Australia is an enticing target for cyber criminals and nation-state adversaries due to its extensive internet penetration and wealthy economy. With cyber security expertise a limited resource, how might we meet this challenge? Lachlan McGrath provides his thought leadership.


Australia occupies a deteriorating geo-strategic environment. Because of Australia’s geographic isolation, it is likely that any nation-state conflict would include a significant component of cyber warfare. With these considerations, Australia should focus on increasing national cyber-resilience and capability as quickly and cost-effectively as possible.

Cyber security expertise is a key resource in ensuring the ongoing security of Australia. This is true in both the public and private sectors. However, the public sector is far more limited in its ability to tempt cyber security professionals with competitive salaries and other perks. In response to these challenges, we propose that the Australian government should establish a Civilian Cyber Corps: a part-time, volunteer cyber security organisation working to support Australian government interests.

What is the problem?

Australia simply does not have sufficient cyber security professionals to ensure the economic and national security of our internet-connected society. In 2019, AustCyber, the Australian Cyber Security Growth Network, predicted that Australia would face a shortfall of 17,000 cyber security professionals by 2026. This year, think tank Per Capita, with CyberCX, predicted a shortfall of 25,000-30,000 professionals across the broader ICT sector by 2024, suggesting that it is not an issue that can be addressed by simply up-skilling ICT professionals in cyber security.

One option is to increase Australia’s intake of cyber-skilled migrants. But this human resources shortfall cannot be fixed through immigration alone. The recent (ISC)² 2022 Cybersecurity Workforce Study identified a global cyber security professional shortage of 3.4 million. While Australia has traditionally mitigated some skills shortages through immigration, the global shortage and international competition will make this more difficult. Further, many cyber security positions, especially those in government roles, require security clearances that are difficult for foreign-born Australians to attain.

The cyber security professional shortage is even more acute for government entities. Compared to the private sector, Australian federal and state government cyber security professionals will often have:

  • Lower average pay
  • A need to manage people as part of their career progression, rather than simply increasing their technical mastery
  • Other requirements, such as physical capabilities, vetting, or uniform requirements

There have been efforts to mitigate these disincentives, such as Recommendation 4 of the Australian Public Service’s recent Hierarchy and Classification Review, which recommended more effort to develop career pathways for specialist and technical staff; however, more must be done.


What has been done?

Efforts have been made within both the public and private sectors to address the cyber security professional shortfall. As part of the 2020 Cyber Security Strategy, the Australian Government has introduced the $26.5m Cyber Security Skills Partnership Innovation Fund to support the development of cyber security professionals through training new professionals and re-training existing workforce participants.

However, education alone does not appear able to address the workforce shortfall. A 2019 Centre for Strategic and International Studies (CSIS) study indicated that cybersecurity education and training programs were not sufficiently preparing students for high-skilled technical roles in cyber security. The growing need for cyber security is occurring at all experience levels; however, education and training can only properly address the shortfall in junior cyber security professionals. The need for experienced cyber security professionals in both public and private sectors is not being addressed by education and training.

If migration and training are not solving the shortfall, the only way the Australian government can meaningfully address the shortage of experienced cyber security capability is to get more out of its existing cyber security professionals without promoting burnout.

Australia currently has a small number of Defence Force reservists who are responsible for the cyber security of ADF networks and for cyber warfare. Even if this group were to grow in scale and capability, it would not be able to contribute to the national resilience required prior to the next significant cyber event. This is because there are limitations on the deployment, duration, and operations of ADF personnel domestically.

Furthermore, even if this were not an issue, prospective ADF reserve members may be disincentivised from joining the ADF due to dress, fitness or other standards that don’t relate to cyber security competency. UK Defence has already highlighted this issue in their Reserves in the Future Force 2020 report, noting that scarce cyber security experts “might not necessarily fit the traditional reservist profile. Thus, they may either be unable or unwilling to meet the current military entry standards”. The same report recommended a pilot program with different conditions of service than standard Defence personnel, such as reimbursements or tax incentives, workplace protections and legal indemnity.

What is the solution?

To address this shortfall, the Australian government should establish a Civilian Cyber Corps under the jurisdiction of the Australian Cyber Security Centre (ACSC), which would be a part-time, volunteer cyber security organisation working in support of Australian government interests. Similar organisations exist in other countries, such as the Joint Cyber Reserve Force in the United Kingdom, the Cyber Unit of the Estonian Defence League, and the Wisconsin and Michigan cyber response team equivalents in the United States. An Australian Civilian Cyber Corps is not a novel concept: the Hon Tim Watts MP, the Hon Dan Tehan MP, and Professor Greg Austin (UNSW Canberra Australian Centre for Cyber Security) have all proposed related or similar concepts.

With a model similar to State Emergency Services (SES) or Rural Fire Service (RFS), a Civilian Cyber Corps in Australia would provide the government with an increased cyber security capability for preparation against cyber attacks, provide training for members, and provide a government-directed incident response surge capacity.

Purpose

The purpose of the Civilian Cyber Corps would be to provide the Australian government with an increased cyber security capability for preparation against cyber attacks, provide training for members, and provide a government-directed incident response surge capacity.

