the Department of Prime Minister and Cabinet has said ‘Trust and confidence in the security of our systems will help grow our economy by enabling all business to access new markets and by fostering new business models including through adopting disruptive technologies enabled by trust in cyber space.’[13] So, ensuring that government systems are well protected and that the government agencies responsible for cyber security initiatives are funded is important.

However, with the bulk of the new funds either supporting the ACSC or improving the government’s own cyber security capabilities and the security of its own systems, there is not a lot for private enterprise interested in innovation, new products and markets and developing world class cyber security skills to get excited about. 

Hopefully this will come with the rolling out of the new Industry led Cyber Security Growth Centre, and the $38 million pledged in support of that initiative.  We will continue to watch with interest.

 

 

The following table set out all the funding announced in support of the new cyber security strategy:[14]

A national cyber partnership

 

New home for the Australian Cyber Security Centre that gives better access to the private sector[15]

$38.8 million

Strong cyber defences

 

Threat sharing centres and online threat sharing portal[16]

$47.3 million

Increasing capabilities of CERT Australia[17]

$21.5 million

Increasing investigation and intelligence capabilities of Australian Federal Police

$20.4 million

Increasing investigation and intelligence capabilities of the Australian Crime Commission[18]

$16 million

ASD – boosting ability to uncover security vulnerabilities in government systems

$11 million

ASD – assessing government agency cyber security

$1.3 million

Expand government exercising program to non-government partners[19]

$2 million

Creating national voluntary standards[20] (which funding seems to be allocated to CERT Australia)

$1.6 million

Small business grants for improved cyber security

$15 million

Global responsibility and influence

 

Strengthen international advocacy and increase Australia’s cyber security capacity building efforts in Indo-Pacific

$6.7 million

Growth and innovation

 

Industry led Cyber Security Growth Centre[21]

$30.5 million

Boost Data61’s cyber security program

$7.5 million

A cyber smart nation

 

Establishing academic centres of cyber security excellence and programs to increase numbers of cyber security professionals in Australia

$3.5 million

 

[1] http://www.computerworld.com.au/article/598428/government-prepares-unveil-231-1m-cyber-security-strategy/; https://www.dpmc.gov.au/pmc/about-pmc/core-priorities/national-security-and-international-policy/cyber-security-strategy.

[2] http://www.innovation.gov.au/

[3] Cyber Security Strategy Action Plan. Downloadable at https://cybersecuritystrategy.dpmc.gov.au/resources/index.html

[4] Cyber Security Strategy Funding. Downloadable at https://cybersecuritystrategy.dpmc.gov.au/resources/index.html

[5] Prime Minister’s Forward, ‘Australia’s Cyber Security Strategy: Enabling innovation, growth and prosperity’, 2 – 3.

[6] Cyber Security Strategy, 65.

[7] Cyber Security Strategy, 53.

[8] Cyber Security Strategy, 62.

[9] Cyber Security Strategy, 58.

[10] Cyber Security Strategy, 61.

[11] Cyber Security Strategy, 61.

[12] Cyber Security Strategy, 64.

[13] http://www.computerworld.com.au/article/597985/cyber-security-enormous-opportunities-australian-business/

[14] Cybersecurity Strategy Funding Fact Sheet https://cybersecuritystrategy.dpmc.gov.au/resources/index.html

[15] http://mobile.abc.net.au/news/2016-04-21/australia-admits-it-can-launch-cyber-attacks-turnbull/7343620

[16] http://mobile.abc.net.au/news/2016-04-21/australia-admits-it-can-launch-cyber-attacks-turnbull/7343620

[17] http://www.computerworld.com.au/article/598428/government-prepares-unveil-231-1m-cyber-security-strategy/

[18] http://mobile.abc.net.au/news/2016-04-21/australia-admits-it-can-launch-cyber-attacks-turnbull/7343620

[19] http://www.computerworld.com.au/article/598428/government-prepares-unveil-231-1m-cyber-security-strategy/

[20] http://www.computerworld.com.au/article/598428/government-prepares-unveil-231-1m-cyber-security-strategy/

[21] http://mobile.abc.net.au/news/2016-04-21/australia-admits-it-can-launch-cyber-attacks-turnbull/7343620