Cyber ambassador a welcome move but laggard Australia still not “mature” on security: expert

Australia talking the talk on cyber security but hurt by slow progress on breach notification, skills development

The appointment of an Australian Ambassador for Cyber Affairs is a step in the right direction but the federal government needs to move more quickly in related areas for its cybersecurity credentials to be taken seriously, one security leader has warned in the wake of the long-awaited announcement.

Prime minister Malcolm Turnbull first flagged the potential ambassadorship during the government’s April announcement of Australia’s $230m Cyber Security Strategy (CSS). To be filled in January by Dr Tobias Feakin – a security and cyber policy researcher who served on the CSS independent panel of experts and has been director of national security programs at the Australian Strategic Policy Institute since 2012 – the position will see the ambassador liaising with international bodies to represent Australia’s interests in emerging multinational cybersecurity enforcement.

That engagement is a core part of the CSS that will help Australia, partner countries and organisations like INTERPOL maintain an international response to match the international nature of the ongoing cybersecurity threat – which is increasingly finding commonalities with conventional crimes as organised crime pushes into the increasingly profitable space.

Feakin “has the right relationships in the US and all over the world,” Guy Eilon, senior director and ANZ general manager with security specialist Forcepoint, told CSO Australia. “If he’s going to invest time and effort in building these relationships, I believe it will bring the right value to Australia.”

Australia was recently picked – along with France and the United Arab Emirates – as one of the world’s cyber security ‘hotspots’ in terms of the level of investment and commitment to developing cybersecurity skills.

That analysis, published by global consultancy Procorre, noted the value of France’s three-year, €1 billion ($A1.48b) cybersecurity strategy, the UK’s £1.9 billion ($A3.29b) National Cyber Security Strategy, and the UAE’s $US1 billion ($A1.33b) investment through 2018. That company also recently noted that cybersecurity jobs make up 14 percent of all new UK-based IT roles.

The high profile of such international ‘hotspots’ had seen firms like UK-based NCC Group push into the Dubai market “because of the prevalence and pace of its evolving IT sector,,” Procorre head of relationship management Wiktor Podgorski said in a statement, “and we’re seeing other big companies investing in these emerging markets too. There will be many other companies across the globe thinking about their next move so it’s important for them to consider these burgeoning hotspots.”

Yet the work of the Ambassador for Cyber Affairs – whose appointment completes a CSS triumvirate that also includes Special Advisor on Cyber Security and Australian Cyber Security Coordinator – is already cut out for him, cautioned Eilon, who believes Australia is doing too little, too late when it comes to cybersecurity investment.

“Investing $230 million over four years is nothing for a country the size of Australia,” he said. “There are individual companies spending more than $50m on cybersecurity every year. So on a national level, it means nothing. And while it’s a good move that the government is taking, they need to take it more seriously.”

He also joined the chorus of voices flagging Australia’s foot-dragging on data breach notification legislation as an ongoing deficiency in the country’s approach to cybersecurity, arguing that such legislation has become mandatory for any country that wants to be seen as taking a “mature” approach to managing cybersecurity risks.

“Australia needs to put data breach notification on its agenda and make a serious decision about whether Australia is willing to behave as a mature country that does care about its citizens,” Eilon said, noting that countries like China, the US and South Korea had long ago not only adopted breach-notification laws but begun formal programs to build ‘cyber armies’ that concentrate cybersecurity skills within a military context. “[Appointments like Feakin’s are] a good move but the Australian government needs to take it more seriously.”