Billion-dollar cyber boost: A cash cow for defence SMEs?

Following on from months of review, the Commonwealth has finally handed down its grand strategy for "creating a more secure online world for Australians". While some would argue the report – which replaces a 2016 iteration – is long overdue, others have argued it articulates a timely, robust response to mounting external pressures.

"We work to actively prevent cyber attacks, minimise damage, and respond to malicious cyber activity directed against our national interests. We deny and deter, while balancing the risk of escalation," the strategy states in its opening paragraph.

"Our actions are lawful and aligned with the values we seek to uphold, and will therefore be proportionate, always contextual, and collaborative.”

The paper sets itself the lofty goal of evaluating:

• Action by governments to strengthen the protection of Australians, businesses and critical infrastructure from the most sophisticated threats;
• Action by businesses to secure their products and services and protect their customers from known cyber vulnerabilities; and
• Action by the community to practice secure online behaviours and make informed purchasing decisions.

The full package will see $1.67 billion directed towards shoring up cyber resilience over the next 10 years, representing a marked increase on the $230 million laid out in the 2016 paper. Yet compared with the previous paper, the 2020 Strategy was remarkably clear about where this funding is being directed – and in large part, that’s towards defence.

Scaling up

As laid out yesterday, Canberra looks to ramp up funding towards intelligence cyber capabilities in the years to come. This comes, naturally, on the back of a rapidly shifting geostrategic environment – including, perhaps most ostensibly, a high-profile state-sponsored attack on the national infrastructure.

With a view to bolster offensive, as well as defensive, capability, just under one-third of the funding has been earmarked for the Australian Signals Directorate; $470 million will be used to create some 500-odd jobs within the agency, as well as a further $62.3 million spent on a "classified national situational awareness capability" to help ASD respond to threats.

VIEW ALL

As well as being handed a host of new cyber tools and legislative powers, the Australian Federal Police (AFP) is set to receive an additional $88 million in funding – though no specifics were given regarding any additional roles added to the agency.

Cyber security training and employment has been high on the priority list for some time. AustCyber has previously estimated that the nation will need 17,000 extra cyber security professionals by 2026. It’s clear that, words aside, the strategy update is likely to create a surge in cyber security employment on the government side, as well as academia. But what of private business?

A role to play for SMEs

While a groundswell in support for government cyber security agencies is likely to lead to flow-on effects through the public-private supply chain, this year’s strategy also injects funding and opportunity directly into the private side of the equation.

One key aspect of the report, which seems to have been skimmed over by most commentators so far, is undoubtedly the $50 million investment into the industry, referred to as the Cyber Security National Workforce Growth Program.

Split into four tranches, the blueprint for growth is designed to maximise SME involvement in both supply chains and critical government research initiatives – which, as we’ll discuss, is critical for protecting the contribution of SMEs as a whole.

There’s the $26.5 million Cyber Skills Partnerships Innovation Fund, which seeks to bring businesses and academia together to partner on innovative skills projects that directly meet employers’ skills needs.

Whether it’s scholarships, apprenticeships, specialist cyber security courses for working professionals, or retraining initiatives (key in the current climate), this component of the strategy shouldn’t be overlooked for decreasing entry barriers for those looking to get into the profession.

Similarly, smaller packages dished out to specific institutions – like the Australian Cyber Security Centre ($6.3 million) and Canberra’s Questacon ($14.9 million) might not seem like much initially; but they represent a significant improvement on previous rounds of funding.

Training, mentoring and coaching programs are all important for bringing talent into the fold, but $2.5 million has even been allocated towards data collection targeted at evaluating why there’s a cyber security skills shortage in the first place.

A self-protection mechanism?

Writing in ASPI’s The Strategist, Ian Bloomfield, Alison Howe and Max Heinrich make the case that small businesses are on the frontline of the nation’s battle with its cyber security woes. If correct, the Cyber Security National Workforce Growth Program could provide the perfect mixture of opportunity and incentive to stimulate defence SME involvement in the cyber sector over the next decade.

Drawing on years of experience in the field, the authors argue that taking cyber resilience more seriously improves the experience of small businesses and SMEs, and sets them up to succeed. Citing a survey of small and medium businesses conducted by the Australian Cyber Security Centre in 2019, they note that the sector is highly vulnerable to malicious cyber activity.

Now, while it’s far from often that Australia hits the headlines worldwide for cyber innovation, recent years have shown that we certainly have the talent to do so – and that much of it exists outside of government agencies and public research institutions.

Earlier in the year, Adelaide-based SME CyberOps proved it doesn’t shy away from complex, large-scale contracts – after the company took on a $299,000 contract to develop a security framework to support the nano-satellite development programs and operating systems in partnership with the Department of Defence.

And in February, Canberra-based Penten scored funding under a contract with AustCyber, the Australian Cyber Security Growth Network, to provide secure network access to a pilot group of regional SMEs and academia.

At the time, company CEO Matthew Wilson put it particularly succinctly. "SMEs are the future growth and innovation engine of the Australian cyber economy,” he said. “These businesses provide invaluable opportunities for Defence to gain advantage. Without them, we are missing out. Australia is missing out."

What other avenues should Australia pursue to foster long-term involvement in the cyber security sector from SMEs? Is the strategy update a step in the right direction in this respect, or does it miss the mark? Let us know your thoughts in the comments section below, or get in touch with [email protected] or at [email protected].