Is Australia Spending Enough on Cybersecurity?
Academics Argue Government Underestimates Threat
Australia pledged in April to spend AU$230 million (US$167 million) over the next four years on a range of initiatives to bolster the country's cybersecurity stance. But two academics contend Australia still isn't spending enough compared to the U.S. and U.K. and remains dangerously underprepared for a major cyber emergency.
Greg Austin and Jill Slay, both professors at the Australian Centre for Cyber Security at University of New South Wales Canberra, argue that the government's plan doesn't address the pace and scale of digital threats the country faces.
"These gaps have important policy implications, as well as negative impacts on the security and prosperity of Australians," reads the discussion paper, which was released May 30.
In a statement, Australia's Department of the Prime Minister and Cabinet didn't directly address the discussion paper but said that although every country has unique cybersecurity needs, Australia shares many priorities with the U.S. and U.K.
When developing its Cyber Security Strategy, the government "looked at best practice policy and programs across the world and from both the public and private sectors and identified what will work best in Australia," the department said in its statement.
Spending Out of Proportion with Crime?
In an interview, Austin says that while Australia's defense forces are likely at a world-class standard, the country is weaker outside that narrow circle than other countries in areas such as critical infrastructure and cybercrime deterrence.
One problem is simply estimating the scale of cybercrime. It's believed cybercrime costs Australia at least $1 billion a year; the government, however, said in April the figure could be as high as $17 billion going by the rule-of-thumb that cybercrime is 1 percent of a country's GDP.
In February, U.S. President Obama announced US$19 billion for civilian sector cybersecurity spending for one fiscal year (see Obama Creating Federal CISO Post). Austin said Australia's spending in the same area is AU$100 million (US$72 million) annually.
While the U.S. faces broad threats that are at a much larger scale, there's still a very large proportional disparity, Austin said. The U.S. spends 400 times more than Australia's annualized spend, with the U.K. at 10 times Australia's spend, according to the paper.
That means Australia may not be well prepared for a critical infrastructure attack against the financial sector, electric grid or the transport system, all of which depend on networked systems, Austin contends. "If all or some of those infrastructures were attacked, the Australian economy would suffer substantially," he says.
'Need to Shift Our Thinking'
The discussion paper recommends that Australia set up a high-tech crime unit that could, in part, leverage Interpol's center in Singapore. The unit should have research staff and be funded at AU$20 million a year for 10 years, the paper says.
The authors also recommend establishing a Cyber Defense League similar to what Estonia created after enduring cyberattacks in 2007. Austin says such a group would establish a reserve capability of experts who could coordinate a response in the event of a national cyber emergency.
"We are in a position to do really good things, but we do need to shift our thinking," Austin says. "Our lack of capability to respond to serious attacks is far more serious than the Australian government has admitted. So we need to shift that. Once we shift that, we will get more money, more programs, more research and simply more results."