Australia's cybersecurity skills make it a destination for 'cyber tourism'

With solid cyber skills, strong links in the Asia-Pacific region, and being not America, Australia has the potential to profit big from the cyber boom.
Written by Stilgherrian , Contributor

Regional countries are looking to Australia for cybersecurity education and services, and not just because we have the skills, according to Clive Lines, deputy director of the Australian Signals Directorate (ASD) and coordinator of the Australian Cyber Security Centre (ACSC).

"In a post-Snowden environment, they don't want to buy from the US. And they don't want to buy from Europe, because they don't feel that Europe services the region properly. Now there are always exceptions to that rule, but it's quite interesting that they've been absolutely adamant that they want to collaborate with Australia, they want to buy services from Australia, and they want to get education from Australia," Lines said on Tuesday.

"If you run a new cybersecurity centre, you have what we call 'cyber tourism'. We've actually had a lot of regional countries come and visit us, also a lot of European countries."

Lines was speaking at SINET61, the inaugural joint conference of the Security Innovation Network (SINET) and the CSIRO's Data61. Developing Australia's cybersecurity industry, and fostering innovation, are key elements of the nation's Cyber Security Strategy, which was announced in April.

Lines sees this emerging cybersecurity market as an "enormous opportunity". Parents should encourage their children to get into cybersecurity, he said, because "they can pretty much name their job" and it's a "guaranteed employment market".

"There are over a million people short worldwide at the moment, and that is only going to grow."

The rapid growth of critical infrastructure and the Internet of Things (IoT) provide a another "tremendous opportunity", according to Dr Tobias Feakin, head of the International Cyber Policy Centre at the Australian Strategic Policy Institute (ASPI).

"To state the bleeding obvious, what you've got is rapid development of critical infrastructure around the region that's happening at polar opposite ends of the scale," Feakin told the conference.

"At one end you've got basic provision of power and water infrastructure, and that's happening at a rate of knots. But at the other extremity you've got Smart City development and Internet of Things in places like Singapore," he said.

"Then you have a complete patchwork of other standards amongst those countries of what actually constitutes their infrastructure, where their critical nodes might exist or not. And on top of that, you have regional critical infrastructure programs."

International electricity grids are being set up, for example, but not always with cybersecurity as a top priority.

"It sounds like a bit of a dangerous mix, but actually it does provide Australia with a tremendous opportunity, and I look forward to seeing how the future Cyber Ambassador might interpret this," Feakin said.

There are even opportunities for critical infrastructure protection within Australia.

"Naming no names, I've been party to conversations with some very large infrastructure delivery companies where that cybersecurity discussion is not happening at board level," Feakin said.

"The drop-off point seems to be quite sharp in the critical infrastructure scene in Australia, and that concerns me."

Dr Carolyn Patteson, executive manager of CERT Australia, said her organisation is looking to work closely with Japan in this area.

"They do a lot of really good work around control system [ICS] security. Now obviously, yep, Five Eyes are naturally good partners in that, but actually Japan has greater capable people," Patteson said.

"We've been moving into automating indicator-sharing, they're very keen to learn from us. [We're] an early adopter. We will help them with that. They will then help us with control system security."

Australia is also working closely with the Netherlands on how to set up the Joint Cyber Threat centres that are part of Australia's Cyber Security Strategy, and how they bring in the private sector, and sharing unclassified threat reports.

"We will work with whoever it happens to be where we think there's mutual benefit," Patteson said.

One of Australia's closest cyber relationships is of course with New Zealand. But according to Paul Ash, director of the National Cyber Policy Office in New Zealand's Department of Prime Minister and Cabinet, both countries operate across a range of regional forums, doing an "enormous amount of work" on confidence-building and exercising.

"I'm a Chinese speaker [so] I lead our dialog with China on cybersecurity," Ash told the conference. There are dialogs coming up with Japan, Singapore, and India.

New Zealand went beyond the "obvious" partners when developing its cybersecurity strategy.

"We went out and had a good look at who we think does cybersecurity really well, and the ones we really drew on were Singapore, Netherlands, Estonia, Israel. We also looked at Qatar, actually," Ash said.

"What they've all got in common was they've all had massive problems with cyber, that has turned them to start thinking: 'Well how do we actually turn that into strength?' And they've all got different ways they did that. But they're all small, relatively speaking, and they've all been very, very coherent about how they've responded to that," he said.

"From my perspective, just as we're in the market for stuff from the private sector, we in the search for good thinking and policy around how to build cybersecurity [also] need to be thinking very, very widely, and having conversations with a whole range of partners."

To profit from all these opportunities, however, Australia will need to build the right organisational infrastructure. That will require the right mix of agility, diversity, and experience, according to Dawn Meyerriecks, deputy director of the Directorate of Science and Technology at the US Central Intelligence Agency (CIA).

"I believe that you have great capability in terms of experience. You certainly have diversity, based on the panels and the folks I know here. The challenge will be the agility piece, which is a function of infrastructure," Meyerriecks said.

"The lead opportunity that I think you have, as a nation, is that you very, very, very deeply understand the merge of cyber with the physical world. You have better phenomenologists than most of the planet concentrated here, and that's based on personal experience. And that is where the market is going to be, across the board," she said.

"It's the combination of my smart watch, and my heart rate, physical and virtual. It's the combination of my car, and more compute power than Apollo had when it went to the moon and back. You have that expertise here, and it is up to you to create the infrastructure, the collaboration, to achieve the agility to set the standard for the planet. And you have everything you need."

Editorial standards