Morrison's $1.3 billion for more 'cyber spies' is an incremental response to a radical problem

The federal government has announced it will spend more than a billion dollars over the next ten years to boost Australia’s cyber defences.

This comes barely a week after Prime Minister Scott Morrison warned the country was in the grip of a “sophisticated” cyber attack by a “state-based” actor, widely reported to be China.

Read more: Morrison announces repurposing of defence money to fight increasing cyber threats

The announcement can be seen as a mix of the right stuff and political window dressing - deflecting attention away from Australia’s underlying weaknesses when it comes to cyber security.

What is the funding for?

Morrison’s cyber announcement includes a package of measures totalling $1.35 billion over ten years.

This includes funding to disrupt offshore cyber crime, intelligence sharing between government and industry, new research labs and more than 500 “cyber spy” jobs.

As Morrison explained

This … will mean that we can identify more cyber threats, disrupt more foreign cyber criminals, build more partnerships with industry and government and protect more Australians.

They key aim is to help the country’s cyber intelligence agency, the Australian Signals Directorate (ASD), to know as soon as possible who is attacking Australia, with what, and how the attack can best be stopped.

Australia’s cyber deficiencies

Australia certainly needs to do more to defend itself against cyber attacks.

Intelligence specialists like top public servant Nick Warner have been advocating for more attention for cyber threats for years.

The government is also acknowledging publicly that the threats are increasing.

Earlier this month, Morrison held an unusual press conference to announce that Australia was under cyber attack.

While he did not specify who by, government statements made plain it was the same malicious actor (a foreign government) using the same tools as an attack reported in May this year.

Related attacks on Australia using similar malware were also identified in May 2019.

This type of threat is called an “advanced persistent threat” because it is hard to get it out of a system, even if you know it is there.

Read more: Australia is under sustained cyber attack, warns the government. What's going on, and what should businesses do?

All countries face enormous difficulties in cyber defence, and Australia is arguably among the top states in cyber security world-wide. Yet after a decade of incremental reforms, the government has been unable to organise all of its own departments to implement more than basic mitigation strategies.

New jobs in cyber security

The biggest slice of the $1.35 billion is a “$470 million investment to expand our cyber security workforce”.

This is by any measure an essential underpinning and is to be applauded.

But it is not yet clear how “new” these new jobs are.

The 2016 Defence White Paper announced a ten year workforce expansion of 1,700 jobs in intelligence and cyber security. This included a 900-person joint cyber unit in the Australian Defence Force, announced in 2017.

The newly mooted expansion for ASD will also need to be undertaken gradually. It will be impossible to find hundreds of additional staff with the right skills straight away.

The skills needed cut across many sub-disciplines of cyber operations, and must be fine-tuned across various roles. ASD has identified four career streams (analysis, systems architecture, operations and testing) but these do not reflect the diversity of talents needed.

It’s clear Australian universities do not currently train people at the advanced levels needed by ASD, so advanced on-the-job training is essential.

Political window dressing

The government is promoting its announcement as the “nation’s largest ever investment in cyber security”. But the seemingly generous $1.35 billion cyber initiative does not involve new money.

The package is also a pre-announcement of part of the government’s upcoming 2020 Cyber Security Strategy, expected within weeks.

This will update the 2016 strategy released under former prime minister Malcolm Turnbull and cyber elements of the 2016 Defence White Paper.

Read more: Australia is facing a looming cyber emergency, and we don't have the high-tech workforce to counter it

The new cyber strategy has been the subject of country-wide consultations through 2019, but few observers expect significant new funding injections.

The main exceptions which may receive a funding boost compared with 2016 are likely to be in education funding (as opposed to research), and community awareness.

With the release of the new cyber strategy understood to be imminent, it is unclear why the government chose this particular week to make the pre-announcement. It obviously will have kept some big news for the strategy release when it happens.

The government’s claim that an additional $135 million per year is the “largest ever investment in cyber security” is true in a sense. But this is the case in many areas of government expenditure.

The government has obviously cut pre-planned expenses in some unrevealed areas of Defence.

Meanwhile, the issues this funding is supposed to address are so complex, that $1.35 billion over ten years can best be seen as an incremental response to a radical threat.

Australia needs to do much more

According to authoritative sources, including the federal government-funded AustCyber in 2019, there are a number of underlying deficiencies in Australia’s industrial and economic response to cyber security.

These can only be improved if federal government departments adopt stricter approaches, if state governments follow suit, and if the private sector makes appropriate adjustments.

Above all, the leading players need to shift their planning to better accommodate the organisational and management aspects of cyber security delivery.

Read more: Australia is vulnerable to a catastrophic cyber attack, but the Coalition has a poor cyber security track record

Yes, we need to up our technical game, but our social response is also essential.

CEOs and departmental secretaries should be legally obliged to attest every year that they have sound cyber security practices and their entire organisations are properly trained.

Without better corporate management, Australia’s cyber defences will remain fragmented and inadequate.