Scope

The Civilian Cyber Corps would require a clearly scoped remit to ensure the prioritisation of activities and resources, and to allow the Australian cyber security industry to develop without undue competition from non-profit government entities.

Australian government entities and non-profits often do not have the resources to implement effective cyber security controls and yet are often targeted by cyber threat actors. The primary effort of the Civilian Cyber Corps would be to provide government and non-profit entities with the cyber security uplift they otherwise wouldn’t have access to. This remit is scoped to ensure ongoing growth opportunities for the Australian cyber security industry; businesses and consumers would still require cyber security services, and it is likely that government and non-profit entities would still engage with paid professionals for expert or priority work.

The secondary effort of the Civilian Cyber Corps would be to uplift the Australian cyber security workforce. Similar to the SES, Civilian Cyber Corps participants would undertake training to ensure that they are competent to undertake required activities. This training would include informal ad hoc training and more formal cyber security accreditations. On-the-job training and experience implementing cyber security controls would provide the valuable practical skills that recruiters complain are missing from more formal cyber security education.

The final and most limited effort of the Civilian Cyber Corps would be as a surge capacity for widespread cyber security incidents. Similar to the incident response support provided by the ACSC, the Civilian Cyber Corps would provide technical incident response support to certain entities with prioritisation based on the same framework that the ACSC currently uses.

As the members of the Civilian Cyber Corps would likely be cyber security professionals, in the event of a widespread cyber incident like WannaCry or NotPetya, they would likely be engaged in cyber security operations through their paid employment and therefore not available to undertake incident response through the Civilian Cyber Corps. This is why the Civilian Cyber Corps’ primary task is not incident response. However, it is likely that during a widespread incident there would be some members available to assist with incident response; and even if there were no members available, the relationships and information sharing would support individual organisations’ responses to a widespread cyber incident.

Structure

The Civilian Cyber Corps should sit under the jurisdiction of the ACSC. This is because, among other things, the ACSC has:

  • Jurisdiction over operational domestic cybersecurity for Australia
  • Undertaken uplift activities for Australian government entities
  • Responsibility for providing incident response capabilities on behalf of the Australian government
  • Experience engaging with public (non-security cleared) entities regarding cyber security issues

Alternatively, the Department of Home Affairs could establish the Civilian Cyber Corps as a separate organisation. However, given the Department has responsibility for cyber security policy but not operational cyber security, this would not be recommended.

The Civilian Cyber Corps would have a similar model to the SES and RFS/CFA in that it would be a majority volunteer organisation with a small full-time cadre of staff to organise and administer the organisation.

The Civilian Cyber Corps would not be expected to have mandatory uniform, fitness, or appearance requirements. The Civilian Cyber Corps would be organised around regional units, with units being established and approved by the national organising body. It would be expected that, initially, Civilian Cyber Corps units would be developed around major cities and would leverage existing Joint Cyber Security Centre (JCSC) infrastructure.

Similarly to Defence reservists, the Civilian Cyber Corps would meet regularly for training; this would extend to protective uplift of government and non-profit entities.

Funding

The Civilian Cyber Corps shares a similar model to the Cyber Response Team within the US State of Wisconsin. The Wisconsin Cyber Response Teams are a volunteer organisation with a small cadre of administrators. The main funding outlay of the Wisconsin Cyber Response Team is the cost of training programs for members, which can be adjusted based on funding available. In mid-2022, they had ~250 volunteer members, 3 full-time employees, and an annual cost of US$600,000 (~AUD$875,000), or US$2,500 (~AUD$3,700) per participant. It can be assumed that an Australian Civilian Cyber Corps would have a similar cost per person to the Wisconsin Cyber Response Teams.

The Civilian Cyber Corps should be funded as a separate line item in the Annual Commonwealth Budget within Department of Defence (ACSC) spending.

Why would this work where other efforts haven’t?

Past attempts at addressing the cyber security skills gap have focused on encouraging new entrants into the industry. While this is important, it does not address the need for more experienced cyber security professionals, particularly within government entities.

The Civilian Cyber Corps model addresses the need that is most difficult to fill: medium- and highly-experienced professionals.

Many Australian cyber security professionals have previous experience in, or an affinity for, government service, whether in ASD, the military, or the public service. Many of these people have been drawn to non-government roles because they need to provide for themselves and their families. This model gives them an opportunity to maintain their current wage while also undertaking public service.

Conclusion

The Australian Government needs increased cyber security capability, particularly experienced cyber security professionals. It is imperative that the Australian Government begin developing the human resources necessary to prepare for and respond to a cyber security incident of this scale.

To achieve this, the Australian government should establish a part-time, volunteer Civilian Cyber Corps under the jurisdiction of the ACSC. This organisation should have a responsibility to support preparatory cyber security uplift for government and non-profit entities, so as not to undermine Australia’s nascent cyber security industry. The Civilian Cyber Corps should also seek training and incident response outcomes.

The Civilian Cyber Corps would add much-needed capability into the Australian government at a time when the government simply cannot effectively compete against the private sector for cyber security talent.

Australia faces a deteriorating geo-strategic position; due to our geographic isolation it is likely that any nation-state attack on Australia will include a significant cyber component. It is imperative that the Australian government begin developing the human resources necessary to prepare for and respond to a cybersecurity incident of this scale.

Lachlan McGrath

Advisor