A 'big science' approach for Australian cybersecurity research?

Australia's Cyber Security Strategy, to be released this Thursday, will include an emphasis on research and development, as well as education. How might that unfold?

Australia should adopt a big-science approach to its cybersecurity research, according to Dr Jackie Craig, chief of the Cyber and Electronic Warfare Division of the Defence Science and Technology Group (DSTG), Australia's equivalent to the US Defense Advanced Research Projects Agency (DARPA).

By big science, Craig means blue-sky projects with "audacious" goals, along the lines of CERN's attempts to detect the Higgs boson and gravity waves.

"There's two really important things about big science. One is that big science has actually given birth to many many many practical inventions along the way," Craig told last week's Australian Cyber Security Centre (ACSC) Conference in Canberra.

"Scratch-resistant glass in your glasses, for example, came from NASA. Many of the drugs that we use today were actually developed using synchrotron radiation. So big science isn't just about this audacious goal ... There's a tremendous opportunity within a big-science approach to have what we would call 'off-ramps' to produce technology that could be exploited within Australia, and also go out for export," she said.

"The other really good thing about big science is that it always has this really really strong outreach program ... The more we outreach, and educate people about cybersecurity, the better our overall cybersecurity will be, because they will begin to take on the behaviours that make us more secure in the cyber domain."

Craig also sees a basic practical reason for a big-science approach.

"Within the cyber area the technical problems are so profound, and so multi-disciplinary, that we will have to actually work together as an S&T [science and technology] community to tackle some of those problems," she said.

While Craig's comments may sound like an ambit claim, there are good reasons to believe that the government's Cyber Security Strategy, to be released this coming Thursday at 11:00 AEST, will contain much of what she's asking for.

On November 2015, Australia's Chief Scientist, Dr Alan Finkel, identified cybersecurity as one of the country's nine strategic research priorities. The goal of the Cybersecurity Capability Statement was to "position Australia as a leader in cutting-edge cybersecurity research and innovation to safeguard Australia's security, enhance resilience and enable economic growth."

The capability statement identified four "practical challenges": Highly-secure and resilient communications and data handling; secure, trustworthy, and fault-tolerant technologies for software applications, mobile services, cloud computing, and critical infrastructure; new approaches to support cybersecurity operations; and understanding the scale of the cybersecurity challenge, including social factors for individuals and organisations, and the national attitudes.

Then in December 2015, the National Innovation and Science Agenda included AU$30 million funding for a Cyber Security Growth Centre.

"We're investing in a mechanism here that connects the researchers, industry, venture capitalists, and governments as well, so that we can coalesce around the research priorities," said Sandra Ragg, assistant secretary cyber policy in the Department of Prime Minister and Cabinet, who led the development of the Cyber Security Strategy.

The growth centre's aim is to commercialise cybersecurity innovation, "to set Australia up both as a cybersecurity export industry, but also to help cybersecurity enable all businesses within Australia," Ragg told the ACSC Conference.

In February 2016 came the Defence Integrated Investment Program [PDF], released as part of the 2016 Defence White Paper.

The investment program identified several cyber-related priority research areas: Quantum technologies, to increase the security of military and government communications and computing through better encryption; trusted autonomous systems, including autonomous vehicles for military resupply missions; and a research program into cyber operations, to address the threats presented by information and communications technology dependencies and vulnerabilities within military systems.

And finally, last week there was the ACSC Conference program itself.

The government had originally planned to release the strategy at this event, and several sessions were based on that assumption. But with Prime Minister Malcolm Turnbull also visiting China last week, that plan fell apart. The conference sessions went ahead, though, with participants' coded language indicating what we can expect on Thursday.

"The national policy should inform things like an agenda for a growth centre. It should inform thematic areas of research, where we have some form of competitive advantage or critical mass to build around", said Adrian Turner, chief executive officer of Data61, the new organisation formed by the merger of NICTA with CSIRO's Digital Productivity research teams.

"We have to think of it at a systems-level view as well, and I'm sure it'll come to this, in terms of how to motivate talent, who may not be directly involved in cyber, to participate in research."

Other speakers also covered material which echoed the near-final draft of the strategy sighted by iTnews last week -- including Dr Gary Blair, adjunct professor with the Edith Cowan University's Security Research Institute, and chief executive officer of the Australian Cyber Security Research Institute, a newly-formed collaborative research initiative with partners across government, academia, and industry.

"The strategy will actually round out some of the initiatives that are already being put in place over the last year," Blair told ZDNet, listing the policies listed in this article.

Blair expects that Australia will get "a lot of new intellectual property in cyber", and that it will be able to be commercialised through the growth centre, and through collaboration with industry via programs such as the Cooperative Research Centres program.

"That will have some major effects for Australia. One is that it will improve the national cyber resilience, and two, it'll have an economic effect, because we'll be able to displace some of our reliance on imported technologies, and indeed build up an industry that has export potential," he said.

"We'll be able to focus those exports and project them into the region."

Australia won't be able to match the massive research budgets of the Cyber Security Division of the US Department of Homeland Security's Homeland Security Advanced Research Projects Agency (HSARPA). But Blair sees our leaner budgets as an advantage.

"We've always been quite judicious in the way we spend money, and we've been quite effective in the things we've done. My belief is, in one respect, we've got the size and scale to actually be taken seriously in cyber, and to produce output, and ... we're not large enough to be dysfunctional," Blair said.

"In some cases you can be too large, and waste resources. I think we're quite targeted, and if we actually use the strategy and the other initiatives that I've just mentioned to focus our efforts, then we will actually get the outputs that Australians are renowned for."