Watch out for the cyber charlatans, Australia

Government handouts and tax breaks, confusing cyberjargon, and an emphasis on startups -- the ideal chemistry for making snake oil.

It's no secret that Australia is behind the pace in regard to startups. We're only eighth in the world when it comes to startups focused on cybersecurity.

That might not sound too bad, given that Australia's population of 24 million is significantly less than most other high-tech nations, and we're only the 15th largest economy in the world.

But there's a huge gap between the United States in the number one spot and Israel, with a population of 8 million, at number two. And there's another big gap between Israel and what can at best be called "the rest".

As Richard Stiennon, chief research analyst with IT-Harvest, reportedly said in Sydney on Tuesday, Australia has fewer cybersecurity vendors than his home state of Michigan. Have you seen Detroit lately?

Stiennon was speaking at Australia's inaugural National Fintech Cyber Security Summit, hosted by CSIRO's Data61, startup incubator Stone & Chalk, KPMG, and the Australia-Israel Chamber of Commerce.

The global cybersecurity industry is currently growing at 24 percent a year, Stiennon said, and Australia has untapped potential to take advantage of that market.

This sentiment was echoed by Stone & Chalk's chief executive officer Alex Scandurra. And of course it's a key part of Australia's new Cyber Security Strategy. The AU$30 million to establish the Cyber Security Growth Centre is for exactly this purpose.

But before we get too excited by the cyber boom hype, let's step back a bit.

As we've said before, government handouts, including a bunch of random tax breaks for startups, effectively mean that the government is covering businesses' losses in their gamble on high-risk investments. "Externalising the risk", it's called.

On top of that, cybersecurity is a world of jargon. Few people know what it all means. Something can sound like a good investment if you just add the right buzzwords. Threat intelligence. Real-time network visibility. Machine learning. Feel free to add your favourites.

Even if you do understand the buzzwords -- at least the ones that have actual meanings -- how can you tell if a company's secret-sauce systems actually work as advertised? Are they even real?

Sheesh, we don't even have an agreed-upon way to count "cyber attacks" per day, let alone a taxonomy for categorising their severity.

As Cosive's Kayne Naughton said at last month's Australian Cyber Security Centre (ACSC) Conference, for an industry based on computing science, there doesn't seem to be much actual science involved. And, let me add, for an industry supposedly based on software engineering, I'd expect a bit more actual engineering too.

Would we let civil engineers build bridges using techniques so shoddy that almost any random vandal could push them over into the river? Because that's pretty much where cybersecurity has been for more than two decades.

Now there are people pushing for a scientific approach to cybersecurity research, and the federal Budget, announced on Tuesday night, does include a few million for research. Well, from 2018-2019 anyway.

But the combination of government handouts and tax breaks, confusing cyberjargon, and an emphasis on fast-moving high-risk high-return startups? That's the ideal chemistry for making snake oil.

One senior technology strategist at the National Fintech Cyber Security Summit confirmed my concerns that the event was less about "How can we make Australia and its financial sector more secure?" and more about "How can we make shiploads of money from this cyber boom thing?"

There's nothing wrong with making money, of course. That's what businesses are for. Stone & Chalk seems to be one of the reputable startup incubators. Good luck, everybody. But those priorities seem backwards to me, and I can sense the seagulls gathering.

Meanwhile, we already know some of the best ways to improve cybersecurity. Take the time to build robust and resilient systems. Set up processes to implement the most critical mitigations, using whichever of the well-established checklists you fancy. Foster a security culture in your organisation. Teach people how to spot phishing attacks.

All that stuff works. It just doesn't make for big bucks. Or for a sexy pre-election political announcement.